Information Systems 365/765
Information Systems Security and Strategy
                Lecture 7
            Social Engineering
Today’s Chocolate Bar

• Nestle Crunch,
  created in 1938
• Current slogan is
  “For the kid in
  you”….BORING
• Bunch-a-crunch
  controversy
• "Betcha Can't
  Crunch This!"
Warning
• I use REAL people as
  examples in this presentation
• I do this not to mock them, or
  intimidate them, but to
  impress upon them in the
  most real way I know of, the
  importance of sharing
  information about themselves
  only on a “need to know
  basis” in public forums
Social Engineering

• No matter how many security
  measures you introduce, there
  is one which proves to be the
  most challenging…
• How do we secure human
  beings?
Social Engineering Defined

• The use of psychological tricks
  in order to get useful
  information about a system
• Using psychological tricks to
  build inappropriate trust
  relationships with insiders
Kevin Mitnick

• World’s most famous Social
  Engineer
• “The weakest link in the
  security chain is the human
  element”
• Half of his exploits involved
  using social engineering
• See the master in action!
Social Engineering
• Social Engineering goes back
  to the first lie ever told and
  will continue into the future.
• Social Engineering is
  successful because people are
  generally helpful, especially to
  those who are:
• Nice
• Knowledgeable
• Insistent
Three Primary Methods of Social
          Engineering

• Flattery
• Authority Impersonation
• Threatening Behavior
Helpful By Default

• We don’t see a motive to hack
  our network. “If I see it
  everyday, it can’t be
  important.“
• Industrial Espionage
• Revenge
• Just for fun
How Does It Happen?

• “An ounce of prevention is
  worth a pound of cure!”
• The Social Engineer uses
  simple information found
  online, or by making a basic
  phone call into the office
• That stuff really isn’t that easy
  to get…Don’t be dramatic!
Let’s Set Up a Case Scenario
       Using a Method Called
             Pretexting
• Meet Angry Cow
• Computer Science Student at
  UW-Madison
• Angry Cow just got an eviction
  notice
Case Continued – Simple Public
     Information is Found
• Angry Cow lives at the
  Regent
• The Regent’s website
  indicates that it is
  owned by Steve Brown
  Properties
• Angry Cow wants to
  “fix” Steve Brown’s
  record keeping
  spreadsheet to show
  that rent has been paid
Next – Finding A Way In…
• Facebook is Angry Cow’s first
  weapon of choice because it is an
  unofficial source of information
• Poor controls over data sharing
• Lots of important information there
  that might not seem important,
  but could be his first step in…
• Go to Facebook and search:
“Steve Brown Apartments” to find an
  appropriate unknowing accomplice
Let’s See – Danielle Treu




• Born July 24, 1988
• Enjoys playing in the rain,
  drinking coffee and spending
  money
• Works at Subway and as a
  Resident Assistant for Steve
  Brown Apartments
Let’s See – David Klabanoff




• Born April 21, 1979
• Likes Star Wars and
  The Muppet Movie
• Is a Concierge for
  Steve Brown
  Apartments
Let’s See – Andrew Baldinger –
  I think I might know this guy!
• March 30, 1986
• Likes kayaking,
  exploring, and
  getting lost
• Lives at the
  Regent
• Works as a
  Technology
  Support Specialist
  for Steve Brown
  Apartments!
Let’s Start with Danielle Treu

• Her Facebook profile is public,
  but she is intelligent. She
  keeps her contact information
  private
• But, her profile does say that
  she attends UW-Madison…
• I wonder if they have some
  more public information about
  her
The Research, Phase II
• I’m so thankful for the UW
  Whitepages!
• Remember, this is PUBLIC
  information!
• I got her email address!
Primary Contact
Establishing the Trust
• Danielle talks to David, and
  since David trusts Danielle as
  an “insider”, this trust
  transfers to the fake Andrew
• Angry Cow shows up later that
  day, David is expecting him
• Angry Cow identifies himself
  as Andrew and asks David for
  key to server room
The Hack
• Angry Cow, gets physical
  access to server, uses
  Ophcrack (just like we did in
  class to get Admin username)
• Angry Cow logs into server
  and alters accounting files to
  indicate that his rent has been
  paid
Summary of This Example
• Search for public information
  about your target, using both
  official and unofficial sources
• Build a trust ladder, Julie
  trusts Andrew and David
  trusts Julie, therefore David
  will trust Andrew—even if
  “Andrew” really is Angry Cow!
• Built a credible story
• Based on PRETEXTING
Let’s Watch Another Example

• Silence of the Lambs Movie
  scene

• Notice how they both establish
  trust through the use of
  kindness or perceived
  kindness
How to Keep Social Engineering
        From Working

• Administrators need to:
• Establish Policies
• Train Employees
• Run Drills
• Office Workers:
• Need to be aware of Social
  Engineering tactics
• Follow policies
Let’s Watch the AT&T Internal
     Social Engineering Training
                Video
• Which Social Engineering
  techniques can you identify in
  the video? (Flattery,
  Authority, Threats)
• How would you CLASSIFY this
  video? (Remember Data
  Classification)
• What is going on at AT&T?
Pretexting
• Pretexting is the
  act of creating
  and using an
  invented scenario
  (the pretext) to
  persuade a
  targeted victim to
  release
  information or
  perform an action
  and is typically
  done over the
  telephone.
Pretexting

• It's more than a simple lie as it
  most often involves some prior
  research or set up and the use of
  pieces of known information (e.g.
  for impersonation: date of birth,
  Social Security Number, last bill
  amount) to establish legitimacy in
  the mind of the target.
Is This Really a Threat to
     Businesses? PRETEXTING

• So far, this just looks
  like a technique
  employed by angry
  individuals.
• Did you know that
  Hewlett Packard
  regularly engaged in
  Social Engineering?
• They used the method
  of PRETEXTING in
  order to get phone
  records
• Let’s watch the
  testimony of Patricia
  Dunn, Director of HP
Pretexting Will Likely Continue
• As most U.S. companies still
  authenticate a client by asking
  only for a Social Security
  Number, date of birth, or
  mother's maiden name, the
  method is effective in many
  criminal situations and will
  likely continue to be a security
  problem in the future.
• Pretexting is the most
  common form of Social
  Engineering
Phishing

• Phishing is the use of email as a
  means to extract personal
  information from a user
• A variant is called IVR Phone
  Phishing
Phishing Continued
• Direct you towards bogus
  (fake) websites
• Purpose is to harvest
  information
• PayPal example – I don’t even
  have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!
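As an added illustration of what a mail “Phishing Filter” checks (this is example code, not from the lecture or any product): it parses the anchors in an HTML email and flags links whose clickable text names one domain while the href actually leads to a different host or to a raw IP address, which is how a victim is directed to a bogus site. The sample message is constructed here, modelled on the PayPal lure mentioned above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# A domain name as it would appear in the clickable text, e.g. "www.paypal.com".
_DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def suspicious_links(html):
    """Return (href, visible_text, reason) for each anchor that looks deceptive."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = _DOMAIN_RE.search(text)
        if _IPV4_RE.fullmatch(host):
            findings.append((href, text, "raw IP address as host"))
        elif shown:
            named = shown.group(1).lower()
            if host != named and not host.endswith("." + named):
                findings.append((href, text, "visible text names a different domain"))
    return findings

# Constructed sample lure (not a real message), modelled on the PayPal example.
SAMPLE = ('<p>Confirm your account at '
          '<a href="http://paypal.com.verify-login.example/acct">https://www.paypal.com/</a> '
          'or <a href="http://203.0.113.7/login">here</a>. '
          '<a href="https://www.paypal.com/help">Help center</a></p>')

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE):
        print(finding)
```

The third anchor is left alone because its text does not name a domain at all; a real filter would add reputation lookups on the host, but the text-versus-href mismatch alone catches the classic lure.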
TROJAN HORSE

• Is a virus or malware, disguised in
  such a way as to appeal to a
  person’s curiosity or greed
• Usually arrives in the form of an
  email with an attachment
• ILOVEYOU virus is an example of
  a Trojan Horse
• Adware hiding inside downloads is
  another example
Road Apples
• Road Apples are also known as
  Baiting
• Uses physical media and relies on
  the curiosity or greed of the
  victim
• USB drives or CDs found in the
  parking lot, with label: 3M
  Executive Salaries
• Autorun on inserted media
Quid Pro Quo
• Means “something for
  something”
• A person contacts people one
  by one, until he/she finds a
  person with a problem
• When they find a person, they
  “fix” their problem by
  introducing malware to their
  machine
Summary – Today’s Takeaways

• Social Engineering involves
  manipulating others to get
  access
• Main techniques are: Flattery,
  Authority, Threatening
• Main types are: Pretexting,
  Phishing, Trojan Horses and
  Quid Pro Quo
Ways to Combat Social
         Engineering
• Good security policy
• Make sure your employees
  understand dangers and
  threats
• Make sure employees
  understand what Data
  Classification means and what
  type of information you
  publicly give away
Most Important Gem of Wisdom
in Defeating Social Engineering
• Never, Never give out username,
  password, account number, SSN,
  etc over the same channel used
  to initiate the request
• For example, if a phone call
  comes in, asking for a SSN, send
  the SSN via email or regular mail