7. The Shmooze is Strong in This One
January 5th 2011 - DefCon Security Conference campaign to increase awareness of social engineering.
Contestants tried to extract as much potentially harmful information as possible from target businesses through social engineering. Google, Microsoft, Apple, Cisco, BP, Shell, Ford, PG&E, Coke, and Pepsi “failed” the test; of the 50 employees that were targeted, only 3 did not reveal any information and terminated the call.
8. Who is likely to be targeted?
The people with the most information and the least security training. This usually means the C-suite, which is probably the group most susceptible to social engineering attacks.
• 48% of enterprises have been victims of social engineering attacks, 25 in the past 2 years.
• 86% of IT and security professionals are aware of the risks of social engineering.
• 75% success rate with social engineering phone calls to businesses according to the FBI.
10. Information Gathering
A variety of techniques can be used by an attacker to gather information about the target(s). Once gathered, this information can then be used to build a relationship with either the target or someone important to the success of the attack.
11. Developing a Relationship
An aggressor may freely exploit the willingness of a target to be trusting in order to develop rapport with them. While developing this relationship, the aggressor manoeuvres into a position of trust which he will then exploit.
12. Exploitation
The target may then be manipulated by the ‘trusted’ aggressor to reveal information (e.g. passwords) or perform an action (e.g. creating an account or reversing telephone charges) that would not normally occur. This action could be the end of the attack or the beginning of the next stage.
13. Execution
Once the target has completed the task requested by the aggressor, the cycle is complete.
14. Prevention? Not really, Control.
Security policy, education/awareness, incident response strategy and security culture.