This slide deck gives a brief description of social engineering, its classification, the attack environment and various impersonation scenarios, which will give the audience a sound understanding of social engineering techniques.
2. Summary
Social engineering is the art of convincing people to reveal confidential information.
It involves an outsider obtaining sensitive information or inappropriate access privileges.
Intruders attempt social engineering attacks on office workers to extract valuable
information.
Human-based social engineering relies on person-to-person interaction to
retrieve the desired information.
Computer-based social engineering relies on computer software that attempts to
retrieve the desired information.
Identity theft occurs when someone steals your name and other personal information
for fraudulent purposes.
An effective defence depends on having good policies and applying them
diligently.
3. Statistics
88% of link clicks in email are reported as phishing
77% of phishing attacks are socially based
90% of all email is spam or carries a virus
13.3 million users reported phishing attacks in 2013
88% of the stolen data was personal information
2.4 million customers were targeted by phone fraud in 2012
2.3 million customers were targeted by phone fraud in the first half of 2013
Of these, 26% lured the user into calling a number, 14% into replying to a text
and 60% into clicking on a link
Victims lost $4,187 a year on average
The most common setting for these attacks was the workplace, both personal and corporate
4. Introduction
Passive penetration using social engineering relies on the fact that
users are unaware of how valuable their information is and are not careful
enough to protect it against fraud.
Victims include help desk personnel, technical support staff, system
administrators, VIPs, business people, corporate staff, bankers and so on.
Several human traits make people vulnerable: a natural tendency to trust,
ignorance of social engineering, the promise of getting something for
nothing, greed and a lack of moral obligation.
Several factors make organisations vulnerable to this attack:
insufficient security training, unregulated access to information,
many separate organisational units and a lack of security policies.
Social engineering can cause an organisation economic loss, loss of privacy,
temporary or permanent closure, damage to goodwill and more.
5. Why this method is effective ?
Social engineering attempts are difficult to detect
No software- or hardware-based control can prevent human error
No method guarantees complete protection against social engineering
Because to err is human, people are the weakest link in any security policy
People do not continuously guard their own behaviour and cannot change
their behavioural patterns frequently, which leaves them exposed to social
engineering.
Making everyone uniformly cautious is not possible, and the lack of that
discipline is what drives people into social engineering attacks.
6. Phases in social engineering
Researching the target company: its websites, whois lookups,
pipl.com, employees, dumpster diving and so on.
Selecting a victim: identifying frustrated employees of the target
company.
Developing a relationship with the targeted employees.
Exploiting the relationship: collecting sensitive information,
financial information and details of the technologies in use.
Getting access to the sensitive data and retrieving personal
information from the victim.
7. Classification of Social Engineering
Social engineering falls into three categories: human based,
computer based and mobile based.
Human-based social engineering means pretending to be a legitimate
or authorised person.
Computer-based social engineering uses pop-up windows, hoaxes,
chain letters and spam emails to lure users into a trap.
Mobile-based social engineering involves publishing malicious apps on
app stores, publishing fake security applications, using SMS, and so on.
8. Attack Environment
Several social engineering attacks are discussed here. They fall into the
categories listed on the previous slide.
Social engineering is carried out through impersonation, for example attempting to
extract sensitive information from the help desk. Help desks are often the weakest
link because their explicit job is to help.
Attackers also use third-party authorisation to retrieve valuable information from an
organisation. First they obtain the name of an authorised employee who has access
to the information they want. Next they call the target organisation claiming that
this employee needs the information. If the organisation hands over the information,
it has been trapped.
9. Another technique attackers use is posing as tech support or a repairman. The
attacker pretends to be technical support staff from the organisation's software or
hardware vendor, then asks for a user ID and password to troubleshoot a problem in
the organisation. Once these credentials are obtained, the attacker searches for the
information and retrieves it.
Attackers may also pose as a cable or telephone technician to enter the target
organisation. Once inside, they may plant snooping devices to capture employees'
passwords.
Attackers also carry out social engineering by posing as a trusted authority
figure.
Cont..
10. Other well-known social engineering attacks are eavesdropping and shoulder
surfing. Eavesdropping is the unauthorised listening to conversations or reading of
private content; it also covers interception of audio, video or written
communication.
Shoulder surfing means looking over someone's shoulder to capture information
such as passwords, PINs or account numbers.
It can also be done with vision-enhancing devices such as binoculars.
Another social engineering attack is dumpster diving, which means searching for
valuable information in the target's trash.
Further strategies under social engineering include piggybacking, tailgating and
reverse social engineering.
Cont..
11. Cont..
Besides human-based impersonation, computer-based social engineering attacks
are also popular; they use instant messengers, pop-up windows, spam email,
chain letters and the like.
One of the most popular social engineering attacks is phishing: an
illegitimate email that lures users into providing their personal information.
These messages falsely claim to come from legitimate web sites.
A variant of phishing is spear phishing, which targets a specific individual
within an organisation. It typically achieves a higher response rate than
conventional phishing.
The messages are tailored to the targeted individuals.
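The mismatches this slide describes (a message that claims to come from a legitimate site while its sender address, reply address and links point elsewhere) can be checked mechanically, which is the kind of triage a mail gateway or a phishing-report inbox performs. The Python below is an added example written for this page, not code from the original slides. The protected-domain list, the urgency keyword list and both sample messages are constructed for illustration; the registrable-domain logic is deliberately crude (last two labels, no public-suffix list).

```python
"""Heuristic phishing triage for one raw RFC 5322 message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains this organisation treats as trusted; not from the slides.
PROTECTED_DOMAINS = {"example-bank.com", "paypal.com", "microsoft.com"}
BRANDS = {d.split(".")[0] for d in PROTECTED_DOMAINS}
URGENCY = ("verify", "suspend", "within 24 hours", "urgent", "confirm your")
_DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_URL_TEXT = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


def normalize(name: str) -> str:
    """Undo common lookalike tricks: digit-for-letter swaps and 'rn' for 'm'."""
    return name.lower().translate(_DIGIT_GLYPHS).replace("rn", "m")


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the protected domain a host impersonates, or None if it is clean."""
    base = registrable(host)
    if base in PROTECTED_DOMAINS:
        return None
    norm = normalize(base)
    for good in PROTECTED_DOMAINS:
        # typosquat of the whole domain, or brand name buried in a foreign host
        if edit_distance(norm, good) <= 1 or good.split(".")[0] in normalize(host):
            return good
    return None


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw: str) -> list:
    """Return human-readable findings for one raw message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # 1. Display name claims a protected brand but the sender domain is not one.
    if from_dom not in PROTECTED_DOMAINS and any(b in normalize(display) for b in BRANDS):
        findings.append(f"display name {display!r} impersonates a protected brand, sender is {from_dom}")
    hit = lookalike_of(from_dom) if from_dom else None
    if hit:
        findings.append(f"sender domain {from_dom} looks like {hit}")
    # 2. Replies are routed to a different domain than the one the mail claims.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.rsplit("@", 1)[-1]) != from_dom:
        findings.append(f"Reply-To {reply} does not match From domain {from_dom}")
    # 3. Links whose visible text names one host but whose href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = _LinkParser()
    parser.feed(text)
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link host {host} looks like {hit}")
        if _URL_TEXT.fullmatch(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable(shown_host) != registrable(host):
                findings.append(f"link text shows {shown_host} but points to {host}")
    # 4. Pressure language in subject or body.
    haystack = (msg.get("Subject", "") + " " + text).lower()
    cues = [w for w in URGENCY if w in haystack]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings


# Constructed sample messages for illustration (not real mail).
SAMPLE_PHISH = """\
From: "PayPal Security" <alerts@paypa1-secure.com>
Reply-To: collect@mailbox-drop.net
To: victim@example-corp.com
Subject: Your account has been suspended - verify within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://paypal.com.verify-login.net/restore">https://www.paypal.com/restore</a> to restore access.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-bank.com>
To: staff@example-bank.com
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it at <a href="https://intranet.example-bank.com/news">intranet.example-bank.com/news</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_email(sample) or ["no findings"])
```

These heuristics produce findings, not verdicts: a legitimate mailing service often sets a different Reply-To, and a short brand name can appear in an honest hostname. In practice the findings feed a score or a reviewer queue, and the lookalike check is paired with authentication results (SPF, DKIM, DMARC) rather than used on its own.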
12. Alongside computers, mobile devices are also a great medium for
social engineering attacks. Because mobiles are far more widely available
than other devices, they are one of the attackers' top choices.
Attackers publish apps with attractive features and names similar to popular apps
to attract users. Once installed, these apps send user credentials to the remote
attacker while the end user remains unaware.
Typically malicious developers download popular apps, repackage them
with malware and re-upload them to third-party app stores.
End users download these apps and get infected.
Cont..
13. Another widespread social engineering technique is to tempt users into
installing fake security applications via pop-ups, email and so on.
Users suddenly feel insecure without these applications and many install the
software without a second thought. The software abuses the user's
privileges and activity, steals valuable information from the user's computer
and uploads it to a remote server.
Apart from app-based social engineering, attackers also exploit users through
text messages and phone calls.
The attacker sends a fake message to the target's phone urging them to call a
specific number. When the user dials the number, he or she hears a recording
asking for their credentials to resolve some security issue.
If the user is convinced, they reveal their sensitive information.
Cont..
14. Attackers also carry out social engineering through social networking
sites such as Facebook, Twitter, LinkedIn and Google Plus. They create fake
accounts in other people's names and gather confidential information about
target users from these sites.
They build large networks of friends and extract information from them through
social engineering.
They try to join the employee groups of large organisations, where staff share
company information.
They also use the collected information to carry out other forms of social
engineering attack.
The information attackers look for includes dates of birth, educational
qualifications, spouses' names and so on.
Cont..
15. Another popular application of social engineering is identity theft, which
happens when someone steals another person's identity for fraudulent purposes.
Personal information includes name, email, phone number, credit card number,
social security number and driving licence. After obtaining this information,
the attacker can commit several crimes.
They try to impersonate employees of the organisation and gain physical access
to the premises.
Sometimes they produce false proof of identity to request a new identity
document, which can be a lasting threat to the person whose information was stolen.
Cont..
16. Demonstration of attack
The previous slides described various social engineering attack scenarios.
The following slides demonstrate them. Each image is unique and was drawn
using Microsoft Visio 2016.
The figures cover the following social engineering techniques:
impersonation, mobile-based and computer-based social engineering,
exploiting frustrated employees, and so on.
17. to 20. Attack scenario diagrams (figures only, not reproduced in this text)
21. Countermeasure
Social engineering can be countered through good policies and procedures,
but these are effective only if employees and individuals are well trained in
them and adopt them.
Password policies include: periodic password changes, avoiding guessable
passwords, locking accounts after repeated failed attempts, password complexity,
keeping passwords secret, variety in the methods used to supply passwords, etc.
Physical policies include: identifying employees through uniforms, IDs, badges
etc., shredding unneeded documents, restricting access to sensitive areas,
escorting visitors, etc.
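Two of the password controls listed on this slide, rejecting guessable or weak passwords and locking an account after repeated failed attempts, are shown below in Python as an added example written for this page, not from the original slides. The thresholds (12 characters, 5 failures within 15 minutes, a 30-minute lock) and the small common-password list are assumed values; the lockout uses a sliding window so that failures spread thinly over time do not trip it, while a burst does.

```python
"""Password-policy check and failed-login lockout (added example)."""
import re
from collections import defaultdict, deque

# Assumed policy numbers; the slides name these controls but give no values.
MIN_LENGTH = 12
MAX_FAILURES = 5            # lock after this many failures ...
WINDOW_SECONDS = 15 * 60    # ... within this sliding window
LOCK_SECONDS = 30 * 60      # how long the account stays locked
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}


def password_problems(pw: str) -> list:
    """Return the policy rules a candidate password violates (empty = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if re.search(r"(.)\1\1", pw):
        problems.append("same character repeated three times")
    return problems


class LoginGuard:
    """Sliding-window lockout: MAX_FAILURES within WINDOW_SECONDS locks the account."""

    def __init__(self):
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lock expires

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        if now < self._locked_until.get(user, 0):
            return "locked"     # even a correct password is refused while locked
        window = self._failures[user]
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()    # forget failures that fell out of the window
        if password_ok:
            window.clear()      # a successful login resets the counter
            return "ok"
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCK_SECONDS
            window.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(password_problems("Password1"))
    guard = LoginGuard()
    for t in range(0, 50, 10):
        print(t, guard.attempt("alice", False, t))
```

Note that the guard refuses the correct password while the lock is active; that is the intended behaviour, since an attacker who eventually guesses right should not be let in by the guess that happens to follow the lock. A real deployment would also log each lock event and alert on many users being locked at once, which is the signature of a password-spraying campaign.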
22. Some countermeasures for social engineering include:
Training: Employees need extensive training to become aware of this kind of
attack and of the techniques for preventing it. They should know the security
policies. Employees also need motivation, to keep them from becoming
frustrated with the organisation.
Access privileges: Administrator, guest and normal user accounts should be kept
separate, with proper authorisation.
Operational guidelines: Ensure that sensitive information is handled only by
authorised users.
Classification of information: Information should be categorised as top secret,
proprietary, internal use only, public, etc.
Employees should also be taught how to respond promptly to an incident in case
of social engineering.
Cont..
23. Alongside the human-centred approaches there should also be software-based
approaches to counter social engineering. Antivirus defences should be layered,
and mail gateways should be protected with security software, to limit social
engineering.
Instead of passwords alone, biometric or two-step authentication should sometimes
be used.
A documented change management process should be applied rather than ad
hoc processes.
Several browser toolbars, such as Netcraft and PhishTank, can be used to help
prevent phishing.
Cont..
24. Apart from being safe inside the organisation, it is also necessary to
safeguard the organisation on the web.
Several practices help:
Protecting personal information from being exposed
Treating every request for personal data with suspicion and verifying it
Not displaying account numbers or contact numbers unless necessary
Refusing to provide personal information over the phone
Checking mailboxes regularly and creating filtering rules; flagging
legitimate contacts
Never adding unknown contacts on social networking sites
Cont..
25. To prevent social engineering attacks, email must be handled very
carefully. Emptying mailboxes as soon as possible makes it harder for an
intruder.
Employees should be specifically trained to recognise the good interpersonal
skills, strong communication skills, creativity, and talkative, friendly
manner that attackers display, since attackers use exactly these behaviours
to convince their targets.