Social Engineering and Identity Theft.pptx

Social Engineering and Identity Theft
How to avoid being a victim
Scott Teipe – CISSP, CISM
Manager of Information Security

©2011 Gogo Inc. and Affiliates. Proprietary & Confidential.
Social Engineering and Identity Theft Cases
Frank Abagnale (1969)
• http://en.wikipedia.org/wiki/Frank_Abagnale
Lifelock (2007)
• http://en.wikipedia.org/wiki/Lifelock
HBGary vs. Anonymous (2011)
• http://en.wikipedia.org/wiki/HBGary
Amar Singh (2012)
• http://www.huffingtonpost.com/2012/08/07/largest-id-theft-in-
history_n_1751241.html

Identity Theft Statistics
• One of the most common cybercrimes worldwide!
The 2013 Identity Fraud Report released by Javelin
Strategy & Research indicates:
In 2012 identity fraud incidents increased by
more than one million victims.
Fraudsters stole more than $21 billion, the
highest amount since 2009.
12.6 million victims in the United States in 2012.
1 new victim every 3 seconds!!!

Identity Theft
Javelin Strategy & Research Report
https://www.javelinstrategy.com/news/1387/92/More-Than-12-Million-Identity-Fraud-Victims-in-2012-
According-to-Latest-Javelin-Strategy-Research-Report/d,pressRoomDetail

Identity Theft
Once your personal data is obtained, it can be used to:
• Apply for a job
• Charge utilities
• File for bankruptcy
• File fraudulent tax returns
• Open new accounts on your name
• Commit a crime or get into legal trouble
• Drain your checking account and savings
• Go on a spending spree, purchase a car, appliances, services, etc.

Social Engineering
• Social Engineering - New term for an old
problem: being scammed.
• Exploit Human Nature Weakness
• Desire to Help
• Fear of Authority
• Use of logic(mask a small lie within a
series of true statements)
• Exploit necessities and desires (money,
sex, free services/entertainment, etc.)
• Technical and Non Technical
• Phone, email, trash, face to face
• Target: Your personal information or third
party information for which you have
access.

Social Engineering Techniques
• Phishing and Spearphishing
• Dumpster Diving
• Be aware of what you throw in the trash. Someone’s trash is someone else’s
treasure.
• Shoulder surfing
• Always check to ensure nobody is peeking over your shoulder when entering security
credentials (PIN, Password, etc)
Some of these techniques allow the attacker to bypass security controls
(passwords, firewalls, etc)

Scenario 1
• You find a USB key in the parking lot at your workplace, once you plug it in, you
find a program that offer free access to a website in order to watch pirated first-
run movies.

Scenario 2
• You work in IT support and receive a phone call. The person on the other side of
the line claims to be the new VP of the company and has forgotten his/her
security credentials (pin/password) and asks you to reset their password.

Strategy
• Awareness and Common Sense
• If its too good to be true…
• Discipline and Education
• If in doubt, look for confirmation
• Efficient use of defensive
technologies
• Proper use, storage and disposal
of your information

Technology Defense Mechanisms
• Security in depth: Multiple overlapping defenses
• Remember there is no single solution that protects 100% against an attack
• Proactive vs. Reactive
• Firewall, Antivirus, System Patches
• Most Modern operating systems have user friendly security features built-in
• Passwords security
• Data disposal

Action Center
• Windows 7/8
• Antivirus:
• Win8: Windows Defender
• Win7: Windows security essentials
• Firewall: Windows Firewall
• Patch Management: Windows Update
• Other features:
• Data Privacy/Protection (BitLocker Win7/8)
• Antiphishing (Win8 Windows SmartScreen)
• Family Safety (Win 8)

Action Center
• Display Important messages
• Windows update: Make sure Windows Update is configured correctly and turned
on!

Windows Defender
• Antivirus Real time
protection
• Status color coded:
Green, Yellow, Red

Windows Smart Screen
• Real time protection
against malware
• Offers phishing
protection within IE in
real time.

Password Security
• Length: 16 or more characters
• Complexity
• Avoid Dictionary words and personally identifiable information
• Change the order - use numbers, symbols then letters.
• Human nature is to use a capital letter then lower case then
numbers and symbols to form a password. Hacking programs
know this!
• Use password generators
• https://www.grc.com/passwords.htm
• http://passwordsgenerator.net/
• Too many passwords? Try a password manager
• Free Password Manager – Keepass
• http://keepass.info/

Two Factor Authentication
• Offers an extra layer of security
• It requires an additional authentication
factor
• One of the following besides username
and password:
• Something you have: Security token
• Something you know: PIN or pattern
• Something you are: Biometrics like
fingerprint, voice, etc
• Google and Yahoo started offering two
factor authentication as an additional
security feature back in 2011.

Digital Fingerprints
• Where we are leaving traces of
our lives:
• Social Media (Twitter,
Facebook, LinkedIN, etc)
• Old Devices: Cellphones
• What are we leaving behind:
• Date/Place of birth
• Family Members Information
(Nicknames/Dates/etc)
• Social Security Numbers,
Phone Numbers, etc.

How to Manage Your Information
• Install a data sanitation utility
and use it to delete any
important and/or personal
information.
• If you are going to
sell/transfer a device wipe the
storage device clean
including the memory card!
• Another excellent protection
is to encrypt your sensitive
information.

Free Tools for Secure Erase
• Eraser
• http://eraser.heidi.ie/download.php
• Ccleaner
• http://www.piriform.com/ccleaner/download
• File Shredder
• http://www.fileshredder.org/

Free Tools for Data Wipe
• Secure Erase
• http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
• MHDD
• http://hddguru.com/software/2005.10.02-MHDD/
• Hard disk vendors offer utilities to wipe the contents of their HD
• Always wipe the Hard disk before disposing or donating an old computer!!!
• Don’t become a victim of old personal data.

Free Tools for Data Encryption
• Truecrypt
• http://www.truecrypt.org/
• Safehouse Explorer Encryption
• http://www.safehousesoftware.com/
• Windows 7/8 Bitlocker
• http://windows.microsoft.com/en-
hk/windows7/products/features/bitlocker
Encrypt data on removable storage (USB
thumb drives, SD cards)

Free Anti-virus
• Avast:
http://www.avast.com/index
• AVG: http://free.avg.com/ww-
en/homepage
• Avira:
http://www.avira.com/en/avira-
free-antivirus

Email
Basic principles
• Avoid clicking on links contained within e-mail messages.
• Type the webpage into the browser instead of clicking on the link.
• If in doubt, confirm the validity of the e-mail with the sender.
WHY???
• It is very easy for hackers to forge the sender’s identity.
• It is easy to forge the e-mail format to make it look legitimate.
• Clicking on a legitimate looking link may install malicious software without your
consent or knowledge.

Email
No official UN or HSBC email addresses
Take a look to the header

Internet Browsing
• Most vulnerabilities require you to click on something within the website to
activate the vulnerability and cause your computer to crash or become very slow.
• Websites make it difficult to choose the right place to click. Often times, buttons
are just images coaxing you to perform an action such as clicking on a link
embedded in an image.
• Critical: keep your browser and computer updated with the latest versions and
patches!!!

Conclusions
• Be aware, educated and
disciplined.
• Keep it simple (i.e: Just install
the applications that you really
need).
• There are no silver bullets,
having a strategy in
conjunction with the proper
use of technology will help
you to minimize your exposure
to fraud.

Questions??

Social Engineering and Identity Theft.pptx

Recommended

Recommended

More Related Content

Similar to Social Engineering and Identity Theft.pptx

Similar to Social Engineering and Identity Theft.pptx (20)

More from Roshni814224

More from Roshni814224 (20)

Recently uploaded

Recently uploaded (20)

Social Engineering and Identity Theft.pptx