Social Engineering
Art of "Human OS" hacking
Hovhannes Aghajanyan
hovhannesagh
Topics covered
• What is Social Engineering?
• Techniques and Case studies of Social Engineering
• Defending against Social Engineering
Objectives
• Understand the principles of social engineering
• Define the goals of social engineering
• Recognize the signs of social engineering
• Increase awareness concerning social engineering
• Identify ways to protect yourself from social engineering
What is Social Engineering
At its core it is manipulating a person into knowingly or unknowingly giving up
information; essentially 'hacking' into a person to steal valuable information.
• Psychological manipulation
• Trickery or deception for the purpose of information gathering. One of the most effective
routes to stealing confidential data from organizations
85% of office workers were duped by social engineering
What is Social Engineering
The purpose of social engineering is to secretly install spyware or other malicious
software, or to trick persons into handing over passwords and/or other
sensitive financial or personal information
48% of enterprises have been victims of social engineering
attacks, experiencing 25% or more such attacks in the past two years at an
average cost of over $18,000 per incident
Source: Check Point (http://www.net-security.org/secworld.php?id=11665)
• Phishing emails were ranked the most common source of
social engineering threats (47%), followed by social networking
sites that can expose personal and professional information
(39%) and insecure mobile devices (12%).
• New employees are at high risk from social engineering,
followed by contractors (44%), executive assistants (38%),
human resources (33%), business leaders (32%) and IT
personnel (23%).
Source: Check Point (http://www.net-security.org/secworld.php?id=11665)
Who are Social Engineers?
• Lone hackers and/or organized cybercriminals
• Script kiddies
o Unskilled hackers who use simple techniques.
• Hacktivists
o Adding the online activity of hacking to political activism
gives us hacktivism.
• Nation-state hackers
o These actors pose the highest, most consistent cyberthreat to state
and territorial governments, and an unknown level of risk to
local and tribal governments.
• Media, commercial organizations, private investigators
What motivates social engineers?
• Obtaining personal information.
• Gaining unauthorized access.
• Circumventing established procedures.
• Because they can.
Kevin Mitnick
Famous Social Engineer Hacker
• Went to prison for hacking
• Became computer security consultant
"The weakest link in the security chain is the human element."
Social Engineering can take on many forms. It can
be malicious and it can be friendly.
Phases in a Social Engineering Attack
• Research on a target
o Websites, employees, search engines, news, etc.
• Select a victim
o Identify the frustrated person.
• Develop a relationship
o Develop a relationship with the selected person.
• Exploit the relationship
o Manipulate the target and collect sensitive information, financial information, etc.
Why is Social Engineering effective
and very dangerous?
• Security policies may be strong, but the human factor is the
weakest link.
• It is difficult to detect social engineering attempts.
• There is no method to ensure complete security from social
engineering attacks.
• There is no specific software or hardware for defending against a
social engineering attack.
Types of Social Engineering
• Quid Pro Quo
o Something for something
• Phishing
o Fraudulently obtaining private information
o Send out bait to fool victims into giving away their information
• Baiting
o Real world trojan horse
• Pretexting
o Invented Scenario
• Diversion Theft, Tailgating
o delivery is requested elsewhere
Human-based Social Engineering
• Posing as a legitimate end user
o Give an identity and ask for sensitive information.
Example: "Hi, this is Hovhannes from the Marketing Department. I have forgotten my password, can I
get it?"
• Posing as an important user
o Posing as a VIP of the target company, a valuable customer, etc.
Example: "Hi! This is Lilit, the CEO's secretary. I'm working on an urgent project and lost my system
password. Can you help me out?"
• Posing as technical support
o Call as technical support staff and request IDs and passwords.
Example: "Sir, this is Gurgen from Technical Support. Last night we had a system crash and
we are checking for the lost data. Can you give me your ID and password?"
Computer-based Social Engineering
• Pop-ups trick users into clicking a hyperlink that redirects them to fake
web pages asking for personal information, or downloads malicious
programs such as keyloggers, Trojans, or spyware.
• An illegitimate email falsely claiming to be from a legitimate company
attempts to acquire the user's personal or account information.
Mobile-based Social Engineering
• Tracy receives SMS messages and notifications
• Tracy receives calls, recordings, IVR
CASE STUDIES
RSA SecurID Breach - $66 million
• "The attacker in this case sent two different phishing emails over a
two-day period. The email subject line read '2011 Recruitment
Plan.'"
• "The email was crafted well enough to trick one of the employees to
retrieve it from their Junk mail folder, and open the attached excel
file. It was a spreadsheet titled '2011 Recruitment plan.xls.'"
• "The spreadsheet contained a zero-day exploit that installs a
backdoor through an Adobe Flash vulnerability (CVE-2011-0609)."
CASE STUDIES
ABN Amro bank - $27.9 million
• Posing as a successful businessman, the thief visited the bank
frequently, befriending staff and gradually winning their
confidence.
• Used charm and brought them chocolates.
• Got hold of the original keys to make copies and got information on
where the diamonds were.
CASE STUDIES
CIA Director John Brennan - email
• Call Verizon
• Take Brennan's account number, his four-digit PIN, the backup
mobile number on the account, Brennan's AOL email address and
the last four digits on his bank card.
• Call AOL
Ways to Prevent Social Engineering
• For Individuals
o Do not provide personal information
o Always be suspicious: read mails carefully and don't click
o Take ownership of corporate security
o Password management / two-factor authentication
o Understand what information you are putting on the Web / social
networks
• For Companies
o 3rd-party tests
o Policies
o Trainings / user awareness
o Email/Web filtering and strong authentication
o Customer notification
34% of businesses do not have any employee training or security policies.
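As an added example (not from the original slides), the following Python script shows the kind of email filtering the prevention list mentions, applied to a constructed message modelled on the RSA SecurID case study: an external sender, an HR-themed subject line and a spreadsheet attachment. The internal domain `example.com`, the lure-word list and the sample sender address are assumptions for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the defended organisation's mail domain
RISKY_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docm", ".zip", ".exe", ".js")
# Theme words seen in lures; "recruitment" mirrors the RSA subject line above.
LURE_WORDS = ("urgent", "password", "verify", "recruitment")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(raw: bytes) -> list[str]:
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = _domain(msg.get("From", ""))
    if sender and sender != INTERNAL_DOMAIN and not sender.endswith("." + INTERNAL_DOMAIN):
        hits.append(f"external sender: {sender}")
    reply = _domain(msg.get("Reply-To", ""))
    if reply and reply != sender:
        hits.append(f"Reply-To domain {reply} differs from From domain {sender}")
    subject = str(msg.get("Subject", "")).lower()
    lures = [w for w in LURE_WORDS if w in subject]
    if lures:
        hits.append("lure words in subject: " + ", ".join(lures))
    for part in msg.iter_attachments():  # real attachments only, not the body text
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment: {name}")
    return hits


def sample_rsa_style_message() -> bytes:
    """Constructed sample modelled on the RSA case study; not the real email."""
    m = EmailMessage()
    m["From"] = "HR Team <hr@jobs-portal.invalid>"  # constructed external sender
    m["To"] = "employee@example.com"
    m["Subject"] = "2011 Recruitment Plan"
    m.set_content("Please review the attached recruitment plan.")
    m.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                     subtype="vnd.ms-excel", filename="2011 Recruitment plan.xls")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in phishing_indicators(sample_rsa_style_message()):
        print("-", hit)
```

A real gateway would feed such indicators into a score together with SPF/DKIM results and sandboxing of the attachment; the point here is that the three traits of the RSA lure are all visible before anyone opens the file.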
THANKS AND PROTECT YOURSELF !
Hovhannes Aghajanyan
hovhannesagh

Social Engineering | #ARMSec2015