WH
Uploaded byWasim Halani
2,137 views

Social Engineering - Exploiting the Human Weakness

Network Intelligence India Pvt. Ltd. is an ISO 27001-certified company that provides IT governance, risk management, and compliance services. Wasim Halani of Network Intelligence gave a presentation on exploiting human weakness through social engineering. Social engineering manipulates people into divulging confidential information rather than using technical hacking methods. Halani described conducting a social engineering penetration test against a client company that involved gaining physical access to their office by posing as a security auditor and convincing employees to disclose sensitive information under false pretenses. The test revealed vulnerabilities that could be exploited through social engineering attacks like phishing and fake profiles on social media.

Embed presentation

Exploiting the human weakness www.niiconsulting.com Presentation by: Wasim ‘washal’ Halani Network Intelligence India Pvt. Ltd.
Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!
 Information security at every organization is one of the most important aspects!  It is people who handle this information  Social Engineering is exploiting the weakness link – the employees www.niiconsulting.com
“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.” [Source: Wikipedia] www.niiconsulting.com
www.niiconsulting.com
www.niiconsulting.com
 Wordpress vulnerability on the blogs of their websites Kevin ‘don’t call me a security expert’ Mitnick Dan ‘I smile when I am hacked’ Kaminsky www.niiconsulting.com
 Phishing  Baiting  Identity Theft  Dumpster Diving  Email Scams  Use of Authority  Request for Help  Indulging Curiosity  Exploiting Greed =Abuse of Trust www.niiconsulting.com
 IT/ITES Company  Two offices  About 400 – 500 employees  We had previously conducted other security projects for them  Guards were familiar with us  We also knew a few people from our previous projects www.niiconsulting.com
 Only 3 people in the organization aware of the exercise  Obtain ‘get-out-of-jail-free’ card!  Bought a spy pen-cam  Create fake authorization letters ◦ Fake letterhead (thank-you Photoshop) ◦ Fake signatures ◦ Fake content  Understand the organization’s process flow  Obtain employee list  Define ‘targets’
 Security Auditor ◦ Surprise audit on behalf of Government Agency ◦ Chinese attacks on Indian institution (same-day newspaper headlines )  College Student ◦ Research project  Customer ◦ Call-center  Phishing  Social Networking
www.niiconsulting.com
 Visit the office  Convince the guard to let me in for the surprise security audit ◦ “It won’t be a surprise if you tell anyone”  Once again we interviewed people ◦ Some suspicious ◦ Reading is not verifying  Dumpster diving www.niiconsulting.com
 Gain unauthorized access  Stay back late, after almost all employees left ◦ Photograph the office  ‘Steal’ sensitive documents ◦ From open drawers  Check personal folders kept on desks
 Sensitive information on technologies used  Network architecture revealed  Lot of technical information revealed to “college student” doing a project, as well as journalist  Found bundle of official letter heads in store- room  Gained access to the Server Rooms www.niiconsulting.com
 We registered a domain with a single letter difference ◦ Registered email accounts  Prepared a ‘Employee Complaint/Feedback Form’ ◦ Company header, styling etc.  Sent out mails to on behalf of HR person  Employees are asked to enter their ‘credentials’ to log in to the system  The final page has a PDF that is to be downloaded as a ‘unique token number’ www.niiconsulting.com
www.niiconsulting.com
 About 10 users entered their credentials which we captured  No one downloaded the PDF   Took about 10-15 mins. for HR dept. to be alerted ◦ They sent out an email denying the fake email  One employee had a discussion with HR and responded back to our email address www.niiconsulting.com
 Linkedin ◦ Fake employee profile  Searched for people not listed in the network ◦ Joined the company ‘network’ ◦ Sent out invites  Facebook ◦ Multiple fake profiles  Added each other as friends www.niiconsulting.com
www.niiconsulting.com
 Turns out they had a new employee  Everyone thought his was the ‘fake’ profile  Very difficult to identify the real profile  ‘Attractive’ profiles  receive friend requests www.niiconsulting.com
www.niiconsulting.com
 Confidential… www.niiconsulting.com
Contact:  wasim.halani@niiconsulting.com  http://www.niiconsulting.com  @washalsec www.niiconsulting.com

More Related Content

PDF
NII Social Engineering Case Study
byNetwork Intelligence India
 
PPTX
Disadvantages of Digital Identity
byDigital-identity
 
PDF
AI And Cyber-security Threats
bySpotle.ai
 
PPT
UW School of Medicine Social Engineering and Phishing Awareness
byNicholas Davis
 
PDF
Introduction to IoT (Internet of Things)
byVikram Nandini
 
PPT
Phishing
byHK Khemnani
 
PPT
Tony Nadalin' presentation at eComm 2008
byeComm2008
 
DOCX
Ms 425 electronic banking and it in banks (1)
bysmumbahelp
 
NII Social Engineering Case Study
byNetwork Intelligence India
 
Disadvantages of Digital Identity
byDigital-identity
 
AI And Cyber-security Threats
bySpotle.ai
 
UW School of Medicine Social Engineering and Phishing Awareness
byNicholas Davis
 
Introduction to IoT (Internet of Things)
byVikram Nandini
 
Phishing
byHK Khemnani
 
Tony Nadalin' presentation at eComm 2008
byeComm2008
 
Ms 425 electronic banking and it in banks (1)
bysmumbahelp
 

Viewers also liked

PDF
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
byInfosecurity2010
 
PPT
Parenting Styles
byjeredduffy
 
PDF
40 Great Ways to Make your Employees Feel Appreciated
by6Q
 
PPSX
Dr. Phils Personality Test [Amazing]
bySreenath S
 
PPT
Parenting Styles
bylinyuan
 
PPS
Divine Mercy Sunday - The First Sunday After Easter
byAnna *
 
PPT
Engenharia Social
byData Security
 
PPT
Lenient Versus Strict Rate Control ?
byปิติ นิยมศิริวนิช
 
PDF
Entendendo a Engenharia Social
byDaniel Marques
 
PPS
Psychology Test
byMaureenWard
 
PPT
People's style presentation
byمحمد عبد العزيز
 
PPTX
Team building
byمحمد عبد العزيز
 
PDF
Engenharia Social: A Doce Arte de Hackear Mentes
byRafael Jaques
 
PPTX
Facebook vs mixi
byRahul Roy
 
PPTX
Outcome 5 of Performance Appraisal and Productivity
byDr.Manishankar Chakraborty
 
PDF
Fast, Lenient, and Accurate – Building Personalized Instant Search Experience...
byAbhimanyu Lad
 
PDF
10 Estratégias de Manipulação
byUniversidade Estácio de Sá
 
PDF
CERIS_Symposium_Kolar
byysorano
 
PDF
Is there a deterrence gap? -GLRC seminar, March 19, 2014
byysorano
 
PDF
Leniency, Asymmetric Punishment and Corruption: Preliminary Evidence from China
byStockholm Institute of Transition Economics
 
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
byInfosecurity2010
 
Parenting Styles
byjeredduffy
 
40 Great Ways to Make your Employees Feel Appreciated
by6Q
 
Dr. Phils Personality Test [Amazing]
bySreenath S
 
Parenting Styles
bylinyuan
 
Divine Mercy Sunday - The First Sunday After Easter
byAnna *
 
Engenharia Social
byData Security
 
Lenient Versus Strict Rate Control ?
byปิติ นิยมศิริวนิช
 
Entendendo a Engenharia Social
byDaniel Marques
 
Psychology Test
byMaureenWard
 
People's style presentation
byمحمد عبد العزيز
 
Team building
byمحمد عبد العزيز
 
Engenharia Social: A Doce Arte de Hackear Mentes
byRafael Jaques
 
Facebook vs mixi
byRahul Roy
 
Outcome 5 of Performance Appraisal and Productivity
byDr.Manishankar Chakraborty
 
Fast, Lenient, and Accurate – Building Personalized Instant Search Experience...
byAbhimanyu Lad
 
10 Estratégias de Manipulação
byUniversidade Estácio de Sá
 
CERIS_Symposium_Kolar
byysorano
 
Is there a deterrence gap? -GLRC seminar, March 19, 2014
byysorano
 
Leniency, Asymmetric Punishment and Corruption: Preliminary Evidence from China
byStockholm Institute of Transition Economics
 

Similar to Social Engineering - Exploiting the Human Weakness

PPTX
Employee Security Awareness Training
byDenis kisina
 
PDF
National Life IT Department's Cyber Security Awareness Presentation
byJamie Proctor-Brassard
 
PPT
Ia 124 1621324160 ia_124_lecture_02
byITNet
 
PDF
Social Engineering.pdf
byMeshalALshammari12
 
PDF
Social engineering attacks
byRamiro Cid
 
PPTX
mobile security.pptx
byTapan Khilar
 
PPT
Social Engineering threats and concern.ppt
byasalahuddin317
 
PPTX
Social engineering-Attack of the Human Behavior
byJames Krusic
 
PPTX
Social engineering
byAbdelhamid Limami
 
PPT
Edith Turuka: Cyber-Security, An Eye Opener to the Society
byHamisi Kibonde
 
PPTX
7 social engineering and insider threats
bymohamad Hamizi
 
PPTX
social engineering
byRavi Patel
 
PDF
Social Engineering Case Study by Wasim Halani
byn|u - The Open Security Community
 
PPT
Social engineering for security attacks
bymasoud khademi
 
PPTX
Data security concepts chapter 2
byNickkisha Farrell
 
PDF
Information security
byVijayananda Mohire
 
PPTX
THE LEADERS AWARENESS OF INFORMATION SECURITY
byCsaba KOLLAR (Dr. Dr. habil. PhD.)
 
PDF
LinkedIn to Your Network - The Social Engineering Threat
byLancope, Inc.
 
PDF
Social Networks And Phishing
byecarrow
 
PPT
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
Employee Security Awareness Training
byDenis kisina
 
National Life IT Department's Cyber Security Awareness Presentation
byJamie Proctor-Brassard
 
Ia 124 1621324160 ia_124_lecture_02
byITNet
 
Social Engineering.pdf
byMeshalALshammari12
 
Social engineering attacks
byRamiro Cid
 
mobile security.pptx
byTapan Khilar
 
Social Engineering threats and concern.ppt
byasalahuddin317
 
Social engineering-Attack of the Human Behavior
byJames Krusic
 
Social engineering
byAbdelhamid Limami
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
byHamisi Kibonde
 
7 social engineering and insider threats
bymohamad Hamizi
 
social engineering
byRavi Patel
 
Social Engineering Case Study by Wasim Halani
byn|u - The Open Security Community
 
Social engineering for security attacks
bymasoud khademi
 
Data security concepts chapter 2
byNickkisha Farrell
 
Information security
byVijayananda Mohire
 
THE LEADERS AWARENESS OF INFORMATION SECURITY
byCsaba KOLLAR (Dr. Dr. habil. PhD.)
 
LinkedIn to Your Network - The Social Engineering Threat
byLancope, Inc.
 
Social Networks And Phishing
byecarrow
 
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 

Recently uploaded

PDF
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
PDF
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 

Social Engineering - Exploiting the Human Weakness

  • 1.
    Exploiting the humanweakness www.niiconsulting.com Presentation by: Wasim ‘washal’ Halani Network Intelligence India Pvt. Ltd.
  • 2.
    Network Intelligence, incorporatedin 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!
  • 3.
     Information security atevery organization is one of the most important aspects!  It is people who handle this information  Social Engineering is exploiting the weakness link – the employees www.niiconsulting.com
  • 4.
    “Social Engineering isthe act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.” [Source: Wikipedia] www.niiconsulting.com
  • 5.
  • 6.
  • 9.
     Wordpress vulnerabilityon the blogs of their websites Kevin ‘don’t call me a security expert’ Mitnick Dan ‘I smile when I am hacked’ Kaminsky www.niiconsulting.com
  • 11.
     Phishing  Baiting Identity Theft  Dumpster Diving  Email Scams  Use of Authority  Request for Help  Indulging Curiosity  Exploiting Greed =Abuse of Trust www.niiconsulting.com
  • 12.
     IT/ITES Company Two offices  About 400 – 500 employees  We had previously conducted other security projects for them  Guards were familiar with us  We also knew a few people from our previous projects www.niiconsulting.com
  • 14.
     Only 3people in the organization aware of the exercise  Obtain ‘get-out-of-jail-free’ card!  Bought a spy pen-cam  Create fake authorization letters ◦ Fake letterhead (thank-you Photoshop) ◦ Fake signatures ◦ Fake content  Understand the organization’s process flow  Obtain employee list  Define ‘targets’
  • 15.
     Security Auditor ◦Surprise audit on behalf of Government Agency ◦ Chinese attacks on Indian institution (same-day newspaper headlines )  College Student ◦ Research project  Customer ◦ Call-center  Phishing  Social Networking
  • 16.
  • 17.
     Visit theoffice  Convince the guard to let me in for the surprise security audit ◦ “It won’t be a surprise if you tell anyone”  Once again we interviewed people ◦ Some suspicious ◦ Reading is not verifying  Dumpster diving www.niiconsulting.com
  • 18.
     Gain unauthorizedaccess  Stay back late, after almost all employees left ◦ Photograph the office  ‘Steal’ sensitive documents ◦ From open drawers  Check personal folders kept on desks
  • 20.
     Sensitive informationon technologies used  Network architecture revealed  Lot of technical information revealed to “college student” doing a project, as well as journalist  Found bundle of official letter heads in store- room  Gained access to the Server Rooms www.niiconsulting.com
  • 22.
     We registereda domain with a single letter difference ◦ Registered email accounts  Prepared a ‘Employee Complaint/Feedback Form’ ◦ Company header, styling etc.  Sent out mails to on behalf of HR person  Employees are asked to enter their ‘credentials’ to log in to the system  The final page has a PDF that is to be downloaded as a ‘unique token number’ www.niiconsulting.com
  • 23.
  • 24.
     About 10users entered their credentials which we captured  No one downloaded the PDF   Took about 10-15 mins. for HR dept. to be alerted ◦ They sent out an email denying the fake email  One employee had a discussion with HR and responded back to our email address www.niiconsulting.com
  • 25.
     Linkedin ◦ Fakeemployee profile  Searched for people not listed in the network ◦ Joined the company ‘network’ ◦ Sent out invites  Facebook ◦ Multiple fake profiles  Added each other as friends www.niiconsulting.com
  • 26.
  • 28.
     Turns outthey had a new employee  Everyone thought his was the ‘fake’ profile  Very difficult to identify the real profile  ‘Attractive’ profiles  receive friend requests www.niiconsulting.com
  • 29.
  • 30.
  • 31.