Social engineering-Sandy Suhling

Social engineering: Case Study & attack implications

  1. Social Engineering Attacks: Case Studies & Security Implications
     By Sandy Suhling, INFO 644, Fall 2013

  2. What is social engineering?
     ● “gaining of information from legitimate users for illegitimate access” (Dhillon, 2013).
     ● generally involves manipulating someone into taking an action or giving information that may or may not be in the target’s best interests (Hadnagy, 2010).

  3. Social engineering techniques
     ● dumpster diving (Brody, Brizzee, & Cano, 2012)
     ● shoulder surfing
     ● tailgating/piggybacking
     ● phishing
     ● pretexting
     ● intimidation (Orlando, 2007)
     ● bribery

  4. Case Study: Wayland Fruit Company
     (slide image: http://world-beautifulwallpapers.blogspot.com/2013/02/beautiful-fruits-wallpapers.html)

  5. Case Study: Holes in Security
     ● company policy violations
       ○ vulnerable to blackmail, coercion
     ● hacker use of pretexting to get information
       ○ pretended to be an EW IT technician
       ○ knew information about the company & Mr. Farmer
     ● lack of awareness/education
     ● use of the same login ID and password for multiple accounts

  6. Social & Technical Vulnerabilities
     ● Walmart: good customer service vs. giving out business information (Cowley, 2012).
     ● Human tendencies = vulnerabilities:
       ○ want to be helpful
       ○ make assumptions
       ○ reluctance to question authorities
       ○ people take shortcuts: security vs. usability (Hadnagy, 2010).
       ○ overconfidence

  7. Implications for attacks
     ● can have high costs
       ○ financial costs: $25,000-$100,000/incident
       ○ loss of trust in employees
       ○ loss of business
     ● difficult to prevent because of natural human tendencies

  8. Preventing social engineering attacks
     ● include 4th generation security measures (Dhillon, 2013).
     ● education and awareness about social engineering for all employees
     ● use a combination of informal, formal, and technical controls/security measures
     ● make use of penetration testing
     ● don’t make it easy!
       ○ ex: proper disposal of trash/important documents (Brody, Brizzee, & Cano, 2012)

  9. Class Question
     What other security measures can businesses use to prevent social engineering attacks? How are these security measures different from those instituted to protect from other types of attacks?

  10. References
     ● Brody, R.G., Brizzee, W.B., & Cano, L. (2012). Flying under the radar: Social engineering. International Journal of Accounting and Information Management, 20(4). Retrieved from http://www.emeraldinsight.com.proxy.library.vcu.edu/journals.htm?articleid=17058136&show=abstract
     ● Cowley, S. (2012). How a lying 'social engineer' hacked Wal-Mart. CNN. Retrieved from http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm
     ● Dhillon, G. (2013). Enterprise Cyber Security: Principles and Practice. Washington, DC: Paradigm Books.
     ● Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, IN: John Wiley & Sons. Retrieved from http://proquest.safaribooksonline.com.proxy.library.vcu.edu/9780470639535
     ● Orlando, J. (2007). Social engineering in penetration testing: Cases. Security Strategies Alert. Retrieved from http://www.networkworld.com/newsletters/2007/1022sec2.html?page=1
