Social Engineering Presentation 2008 Linkedin[1]



  1. Corporate Information Security: New Trends in Corporate Information Loss
     Tim Rhodes, Provizio, 208-629-3300
  2. Learning Objectives
     - Today's learning objectives include:
       - Identify the threats of deceptive social engineering used to gain confidential and proprietary corporate information
       - Understand the "red flag" warnings of a potential social engineering attempt
       - Identify how social engineers find potential sources of confidential information and exploit opportunities to gain that information
       - Learn how social engineers succeed in gaining confidential information from specific employee types within a company
       - Understand how to combat social engineering attempts
  3. Economic & Industrial Espionage
     - Corporate confidential information loss is real!
     - US Fortune 1000 companies lost upwards of $300 BILLION from intellectual property theft [1]
       - 26% of companies surveyed by the FBI reported intellectual property theft
       - 44% of industrial technology collection efforts were linked to foreign governments and government-affiliated organizations
       - 54% were linked to domestic competitor espionage activities
         - This is from "social engineering", which is the purposeful collection of confidential and proprietary information from either knowing or unknowing company employees
         - "Social engineers" use varying techniques ranging from completely overt information collection to entirely covert methods
           - Overt examples: survey or interview request, discussions at trade shows, or a formal approach
           - Covert examples: pretending to be a potential customer or company employee
     [1] Source: Annual Report to Congress on Foreign Economic & Industrial Espionage, Feb 2005
  4. Successful Espionage Tactics (Source: Defense Security Service)
     Combating social engineering is JUST AS important as the tactics, processes, and prevention strategies used to combat hacking
  5. Common Social Engineering Methods (Source: Defense Security Service)
     - Top four social engineering methods (making up 74% of all social engineering):
       - Fake RFPs and fake sales requests
       - Direct social engineering of company employees
       - Confidential information released by companies' partners, resellers, or vendors
       - Social engineering at trade shows & seminars
  6. How Social Engineering Works
     - Information Gathering: Collected information is either used as a basis to build a relationship, however temporary, with someone connected to the eventual target, or used as a primary piece of intelligence to answer the key intelligence questions (KIQs)
     - Development of Relationship: It's human nature to be somewhat trusting. Attackers exploit this tendency to develop a rapport with their targets. Often this takes place in a single phone call; in other cases it can span weeks or longer. By developing a relationship, attackers place themselves in a position of trust, which can then be exploited in the short term as well as the long term
     - Exploitation of Relationship: The attacker exploits the target into revealing information or performing an action that would not normally occur. This information or action can be the end objective or can be used to stage the next attack or phase of the attack
     - Execution to Achieve Objective: The attacker executes the cycle to achieve the end objective. Often an attack can include a number of these cycles, combined with traditional cracking methods and some physical information gathering, to achieve the end objective. What is important to understand is that trained social engineers collect "pieces" of information from various sources to build the picture after all the collection is completed. RARELY do they seek the answer from a single source
     Collection is cyclical, with every piece of information being valuable. The cycle is restarted and reused until the objective is met.
     [Diagram: cycle of Information Gathering, Development of Relationship, Exploitation of Relationship, Execution to Achieve Objective]
  7. How Social Engineering Works
     - The "Puzzle" Approach to Social Engineering
       - Rather than targeting one or two individuals with knowledge about a specific piece of needed information, successful social engineers (SEs) target multiple human sources using a "puzzle approach"
       - SEs may target multiple source types, including former employees, current & lost customers, channel partners & vendors, and various types of employees
     Effective SEs are creative in their approach, identifying multiple sources that may have even a minor "piece" of the "puzzle"
  8. How Social Engineering Works
     - The "Puzzle" Approach to Social Engineering
       - The puzzle approach requires extensive planning, identifying sources, and developing strategies for approaching sources
         - Effective SEs also ask the question, "Why would this particular person want to talk to me?"
         - The SE then creates an environment around the most plausible answer to that question
           - Example: Calls a sales manager as a potential high-dollar customer
           - Example: Finds an employee name within a company's promoted case study and inflates their ego for having "so much knowledge and experience to be a part of such a strong case study"
           - Example: "Recruiter" strategy: "John, as part of my determination of whether you would be a good fit for this new position, tell me about the size of the budget you managed at your current position?"
           - Example: Knowingly calls an employee who would not have the answer but asks for a referral to someone who would know the answer; successful 9 times out of 10
           - "Hi, Jake. Hey, John in Sales told me to call you and said you were the in-house expert on this. What is the date of the launch of the new product X?"
         - The puzzle approach limits suspicion by targeting specific sources for information that is part of their normal, daily job function
  9. How Social Engineering Works
     - The "Puzzle" Approach to Social Engineering
       - Example of a typical plan for targeting multiple sources (to the right)
         - Using the "Puzzle" approach requires obtaining "pieces" of information from various types of sources based upon the intelligence question
       - After all interviews are complete, the information is synthesized together ("pieces of the puzzle put together") in an attempt to identify the answer to the intelligence question
         - If there is a gap in the intelligence or not enough depth, either re-interviews are completed or new sources are sought to provide the needed information to fill the intelligence gap
     [Diagram: plan for targeting multiple sources within the Target Company]
  10. Social Engineering Methods
     - The various social engineering techniques used seek to leverage human motivators, egos, & behaviors combined with the source's specific knowledge area and probability of providing accurate information
       - Elicitation: A seemingly normal conversation with an individual, contrived to extract sensitive information about companies, strategies/products & employees (can be covert or overt)
         - Puts someone at ease to share information
         - Difficult to recognize as an espionage attempt
         - Easily deniable by an adversary; lowers suspicion
       - False Covers: Lowering suspicion & building trust through false identification:
         - Journalist: Promising to promote company interests & promote the employee positively
         - Current employee: Able to demonstrate "inside" information to gain trust
         - Recruiter: Very popular and successful technique used today
         - Student: MBA student
         - Customer: Current or potential customers, suppliers & partners
  11. Social Engineering Methods
     - Accessing Key Employees: Finding employees willing to share sensitive information, either knowingly or unknowingly
       - "War dialing" to create phone directories
       - False referrals from executives or higher-level employees
       - Utilizing PR/IR departments to interview senior execs unprotected
       - Leveraging corporate social networking sites (…) to gain legitimate access to potential individuals & leverage their personal backgrounds to develop a short-term or long-term relationship
         - Example: Identify a potential source's former graduate school and their degree
         - Example: Identify the name of a potential source's co-worker that you "received a referral from"
     [Screenshot: actual profile on Linkedin.com; the profile provides in-depth specifics on job responsibilities as well as confidential budget & earning figures]
  12. Social Engineering Methods
     - Augment with Technical Intelligence: Use of technical information collection devices to gain an edge for source identification, source background information, or the actual collection of specific intelligence
       - Common consumer technology used: When illegal eavesdropping is desired, spies will often utilize untraceable and inexpensive consumer technology that can be easily modified for audio and video spying
         - Baby monitors: Microphones are hyper-sensitive and can pick up room conversations as well as be applied to windows
         - Prepaid cellphones: Unlimited transmission range for audio eavesdropping; can be used covertly by turning off the ringer and setting to auto-answer
     [Photos: Audio/Video Wireless "Bug" (1,000 feet transmission range), $90; Small FM Wireless "Bug" (1/2 mile transmission range), $45; Prepaid cell phone (unlimited transmission range), $45; Baby Monitor (1,000 feet transmission range), $80 retail]
  13. Social Engineering Methods
     - Bribery: Use of specific sums of money or personal leverage to encourage employee(s) to provide confidential information
     - Using false identification: Accessing confidential information (corporate databases, e-mail, servers, etc.) by assuming the identity of an employee
       - Assume identities of traveling executives (secondary research)
       - Create a travel "emergency". Ex: remote access problem
       - Request temporary passwords/login assistance. Ex: change passwords
  14. The Art of Human Persuasion
     - Social engineers play on human tendencies & motivators to elicit certain responses in the target, taking advantage of the following:
       - Fear of job loss or personal embarrassment
       - Desire to help others: The tendency is to help others in need (personally & professionally)
       - Desire for prestige: Can stimulate bragging, often resulting in information release
       - Desire for personal gain: Sales professionals want to sell, often allowing the release of product & strategy information
       - Overworked, tired, under-appreciated employees: IT and IS staff are often eager to talk because they are traditionally over-exploited and over-worked
  15. The Art of Human Persuasion
     - Successful SEs will often combine techniques that leverage human behavior characteristics
       - They will also plan to use specific techniques & approaches based upon the profile of the source completed during planning
         - Do they appear egotistical, humble, friendly?
     - Examples of specific approaches and techniques include:
       - Provocative Statement: Designed to set the stage and is followed up by another approach. Examples:
         - Quid pro quo
         - Naiveté
         - Disbelief
         - Criticism
       - Quid pro Quo (or Leveraging): Providing some information to get the information you really want.
         - "I heard that Motorola was launching their wireless product in June. Is that close to your launch?"
  16. The Art of Human Persuasion
     - Examples of specific approaches and techniques include:
       - Simple Flattery: Complimenting the source based on some recent success with the company or organization.
       - Exploiting the Instinct to Complain: Finding a disgruntled employee to talk about a specific negative condition to stimulate discussion & build a relationship
       - Bracketing: Providing a range of possible dates, times, or revenues to exploit the human tendency to correct mistakes
         - "I heard that the budget for the new program was between $5 million and $10 million. Is that correct?"
       - False Statement: Providing a purposefully false statement to leverage the human instinct to correct a mistake as well as to demonstrate competency (boast, ego-driven)
         - SE: "When the product launches in July…"
         - Source: "Oh, you mean October. Because it got pushed back due to engineering problems with…"
     Techniques can be combined to leverage specific information or dig further into a subject.
  17. Social Engineering: Sources vs. Assets
     - Often, successful social engineers looking to develop long-term sources may not solicit confidential information during the first 2-3 phone calls/interactions; rather, they may build the relationship to turn a one-time information source into a long-term "asset"
       - "Source" refers to the short-term use of an individual for information
     - Building long-term relationships with company contacts occurs:
       - To establish a 2-way exchange of information & benefits of cooperation
       - To appeal to personal motivations & promise anonymity
       - To use "assets" to expand the source network inside the target company
     - To build long-term assets, social engineers will often build a profile of an individual using information that includes:
       - All demographic information, prior employment, current friends, any routines, personal likes/dislikes (to create common ground), personal relationships, charities, personal hobbies, and former education
       - Credit reports, cell phone / landline records, credit card records
       - Civil/criminal histories
       - News articles, blogs, and postings from online discussion forums
  18. Espionage vs. Competitive Intelligence
     - Competitive Intelligence is NOT espionage
       - CI is the legal and ethical means of collecting & analyzing information from multiple data sources
       - Three different ways to collect information:

         Legal & Ethical:
           - Use of secondary sources
           - Proper use of primary sources
           - All interviews & discussions in true name (no misrepresentation)
           - No collection of known confidential information (rather, use multiple data sources and analyze "pieces" of data together into your "puzzle picture")

         Legal But Unethical:
           - Use of HUMINT using a different name (misrepresentation). Ex: MBA student, journalist, potential investor, etc.
           - Seeking confidential information (single-source interviews)

         Illegal:
           - Use of social engineering / misrepresentation to gain confidential information
           - Using technical means to acquire information (listening devices or "bugs", video surveillance, etc.)
           - Bribery to obtain information (exchanging money for information or holding information over someone to force information)
  19. Detecting Social Engineering
     - Red flags to help determine a potential social engineering attack:
       - Phone calls with blocked caller ID from individuals seeking critical/suspect information
       - Individuals who will not leave a phone number, their name, e-mail, or mailing address
       - Use of a non-company e-mail address (Yahoo, Hotmail, AOL, etc.)
       - Individuals claiming to be employees but unwilling to authenticate their employment (their extension, group supervisor, division, etc.)
       - Journalists or reporters calling without PR/IR persons on the line with them or prior notification
         - They will often "name drop" the PR manager or others to gain short-term trust. Example: "Audrey Schaefer gave me your name & number & told me to call."
       - False identities (reporter, potential customer, vendor, etc.)
         - No website (or lack of a significant website) to go with their reported company
         - Use of only a cell phone with no landline phone
  20. Protecting Your Company
     - Awareness
       - Be aware that not every interaction (phone call, trade show visit, etc.) is an authentic sales or customer opportunity
       - Pay attention to details. Look for things out of the ordinary or that do not add up (gut feelings are usually correct!)
         - (Hotmail account, cell phone, unwillingness to give contact information, inappropriate level of hostility, etc.)
       - Have a plan. Send the suspected SE to the proper internal employees to deal with the issue; you do NOT have to deal with the issue yourself
     - Procedures
       - Know who & how to call for help
       - Log the incident
     - Commitment
       - Don't give out information, even if you think it is public or non-critical
  21. Additional Recommendations
     - Make sure that sensitive documents are not left where others can gain easy access (e.g., conference rooms, desktops, printers, at Kinko's, etc.)
     - Erase white boards at the end of meetings to prevent visitors from seeing potentially confidential information.
     - Do not use the trash to get rid of sensitive documents or e-mails. Instead use the shredding bins.
     - Take special care to protect information on laptop computers while traveling. It is very easy for someone to view information over your shoulder or to quickly download information from an unattended laptop.
     - Avoid holding sensitive conversations and phone calls in places where others can overhear what is being said.
     - Avoid posting excess information about yourself, your job responsibilities, and your company on business and social media websites.
     - When in doubt about what is confidential, err on the side of caution. Assume information is confidential unless it has been released in public documents.
     - If you become aware that the company's confidential information has been improperly disclosed, bring it to the attention of your supervisor or Corporate Security without delay.