Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Social engineering

Social engineering is an means of hacking making a person fool and to steal their dat

  • Login to see the comments

Social engineering

  1. 1. THE MIND GAME BEYOND Normal HUMAN!
  2. 2. Simple Definition  Social engineering is a psycho-social attack that subverts human trust and helpfulness in order to attain the attacker’s goals.
  3. 3. Outline  What is it?  How is it done?  Who is at risk?  Approach?
  4. 4. What is it?  Social engineering is the oldest form of hacking.  Social engineers focus on the users of the system. By gaining the trust of the user, a social engineer can simply ask for whatever information he or she wants…and usually get it.
  5. 5. The Social Engineering!!!!  Uses Psychological Methods  Exploits human tendency to trust  Goals are the Same as Hacking “the art and science of getting people to comply with your wishes”
  6. 6. Why Social Engineering?  Easier than technical hacking  Hard to detect and track
  7. 7. A social engineer’s mantra… “There is no patch for human stupidity.”
  8. 8. The Mind of a Social Engineer  More like actors than hackers  Learn to know how people feel by observing their actions  can alter these feelings by changing what they say and do  make the victim want to give them the information they need
  9. 9. How is it done?  Attacks come in various forms:  On the phone, over e-mail, in person impersonation
  10. 10. Impersonation  Play the part!  Social Engineers must:  Anticipate problems  Know jargon and procedures of the role
  11. 11. Impersonation  And most importantly, knowledge of how to build trust with whomever they need information from.  Social engineers most often impersonate authority figures, assistants to authority figure, and new employees.
  12. 12. More techniques…  Dummy Mode  Bury the key question  Research (Google)
  13. 13. Over the phone  The phone is the most popular method of social engineering because it is difficult to verify or deny someone’s identity.
  14. 14. Over e-mail and IM  E-mail attacks are very common (phishing).  E-mail is also used for impersonation.  Obtaining password for an IM account could lead to access to a bank account, other personal data.
  15. 15. Dumpster diving  Digging through trash at corporations in search of sensitive data.
  16. 16. Outline  What is it?  How is it done?  Who is at risk?  Approach?
  17. 17. Who is at risk?  Everyone.  Everyone with information is a potential target!
  18. 18. Real World Examples  90% of office workers gave away their password for a pen.  70% of people who trade their password for a bar of chocolate.
  19. 19. Real World Examples  1/3 of the IRS employees provided their user name and changed their password in a 2005 security audit.  USC vs. Cal basketball game
  20. 20. Approaches  Carelessness  Comfort Zone  Helpfulness  Fear
  21. 21. Careless Approach  Victim is Careless  Does not implement, use, or enforce proper countermeasures  Used for Reconnaissance  Looking for what is laying around
  22. 22. Careless Examples  Dumpster Diving/Trashing  Huge amount of information in the trash  Most of it does not seem to be a threat  The who, what and where of an organization  Knowledge of internal systems  Materials for greater authenticity  Intelligence Agencies have done this for years
  23. 23. Comfort Zone Examples  Impersonation  Could be anyone  Tech Support  Co-Worker  Boss  CEO  User  Maintenance Staff  Generally Two Goals  Asking for a password  Building access - Careless Approach
  24. 24. Comfort Zone Approach  Victim organization members are in a comfortable environment  Lower threat perception  Usually requires the use of another approach
  25. 25. Helpful Approach  People generally try to help even if they do not know who they are helping  Usually involves being in a position of obvious need  Attacker generally does not even ask for the help they receive
  26. 26. Helpful Examples  Piggybacking  Attacker will trail an employee entering the building  More Effective:  Carry something large so they hold the door open for you  Go in when a large group of employees are going in  Pretend to be unable to find door key
  27. 27. Fear Approach  Usually draws from the other approaches  Puts the user in a state of fear and anxiety  Very aggressive
  28. 28. Fear Examples  Conformity  The user is the only one who has not helped out the attacker with this request in the past  Personal responsibility is diffused  User gets justification for granting an attack.
  29. 29. Combating Social Engineers  User Education and Training  Identifying Areas of Risk  Tactics correspond to Area  Strong, Enforced, and Tested Security Policy
  30. 30. User Education and Training  Security Orientation for new employees  Yearly security training for all employees  Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented  Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc with security slogans (I.e. “Loose lips sink ships”).
  31. 31. Security Policy  Management should know the importance of protecting against social engineering attacks  Specific enough that employees should not have to make judgment calls  Include procedure for responding to an attack
  32. 32. Areas of Risk  Certain areas have certain risks  What are the risks for these areas?  Help Desk, Building entrance, Office, Mail Room, Machine room/Phone Closet, Dumpsters, Intranet/Internet, Overall
  33. 33. Conclusions  Social Engineering is a very real threat  Realistic prevention is hard  Can be expensive  Militant Vs. Helpful Helpdesk Staff  Reasonable Balance
  34. 34. “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” -Kevin Mitnick
  35. 35. Questions
  36. 36. References  Psychological Based Social Engineering, Charles Lively. December 2003. SANS Institute. 10 September 2005. http://www.giac.org/certified_professionals/practicals/gsec/3547.php  Sarah Granger, “Social Engineering Fundamentals: Part I”. Security Focus. December 2001. 10 September 2005. http://www.securityfocus.com/infocus/1527  Sarah Granger, “Social Engineering Fundamentals: Part II”. Security Focus. January 2002. 10 September 2005. http://www.securityfocus.com/infocus/1533

×