Security Awareness ~ Social Engineering
Social Engineering
Wikipedia defines social engineering as the practice of obtaining confidential information by manipulating legitimate users. A social engineer commonly uses the telephone or the Internet to trick people into revealing sensitive information or into doing something that violates normal policy. Rather than exploiting holes in computer security, the social engineer exploits people's natural tendency to take someone at their word.
It is generally agreed that "users are the weakest link" in security, and this is what makes social engineering possible.
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
Social Engineering
- People are the weakest link in the security of an institution.
- Social engineers take advantage of this because:
- It is natural for people to want to help.
- It is natural for people to trust.
- It is natural for people to fear what happens when they do something wrong.
- Social engineering is one of the predominant ways data is compromised.
- It is usually the first type of attack to occur.
- A direct request from the attacker.
- An indirect request from the attacker.
- They ask questions that are not directly related to their objective, hoping the victim volunteers the information they really want.
- They use statements that make the person feel a certain way, such as fear of a reprimand or of losing their job.
- Defending against social engineering is difficult.
- The security of the institution relies on individuals to determine what is right (instinct?).
- Training is a key component of any security awareness program; it is how people are made aware.
- Policies are implemented.
Direct Engineering
- Direct engineering can take the form of the following:
- Impersonation: "This is a representative from your bank. We need to verify some information."
- Authority figure: "This is Sergeant Yada Yada from your local precinct. Can you verify your name and address for me?"
- Help desk (the most common target).
- Authorized third party: "This is someone from some contractor, and I need your username and password to verify something."
- Support: "This is tech support. We are seeing a problem with your account and need your password to fix it."
- In person: "I have a bunch of food for a meeting; can you open the door for me?"
- Direct engineering can also take the form of the following:
- Dumpster diving: digging through trash to collect details about someone.
- Ever thrown away a credit card receipt with the entire number on it?
- Thrown away something with your SSN on it?
- Invest in a shredder!
- Shoulder surfing: watching as a user types in their information, such as a password, username, or PIN at an ATM.
- Is there someone behind you standing too close?
- Direct engineering can also take the form of the following:
- Piggybacking (two meanings):
- Gaining access to a restricted area by walking in close behind someone so they hold the door open for you.
- One of the easiest ways to gain access to a building.
- Plays on people's desire to help.
- When entering a restricted or locked area, have you ever held the door open (being polite) for someone you did not recognize, whether they asked or not?
- Gaining access to a computer because the user did not lock it when leaving, even for just a moment.
Computer Based Engineering
- Spam/Phishing
- Spam is unsolicited email, often advertising cheap wonder drugs. Provide your credit card information and you may find the card maxed out; worse still if you gave them your debit card number.
- Phishing is unsolicited email that appears to come from a legitimate bank and asks you to click a URL and enter your banking information: user ID, password, account number, SSN, etc.
- Always be the one to initiate contact. If you get a phone call from your bank, ask to call them back at a published number, or go to a branch.
- Research it! Most scams will have others complaining about them online.
- Popups are additional windows that appear while surfing the Internet, or because malicious software has been installed on your PC.
- In some cases, such as free Internet services (NetZero, for example), the popups are part of the terms you accepted.
- Clean your PC and use a popup blocker (the Google Toolbar, for example).
- Web sites are not always legitimate.
- Hacked web sites exist because companies or their systems have flaws that can be exploited.
- Your PC can be redirected to malicious sites.
- Email attachments can include executables (programs) or other files that contain malicious code.
- Before opening an email attachment, make sure you know who sent it.
- Were you expecting it?
- Anti-virus software should be installed.
- Anti-spyware software should be installed.
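The phishing bullet above describes the lure (an email that looks like it comes from your bank and asks you to click a link) but not how the link itself gives the game away. The script below is an added example, not part of the original slides: it parses a constructed phishing-style email body and flags the tricks typically used in such links, namely a raw IP address in place of a host name, a `user@host` URL whose text before the `@` is ignored by the browser, a host that is not under the domain the sender claims to be, and visible link text that names a different site than the real destination. All domains in the sample are reserved example names, the "expected" bank domain is an assumed value, and `registered_domain()` is a deliberately crude last-two-labels heuristic (a real check would use a public-suffix list).

```python
"""Flag suspicious links in an HTML e-mail body.

Added example for the phishing discussion; it is not part of the original
slides. SAMPLE_EMAIL is constructed, and every domain in it is a reserved
example name, not a real site.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a message claiming to come from "Example Bank".
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Please <a href="http://198.51.100.23/login">verify your identity</a> within 24 hours.</p>
<p>Or sign in at <a href="http://www.example-bank.com@evil.example/">www.example-bank.com</a></p>
<p>Help: <a href="https://www.example-bank.com.evil.example/help">https://www.example-bank.com/help</a></p>
<p>Our privacy policy: <a href="https://www.example-bank.com/privacy">privacy policy</a></p>
"""

EXPECTED_DOMAIN = "example-bank.com"  # assumed: the sender the e-mail claims to be


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels heuristic; a real check would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(href, text, expected_domain=EXPECTED_DOMAIN):
    """Return the reasons this link looks like a phishing lure (empty if none)."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    # 1. A raw IP address where a bank would use a name.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    # 2. user@host trick: the browser ignores everything before the '@'.
    if parts.username is not None:
        warnings.append("URL contains userinfo before '@' (real host is %s)" % host)
    # 3. The real host is not under the domain the sender claims to be.
    if host and registered_domain(host) != expected_domain:
        warnings.append("host %s is not under %s" % (host, expected_domain))
    # 4. The visible text names a site, but the href goes somewhere else.
    m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        warnings.append("link text shows %s but points at %s" % (m.group(1), host))
    return warnings


def scan_email(html, expected_domain=EXPECTED_DOMAIN):
    """Return {href: [warnings]} for every suspicious link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        reasons = link_warnings(href, text, expected_domain)
        if reasons:
            report[href] = reasons
    return report


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run stand-alone, it reports the three lure links and stays silent on the one link that really goes to the claimed bank domain. The same checks are what a user should apply by hand: hover over the link, read the real destination from right to left, and ignore what the blue text says.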
About Social Engineers
- Social engineers may have these personality traits:
- They place the blame on someone else, perhaps a supervisor.
- Who will benefit? Them? You?
- They will gain your trust.
- They will play on your emotions. Do you feel guilty? Morally obliged?
- They will empathize with you, or get you to empathize with them.
- They will appear to be helpful in every way possible.
- They will appear to be very cooperative.
- How does a social engineer get a person to do what they want?
- They may ask directly.
- "Please get so-and-so's password and user ID. So-and-so trusts you."
- They may make the request appear complicated. The more issues seem to be involved, the more one wants to help.
- They may make the victim feel as if the decision was theirs.
Ways Security Can be Breached
- Ways security can be breached:
- Acquire a user's username and password.
- Set up web sites that collect information or install malicious code when visited.
- Install a modem for dialing in to a server, or a rogue wireless access point, so that a laptop can get onto the network to monitor traffic or run hacking tools.
- Pretend to be the help desk and get users to perform actions on the attacker's behalf.
Protecting Yourself
- So, how do you protect yourself from social engineers?
- Issue ID cards or badges, and have them checked.
- Biometrics, such as retina scans, fingerprint scans, or voice or facial recognition.
- Implement password policies.
- Do not share your passwords.
- Do not write down your passwords.
- Use caller ID.
- Do you answer when there is no name or number displayed?
- Shredders are our friends.
- Be able to recognize the signs:
- They refuse to give you contact information.
- You cannot contact them.
- They rush or hurry you.
- They drop important people's names.
- They try to intimidate you.
- There are small mistakes in what they say or do.
- They request information that is forbidden.
- Their cell phone is "about to die."
- Their cell phone can only make calls, not receive them.
- So, how do you protect yourself from social engineers?
- Implement policies.
- Call them back at publicly listed telephone numbers.
- Are they in the phone book?
- Vendors and contractors should be accompanied at all times.
- Assign someone the task of accompanying them.
NSU Policies