Exploiting human weakness: Social Engineering techniques

Exploiting the human weakness
www.niiconsulting.com
Presentation by: Wasim ‘washal’ Halani
Network Intelligence India Pvt. Ltd.
Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!

• Information security at every organization is one of the most important aspects!
• It is people who handle this information
• Social Engineering is exploiting the weakest link – the employees

“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.”
[Source: Wikipedia]

• WordPress vulnerability on the blogs of their websites
Kevin ‘don’t call me a security expert’ Mitnick
Dan ‘I smile when I am hacked’ Kaminsky

• Phishing
• Baiting
• Identity Theft
• Dumpster Diving
• Email Scams
• Use of Authority
• Request for Help
• Indulging Curiosity
• Exploiting Greed
= Abuse of Trust

• IT/ITES company
• Two offices
• About 400 – 500 employees
• We had previously conducted other security projects for them
• Guards were familiar with us
• We also knew a few people from our previous projects

• Only 3 people in the organization aware of the exercise
• Obtain ‘get-out-of-jail-free’ card!
• Bought a spy pen-cam
• Create fake authorization letters
  ◦ Fake letterhead (thank you, Photoshop)
  ◦ Fake signatures
  ◦ Fake content
• Understand the organization’s process flow
• Obtain employee list
• Define ‘targets’

• Security Auditor
  ◦ Surprise audit on behalf of Government Agency
  ◦ Chinese attacks on Indian institution (same-day newspaper headlines)
• College Student
  ◦ Research project
• Customer
  ◦ Call-center
• Phishing
• Social Networking

• Visit the office
• Convince the guard to let me in for the surprise security audit
  ◦ “It won’t be a surprise if you tell anyone”
• Once again we interviewed people
  ◦ Some suspicious
  ◦ Reading is not verifying
• Dumpster diving

• Gain unauthorized access
• Stay back late, after almost all employees left
  ◦ Photograph the office
• ‘Steal’ sensitive documents
  ◦ From open drawers
• Check personal folders kept on desks

• Sensitive information on technologies used
• Network architecture revealed
• A lot of technical information revealed to the “college student” doing a project, as well as to the journalist
• Found a bundle of official letterheads in the storeroom
• Gained access to the Server Rooms

• We registered a domain with a single-letter difference
  ◦ Registered email accounts
• Prepared an ‘Employee Complaint/Feedback Form’
  ◦ Company header, styling etc.
• Sent out mails on behalf of an HR person
• Employees are asked to enter their ‘credentials’ to log in to the system
• The final page has a PDF that is to be downloaded as a ‘unique token number’

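The single-letter-difference sender domain used in the phishing exercise above is something a mail gateway can flag automatically. The following Python check is an added example, not code from the presentation; the company domain examplecorp.com, the log lines and the verdict labels are constructed for illustration.

```python
"""Flag mail whose sender domain is a near-miss of the company's own domain.

Added example, not from the presentation. The exercise used a domain one
letter away from the target's; this check measures every sender domain
against the legitimate one with optimal-string-alignment (Damerau-Levenshtein)
distance, so one substitution, insertion, deletion or adjacent transposition
is caught, and folds common look-alike characters first so homoglyph swaps
(capital I for l, 0 for o) are caught as well.
"""
import re

# Hypothetical legitimate domain; the real company is not named in the deck.
LEGIT_DOMAIN = "examplecorp.com"

# Characters commonly swapped for look-alikes, folded to one canonical form.
# Folding is deliberately lossy: a few false positives in exchange for catching
# swaps a human reader would miss.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})

# Constructed mail-gateway log lines (sender and subject only) for the demo.
SAMPLE_LOG = """\
from=hr@examplecorp.com subject="Q3 holiday calendar"
from=hr@examplecrop.com subject="Employee Complaint/Feedback Form"
from=helpdesk@exampIecorp.com subject="Password expiry notice"
from=hr@examplecorp.co subject="Employee Feedback Form - action required"
from=newsletter@vendor-news.net subject="Weekly digest"
from=payroll@example-corp.com subject="Payslip"
"""

LOG_LINE = re.compile(r'from=([^@\s]+)@(\S+)\s+subject="([^"]*)"')


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus one
    adjacent transposition ("corp" -> "crop" costs 1, not 2)."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1,          # deletion
                         cur[j - 1] + 1,        # insertion
                         prev1[j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify_domain(domain: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return a verdict label (label names are this example's own)."""
    domain = domain.lower().rstrip(".")
    if domain == legit:
        return "legitimate"
    folded, legit_folded = domain.translate(CONFUSABLES), legit.translate(CONFUSABLES)
    distance = osa_distance(folded, legit_folded)
    if distance == 0:
        return "lookalike-homoglyph"       # differs only in confusable characters
    if distance == 1:
        return "lookalike-single-edit"     # the deck's one-letter-off domain
    return "unrelated"


def scan_log(text: str) -> list[dict]:
    """Return one record per log line whose sender domain is a look-alike."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                        # not a mail record, skip it
        user, domain, subject = m.groups()
        verdict = classify_domain(domain)
        if verdict.startswith("lookalike"):
            hits.append({"sender": f"{user}@{domain}", "domain": domain,
                         "verdict": verdict, "subject": subject})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['verdict']:24} {hit['sender']:32} {hit['subject']!r}")
```

A distance threshold of 1 matches the case in the deck; raising it catches more variants at the cost of more review work, so tune it against your own gateway's legitimate traffic.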
• About 10 users entered their credentials, which we captured
• No one downloaded the PDF
• Took about 10-15 minutes for the HR dept. to be alerted
  ◦ They sent out an email denying the fake email
• One employee had a discussion with HR and replied to our email address

• LinkedIn
  ◦ Fake employee profile
• Searched for people not listed in the network
  ◦ Joined the company ‘network’
  ◦ Sent out invites
• Facebook
  ◦ Multiple fake profiles
• Added each other as friends

• Turns out they had a new employee
• Everyone thought his was the ‘fake’ profile
• Very difficult to identify the real profile
• ‘Attractive’ profiles receive friend requests

• Confidential…

Contact:
• wasim.halani@niiconsulting.com
• http://www.niiconsulting.com
• @washalsec