ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Ramiro Cid | @ramirocid
Index
1. Definitions
2. Why you should be concerned?
3. Social Engineering: Potential Impact
4. Knowing the enemy
5. Email attacks (Phishing)
6. Telephone attacks (Vishing)
7. USB sticks
8. Freebies on the Internet
9. Physical impersonation
10. Searching in trash
11. Sources used and to expand knowledge
Definitions
• Cyber security: also known as "IT security" or "computer security", it is information security applied to computing devices such as servers, workstations and mobile devices (smartphones, tablets, etc.), as well as to computer networks, private and public, including the whole Internet.
• Social engineering: in the context of information security, the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud or system access; it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
• Cybercrime: also known as computer crime, any crime that involves a computer and/or a network. The computer may have been used in the commission of the crime, or it may be the target. Netcrime is the criminal exploitation of the Internet and is inherently a cybercrime. It includes offences committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (chat rooms, email, notice boards and groups) and mobile phones.
Why you should be concerned?
The market currently offers a wide range of systems, products and services focused on computer security: antivirus, antispyware, firewalls, IPS, WAF, SIEM systems, etc.
All these measures are indispensable and have become a priority for any company or organisation that wants to protect its assets, but social engineering has the advantage of using techniques that exploit vulnerabilities inherent in human beings and, as is well known, there is no patch or upgrade that provides effective protection against such attacks.
People are normally "the weak link in the chain".
Why you should be concerned?
"…Why would anybody attack me if I have nothing to hide? I don't have any secret information. Why would an attacker be interested in me?…"
This is the typical mindset of users who think they are not going to be targeted by criminals.
The mindset of an attacker is different:
• They don't want to attack YOU; they want something, and they will use you along the way if it helps them achieve their goal.
• With many companies investing heavily in security technologies, it is often easier for an attacker to exploit people than to hack into computer networks and systems.
-> This makes you a target.
Why you should be concerned?
Regarding data privacy and data protection (yes, this topic also applies to social engineering attacks), people usually make three typical mistakes:
1. Underestimating the amount of information we produce every day
2. Undervaluing that information
3. Thinking that our main problem is the NSA or another federal agency
Social Engineering: Potential Impact
• Financial loss
• Data leak
• Reputational damage (company and/or person)
• Management time
• Loss of public trust
• Legal fines
• Loss of new or existing customers
• Loss of company morale
• Increased audit costs
Knowing the enemy
Your enemy is a social engineer: an attacker who focuses on attacking people instead of computers and uses psychological tricks and manipulation to succeed. You must be aware of this.
What does an attacker do to trick people?
They take advantage of well-known characteristics of human decision-making for instance:
• Respect for authorities (by pretending to be one)
• Curiosity (by offering something intriguing)
• Feeling of urgency often coupled with greed or fear
• Our willingness to help others
• More…
Knowing the enemy
What means do social engineers use for attacks?
• Email (also known as "phishing")
• Phone (also known as "vishing")
• USB sticks: deliberately planted in strategic areas of the organisation to be found and used
• Internet freebies: with malicious code attached
• Physical impersonation: to gain physical access
• Searching trash cans: to obtain information
Knowing the enemy
What do they want?
The attacker's goal is to make you perform an action or divulge information so they can:
a) Commit fraud by diverting funds
b) Obtain information deemed valuable to them
c) Gain access to computers to extract valuable data, to infect them and hold them hostage for ransom, or to use them to stage attacks on others
How can you defend yourself against attacks?
The most effective way to protect yourself against social engineering is to stay informed and be vigilant. Educate yourself and know what to watch out for, what to avoid, and what to be cautious of.
Email attacks (Phishing)
By far the most common means of social engineering attack. It is relatively easy to send a forged email to a large number of recipients, and the attacker doesn't have to come into direct contact with their targets.
Example:
An email pretending to be from our CEO asking the recipient to perform a task, e.g. divert funds. The attacker knows that most employees are unlikely to question a CEO's request and will comply with a higher authority rather than act on any suspicions they may have.
An email promising a prize if you act quickly and click a link, open an attachment or fill in a few personal details on a website within a short time, or "only for the first respondents", combines urgency and greed.
Email attacks (Phishing)
Good practice:
• Check the sender's real email address by hovering your cursor over the sender name; the display name can say anything, the address behind it is what matters
• Check any embedded links by hovering your cursor over the link; the visible text can differ from the address it actually points to
• Do not open suspicious attachments or links, and do not perform the requested actions
• Do not respond to suspicious emails
• If in doubt, report the suspicious email to your Helpdesk
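The two "hover" checks above can be automated on the raw message. The following is an added example (not code from the original presentation): it parses an RFC 5322 message, compares the sender's display name with the real address, checks whether Reply-To points somewhere else, and flags links whose visible text is a URL that does not match the href. The sample message, the trusted domain `example.com` and the look-alike domain `examp1e.com` are constructed for the example.

```python
"""Automated phishing red-flag checks: sender address, Reply-To and link mismatch.

Added example for the "hover over the sender / hover over the link" advice.
The message below is constructed for illustration; it is not a real phish.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation treats as its own (assumption for the example).
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample: the display name claims to be the CEO, the address is a
# look-alike domain (digit 1 instead of l), Reply-To goes elsewhere, and the
# visible link text does not match the real href.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: payments@mail-relay.example.net
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please process this today. Details here:
<a href="http://198.51.100.23/login">https://portal.example.com/invoices</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Host part of a URL, lower-cased ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw):
    """Return a list of human-readable red flags found in a raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if from_domain and not _trusted(from_domain):
        flags.append(f"sender domain {from_domain!r} is not trusted "
                     f"(display name {display!r})")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        flags.append(f"Reply-To {reply_to!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if text.startswith(("http://", "https://")) and _host(text) != _host(href):
                flags.append(f"link text {text!r} actually points to {href!r}")
            elif _host(href) and not _trusted(_host(href)):
                flags.append(f"link to untrusted host {_host(href)!r}")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EML):
        print("RED FLAG:", flag)
```

Running the script on the constructed message reports three flags: the untrusted sender domain, the mismatched Reply-To, and the link whose visible text names `portal.example.com` while the href goes to an IP address. A message from a trusted domain with honest links produces an empty list. These checks do not replace authentication controls such as SPF, DKIM and DMARC; they reproduce what a careful reader sees when hovering, which is exactly the habit the good-practice list asks for.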
Telephone attacks (Vishing)
Using the telephone is another popular social engineering technique. Because it is more time-consuming, it is used on a smaller scale than email. It has the advantage of real-time communication with the target, although this also makes it harder for the attacker, who must react quickly to the target's answers.
It is easy for an attacker to pretend they are calling or sending text messages from an official source. There are smartphone applications that allow an attacker to enter any Caller ID, which then appears on the display of the recipient's device. What you see as the caller's number on your display is what the attacker wants you to see.
There are also web services that allow text messages to be sent with an arbitrary phone number as the sender. So an attacker can send a text message to your mobile phone (provided they have your number) pretending the message is from your boss, friend, business partner, spouse, etc.
Telephone attacks (Vishing)
Social engineers can also employ interactive voice response systems and send emails asking you to call the listed number. In doing so, attackers can pretend to be your bank and ask you to enter your personal and bank account details for "verification purposes".
Good practice:
• Be suspicious of unsolicited calls seeking internal corporate or personal information
• Do not provide sensitive information over the phone
• Verify who is calling: name, organisational unit or name of the external company
• Do not fully trust Caller ID, for calls or text messages
• If unsure, ask the caller to send their request in writing (at least by email) and offer to call back. This gives you time to look for red flags in the email. Look up the contact information yourself and call the employee or the external company directly on a number you found independently, never on one the caller gave you
• If in doubt, report it as a security incident to your Helpdesk
USB sticks
This type of attack combines curiosity and greed. We like freebies and have a curious nature, so finding a presumably lost USB stick may tempt us to dig deeper and find out what is on it.
Attackers deliberately plant cheap USB sticks where targeted users will find them, e.g. kitchen, rest rooms, meeting rooms, parking, bathroom, entrance door, front desk, etc.
These USB sticks are loaded with malicious software (e.g. viruses, keyloggers, trojans, ransomware). Once the bait is taken, the attacker can gain control of your computer, infect it or encrypt it and hold your data hostage for ransom, and, if the computer is connected to the network, do the same to other computers and servers (e.g. ransomware such as CryptoLocker can encrypt all files on a file server through the shared folders the user has mapped).
USB sticks
Good practice:
• If you find a USB stick, treat it with the utmost suspicion
• Do not connect it to your computer and do not run its contents
• Report such a case as a security incident to your local Service Desk
Freebies on the Internet
This attack also uses greed and curiosity as the driver and is often found on peer-to-peer (P2P) networks and websites offering illegal content, e.g. movies, music, software. The attacker offers something the user wants, bundles malicious code into the offer, and then waits for users to download and run it.
Good practice:
• Do not use peer-to-peer file sharing applications (eMule, BitTorrent, Ares, etc.)
• Do not use websites offering illegal content such as movies, music, software, books, etc.
• Do not download and run illegal software
Physical impersonation
It's always polite to hold the door open for someone rushing in behind you, and an attacker knows this and often preys on our good nature to tailgate and gain unauthorised access. Similarly, an attacker can wait near a door pretending to be on the phone, finish the call and swiftly follow an authorised person through the security door.
Impersonators are crafty and creative: they can claim to be coming to do maintenance, check alarms or smoke detectors, or document fire hazards; they can carry a box as if delivering something (rather than stealing); they can be delivering food.
A common trick is to make you believe they have a meeting with someone in the company and, being late, have already called ahead to say they have arrived, so that you feel there is no need to check this person's identity. The possibilities are limited only by the attacker's creativity.
Physical impersonation
Good practice:
• Verify an outsider's identity and reason for visiting before granting access
• Accompany visitors on the company premises at all times
• If you see an unaccompanied stranger on the premises, offer them your help and escort them to the front desk or to the security guards
Searching trash
"One man's trash is another man's treasure."
Trash cans are full of useful information that can be used by others in a malicious way. They often contain financial, personal or medical information, drafts of contracts, printed PowerPoint presentations with internal data, notes with names, passwords, organisational structure, etc. Sometimes even old CDs/DVDs, memory cards from cameras, hard drives or USB flash drives.
Information, printed or electronic, is a valuable source of data for a social engineer, who can either monetise it or use it to better prepare future attack scenarios: knowing more details lets them evoke more confidence and trust.
Good practice:
• Shred all papers by default when disposing of them, and treat anything that does not have to be shredded as the exception
• Shred CDs, DVDs and plastic cards (e.g. IDs, ATM cards, access cards) before disposing of them
• Securely destroy electronic data on hard drives, memory sticks or USB flash drives when discarding them
Sources used and to expand knowledge
• "Types of Phishing Attacks", PC World. URL: http://www.pcworld.com/article/135293/article.html
• "Phishing" definition, Wikipedia. URL: https://en.wikipedia.org/wiki/Phishing
• "Hacking with Social Engineering. Techniques for Human Hack. Hacker World" (this book is in Spanish). URL: http://www.ra-ma.es/libros/HACKING-CON-INGENIERIA-SOCIAL-TECNICAS-PARA-HACKEAR-HUMANOS-MUNDO-HACKER/89345/978-84-9964-539-1
Questions?
Many thanks!
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Social engineering attacks

  • 1. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
    Ramiro Cid | @ramirocid
  • 2. Index
    1. Definitions Page 3
    2. Why you should be concerned? Page 4
    3. Social Engineering: Potential Impact Page 7
    4. Knowing the enemy Page 8
    5. Email attacks (Phishing) Page 11
    6. Telephone attacks (Vishing) Page 13
    7. USB sticks Page 15
    8. Freebies on the Internet Page 17
    9. Physical impersonation Page 18
    10. Searching in trash Page 20
    11. Sources used and to expand knowledge Page 21
  • 3. Definitions
     Cyber Security: also known as "IT security" or "Computer security", it is information security applied to computing devices such as servers and mobile devices (smartphones, tablets, etc.), as well as to computer networks, both private and public, including the whole Internet.
     Social engineering: in the context of information security, the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
     Cybercrime: also known as computer crime, any crime that involves a computer and/or a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime is criminal exploitation of the Internet and is inherently a cybercrime. It covers offences committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (chat rooms, emails, notice boards and groups) and mobile phones.
  • 4. Why you should be concerned?
    Currently the market offers a wide range of systems, products and services focused on computer security: antivirus, antispyware, firewalls, IPS, WAF, SIEM systems, etc. All these measures are indispensable and have become a priority for any company or organization seeking to protect its assets, but social engineering has the advantage of using techniques that exploit vulnerabilities inherent in human beings and, as is well known, there is no patch or upgrade that provides effective protection against such attacks. People are normally "the weak link in the chain".
  • 5. Why you should be concerned?
    "...Why would anybody attack me if I have nothing to hide? I don't have any secret information. Why would an attacker be interested in me?..."
    These are typical mindsets of users who think they are not going to be targeted by criminals. The mindset of an attacker is different:
     They don't want to attack YOU; they want something, and they will use you along the way if it helps them achieve their goal.
     With many companies investing heavily in security technologies, it is often easier for an attacker to exploit people than to hack into computer networks and systems -> This makes you a target.
  • 6. Why you should be concerned?
    Regarding data privacy and data protection (yes, this topic applies to social engineering attacks too), people typically make 3 mistakes:
    1- Underestimating the amount of information we produce every day
    2- Underrating the value of that information
    3- Thinking that our main problem is the NSA or another federal agency
  • 7. Social Engineering: Potential Impact
    • Financial loss
    • Data leak
    • Reputation and image damage (company and/or person)
    • Management time
    • Loss of public trust
    • Legal fines
    • Loss of new or existing customers
    • Loss of company morale
    • Increased audit costs
  • 8. Knowing the enemy
    Your enemy is a social engineer, an attacker who focuses on attacking people instead of computers and uses psychological tricks and manipulation to succeed. You must be aware of it.
    What does an attacker do to trick people? They take advantage of well-known characteristics of human decision-making, for instance:
    • Respect for authorities (by pretending to be one)
    • Curiosity (by offering something intriguing)
    • A feeling of urgency, often coupled with greed or fear
    • Our willingness to help others
    • More...
  • 9. Knowing the enemy
    What means do social engineers use for attacks?
     Email (also known as 'phishing')
     Phone (also known as 'vishing')
     USB sticks: deliberately planted in strategic areas of the organization to be found and used
     Internet freebies: with malicious code attached
     Physical impersonation: to gain physical access
     Searching trash cans: to obtain information
  • 10. Knowing the enemy
    What do they want? The attacker's goal is to make you perform an action or divulge information so they can:
    a) Commit fraud by diverting funds
    b) Obtain information deemed valuable to them
    c) Gain access to computers to extract valuable data, or to infect them and hold them hostage for ransom or use them to stage attacks on others.
    How can you defend yourself against attacks? The most effective way to protect yourself against social engineering is to stay informed and be vigilant. Educate yourself and know what to watch out for, what to avoid, and what to be cautious of.
  • 11. Email attacks (Phishing)
    By far the most common means of social engineering attack. It is relatively easy to send a forged email to a large number of recipients, and an attacker doesn't have to come into direct contact with their targets.
    Example: an email pretending to be from our CEO asking a recipient to perform a task, e.g., divert funds. An attacker knows it is unlikely that most employees would question a CEO's request; they would comply with a higher authority rather than question the request based on any suspicions they may have.
    An email promising a prize if you act quickly and click a link, open an attachment or fill in a few personal details on a website within a short time, or among the first responders, combines urgency and greed.
  • 12. Email attacks (Phishing)
    Good practice:
     Check the sender's email address by hovering your cursor over the sender
     Check any embedded links by hovering your cursor over the link
     Do not open suspicious attachments and links, and do not perform requested actions
     Do not respond to suspicious emails
     If in doubt, report the suspicious email to your Helpdesk
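The checks on this slide, written as code: an added example (not part of the original deck) that parses a constructed sample email, compares the sender's domain against a trusted list, compares each link's visible text with the host its href really points to, and looks for the urgency/greed wording the deck warns about. The sample message, the trusted domain and the keyword list are all constructed for the demo.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the original deck): the "CEO asks for a payment"
# scenario, with a look-alike sender domain and a link whose text hides its target.
SAMPLE_PHISH = b"""From: "Example Corp CEO" <ceo@example-c0rp.net>
To: staff@example.com
Subject: URGENT: approve this payment today
Content-Type: text/html; charset=utf-8

<p>Please act quickly and approve the transfer here:
<a href="http://login.example-c0rp.net/confirm">https://portal.example.com/payments</a></p>
"""

# Wording the deck ties to the urgency/greed lever (constructed list).
PRESSURE_WORDS = ("urgent", "act quickly", "prize", "immediately", "within 24 hours")
# Crude anchor matcher: enough for the demo, not a substitute for an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude registrable-domain reduction (last two labels); enough for a demo."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def shown_host(text):
    """Host a reader would assume a link points to, judged from its visible text."""
    text = re.sub(r"<[^>]+>", "", text).strip()          # drop tags inside the anchor
    if not text or " " in text:
        return None                                      # "click here" style text
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def find_red_flags(raw_message, trusted_domains):
    """Return the red flags the slide tells readers to look for, as plain strings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flags = []
    # 1. Sender address: the display name is easy to forge, the domain is what counts.
    _name, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[2].lower() not in trusted_domains:
        flags.append(f"sender address {addr} is outside the trusted domains")
    # 2. Embedded links: visible text pointing at one site, href at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        for href, text in ANCHOR_RE.findall(content):
            real, shown = urlparse(href).hostname, shown_host(text)
            if real and shown and registrable(real) != registrable(shown):
                flags.append(f"link text shows {shown} but really goes to {real}")
    # 3. Pressure wording (urgency and greed), checked in subject and body.
    haystack = (str(msg.get("Subject", "")) + " " + content).lower()
    if any(word in haystack for word in PRESSURE_WORDS):
        flags.append("message uses urgency/greed pressure wording")
    return flags
```

Running `find_red_flags(SAMPLE_PHISH, {"example.com"})` reports all three red flags for the sample; a plain internal message from a trusted domain returns an empty list.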
  • 13. Telephone attacks (Vishing)
    Using a telephone is another popular social engineering technique. Because it is more time consuming, it is used on a smaller scale than email. It has the advantage of real-time communication with the target, although this also makes it more difficult for the attacker, who must be able to react quickly to the target's different answers.
    It is easy for an attacker to pretend they are calling or sending text messages from an official source. There are smartphone applications that allow an attacker to enter any Caller ID, which in turn appears on the display of the recipient's device. What you see as the caller's number on your display is what the attacker wants you to see. There are also web services that allow text messages to be sent with an arbitrary phone number as the sender, so an attacker can send a text message to your mobile phone (provided they have your number) pretending the message is from your boss, friend, business partner, spouse, etc.
  • 14. Telephone attacks (Vishing)
    Social engineers can employ interactive voice response systems and send emails asking you to call the listed number. In doing so, attackers can pretend to be your bank and ask you to enter your personal and bank account details for "verification purposes".
    Good practice:
     Be suspicious of unsolicited calls seeking internal corporate or personal information
     Do not provide sensitive information over the phone
     Verify who is calling: name, organisational unit or name of the external company
     Do not completely trust Caller ID, with either calls or text messages
     If unsure, ask the caller to send their request in writing (at least by email) and offer to call back. This gives you time to look for the red flags in the email. Look up the contact information yourself and call the employee or the external company directly
     If in doubt, report it as a security incident to your Helpdesk
  • 15. USB sticks
    This type of attack combines curiosity and greed. We like freebies and have a curious nature, so finding a presumably lost USB stick may tempt us to dig deeper and find out what is on it. Attackers carefully plant cheap USB sticks where targeted users can find them, e.g., kitchen, rest rooms, meeting rooms, parking, bathroom, entrance door, front desk, etc. These USB sticks are loaded with malicious software (e.g., viruses, keyloggers, trojans, ransomware). Once the bait is taken, the attacker can gain control of your computer, infect it or encrypt it and hold your data hostage for ransom, and of course, if the computer is connected to a network, do the same with other computers and servers (e.g., ransomware such as Cryptolocker could encrypt all files on a file server because the user has mapped shared folders from it).
  • 16. USB sticks
    Good practice:
     If you find a USB stick, treat it with utmost suspicion
     Do not connect it to your computer and do not run its content
     Report such a case as a security incident to your local Service Desk
  • 17. Freebies on the Internet
    This also uses greed and curiosity as the driver and is often found on Peer-to-Peer (P2P) sites and websites offering illegal content, e.g., movies, music, software. The attacker offers something the user wants, includes malicious code in the offer and then waits for users to download and run this code.
    Good practice:
     Do not use Peer-to-Peer file sharing applications (eMule, BitTorrent, Ares, etc.)
     Do not use websites offering illegal content such as movies, music, software, books, etc.
     Do not download and run illegal software
  • 18. Physical impersonation
    It's always polite to hold the door open for someone who is rushing in behind you; an attacker knows this and often preys on our good nature to tailgate and gain unauthorised access. Similarly, an attacker can wait near a door pretending to be talking on the phone, finish the call and swiftly follow an authorised person through a security door. Impersonators are crafty and creative and can claim they are coming to do maintenance, check alarms or smoke detectors or document fire hazards; they can carry a box pretending they are delivering something (rather than stealing), or be delivering food. A common trick is to make you believe they have a meeting with someone working for the same company and, as they are late, have called ahead to let them know they have arrived, to fool you into thinking there is no need to check the identity of this person. The possibilities are limited only by the attacker's creativity.
  • 19. Physical impersonation
    Good practice:
     Verify an outsider's identity and reason for visiting before granting access
     Accompany visitors on the company premises at all times
     If you see an unaccompanied stranger on the premises, offer them your help and escort them to the front desk or to the security guards
  • 20. Searching trash
    "One man's trash is another man's treasure". Trash cans are full of useful information that can be used by others in a malicious way. Often they contain financial, personal or medical information, drafts of contracts, printed PowerPoint presentations with internal data, notes with names, passwords, organisational structure, etc. Sometimes even old CDs/DVDs, memory cards from cameras, hard drives or USB flash drives. Information, printed or electronic, is a valuable source of data for a social engineer, who can either monetise the found information or use it to better prepare future attack scenarios: knowing more details lets them evoke more confidence and trust.
    Good practice:
     Shred all papers by default when disposing of them, and treat as exceptions only those that don't have to be shredded
     Shred CDs, DVDs and plastic cards (e.g., IDs, ATM cards, access cards) before disposing of them
     Securely destroy electronic data on hard drives, memory sticks or USB flash drives when discarding them
  • 21. Sources used and to expand knowledge
    "Types of Phishing Attacks" - PC World. URL: http://www.pcworld.com/article/135293/article.html
    "Phishing" definition. URL: https://en.wikipedia.org/wiki/Phishing
    "Hacking with Social Engineering. Techniques for Human Hack. Hacker World" (this book is in Spanish). URL: http://www.ra-ma.es/libros/HACKING-CON-INGENIERIA-SOCIAL-TECNICAS-PARA-HACKEAR-HUMANOS-MUNDO-HACKER/89345/978-84-9964-539-1
  • 22. Questions? Many thanks!
    Ramiro Cid
    CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
    ramiro@ramirocid.com
    @ramirocid
    http://www.linkedin.com/in/ramirocid
    http://ramirocid.com
    http://es.slideshare.net/ramirocid
    http://www.youtube.com/user/cidramiro