- 1. ©2011 Gogo Inc. and Affiliates. Proprietary & Confidential.
Social Engineering and Identity Theft
How to avoid being a victim
Scott Teipe – CISSP, CISM
Manager of Information Security
- 2. Social Engineering and Identity Theft Cases
Frank Abagnale (1969)
– http://en.wikipedia.org/wiki/Frank_Abagnale
Lifelock (2007)
– http://en.wikipedia.org/wiki/Lifelock
HBGary vs. Anonymous (2011)
– http://en.wikipedia.org/wiki/HBGary
Amar Singh (2012)
– http://www.huffingtonpost.com/2012/08/07/largest-id-theft-in-history_n_1751241.html
- 3. Identity Theft Statistics
• One of the most common cybercrimes worldwide!
The 2013 Identity Fraud Report released by Javelin Strategy & Research indicates:
– In 2012 identity fraud incidents increased by more than one million victims.
– Fraudsters stole more than $21 billion, the highest amount since 2009.
– 12.6 million victims in the United States in 2012.
– 1 new victim every 3 seconds!!!
- 4. Identity Theft
Javelin Strategy & Research Report
https://www.javelinstrategy.com/news/1387/92/More-Than-12-Million-Identity-Fraud-Victims-in-2012-According-to-Latest-Javelin-Strategy-Research-Report/d,pressRoomDetail
- 5. Identity Theft
Once your personal data is obtained, it can be used to:
• Apply for a job
• Charge utilities
• File for bankruptcy
• File fraudulent tax returns
• Open new accounts in your name
• Commit a crime or get into legal trouble, in your name
• Drain your checking and savings accounts
• Go on a spending spree: purchase a car, appliances, services, etc.
- 6. Social Engineering
• Social Engineering: a new term for an old problem, being scammed.
• Exploits weaknesses of human nature:
– Desire to help
– Fear of authority
– Use of logic (a small lie masked within a series of true statements)
– Necessities and desires (money, sex, free services/entertainment, etc.)
• Technical and non-technical
– Phone, email, trash, face to face
– Target: your personal information, or third-party information to which you have access.
- 7. Social Engineering Techniques
• Phishing and spear phishing
• Dumpster diving
– Be aware of what you throw in the trash. Someone's trash is someone else's treasure.
• Shoulder surfing
– Always check that nobody is peeking over your shoulder when entering security credentials (PIN, password, etc.)
Some of these techniques let the attacker bypass technical security controls (passwords, firewalls, etc.) entirely, because the victim performs the action or hands over the credential for them.
- 8. Scenario 1
• You find a USB key in the parking lot at your workplace. Once you plug it in, you find a program that offers free access to a website where you can watch pirated first-run movies.
- 9. Scenario 2
• You work in IT support and receive a phone call. The person on the other end of the line claims to be the new VP of the company, says he/she has forgotten his/her security credentials (PIN/password) and asks you to reset the password.
- 10. Strategy
• Awareness and common sense
– If it's too good to be true…
• Discipline and education
• If in doubt, look for confirmation through a channel you already trust (a known phone number, the company directory), not the channel the request arrived on
• Efficient use of defensive technologies
• Proper use, storage and disposal of your information
- 11. Technology Defense Mechanisms
• Defense in depth: multiple overlapping defenses
– Remember there is no single solution that protects 100% against an attack
• Proactive vs. reactive
• Firewall, antivirus, system patches
• Most modern operating systems have user-friendly security features built in
• Password security
• Data disposal
- 12. Action Center
• Windows 7/8
– Antivirus:
• Win8: Windows Defender
• Win7: Microsoft Security Essentials (a free download; the Windows Defender built into Windows 7 is anti-spyware only)
– Firewall: Windows Firewall
– Patch management: Windows Update
– Other features:
• Data privacy/protection: BitLocker (Win7 Ultimate/Enterprise and Win8 Pro/Enterprise editions only)
• Antiphishing: Windows SmartScreen (Win8)
• Family Safety (Win8)
- 13. Action Center
• Displays important security and maintenance messages
• Windows Update: make sure Windows Update is configured correctly and turned on!
- 14. Windows Defender
• Real-time antivirus protection
• Status is color coded: green, yellow, red
- 15. Windows SmartScreen
• Reputation-based protection against malicious downloads and sites, checked in real time before a file runs or a page loads
• Offers phishing protection within IE in real time
- 16. Password Security
• Length: 16 or more characters
• Complexity
– Avoid dictionary words and personally identifiable information
– Don't follow the usual shape: capital letter, then lower case, then numbers and symbols at the end. Cracking programs try that pattern first, and merely reordering the classes (numbers, symbols, then letters) buys little, because the tools try those orderings too. A password drawn uniformly at random over the whole character set has no shape to exploit.
– Use password generators
• https://www.grc.com/passwords.htm
• http://passwordsgenerator.net/
• Generating a password on a web page means trusting that site and the connection to it; the generator built into an offline password manager avoids that.
• Too many passwords? Try a password manager
• Free password manager: KeePass
– http://keepass.info/
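To make the length and "no human pattern" points concrete, here is an added example (not part of the original deck, and not code from any of the tools it links): a generator that draws every character from the OS CSPRNG, plus two entropy calculations that compare a human-shaped password with a uniformly random one of the same length. The mask notation (`?u`, `?l`, `?d`, `?s`) and the 94-symbol alphabet are assumptions of the example.

```python
import math
import re
import secrets
import string

# Full printable ASCII alphabet (94 symbols) used for random generation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character independently and uniformly from the alphabet with
    the OS CSPRNG, so no position follows a human habit."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


# Per-position class sizes for a hashcat-style mask (assumed notation):
# ?u upper, ?l lower, ?d digit, ?s symbol.
_CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": len(string.punctuation)}


def mask_entropy_bits(mask: str) -> float:
    """Guessing work when the attacker already knows the per-position shape
    (the 'capital, lower case, digits, symbol' habit is exactly such a mask)."""
    return sum(math.log2(_CLASS_SIZE[c]) for c in mask.split("?")[1:])


_HUMAN_SHAPE = re.compile(r"[A-Z][a-z]+[0-9]+[^A-Za-z0-9]*")


def looks_like_human_pattern(password: str) -> bool:
    """True for the classic shape 'Word' + digits (+ trailing symbols), which a
    cracking rule set tries long before it resorts to brute force."""
    return _HUMAN_SHAPE.fullmatch(password) is not None


def compare(length: int = 9) -> dict:
    """Worked comparison: a human-shaped password of `length` characters versus
    a uniformly random one of the same length, and a random 16-character one."""
    mask = "?u" + "?l" * (length - 4) + "?d?d?s"
    return {
        "mask": mask,
        "mask_bits": round(mask_entropy_bits(mask), 1),
        "random_bits": round(random_entropy_bits(length), 1),
        "random_16_bits": round(random_entropy_bits(16), 1),
    }


if __name__ == "__main__":
    print(generate_password(16))
    print(compare())
```

For a 9-character password the human shape leaves about 40 bits of guessing work, a random 9-character string about 59 bits, and a random 16-character string about 105 bits; that gap is what "length" and "no pattern" buy, and it is why the generator is the right tool rather than a cleverer ordering of the same classes.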
- 17. Two Factor Authentication
• Offers an extra layer of security
• It requires an additional authentication factor from a different category than the password. Besides username and password (something you know), one of:
– Something you have: a security token, or a one-time code generated on your phone
– Something you are: biometrics like fingerprint, voice, etc.
• A PIN or unlock pattern is also something you know, so a password plus a PIN is two of the same factor, not two-factor authentication.
• Google and Yahoo started offering two-factor authentication as an additional security feature back in 2011.
- 18. Digital Fingerprints
• Where we are leaving traces of our lives:
– Social media (Twitter, Facebook, LinkedIn, etc.)
– Old devices: cellphones
• What we are leaving behind:
– Date/place of birth
– Family members' information (nicknames, dates, etc.)
– Social Security numbers, phone numbers, etc.
- 19. How to Manage Your Information
• Install a data sanitization utility and use it to delete any important and/or personal information.
• If you are going to sell or transfer a device, wipe the storage clean, including the memory card!
• Another excellent protection is to encrypt your sensitive information: if the device was encrypted before it left you, a wipe that misses something still leaks only ciphertext.
- 20. Free Tools for Secure Erase
• Eraser
– http://eraser.heidi.ie/download.php
• CCleaner
– http://www.piriform.com/ccleaner/download
• File Shredder
– http://www.fileshredder.org/
These tools overwrite individual files in place. That is reliable on a traditional hard disk, but on an SSD (wear levelling) or on a file system that journals or keeps snapshots, copies of the old blocks can survive the overwrite; for those, rely on full-disk encryption plus a whole-device wipe.
- 21. Free Tools for Data Wipe
• Secure Erase (HDDErase from UCSD CMRR; it issues the drive's built-in ATA Secure Erase command, which on drives that implement it correctly also covers the spare blocks a file shredder cannot reach)
– http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
• MHDD
– http://hddguru.com/software/2005.10.02-MHDD/
• Hard disk vendors offer utilities to wipe the contents of their drives
• Always wipe the hard disk before disposing of or donating an old computer!!!
• Don't become a victim of your own old personal data.
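What the file shredders on the previous slide actually do (overwrite, flush to the device, hide the name, unlink), and why a plain delete is not enough, is short enough to show. This is an added example, not code from Eraser, CCleaner or File Shredder; the `demo` function writes constructed sample text to a temporary file so it can be run anywhere.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file with CSPRNG output and force it to the
    device with fsync, `passes` times. One pass is enough on modern drives
    (NIST SP 800-88); extra passes cost time, not security. Returns the byte
    count overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 1) -> None:
    """What a file shredder does: overwrite the contents, truncate, rename to
    a random name so the original file name does not survive in the directory
    entry either, then unlink. Raises FileNotFoundError like os.remove."""
    overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)


def demo(secret: bytes = b"SSN 123-45-6789 ") -> dict:
    """Write constructed sensitive text to a temp file, overwrite it, check
    that none of the original text is left in the file, then shred it."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 1000)
    overwrite_in_place(path, passes=2)
    with open(path, "rb") as fh:
        after = fh.read()
    result = {
        "size_unchanged": len(after) == len(secret) * 1000,
        "residue_found": secret.strip() in after,
    }
    secure_delete(path)
    result["removed"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The overwrite only touches the blocks the file occupies right now. Earlier versions saved by an editor, journal entries, file-system snapshots, backups and the remapped blocks of an SSD are untouched, which is why whole-device wiping (ATA Secure Erase or the vendor tool) and encrypting before the data is ever written remain the answer for a device you are giving away.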
- 22. Free Tools for Data Encryption
• TrueCrypt
– http://www.truecrypt.org/
– (Development of TrueCrypt ended in May 2014; VeraCrypt is the maintained fork and can open existing TrueCrypt volumes.)
• SafeHouse Explorer Encryption
– http://www.safehousesoftware.com/
• Windows 7/8 BitLocker (BitLocker To Go for removable drives)
– http://windows.microsoft.com/en-hk/windows7/products/features/bitlocker
Encrypt data on removable storage (USB thumb drives, SD cards) too; it is the storage most easily lost.
- 23. Free Anti-virus
– Avast: http://www.avast.com/index
– AVG: http://free.avg.com/ww-en/homepage
– Avira: http://www.avira.com/en/avira-free-antivirus
- 24. Email
Basic principles
– Avoid clicking on links contained within e-mail messages.
– Type the web address into the browser instead of clicking on the link, or use a bookmark you saved earlier.
– If in doubt, confirm the validity of the e-mail with the sender by phone or in a new message you start yourself, not by replying.
WHY???
– It is very easy for attackers to forge the sender's identity: the From header is just text the sender chooses, and a link's visible text can show one address while the link goes to another.
– It is easy to copy an e-mail's format and logos to make it look legitimate.
– Clicking on a legitimate-looking link may install malicious software without your consent or knowledge.
- 25. Email
(Screenshot of a phishing e-mail: neither sender address is an official UN or HSBC e-mail address.)
Take a look at the header.
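The checks a reader can do on a raw header (does the bounce address or Reply-To belong to the same domain as the From address, did my own mail server record an SPF/DKIM pass, does the link text match where the link really goes) can be automated. The following is an added example, not the deck's code and not any mail product's filter; both messages are constructed for the example, the domains are reserved example names, and `registrable()` uses a two-label simplification instead of the Public Suffix List.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed phishing sample (not a real message): the From header claims
# hsbc.com, but the bounce address, Reply-To and the link all go elsewhere,
# and the link text shows a different address than its href.
PHISH_EMAIL = """\
Return-Path: <bounce@mail-hsbc-secure.example.net>
Received: from mail-hsbc-secure.example.net (unknown [198.51.100.7])
    by mx.example.org with ESMTP; Tue, 05 Mar 2013 10:12:01 +0000
From: "HSBC Customer Service" <security@hsbc.com>
Reply-To: hsbc.verification@webmail.example.net
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://hsbc.com.account-verify.example.net/login">https://www.hsbc.com/secure</a>
to confirm your identity within 24 hours.</p>
</body></html>
"""

# Constructed legitimate sample: envelope, From and link all agree, and the
# receiving server recorded SPF and DKIM passes.
CLEAN_EMAIL = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Return-Path: <bounce@example.com>
From: "Example Billing" <billing@example.com>
To: customer@example.org
Subject: Your invoice
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://www.example.com/invoices">https://www.example.com/invoices</a></p></body></html>
"""


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def registrable(host: str) -> str:
    """Last two labels of a host name: a simplification (no Public Suffix
    List) that is adequate for the example domains used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def header_domains(msg) -> dict:
    """Registrable domain of the address in each sender-related header."""
    out = {}
    for name in ("From", "Return-Path", "Reply-To"):
        value = msg.get(name)
        if value:
            addr = email.utils.parseaddr(str(value))[1]
            out[name] = registrable(addr.rsplit("@", 1)[-1])
    return out


def header_findings(msg) -> list:
    """The checks a reader can do by hand on the raw header."""
    domains = header_domains(msg)
    sender = domains.get("From")
    findings = []
    for name in ("Return-Path", "Reply-To"):
        if name in domains and domains[name] != sender:
            findings.append(f"{name} domain {domains[name]} differs from From domain {sender}")
    auth = str(msg.get("Authentication-Results", ""))
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("no SPF/DKIM pass recorded: the From address was never verified")
    return findings


_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def link_findings(html: str, from_domain: str) -> list:
    """Flag links whose visible text names one host while the href goes to
    another, and hrefs that merely contain the sender's brand as a label."""
    findings = []
    brand = from_domain.split(".")[0] if from_domain else ""
    for href, text in _ANCHOR.findall(html):
        href_host = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registrable(text_host) != registrable(href_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
        if brand and registrable(href_host) != from_domain and brand in href_host:
            findings.append(f"lookalike host {href_host} is not under {from_domain}")
    return findings


def inspect_message(raw: str) -> list:
    """All findings for one raw message; an empty list means nothing suspicious
    was found, not proof that the mail is genuine."""
    msg = parse(raw)
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    return header_findings(msg) + link_findings(body, header_domains(msg).get("From", ""))


if __name__ == "__main__":
    for line in inspect_message(PHISH_EMAIL):
        print("!", line)
```

A differing Return-Path on its own is common for legitimate bulk mail sent through a mailing provider, so treat each finding as a reason to confirm through another channel rather than as a verdict; the combination in the phishing sample (no authentication result, a foreign Reply-To, and a link whose text and target disagree) is what should stop you from clicking.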
- 26. Internet Browsing
• Many attacks require you to click on something within the website to trigger them, but a vulnerability in the browser or one of its plug-ins can be exploited just by loading the page (a "drive-by download"), and the goal is usually to install malware silently rather than to crash your computer or make it slow.
• Websites make it difficult to choose the right place to click. Often buttons are just images coaxing you to perform an action, such as clicking on a link embedded in an image.
• Critical: keep your browser, its plug-ins and your computer updated with the latest versions and patches!!!
- 27. Conclusions
• Be aware, educated and disciplined.
• Keep it simple (e.g. install only the applications that you really need).
• There are no silver bullets; a strategy in conjunction with the proper use of technology will help you minimize your exposure to fraud.
- 28. Questions??