Social engineering is not just a supporting process to obtain system access; it could be the main attack. Organizations that focus only on a narrow definition of social engineering as an attack vector to obtain system access will fail to create awareness of all other possible social engineering attack methods.
Social Engineering - Human aspects of industrial and economic espionage
1. Social Engineering
Human aspects of industrial and economic espionage
Marin Ivezic
Cyber Agency
www.cyberagency.com
October, 2001
2. SOME KNOWN CASES
Johnson & Johnson vs. Bristol-Myers
Johnson Controls vs. Honeywell
Boeing vs. Airbus
Cyber Agency | www.cyberagency.com2
3. SUBJECTS OF TODAY’S DISCUSSION…
1. Industrial and economic espionage using Social Engineering
2. Industrial and economic espionage countermeasures
It’s not just smart business!
4. DEFINITION OF SOCIAL ENGINEERING
“Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.”
(Rogers & Berti, 2001)
5. EXTENDED DEFINITION OF SOCIAL ENGINEERING
Any kind of psychological manipulation used to obtain private or sensitive information, or to force the target to perform some action to the target’s disadvantage.
(Ivezic, 1998)
6. Context for Social Engineering: DEFINITION OF COMPETITIVE INTELLIGENCE
“Competitive intelligence (CI) is the process of monitoring the competitive environment. CI enables senior managers in companies of all sizes to make informed decisions about everything from marketing, R&D, and investing tactics to long-term business strategies. Effective CI is a continuous process involving the legal and ethical collection of information, analysis that doesn't avoid unwelcome conclusions, and controlled dissemination of actionable intelligence to decision makers.”
Source: Society of Competitive Intelligence Professionals
“Competitive intelligence is a systematic program for gathering and analyzing information about your competitors’ activities and general business trends to further your own company’s goal.”
Source: Larry Kahaner, “Competitive Intelligence”
7. Context for Social Engineering: DEFINITION OF COMPETITIVE INTELLIGENCE
White - company publications, public records, commercial reporting sources
Gray - Not readily available, but can be obtained without civil/criminal liability
Black - Obtained through unethical or illegal means. Can result in civil and/or criminal sanctions.
Black = Espionage
8. Context for Social Engineering: DEFINITION OF ESPIONAGE
Espionage: Information collection operations performed in an unethical and/or unlawful manner
Economic Espionage: Government intelligence operation aimed at acquiring the economic secrets of a foreign country, including information about trade policies and the trade secrets of its companies.
Industrial Espionage: Intelligence operations conducted by one corporation against another for the purpose of acquiring a competitive advantage in domestic and global markets.
9. COUNTRIES INFAMOUS FOR ECONOMIC ESPIONAGE
• USA
• Japan
• China
• Russia
• Germany
• France
• UK
• Israel
• South Korea, India, Pakistan, Argentina and others…
10. WHY NOW?
Modern Business Eras (figure): Machinery (1940s); Capital / Labor (1950-60s); Information (1980-90s); Knowledge (Intelligence) (2000s). Figure labels: Mechanical, Technology, Investment, Computers, Intelligence.
Modern Business Drivers
• The pace of business has increased and will keep increasing.
• Most businesses are now in information overload.
• Increased global competition.
• Economic competition has become war.
• Political changes ripple more quickly than in the past.
• Technology changes are more rapid.
• Availability of ex cold-war spies.
12. SECURITY THREATS - Adversary Motivation
Who thinks we are important? Or interesting?
Competitors, Suppliers, Customers, Investors, Critics, Regulators, Hackers
National Intelligence: Information for Political, Military, Economic Advantage
Information Warfare: Military Advantage, Chaos, Target Damage
Terrorists: Visibility, Publicity, Chaos, Political Change
Industrial Espionage: Competitive Advantage, Revenge
Organized Crime: Monetary Gain, Revenge
Insider: Revenge, Financial Gain, Institutional Change
Hacker: Thrill, Challenge, Prestige
13. HOW IS IT DONE?
Myths
• Industrial spies are well trained James Bonds that can get anything they want
• Hackers are geniuses that can look at a computer and take it over
• It takes super advanced methods and a billion dollars in new research to figure out how to stop them
Reality
• “Spies” are putzes that do nothing brilliant
• They take advantage of what they have access to
• They abuse human nature
• They luck into it, because there are no or minimal countermeasures
14. WHY IS SE SO EFFECTIVE?
(Figure: Technical, People, Physical)
• The Security Field has focused primarily on technical security and protection of physical assets
• Security is only as strong as the weakest link - People are the weakest link
• Why spend time attacking the technology when a person will give you access or information
• Extremely hard to detect as there is no IDS for “lack of common sense” or, more appropriately, ignorance
15. WHY IS SE SO EFFECTIVE?
Two Primary Factors: Business Environment and Human Nature
Business Environment: Service Oriented, Time Crunch, Distributed, Outsourcing, Virtual Offices
Human Nature: Helpful, Trusting, Naive
16. ANATOMY OF AN SE ATTACK
Very similar to how intelligence agencies infiltrate their targets. Usually a very methodical, 3-phased approach:
Step 1 - Intelligence gathering
• Primarily Open Source Information such as: Dumpster diving, Web pages, Ex-employees, Contractors, Vendors, Partners
Step 2 - Target selection
• Looking for weaknesses in the organization’s personnel: Help desk, Tech support, Reception, Admin. support, Etc.
Step 3 - The attack
• Commonly known as the con
• Three broad categories of attack: Ego attacks, Sympathy attacks, Intimidation attacks.
• Other elicitation techniques …
17. COMMON SE ATTACKS
1. Ego attacks
Attacker appeals to the vanity, or ego, of the victim
Usually targets someone they sense is frustrated with their current job position
The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
Attacker may pretend to be law enforcement; the victim feels honored to be helping
Victim usually never realizes
18. COMMON SE ATTACKS
2. Sympathy attacks
Attacker pretends to be a fellow employee (new hire), contractor, employee or a vendor, etc.
There is some urgency to complete some task or obtain some information
Needs assistance or they will be in trouble or lose their job etc.
Plays on the empathy & sympathy of the victim
Attackers “shop around” until they find someone who will help
Very successful attack
19. COMMON SE ATTACKS
3. Intimidation attacks
Attacker pretends to be someone influential, an authority figure, and in some cases law enforcement
Attempts to use their authority to coerce the victim into cooperation
If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges etc.)
If they pretend to be Law Enforcement they will claim the investigation is hush hush and not to be discussed etc.
20. OTHER ELICITATION TECHNIQUES
• Elicitation
• Interview process which avoids direct questions and employs a conversational style to reduce concerns and suspicions…
• Collecting information without asking questions.
21. ELICITATION - CONVERSATIONAL HOURGLASS
• People remember questions more clearly and longer
• People remember the beginning and end of a conversation
• Concentration is on the “muddle in the middle”
Style
• Innocuous and non-threatening
• Testing of generalizations and presumptions about human factors in elicitation
• Reading signals from source
• Pleasant and non-confrontational
Elements
• Pre-selected introductory questions about general topics
• Stacking of elicitation techniques
• Attention to details of information being provided
• Additional “cool down” questions about other general topics
What you already know
• personal/professional background
• techniques that have worked well before
• areas of expertise or knowledge
(Hourglass figure: Macro topics at the start, Micro topics in the middle, Macro topics at the end)
22. WHY DOES IT HAPPEN?
A natural tendency
• to need recognition (as an expert)
• toward self-effacement
• to correct, advise, challenge others
• to prove others wrong
• to discuss things that are not their concern
• to gossip
• not to be able to keep secrets
• to underestimate the value of information
• toward indiscretion when not in control of one’s
emotions
• to show off (professionally)
• to complain
(Nolan 2000)
23. TYPICAL ELICITATION TOOLS
1. Provocative statements evoking:
– quid pro quo
– naïveté
– disbelief
– criticism
2. quid pro quo
3. Simple flattery
4. Exploiting the instinct to complain
5. Word repetition vs. “emphatic loading”
6. Quotation of reported facts(?)
7. Naïveté
8. Oblique reference
9. Criticism
10. Bracketing
11. Feigned or real disbelief
12. Purposely erroneous statement
(Nolan 2000)
25. DEFENSE FRAMEWORK
(Figure: People, Process, Technology, Organization)
Effective Policies
• Enforcement of effective policies
• Staff knowledge and skill development
Secure Systems
Technology implementation for end-to-end security
Managed Processes
Effective support structure
Security is not about products - it is the effective management of processes between Policy, Technology and Support Structure
(Nolan 2000)
26. THERE ARE MANY WAYS TO “BUG” A ROOM
Find professionals!
(Nolan 2000)
27. COUNTERINTELLIGENCE
Measures to prevent a competitor from gaining data or knowledge
that could give them competitive advantage over your company.
• What assets, resources & information should be protected?
(e.g., new technologies, new products/services)
• How can you safeguard what might be penetrated?
(Nolan 2000)
29. PROTECTION – COST vs. BENEFITS
▪ What is the cost vs. benefit?
▪ Are you creating another vulnerability?
▪ How long is the countermeasure needed?
(Chart: Cost of Losses vs. Cost of Security)
(Nolan 2000)
31. OPERATIONS VULNERABILITIES
Procedures in Practice
• Sales & Marketing
• Public Relations
• Help Wanted Ads
• Internet Usage
• Credit Cards and other travel records
• Telephone records and conversations
• Casual conversations
• Supplier records
• Personal aggrandizement
• Taking work home
• Poor incident-reporting procedures
• Human weaknesses
(Nolan 2000)
32. OPERATIONS COUNTERMEASURES
1. Awareness Training
2. Classifying Information
3. Security Alert System
4. Reward Programs
5. Callbacks before Disclosing Sensitive Info
– Verifying the Need for Information Access
– Verifying Identities and Purposes
6. Removing Personal Identifiers from Access Badges
7. Nondisclosure/Non-compete Agreements with Employees and business partners
8. Prepublication Reviews for Employees
9. Review of Corporate Releases
10. Strict Guidelines for Marketers and Salespeople
(Nolan 2000)
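As an added example (not from the slides or from Cyber Agency), a small help-desk disclosure gate in Python that applies items 2, 3 and 5 of the list above: information is released only after a callback to the number on record and a need-to-know check, and the pressure signals of the sympathy and intimidation attacks raise a security alert instead of speeding up cooperation. The classification levels, directory entries and phone numbers are constructed.

```python
from dataclasses import dataclass

# Hypothetical classification levels; only PUBLIC leaves without any check.
PUBLIC, INTERNAL, CONFIDENTIAL = 0, 1, 2
# Constructed directory: user -> (role, phone number on record, need-to-know set)
DIRECTORY = {
    "a.novak": ("engineer", "+1-555-0100", {"product-roadmap"}),
    "temp-01": ("contractor", "+1-555-0199", set()),
}

@dataclass
class Request:
    caller: str                 # name the caller gives
    claimed_role: str
    callback_number: str        # number the caller asks us to call back
    classification: int         # level of the information requested
    asset: str                  # which item (e.g. "product-roadmap")
    purpose: str
    refuses_callback: bool = False
    claims_secret_investigation: bool = False

def pressure_indicators(req):
    """Signals of the sympathy / intimidation patterns; they feed the alert system."""
    flags = []
    if req.refuses_callback:
        flags.append("refused-callback")
    if req.claims_secret_investigation:
        flags.append("hush-hush-investigation")
    if any(w in req.purpose.lower() for w in ("urgent", "fired", "trouble")):
        flags.append("urgency-pressure")
    return flags

def decide(req):
    """Return (disclose, reason); identity is confirmed only via the number on record."""
    if req.classification == PUBLIC:
        return True, "public"
    flags = pressure_indicators(req)
    if flags:
        return False, "alert:" + ",".join(flags)
    record = DIRECTORY.get(req.caller)
    if record is None or record[0] != req.claimed_role:
        return False, "identity-unverified"
    _, number_on_record, need_to_know = record
    if req.callback_number != number_on_record:   # caller-supplied number never substitutes
        return False, "callback-number-mismatch"
    if req.classification >= CONFIDENTIAL and req.asset not in need_to_know:
        return False, "no-need-to-know"
    return True, "verified-by-callback"
```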
33. It takes only one… Are You The Weakest Link?
Questions? Experiences?
34. WHO ARE WE?
Penetration Testing and Counter Espionage Consulting
Particular expertise in counter HUMINT
Provides training, consulting, mentoring, testing and regular assessments
100% focused on information protection, counter intelligence, counter espionage
No conflict of interest
We also cover: Penetration testing, Cyber security, Physical security, Technical security