Information Systems 365/765
Information Systems Security and Strategy
Lecture 7
Social Engineering
Today’s Chocolate Bar

• Nestle Crunch,
  created in 1938
• Current slogan is “For the kid in you”… BORING
• Bunch-a-crunch
  controversy
• "Betcha Can't
  Crunch This!"
WARNING
• I use REAL people as
  examples in this presentation
• I do this not to mock them, or
  intimidate them, but to
  impress upon them in the
  most real way I know of, the
  importance of sharing
  information about themselves
  only on a “need to know
  basis” in public forums
Social Engineering

• No matter how many security measures you introduce, there is one which proves to be the most challenging…
• How do we secure human
  beings?
Social Engineering Defined

• The use of psychological tricks
  in order to get useful
  information about a system
• Using psychological tricks to
  build inappropriate trust
  relationships with insiders
Kevin Mitnick

• World’s most famous Social
  Engineer
• “The weakest link in the
  security chain is the human
  element”
• Half of his exploits involved
  using social engineering
• See the master in action!
Social Engineering
• Social Engineering goes back
  to the first lie ever told and
  will continue into the future.
• Social Engineering is successful because people are generally helpful, especially to those who are:
  • Nice
  • Knowledgeable
  • Insistent
Three Primary Methods of Social
          Engineering

• Flattery
• Authority Impersonation
• Threatening Behavior
Helpful By Default

• We don’t see a motive to hack our network. “If I see it every day, it can’t be important.”
• Industrial Espionage
• Revenge
• Just for fun
How Does It Happen?

• “An ounce of prevention is
  worth a pound of cure!”
• The Social Engineer uses
  simple information found
  online, or by making a basic
  phone call into the office
• That stuff really isn’t that easy
  to get…Don’t be dramatic!
Let’s Set Up a Case Scenario Using a Method Called Pretexting
• Meet Angry Cow
• Computer Science Student at
  UW-Madison
• Angry Cow just got an eviction
  notice
Case Continued – Simple Public Information is Found
• Angry Cow lives at the
  Regent
• The Regent’s website
  indicates that it is
  owned by Steve Brown
  Properties
• Angry Cow wants to
  “fix” Steve Brown’s
  record keeping
  spreadsheet to show
  that rent has been paid
Next – Finding A Way In…
• Facebook is Angry Cow’s first
  weapon of choice because it is an
  unofficial source of information
• Poor controls over data sharing
• Lots of important information there
  that might not seem important,
  but could be his first step in…
• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See – Danielle Treu

• Born July 24, 1988
• Enjoys playing in the rain,
  drinking coffee and spending
  money
• Works at Subway and as a
  Resident Assistant for Steve
  Brown Apartments
Let’s See – David Klabanoff

• Born April 21, 1979
• Likes Star Wars and
  The Muppet Movie
• Is a Concierge for
  Steve Brown
  Apartments
Let’s See – Andrew Baldinger – I think I might know this guy!
• March 30, 1986
• Likes kayaking,
  exploring, and
  getting lost
• Lives at the
  Regent
• Works as a
  Technology
  Support Specialist
  for Steve Brown
  Apartments!
Let’s Start with Danielle Treu

• Her Facebook profile is public,
  but she is intelligent. She
  keeps her contact information
  private
• But, her profile does say that
  she attends UW-Madison…
• I wonder if they have some
  more public information about
  her
The Research, Phase II
• I’m so thankful for the UW
  Whitepages!
• Remember, this is PUBLIC
  information!
• I got her email address!
Primary Contact
Establishing the Trust
• Danielle talks to David, and
  since David trusts Danielle as
  an “insider”, this trust
  transfers to the fake Andrew
• Angry Cow shows up later that
  day, David is expecting him
• Angry Cow identifies himself as Andrew and asks David for the key to the server room
The Hack
• Angry Cow gets physical access to the server and uses Ophcrack (just like we did in class to get the Admin username)
• Angry Cow logs into server
  and alters accounting files to
  indicate that his rent has been
  paid
Summary of This Example
• Search for public information
  about your target, using both
  official and unofficial sources
• Build a trust ladder: Julie trusts Andrew and David trusts Julie, therefore David will trust Andrew, even if “Andrew” really is Angry Cow!
• Build a credible story
• Based on PRETEXTING
Let’s Watch Another Example

• Silence of the Lambs Movie
  scene

• Notice how they both establish
  trust through the use of
  kindness or perceived
  kindness
How to Keep Social Engineering
        From Working

• Administrators need to:
  • Establish policies
  • Train employees
  • Run drills
• Office workers need to:
  • Be aware of Social Engineering tactics
  • Follow policies
Let’s Watch the AT&T Internal Social Engineering Training Video
• Which Social Engineering
  techniques can you identify in
  the video? (Flattery,
  Authority, Threats)
• How would you CLASSIFY this video? (Remember Data Classification)
• What is going on at AT&T?
Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
Pretexting

• It's more than a simple lie as it
  most often involves some prior
  research or set up and the use of
  pieces of known information (e.g.
  for impersonation: date of birth,
  Social Security Number, last bill
  amount) to establish legitimacy in
  the mind of the target.
Is This Really a Threat to Businesses? PRETEXTING

• So far, this just looks
  like a technique
  employed by angry
  individuals.
• Did you know that
  Hewlett Packard
  regularly engaged in
  Social Engineering?
• They used the method
  of PRETEXTING in
  order to get phone
  records
• Let’s watch the
  testimony of Patricia
  Dunn, Director of HP
Pretexting Will Likely Continue
• As most U.S. companies still
  authenticate a client by asking
  only for a Social Security
  Number, date of birth, or
  mother's maiden name, the
  method is effective in many
  criminal situations and will
  likely continue to be a security
  problem in the future.
• Pretexting is the most
  common form of Social
  Engineering
Phishing

• Phishing is the use of email as a
  means to extract personal
  information from a user
• A variant is called IVR Phone
  Phishing
Phishing Continued
• Direct you towards bogus
  (fake) websites
• Purpose is to harvest
  information
• PayPal example – I don’t even
  have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!
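The PayPal example on this slide (a message that claims to come from PayPal but links to a bogus site) is exactly the pattern a mail filter can catch mechanically: compare where a link says it goes with where it actually goes. The code below is an added teaching example, not part of the original lecture deck; the sample message, the 192.0.2.10 address, the lookalike domain and the tiny brand allow-list are all constructed for the demo.

```python
"""Phishing-link check: flag anchors whose visible text or domain
suggests one site while the href actually leads somewhere else.

Added teaching example for the "Phishing Continued" slide; it is not
code from the original lecture.  The email body, the IP address and
the lookalike domain below are constructed for the demo, and the tiny
brand allow-list is an assumption for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message: it claims to come from PayPal, as in the
# slide's example, but two of its three links lead elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Please sign in at <a href="http://paypal.example-secure-login.test/verify">
https://www.paypal.com/login</a> to restore access.</p>
<p>Or visit <a href="http://192.0.2.10/pp">our help center</a>.</p>
<p>Unsubscribe: <a href="https://www.paypal.com/unsub">www.paypal.com</a></p>
"""

# Assumed, deliberately tiny allow-list of brand -> domain the brand
# legitimately uses; a real mail filter would maintain a large one.
KNOWN_BRANDS = {"paypal": "paypal.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_named_by(text):
    """Hostname that a link's visible text names, or None if the text
    is ordinary words ("our help center") rather than a URL or domain."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:
        return None
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", host) else None


def registrable_domain(host):
    """Last two labels of a hostname.  This ignores multi-part public
    suffixes such as co.uk; a production check would consult the
    public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html_body):
    """Return [(href, [reasons])] for every anchor that looks deceptive."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        target = urlparse(href).hostname or ""
        reasons = []

        # 1. Link target is a bare IP address instead of a domain name.
        try:
            ipaddress.ip_address(target)
            reasons.append("href points at a bare IP address")
        except ValueError:
            pass

        # 2. Visible text names one site, the href goes to another.
        shown = host_named_by(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"text shows {shown} but href goes to {target}")

        # 3. A known brand name is embedded in a domain the brand does not own.
        for brand, legit in KNOWN_BRANDS.items():
            if brand in target.lower() and registrable_domain(target) != legit:
                reasons.append(f"'{brand}' used inside unrelated domain {target}")

        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the check reports the lookalike link twice (text/href mismatch and the brand name inside an unrelated domain) and the bare-IP link once, while the genuine unsubscribe link passes. The same three heuristics are what the slide's “don’t click on links directly” advice asks a human to apply by hand.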
TROJAN HORSE

• Is a virus or malware, disguised in such a way as to appeal to a person’s curiosity or greed
• Usually arrives in the form of an
  email with an attachment
• ILOVEYOU virus is an example of
  a Trojan Horse
• Adware hiding inside downloads is
  another example
Road Apples
• Road Apples are also known as
  Baiting
• Uses physical media and relies on
  the curiosity or greed of the
  victim
• USB drives or CDs found in the
  parking lot, with label: 3M
  Executive Salaries
• Autorun on inserted media
Quid Pro Quo
• Means “something for
  something”
• A person contacts people one
  by one, until he/she finds a
  person with a problem
• When they find a person, they
  “fix” their problem by
  introducing malware to their
  machine
Summary – Today’s Takeaways

• Social Engineering involves
  manipulating others to get
  access
• Main techniques are: Flattery,
  Authority, Threatening
• Main types are: Pretexting,
  Phishing, Trojan Horses and
  Quid Pro Quo
Ways to Combat Social Engineering
• Good security policy
• Make sure your employees
  understand dangers and
  threats
• Make sure employees
  understand what Data
  Classification means and what
  type of information you
  publicly give away
Most Important Gem of Wisdom in Defeating Social Engineering
• Never, never give out a username, password, account number, SSN, etc. over the same channel used to initiate the request
• For example, if a phone call
  comes in, asking for a SSN, send
  the SSN via email or regular mail

Mais conteúdo relacionado

Mais procurados

People. The Social Engineer's Dream - TechPulse 2017
People.  The Social Engineer's Dream - TechPulse 2017People.  The Social Engineer's Dream - TechPulse 2017
People. The Social Engineer's Dream - TechPulse 2017Evan Francen
 
Digital Responsibility: towards a new world order ?
Digital Responsibility: towards a new world order ?Digital Responsibility: towards a new world order ?
Digital Responsibility: towards a new world order ?University of Geneva
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySecurity B-Sides
 
Breach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsBreach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsPaul W. Taylor
 
ImageQuest_Newsletter_July_Milton copy
ImageQuest_Newsletter_July_Milton copyImageQuest_Newsletter_July_Milton copy
ImageQuest_Newsletter_July_Milton copyAlisa Alvich
 
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007Jason Hong
 
Digitalcitizenproject
DigitalcitizenprojectDigitalcitizenproject
DigitalcitizenprojectJennMinor
 
Cyber security for kids
Cyber security for kidsCyber security for kids
Cyber security for kidsChris Burrows
 
Blitzing with your defense bea con
Blitzing with your defense bea conBlitzing with your defense bea con
Blitzing with your defense bea conInnismir
 
Cyber Security for 5th and 6th Graders
Cyber Security for 5th and 6th GradersCyber Security for 5th and 6th Graders
Cyber Security for 5th and 6th GradersStephen Thomas, CISSP
 
Empowerment technology cyberbullying aurino guttan
Empowerment technology   cyberbullying aurino guttanEmpowerment technology   cyberbullying aurino guttan
Empowerment technology cyberbullying aurino guttanRonaldAlistair
 
Cyber Safety Presentation to Hadley Farms Middle School - April 2013
Cyber Safety Presentation to Hadley Farms Middle School - April 2013Cyber Safety Presentation to Hadley Farms Middle School - April 2013
Cyber Safety Presentation to Hadley Farms Middle School - April 2013Steve Peterson, CEM
 
Cyberbullying - The Big Problem
Cyberbullying - The Big ProblemCyberbullying - The Big Problem
Cyberbullying - The Big ProblemGail Rebuck
 
Privacy Culture V 2
Privacy Culture V 2Privacy Culture V 2
Privacy Culture V 2Brian Rowe
 
Privacy Culture
Privacy CulturePrivacy Culture
Privacy CultureBrian Rowe
 

Mais procurados (19)

People. The Social Engineer's Dream - TechPulse 2017
People.  The Social Engineer's Dream - TechPulse 2017People.  The Social Engineer's Dream - TechPulse 2017
People. The Social Engineer's Dream - TechPulse 2017
 
Kevin Mitnick
Kevin Mitnick Kevin Mitnick
Kevin Mitnick
 
Digital Responsibility: towards a new world order ?
Digital Responsibility: towards a new world order ?Digital Responsibility: towards a new world order ?
Digital Responsibility: towards a new world order ?
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
Breach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsBreach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good Governments
 
ImageQuest_Newsletter_July_Milton copy
ImageQuest_Newsletter_July_Milton copyImageQuest_Newsletter_July_Milton copy
ImageQuest_Newsletter_July_Milton copy
 
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
 
Retweet, not reteach!
Retweet, not reteach!Retweet, not reteach!
Retweet, not reteach!
 
Digitalcitizenproject
DigitalcitizenprojectDigitalcitizenproject
Digitalcitizenproject
 
Cyber security for kids
Cyber security for kidsCyber security for kids
Cyber security for kids
 
Blitzing with your defense bea con
Blitzing with your defense bea conBlitzing with your defense bea con
Blitzing with your defense bea con
 
Cyber Security for 5th and 6th Graders
Cyber Security for 5th and 6th GradersCyber Security for 5th and 6th Graders
Cyber Security for 5th and 6th Graders
 
Empowerment technology cyberbullying aurino guttan
Empowerment technology   cyberbullying aurino guttanEmpowerment technology   cyberbullying aurino guttan
Empowerment technology cyberbullying aurino guttan
 
Olmv cyberbullying
Olmv cyberbullyingOlmv cyberbullying
Olmv cyberbullying
 
Cyber Safety Presentation to Hadley Farms Middle School - April 2013
Cyber Safety Presentation to Hadley Farms Middle School - April 2013Cyber Safety Presentation to Hadley Farms Middle School - April 2013
Cyber Safety Presentation to Hadley Farms Middle School - April 2013
 
Cyber ethics
Cyber ethicsCyber ethics
Cyber ethics
 
Cyberbullying - The Big Problem
Cyberbullying - The Big ProblemCyberbullying - The Big Problem
Cyberbullying - The Big Problem
 
Privacy Culture V 2
Privacy Culture V 2Privacy Culture V 2
Privacy Culture V 2
 
Privacy Culture
Privacy CulturePrivacy Culture
Privacy Culture
 

Semelhante a Social Engineering

Social engineering
Social engineeringSocial engineering
Social engineeringMaulik Kotak
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringPrem Lamsal
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...Infosecurity2010
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Social engineering The Good and Bad
Social engineering The Good and BadSocial engineering The Good and Bad
Social engineering The Good and BadTzar Umang
 
Introduction to Cybersecurity - Secondary School_0.pptx
Introduction to Cybersecurity - Secondary School_0.pptxIntroduction to Cybersecurity - Secondary School_0.pptx
Introduction to Cybersecurity - Secondary School_0.pptxShubhamGupta833557
 
Social Engineering, or hacking people
Social Engineering, or hacking peopleSocial Engineering, or hacking people
Social Engineering, or hacking peopleTudor Damian
 
Cyber Security Awareness October 2014
Cyber Security Awareness October 2014Cyber Security Awareness October 2014
Cyber Security Awareness October 2014Donald E. Hester
 
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptxCapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptxCapitolTechU
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering?    An illustrated presentation.What is Social Engineering?    An illustrated presentation.
What is Social Engineering? An illustrated presentation.Pratum
 
Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...Justin Denton
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersJoel Cardella
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side...
 Cybercrime and the Developer: How to Start Defending Against the Darker Side... Cybercrime and the Developer: How to Start Defending Against the Darker Side...
Cybercrime and the Developer: How to Start Defending Against the Darker Side...Steve Poole
 
Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)Marta Barrio Marcos
 
Social Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewSocial Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewPeter Wood
 
Jax london2016 cybercrime-and-the-developer
Jax london2016 cybercrime-and-the-developerJax london2016 cybercrime-and-the-developer
Jax london2016 cybercrime-and-the-developerSteve Poole
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917Evan Francen
 

Semelhante a Social Engineering (20)

Social engineering
Social engineeringSocial engineering
Social engineering
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineering
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs U...
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Social engineering The Good and Bad
Social engineering The Good and BadSocial engineering The Good and Bad
Social engineering The Good and Bad
 
Introduction to Cybersecurity - Secondary School_0.pptx
Introduction to Cybersecurity - Secondary School_0.pptxIntroduction to Cybersecurity - Secondary School_0.pptx
Introduction to Cybersecurity - Secondary School_0.pptx
 
Social Engineering, or hacking people
Social Engineering, or hacking peopleSocial Engineering, or hacking people
Social Engineering, or hacking people
 
Cyber Security Awareness October 2014
Cyber Security Awareness October 2014Cyber Security Awareness October 2014
Cyber Security Awareness October 2014
 
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptxCapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering?    An illustrated presentation.What is Social Engineering?    An illustrated presentation.
What is Social Engineering? An illustrated presentation.
 
Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of users
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side...
 Cybercrime and the Developer: How to Start Defending Against the Darker Side... Cybercrime and the Developer: How to Start Defending Against the Darker Side...
Cybercrime and the Developer: How to Start Defending Against the Darker Side...
 
Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)
 
Social Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewSocial Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's View
 
Jax london2016 cybercrime-and-the-developer
Jax london2016 cybercrime-and-the-developerJax london2016 cybercrime-and-the-developer
Jax london2016 cybercrime-and-the-developer
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917
 

Mais de Nicholas Davis

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentNicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsNicholas Davis
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development MethodologiesNicholas Davis
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityNicholas Davis
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Nicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Nicholas Davis
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewNicholas Davis
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectNicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...Nicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Nicholas Davis
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing EducationNicholas Davis
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An OverviewNicholas Davis
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNicholas Davis
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Nicholas Davis
 

Mais de Nicholas Davis (20)

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) Assessment
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support Systems
 
Lecture blockchain
Lecture blockchainLecture blockchain
Lecture blockchain
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development Methodologies
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD Security
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets Personal
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team Project
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up Summary
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing Education
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security Implications
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
 

Social Engineering

How Does It Happen?

• “An ounce of prevention is worth a pound of cure!”
• The social engineer uses simple information found online, or obtained with a basic phone call into the office
• The usual objection: “That stuff really isn’t that easy to get… Don’t be dramatic!”

Let’s Set Up a Case Scenario Using a Method Called Pretexting

• Meet Angry Cow
• Computer Science student at UW-Madison
• Angry Cow just got an eviction notice

Case Continued – Simple Public Information Is Found

• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record-keeping spreadsheet to show that rent has been paid

Next – Finding a Way In…

• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of information there that might not seem important, but could be his first step in
• Go to Facebook and search “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See – Danielle Treu

• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments

Let’s See – David Klabanoff

• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments

Let’s See – Andrew Baldinger – I Think I Might Know This Guy!

• Born March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments!

Let’s Start with Danielle Treu

• Her Facebook profile is public, but she is intelligent: she keeps her contact information private
• But her profile does say that she attends UW-Madison…
• I wonder if they have some more public information about her

The Research, Phase II

• I’m so thankful for the UW Whitepages!
• Remember, this is PUBLIC information!
• I got her email address!
Establishing the Trust

• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
• Angry Cow shows up later that day; David is expecting him
• Angry Cow identifies himself as Andrew and asks David for the key to the server room

The Hack

• Angry Cow gets physical access to the server and uses Ophcrack (just like we did in class) to recover the Administrator password from its hash
• Angry Cow logs into the server and alters the accounting files to indicate that his rent has been paid

Summary of This Example

• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Danielle trusts “Andrew” and David trusts Danielle, therefore David will trust “Andrew”, even if “Andrew” really is Angry Cow!
• Build a credible story
• Based on PRETEXTING
Let’s Watch Another Example

• Silence of the Lambs movie scene
• Notice how they both establish trust through the use of kindness or perceived kindness

How to Keep Social Engineering From Working

• Administrators need to:
• Establish policies
• Train employees
• Run drills
• Office workers:
• Need to be aware of social engineering tactics
• Follow policies

Let’s Watch the AT&T Internal Social Engineering Training Video

• Which social engineering techniques can you identify in the video? (Flattery, Authority, Threats)
• How would you CLASSIFY this video? (Remember Data Classification)
• What is going on at AT&T?

Pretexting

• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
• It is more than a simple lie: it most often involves some prior research or setup and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Is This Really a Threat to Businesses? PRETEXTING

• So far, this just looks like a technique employed by angry individuals.
• Did you know that Hewlett-Packard used social engineering? In 2005–2006 HP’s board, hunting for the source of leaks to the press, hired investigators who used PRETEXTING to obtain the private phone records of directors and journalists
• Let’s watch the testimony of Patricia Dunn, then Chairman of HP’s board

Pretexting Will Likely Continue

• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother’s maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is the most common form of social engineering
Phishing

• Phishing is the use of email as a means to extract personal information from a user
• A variant is called IVR phone phishing (“vishing”): the victim is told to call a number that leads to a fake automated menu which asks for account details

Phishing Continued

• Directs you toward bogus (fake) websites
• Purpose is to harvest information
• PayPal example – I don’t even have a PayPal account!
• Use common sense!
• Don’t click on links directly! The visible text of a link and its real destination can differ; type the site’s address yourself
• Phishing filter!
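The “don’t click on links directly” advice can be made mechanical. The following script is an added example for this page, not code from the lecture: it pulls every link out of a constructed phishing-style HTML email and reports why each one is suspicious (visible text naming a different host than the href, a bare IP address, a brand name sitting on a domain that is not the brand’s, a punycode label, and the user@host trick). SAMPLE_EMAIL, the lookalike domains in it and the TRUSTED_BRAND_DOMAINS allow-list are assumptions made for the demo.

```python
"""Flag suspicious links in an HTML email body (phishing triage).

Added example for this lecture page, not part of the original slides.
SAMPLE_EMAIL and the domains in it are constructed for the demo;
TRUSTED_BRAND_DOMAINS is an assumed allow-list of brands the recipient uses.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only brand this recipient actually has an account with.
TRUSTED_BRAND_DOMAINS = {"paypal": "paypal.com"}

# Constructed sample: three phishing tricks followed by one legitimate link.
SAMPLE_EMAIL = """
<p>Dear PayPal customer, your account has been limited.</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<a href="http://192.0.2.10/pp/">Click here to restore access</a>
<a href="http://www.paypal.com@203.0.113.5/">www.paypal.com</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (crude eTLD+1; fine for .com-style demo hosts)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text):
    """Return the reasons this link looks like phishing; an empty list means none found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    # 1. Visible text shows one site, href goes to another.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
            reasons.append(f"display text shows {shown.hostname} but href goes to {host}")

    # 2. Bare IP address instead of a host name.
    try:
        ipaddress.ip_address(host)
        reasons.append("href uses a bare IP address")
    except ValueError:
        pass

    # 3. Brand name appears, but the registrable domain is not the brand's.
    for brand, real in TRUSTED_BRAND_DOMAINS.items():
        if brand in (text + href).lower() and registrable_domain(host) != real:
            reasons.append(f"mentions {brand} but domain is {registrable_domain(host)}, not {real}")

    # 4. Punycode label: possible IDN homograph (a Cyrillic letter swapped into the brand name).
    if "xn--" in host:
        reasons.append("host contains a punycode label (possible homograph)")

    # 5. user@host trick: the browser ignores everything before '@'.
    if parsed.username:
        reasons.append(f"URL puts '{parsed.username}@' in front of the real host {host}")

    return reasons


def analyse_email(html):
    """Return [(href, text, reasons), ...] for every link in the message."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, analyse_link(href, text)) for href, text in extractor.links]


def suspicious_links(html):
    """Just the hrefs that tripped at least one check."""
    return [href for href, _, reasons in analyse_email(html) if reasons]


if __name__ == "__main__":
    for href, text, reasons in analyse_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"[{verdict}] {text!r} -> {href}")
        for r in reasons:
            print("    -", r)
```

Run on the sample, the first three links are flagged and the genuine help-centre link passes clean. The checks are heuristics: the registrable-domain helper ignores multi-label public suffixes such as co.uk, and a phisher who registers a brand-free domain and writes neutral anchor text defeats checks 1 and 3, which is exactly why the slide’s advice to type the address yourself still stands.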
Trojan Horse

• Malware disguised in such a way as to appeal to a person’s curiosity or greed (a trojan is defined by the disguise, not by how it spreads)
• Usually arrives in the form of an email with an attachment
• The ILOVEYOU worm (2000) is the classic example of the lure: a VBScript attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, which Windows displayed as a harmless .TXT file because known extensions were hidden by default
• Adware hiding inside downloads is another example
Road Apples

• Road apples are also known as baiting
• Uses physical media and relies on the curiosity or greed of the victim
• USB drives or CDs “found” in the parking lot, labelled “3M Executive Salaries”
• Classic payload: an autorun.inf that launches the malware as soon as the media is inserted. Windows 7 and later (and patched XP/Vista) ignore autorun.inf on USB flash drives, so current bait usually relies on the victim double-clicking a file disguised as a document instead
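The mechanism the slide names, autorun on inserted media, is driven by a small autorun.inf at the root of the drive. The script below is an added example for this page, not code from the lecture: it triages such a file the way you would before plugging a “found” drive into anything that matters, parsing the [autorun] section and flagging the launcher keys, double extensions that make an .exe look like a spreadsheet, and the borrowed folder icon and AutoPlay caption that complete the disguise. SAMPLE_AUTORUN and the file names in it are constructed for the example.

```python
"""Triage an autorun.inf from 'found' removable media (road apple / baiting).

Added example for this lecture page, not from the original slides. SAMPLE_AUTORUN
and the file names in it are constructed to look like the bait the slide describes.
"""
import configparser

# Constructed bait: an .exe dressed up as a spreadsheet, with a stock folder icon
# and a friendly AutoPlay caption so the user thinks they are just opening a folder.
SAMPLE_AUTORUN = """\
[AutoRun]
open=Salaries\\3M_Executive_Salaries.xls.exe
shell\\open\\command=Salaries\\3M_Executive_Salaries.xls.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=3M Executive Salaries
action=Open folder to view files
"""

# Extensions Windows will execute directly when named in open= / shellexecute=.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta", ".msi"}


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":  # Windows treats the section name case-insensitively
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def launch_targets(autorun):
    """Keys that make Windows run something: open=, shellexecute=, shell\\<verb>\\command=."""
    return {k: v for k, v in autorun.items()
            if k in ("open", "shellexecute") or k.endswith("\\command")}


def triage(text):
    """List the reasons this autorun.inf is dangerous; an empty list means nothing would launch."""
    autorun = parse_autorun(text)
    launchers = launch_targets(autorun)
    findings = []

    for key, target in launchers.items():
        path = target.split()[0] if target else ""  # drop any command-line arguments
        name = path.rsplit("\\", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXT:
            findings.append(f"{key}= launches an executable: {path}")
            if name.count(".") >= 2:
                findings.append(f"{key}= target uses a double extension to pose as a document: {name}")

    if launchers and "shell32.dll" in autorun.get("icon", "").lower():
        findings.append("icon= borrows a stock Windows icon so the drive looks like a plain folder")
    if launchers and autorun.get("action"):
        findings.append(f"action= hides the real command behind the caption {autorun['action']!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN) or ["nothing would auto-launch"]:
        print("-", finding)
```

The same double-extension trick carries over to the modern variant where nothing auto-runs and the victim opens the file by hand, so the `name.count(".") >= 2` check is worth applying to every file on the drive, not only the one autorun.inf points at.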
Quid Pro Quo

• Means “something for something”
• The attacker contacts people one by one (typically posing as IT support) until he/she finds a person with a problem
• When they find one, they “fix” the problem, and in the process introduce malware to the victim’s machine

Summary – Today’s Take-Aways

• Social engineering involves manipulating others to get access
• Main techniques are: Flattery, Authority, Threatening
• Main types are: Pretexting, Phishing, Trojan Horses, Baiting and Quid Pro Quo

Ways to Combat Social Engineering

• Good security policy
• Make sure your employees understand the dangers and threats
• Make sure employees understand what Data Classification means and what type of information you publicly give away
Most Important Gem of Wisdom in Defeating Social Engineering

• Never, never give out a username, password, account number, SSN, etc. over the same channel used to initiate the request
• For example, if a phone call comes in asking for an SSN, hang up and call the organization back on a number you already have (from your statement or the directory), not one the caller gives you. The point is that you choose the channel and confirm who is on the other end. Email is not a safe place for an SSN or a password either: it is neither authenticated nor, by default, encrypted