
Social engineering

Social engineering is a means of hacking that fools a person into giving up their data.


  1. Social engineering

  2. Simple Definition
     • Social engineering is a psycho-social attack that subverts human trust and helpfulness in order to attain the attacker's goals.
  3. Outline
     • What is it?
     • How is it done?
     • Who is at risk?
     • Approach?
  4. What is it?
     • Social engineering is the oldest form of hacking.
     • Social engineers focus on the users of the system. By gaining the trust of the user, a social engineer can simply ask for whatever information he or she wants, and usually get it.
  5. The Social Engineer
     • Uses psychological methods
     • Exploits the human tendency to trust
     • Goals are the same as hacking: "the art and science of getting people to comply with your wishes"
  6. Why Social Engineering?
     • Easier than technical hacking
     • Hard to detect and track
  7. A social engineer's mantra: "There is no patch for human stupidity."
  8. The Mind of a Social Engineer
     • More like actors than hackers
     • Learn how people feel by observing their actions
     • Can alter those feelings by changing what they say and do
     • Make the victim want to give them the information they need
  9. How is it done?
     • Attacks come in various forms: on the phone, over e-mail, in-person impersonation
  10. Impersonation
     • Play the part! Social engineers must:
     • Anticipate problems
     • Know the jargon and procedures of the role
  11. Impersonation
     • And most importantly, know how to build trust with whomever they need information from.
     • Social engineers most often impersonate authority figures, assistants to authority figures, and new employees.
  12. More techniques
     • Dummy mode
     • Bury the key question
     • Research (Google)
  13. Over the phone
     • The phone is the most popular method of social engineering because it is difficult to verify or deny someone's identity.
  14. Over e-mail and IM
     • E-mail attacks are very common (phishing).
     • E-mail is also used for impersonation.
     • Obtaining the password for an IM account could lead to access to a bank account and other personal data.
  15. Dumpster diving
     • Digging through the trash at corporations in search of sensitive data.
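As an added example (not code from the original slides), the following Python script triages raw e-mail for the phishing and impersonation tricks described in slide 14: a display name that borrows a trusted domain, a lookalike sender domain, a Reply-To that silently redirects answers, pressure language, and a credential request next to a link to an untrusted site. The trusted-domain list, the homoglyph table, the keyword patterns, the escalation threshold and the two sample messages are all constructed assumptions, not data from the deck.

```python
"""Heuristic phishing triage for the e-mail and IM attacks described above.
Added example, not code from the original slides. TRUSTED_DOMAINS, the
homoglyph table, the keyword patterns and the sample messages are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}
# Assumption: substitutions commonly used to build lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify your (?:password|account))\b", re.I
)
CREDENTIAL = re.compile(r"\b(password|login|credentials|sign in)\b", re.I)
LINK = re.compile(r"https?://([^\s/]+)")


def normalise_domain(domain):
    """Undo common homoglyph swaps so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; one typo away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_trusted(domain):
    """True for a domain that is not trusted itself but impersonates a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    norm_trusted = {normalise_domain(t) for t in TRUSTED_DOMAINS}
    return normalise_domain(domain) in norm_trusted or any(
        edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS
    )


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts (a single-part message counts as one part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def analyse(raw):
    """Return the list of findings for one raw RFC 5322 message (empty when clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply_to)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    findings = []
    # Display name borrows a trusted domain that the real address does not carry.
    if from_dom not in TRUSTED_DOMAINS and any(t in name.lower() for t in TRUSTED_DOMAINS):
        findings.append("display_name_spoof")
    # Sender domain is a homoglyph or one-typo lookalike of a trusted domain.
    if looks_like_trusted(from_dom):
        findings.append("lookalike_sender")
    # Replies are routed to a different domain than the one the reader sees.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")
    # Pressure language is the "fear approach" carried over e-mail.
    if URGENCY.search(text):
        findings.append("urgency_language")
    # A request for credentials next to a link that does not go to a trusted domain.
    if CREDENTIAL.search(text) and any(d.lower() not in TRUSTED_DOMAINS for d in LINK.findall(text)):
        findings.append("credential_link")
    return findings


def is_suspicious(raw):
    """Assumed escalation threshold: two or more independent indicators."""
    return len(analyse(raw)) >= 2


# Constructed sample messages for the demo (not real mail).
PHISH_SAMPLE = """\
From: "IT Helpdesk (example.com)" <helpdesk@examp1e.com>
Reply-To: recover@mail-reset.net
To: alice@example.com
Subject: Urgent: password expires today

Your password expires within 24 hours. Verify your password at
http://examp1e.com/reset immediately or the account will be suspended.
"""
LEGIT_SAMPLE = """\
From: Payroll <payroll@payroll.example.com>
To: alice@example.com
Subject: March payslip available

Your March payslip is now available on the intranet portal.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample), "escalate" if is_suspicious(sample) else "ok")
```

Each check is deliberately cheap and explainable, because the point of slide 14 is that the attack works on the reader, not the mail server: a help-desk analyst can show the user why "examp1e.com" is not their domain. Running the script prints five findings for the constructed phish and none for the constructed payslip notice.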
  16. Outline
     • What is it?
     • How is it done?
     • Who is at risk?
     • Approach?
  17. Who is at risk?
     • Everyone.
     • Everyone with information is a potential target!
  18. Real World Examples
     • 90% of office workers gave away their password for a pen.
     • 70% of people traded their password for a bar of chocolate.
  19. Real World Examples
     • 1/3 of IRS employees provided their user name and changed their password in a 2005 security audit.
     • USC vs. Cal basketball game
  20. Approaches
     • Carelessness
     • Comfort Zone
     • Helpfulness
     • Fear
  21. Careless Approach
     • The victim is careless: does not implement, use, or enforce proper countermeasures
     • Used for reconnaissance: looking for what is lying around
  22. Careless Examples
     • Dumpster diving/trashing: there is a huge amount of information in the trash, and most of it does not seem to be a threat
     • The who, what and where of an organization
     • Knowledge of internal systems
     • Materials for greater authenticity
     • Intelligence agencies have done this for years
  23. Comfort Zone Examples
     • Impersonation: could be anyone, e.g. tech support, a co-worker, the boss, the CEO, a user, maintenance staff
     • Generally two goals: asking for a password, or building access (see the Careless Approach)
  24. Comfort Zone Approach
     • Members of the victim organization are in a comfortable environment
     • Lower threat perception
     • Usually requires the use of another approach
  25. Helpful Approach
     • People generally try to help even if they do not know who they are helping
     • Usually involves being in a position of obvious need
     • The attacker generally does not even ask for the help they receive
  26. Helpful Examples
     • Piggybacking: the attacker trails an employee entering the building
     • More effective: carry something large so they hold the door open for you; go in when a large group of employees is going in; pretend to be unable to find your door key
  27. Fear Approach
     • Usually draws from the other approaches
     • Puts the user in a state of fear and anxiety
     • Very aggressive
  28. Fear Examples
     • Conformity: the user is the only one who has not helped the attacker with this request in the past
     • Personal responsibility is diffused
     • The user gets a justification for granting the request
  29. Combating Social Engineers
     • User education and training
     • Identifying areas of risk: tactics correspond to the area
     • Strong, enforced, and tested security policy
  30. User Education and Training
     • Security orientation for new employees
     • Yearly security training for all employees
     • Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented
     • Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc. with security slogans (e.g. "Loose lips sink ships")
  31. Security Policy
     • Management should know the importance of protecting against social engineering attacks
     • Specific enough that employees should not have to make judgment calls
     • Include a procedure for responding to an attack
  32. Areas of Risk
     • Certain areas have certain risks. What are the risks for these areas?
     • Help desk, building entrance, office, mail room, machine room/phone closet, dumpsters, intranet/Internet, overall
  33. Conclusions
     • Social engineering is a very real threat
     • Realistic prevention is hard and can be expensive
     • Militant vs. helpful help desk staff: find a reasonable balance
  34. "You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation." - Kevin Mitnick
  35. Questions
  36. References
     • Charles Lively, "Psychological Based Social Engineering". SANS Institute, December 2003. Accessed 10 September 2005. http://www.giac.org/certified_professionals/practicals/gsec/3547.php
     • Sarah Granger, "Social Engineering Fundamentals: Part I". Security Focus, December 2001. Accessed 10 September 2005. http://www.securityfocus.com/infocus/1527
     • Sarah Granger, "Social Engineering Fundamentals: Part II". Security Focus, January 2002. Accessed 10 September 2005. http://www.securityfocus.com/infocus/1533