Social Engineering - Exploiting the Human Weakness
www.niiconsulting.com
Presentation by: Wasim ‘washal’ Halani
Network Intelligence India Pvt. Ltd.
Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!
• Information security is one of the most important aspects of every organization!
• It is people who handle this information
• Social Engineering exploits the weakest link: the employees
“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.”
[Source: Wikipedia]
• WordPress vulnerability on the blogs of their websites:
◦ Kevin ‘don’t call me a security expert’ Mitnick
◦ Dan ‘I smile when I am hacked’ Kaminsky
• Phishing
• Baiting
• Identity Theft
• Dumpster Diving
• Email Scams
• Use of Authority
• Request for Help
• Indulging Curiosity
• Exploiting Greed
= Abuse of Trust
• IT/ITES company
• Two offices
• About 400 – 500 employees
• We had previously conducted other security projects for them
• Guards were familiar with us
• We also knew a few people from our previous projects
• Only 3 people in the organization were aware of the exercise
• Obtain the ‘get-out-of-jail-free’ card (written authorization for the test)!
• Bought a spy pen-cam
• Created fake authorization letters
◦ Fake letterhead (thank you, Photoshop)
◦ Fake signatures
◦ Fake content
• Understand the organization’s process flow
• Obtain the employee list
• Define ‘targets’
Pretexts and vectors used:
• Security Auditor
◦ Surprise audit on behalf of a Government Agency
◦ Chinese attacks on Indian institution (same-day newspaper headlines)
• College Student
◦ Research project
• Customer
◦ Call-center
• Phishing
• Social Networking
• Visit the office
• Convince the guard to let me in for the surprise security audit
◦ “It won’t be a surprise if you tell anyone”
• Once again we interviewed people
◦ Some were suspicious
◦ Reading the authorization letter is not the same as verifying it
• Dumpster diving
• Gain unauthorized access
• Stay back late, after almost all employees have left
◦ Photograph the office
• ‘Steal’ sensitive documents
◦ From open drawers
• Check personal folders kept on desks
• Sensitive information on the technologies used
• Network architecture revealed
• A lot of technical information was revealed to the “college student” doing a project, as well as to the “journalist”
• Found a bundle of official letterheads in the store room
• Gained access to the server rooms
• We registered a domain with a single-letter difference from the company’s own
◦ Registered email accounts on it
• Prepared an ‘Employee Complaint/Feedback Form’
◦ Company header, styling etc.
• Sent out mails on behalf of an HR person
• Employees were asked to enter their ‘credentials’ to log in to the system
• The final page offered a PDF to be downloaded as a ‘unique token number’
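The single-letter look-alike domain is the one part of this phishing setup a defender can catch mechanically. The following is an added example, not code from the slides or from Network Intelligence: it enumerates every registrable name within one edit of the organisation's own domain (insertion, deletion, substitution, adjacent transposition), adds a few common character look-alikes, and flags any sender in a mail log whose domain falls in that set. The domain example.com, the Postfix-style log format and the log lines themselves are all constructed for the demo.

```python
"""Detect mail from look-alike (typosquatted) sender domains.

Added example for the page above; not code from the original slides.
Assumptions: the organisation's real domain is example.com and the
mail log is Postfix-style; both the domain and the log lines below
are constructed for the demo.
"""
import re
from typing import Iterable, List, Set

ORG_DOMAIN = "example.com"  # assumed legitimate domain (not from the slides)

# Character sequences that read alike in a domain name at a glance.
HOMOGLYPHS = {
    "l": ("1", "i"), "i": ("l", "1"), "1": ("l", "i"),
    "o": ("0",), "0": ("o",),
    "m": ("rn",), "rn": ("m",),
    "w": ("vv",), "vv": ("w",),
}

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def typosquat_variants(domain: str) -> Set[str]:
    """Every domain whose registrable label is one insertion, deletion,
    substitution or adjacent transposition away from `domain`'s label
    (Damerau-Levenshtein distance 1), plus homoglyph swaps. The TLD is
    kept as-is; `domain` itself is excluded from the result."""
    label, _, tld = domain.lower().rpartition(".")
    out: Set[str] = set()
    for i in range(len(label) + 1):
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])            # insertion
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # deletion
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])         # substitution
        if i + 1 < len(label):                             # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, repls in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for r in repls:
                out.add(label[:start] + r + label[start + len(src):])
            start = label.find(src, start + 1)
    out.discard(label)
    # Drop labels that are not valid hostnames (empty, or leading/trailing '-').
    return {v + "." + tld for v in out if v and v[0] != "-" and v[-1] != "-"}


# Sender address inside a Postfix queue-manager line: from=<user@domain>
SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def flag_lookalike_senders(log_lines: Iterable[str],
                           org_domain: str = ORG_DOMAIN) -> List[str]:
    """Return, in log order, each sender domain that is a typosquat of org_domain."""
    suspects = typosquat_variants(org_domain)
    hits: List[str] = []
    for line in log_lines:
        m = SENDER_RE.search(line)
        if m and m.group(1).lower() in suspects:
            hits.append(m.group(1).lower())
    return hits


# Constructed sample log lines (not real data): one genuine HR mail,
# two from look-alike domains, one unrelated third party.
SAMPLE_LOG = [
    "May  3 10:02:11 mx1 postfix/qmgr[1234]: 5F3A2: from=<hr@example.com>, size=2048",
    "May  3 10:05:47 mx1 postfix/qmgr[1234]: 7B9C1: from=<hr@exarnple.com>, size=3071",
    "May  3 10:06:02 mx1 postfix/qmgr[1234]: 7B9C2: from=<hr@exmaple.com>, size=3071",
    "May  3 10:07:30 mx1 postfix/qmgr[1234]: 8D001: from=<news@vendor.net>, size=900",
]

if __name__ == "__main__":
    for d in flag_lookalike_senders(SAMPLE_LOG):
        print("look-alike sender domain:", d)
```

The same variant set can be fed to a registrar or certificate-transparency watch so that a typosquat is noticed when it is registered rather than when the first mail arrives; the single-edit neighbourhood of a seven-character label is a few hundred names, small enough to check against every inbound message.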
• About 10 users entered their credentials, which we captured
• No one downloaded the PDF
• It took about 10-15 minutes for the HR department to be alerted
◦ They sent out an email disowning the fake one
• One employee discussed it with HR and then replied to our (fake) email address
• LinkedIn
◦ Fake employee profile
• Searched for people not listed in the network
◦ Joined the company ‘network’
◦ Sent out invites
• Facebook
◦ Multiple fake profiles
• Added each other as friends
• It turned out they had a new employee
• Everyone thought his was the ‘fake’ profile
• Very difficult to identify the real profile
• ‘Attractive’ profiles → receive friend requests
• Confidential…
Contact:
• wasim.halani@niiconsulting.com
• http://www.niiconsulting.com
• @washalsec