PCC_Social-Engineering_2014_Final
Social Engineering: The Human Element
How Does Social Engineering Work and to What Purpose?
Chuck McGann
Objective:
A discussion on types of “social engineering” and how it can be both damaging to your business and to home environments.
[We may touch on the dangers of Social Media if there is time.]
Defining "Social Engineering"
Social Engineering is defined as the process of deceiving people into giving away access or confidential information by establishing a contrived relationship of trust.
Wikipedia defines it as "the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."[1]
Defining "Social Media"
Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.
Quick Video
Placeholder for the below video
http://www.youtube.com/watch?v=tkgLHoaFeFk&__hssc=&__hstc&
hsCtaTracking=70edc2a8-64cf-47f8-9f306581d17e4660%7Cd07bcdc2-0e2c-4028-8505-343bc3d1e11d
The Human Element of Trust
Trust is integral to the idea of social influence: it is easier to influence or persuade someone who is trusting. The notion of trust is increasingly adopted to predict acceptance of behaviors by others, institutions (e.g. government agencies) and objects such as machines…
Audience/Targets/Victims
Employees
Customers
Competitors
Hackers
Family
Friends
Targeted Organizations (chart)
By Industry (chart)
Real World Example
Fall of 2012, USPS was targeted by an external social engineering attack
Over 150 USPS users opened the phishing eMail
80 recipients provided their User ID and Passwords
CIRT issued a requirement to reset all WebVPN user account passwords
Lost work hours
Research by Check Point Software Technologies
850 IT and Security professionals in North America, Australia, and New Zealand were surveyed
48% of large businesses have suffered from socially engineered attacks at least 25 times
Resulting in losses of between $25,000 and $100,000 per incident
Social Engineering
Types of Attacks
Phishing – Spear/Whale
Impersonation of Help Desk Agent
Fake software
Trojans
Watering Hole
Drive by download
Phishing
Use of deceptive mass emailing
Can target specific entities (“Spear phishing” and “Whale phishing”)
Prevention:
Honeypot email addresses
Education
Awareness of network and website changes
Awareness of links and format of actual address
Note - http://www.usps.com
Phishing Example
----- Forwarded message -----
From: Express Mail Service [mailto:[email protected]]
Sent: Friday, April 26, 2013 10:13 AM
Subject: Shipping Info
Delivery information,
Your parcel can not be delivered by courier service.
Status:Postal code is not specified.
LOCATION OF YOUR ITEM:St.Louis
STATUS OF YOUR ITEM: not delivered
SERVICE: Local Pickup
NUMBER OF YOUR PARCEL:U588850982NU
INSURANCE: No
Print a label and show it at your post office.
An additional information
If the parcel is not received within 30 working days our company will have the right to claim compensation from
you for it is keeping in the amount of $6.10 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for attention.
DHL Customer.
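The prevention bullets above ask readers to look at the format of the actual link address (the slide's note points at http://www.usps.com as the genuine site). The following is an added example, not part of the presentation, that automates that check over the text of a message like the forwarded one above: it extracts every URL, reduces its host to the registrable domain, and reports the usual tricks (brand name used as a subdomain of another domain, brand name only in the path, a bare IP address). The sample email body and its links are constructed for illustration; the two-label domain rule in `registrable_domain()` is a simplification, and a real deployment should use the Public Suffix List.

```python
"""Added example (not from the slides): flag suspicious links in a phishing
email like the 'Express Mail Service' message above.

Assumptions: the organisation's real web domain is usps.com (from the slide's
note); the sample message and links below are constructed for illustration.
Real code should use the Public Suffix List instead of the naive two-label
rule in registrable_domain()."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: body of a lookalike "delivery failed" email.
SAMPLE_EMAIL = """\
Delivery information,
Your parcel can not be delivered by courier service.
Print a label: http://www.usps.com.track-parcel.example/label.php?id=U588850982NU
See tracking: http://203.0.113.7/usps.com/track
Official site: http://www.usps.com/
"""

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels (naive registrable domain).
    'www.usps.com.track-parcel.example' -> 'track-parcel.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(url: str, expected_domain: str) -> list[str]:
    """Return the reasons a link is suspicious (empty list = looks genuine)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    actual = registrable_domain(host)
    if IPV4_RE.fullmatch(host):
        reasons.append("bare IP address instead of a hostname")
    elif actual != expected_domain:
        reasons.append(f"link actually goes to {actual}")
    if expected_domain in host and actual != expected_domain:
        reasons.append("brand name embedded as a subdomain")
    if expected_domain in parsed.path.lower():
        reasons.append("brand name only appears in the URL path")
    return reasons


def scan_email(body: str, expected_domain: str) -> dict[str, list[str]]:
    """Map every URL found in the body to its list of warning reasons."""
    return {url: analyse_link(url, expected_domain) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL, "usps.com").items():
        print(("SUSPICIOUS" if reasons else "ok").ljust(10), url)
        for reason in reasons:
            print("           -", reason)
```

Run against the constructed message, the first two links are flagged and only the genuine `www.usps.com` link passes. The same logic fits a mail-gateway rule or a "report phishing" button that shows the user why a link looks wrong.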
Impersonation on Help Desk Calls
Calling the Help Desk pretending to be someone else
Usually an employee or someone with authority and a need-to-know
Prevention:
Assign PINs for calling the Help Desk
Don’t act on a caller’s instructions just because they claim authority
Stick to the scope of the Help Desk
Fake Software
Fake login screens
The user is aware of the software but thinks it’s trustworthy
Prevention:
Have a system for making real login screens obvious (personalized key, image, or phrase)
Education
Antivirus (cannot detect zero-day exploits until new virus signatures are released)
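The "personalized key, image, or phrase" prevention works by splitting login into two steps: the genuine site shows the phrase the user chose at enrolment before it asks for a password, and a fake login screen cannot reproduce it. The following is an added example of that flow, not code from the presentation; it keeps user records in an in-memory dict (a real service would use a database), hashes passwords with PBKDF2, and, as an assumption of this example, answers unknown usernames with a decoy phrase derived from a server secret so that probing step one does not reveal which usernames exist.

```python
"""Added example (not from the slides): two-step login with a personalised
anti-phishing phrase shown before the password prompt.

Assumptions: in-memory user store, PBKDF2 password hashing, and a decoy
phrase for unknown usernames so the first step cannot be used to enumerate
accounts. SERVER_SECRET and the sample user are constructed."""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-server-secret-do-not-reuse"   # constructed
DECOY_PHRASES = ["blue harbour 17", "quiet maple 42", "copper kite 9", "amber fox 3"]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count chosen for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SiteKeyLogin:
    def __init__(self) -> None:
        self.users: dict[str, dict] = {}   # username -> salt, pw_hash, phrase

    def enrol(self, username: str, password: str, phrase: str) -> None:
        """Store the user's password hash and the phrase they chose."""
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "phrase": phrase,
        }

    def step1_phrase(self, username: str) -> str:
        """Step 1: the genuine site shows the user's own phrase.
        A fake login page does not know it, so the user should refuse to
        type a password if the phrase is missing or wrong. Unknown users
        get a stable decoy so the response does not reveal valid accounts."""
        user = self.users.get(username)
        if user:
            return user["phrase"]
        digest = hmac.new(SERVER_SECRET, username.encode(), "sha256").digest()
        return DECOY_PHRASES[digest[0] % len(DECOY_PHRASES)]

    def step2_password(self, username: str, password: str) -> bool:
        """Step 2: verify the password in constant time; unknown users fail."""
        user = self.users.get(username)
        if not user:
            return False
        candidate = hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])


def demo() -> tuple[str, bool, bool]:
    """Enrol a constructed user and walk through both steps."""
    svc = SiteKeyLogin()
    svc.enrol("alice", "correct horse battery staple", "green teapot 7")
    phrase = svc.step1_phrase("alice")
    return phrase, svc.step2_password("alice", "correct horse battery staple"), \
        svc.step2_password("alice", "wrong")


if __name__ == "__main__":
    phrase, ok, bad = demo()
    print("phrase shown before password prompt:", phrase)
    print("correct password accepted:", ok, "| wrong password accepted:", bad)
```

The check only raises the bar: a relay-style fake page that forwards the username to the real site and echoes the phrase back still gets past it, which is why the slide pairs it with education and antivirus rather than relying on it alone.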
Trojans
Appears to be useful and legitimate software before running
Performs malicious actions in the background
Does not require interaction after being run
Prevention:
Don’t run programs on someone else’s computer
Only open attachments you’re expecting
Use an up-to-date antivirus program
Security Awareness Testing
Method, Tools, and Approach
Email
Email will contain a URL which redirects to a data collection and metrics web site
Data Collection and Metrics Web Site
Redirects the user to a webpage which contains security awareness information
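The two components above (a per-recipient link in the test email, and a metrics site that records the click and redirects to awareness material) reduce to a small web application. The following is an added example of the metrics site only, not tooling from the presentation: it is a stand-alone WSGI app using only the Python standard library; the recipient tokens, addresses and the awareness page URL are constructed placeholders, and metrics are kept in memory where a real deployment would persist them. It records who clicked and when, answers with a 302 to the awareness page, and reports a click rate; it captures no credentials.

```python
"""Added example (not from the slides): the 'data collection and metrics web
site' half of a security awareness test, as a stand-alone WSGI app.

Assumptions: each test email carried a link like /?t=<token>, tokens were
issued per recipient when the emails were generated, and results live in
memory. TOKENS, the addresses and AWARENESS_URL are constructed."""
import time
from typing import Optional
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

AWARENESS_URL = "https://intranet.example/security-awareness"   # constructed

# token -> recipient, issued when the test emails were generated (constructed)
TOKENS = {"a1b2c3": "alice@example.org", "d4e5f6": "bob@example.org"}
CLICKS: dict[str, list[float]] = {}   # token -> click timestamps


def record_click(token: str, now: Optional[float] = None) -> bool:
    """Record a click for a known token; unknown tokens are ignored."""
    if token not in TOKENS:
        return False
    CLICKS.setdefault(token, []).append(time.time() if now is None else now)
    return True


def handle_request(environ: dict):
    """Core logic kept separate from WSGI so it can be exercised directly.
    Returns (status, headers, body)."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    token = query.get("t", [""])[0]
    if record_click(token):
        # Known recipient: count the click, then send them to the training page.
        return "302 Found", [("Location", AWARENESS_URL)], b""
    return "404 Not Found", [("Content-Type", "text/plain")], b"not found"


def app(environ, start_response):
    status, headers, body = handle_request(environ)
    start_response(status, headers)
    return [body]


def summary() -> dict:
    """Metrics for the awareness programme: how many recipients clicked.
    A recipient who clicks several times is counted once."""
    clicked = {TOKENS[t] for t in CLICKS}
    return {
        "recipients": len(TOKENS),
        "clicked": len(clicked),
        "click_rate": len(clicked) / len(TOKENS),
    }


if __name__ == "__main__":
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("metrics site listening on http://127.0.0.1:8080/?t=a1b2c3")
        httpd.serve_forever()
```

Because the app records only the token and a timestamp, the metrics can be reported per department or over time without retaining anything sensitive, which is what the "What Can You Do?" slide's periodic assessments need.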
What Can You Do?
Keep software and antivirus current
Strong security awareness program
Use “least privilege” for users
Periodic technology assessments
Assign the responsibility to someone
Places for Help
SANS – Securing the Human
http://www.sans.org/security-awareness/
Multi-State Information Sharing and Analysis Center
(MSISAC)
http://msisac.cisecurity.org/resources/videos/free-training.cfm
Dept. of Health and Human Services (HHS.Gov)
http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstraining.html
Stop Think Connect
http://www.stopthinkconnect.org/
Weakest Link?
• No matter how strong your:
Firewalls
Intrusion Detection Systems
Cryptography
Anti-virus software
• "At the end of the day, people are a critical part of the security process as they can be misled by criminals and make mistakes that lead to malware infections or unintentional data loss" – Oded Gonda (VP of Check Point)
• "The weakest link in the security chain is the human element" – Kevin Mitnick
Questions
Reference
Wikipedia. (2013, September 11). Trust (social sciences). Retrieved September 13, 2013, from http://en.wikipedia.org/wiki/Trust_(social_sciences)
TechTarget. Social media (definition). http://whatis.techtarget.com/definition/social-media
Schwartz, Mathew J. (2011, September 21). Social Engineering Attacks Cost Companies. InformationWeek. Retrieved September 13, 2013, from http://www.informationweek.com/security/vulnerabilities/social-engineering-attacks-costcompanie/231601868