Preventing Social Engineering Attacks
Kelly Corning
Julie Sharp
Human-based techniques: impersonation
Computer-based techniques: malware and scams
Manipulates legitimate users into undermining their own security system
Abuses trusted relationships between employees
Very cheap for the attacker
Attacker does not need specialized equipment or skills
Impersonation
Help Desk
Third-party Authorization
Tech Support
Roaming the Halls
Repairman
Trusted Authority Figure
Snail Mail
Computer-Based Techniques
Pop-up windows
Instant Messaging and IRC
Email Attachments
Email Scams
Chain Letters and Hoaxes
Websites
Hacker pretends to be an employee
Recovers “forgotten” password
Help desks often do not require adequate authentication
Targeted attack at someone who has information
Access to assets
Verification codes
Claim that a third party has authorized the target to divulge sensitive information
More effective if the third party is out of town
Hacker pretends to be tech support for the company
Obtains user credentials for troubleshooting purposes.
Users must be trained to guard credentials.
Hacker dresses to blend in with the environment
Company uniform
Business attire
Looks for sensitive information that has been left unattended
Passwords written down
Important papers
Confidential conversations
Hacker wears the appropriate uniform
Often allowed into sensitive environments
May plant surveillance equipment
Could find sensitive information
Hacker pretends to be someone in charge of a company or department
Similar to “third-party authorization” attack
Examples of authority figures
Medical personnel
Home inspector
School superintendent
Impersonation in person or via telephone
Hacker sends mail that asks for personal information
People are more trusting of printed words than webpages
Examples
Fake sweepstakes
Free offers
Rewards programs
More effective on older generations
Window prompts user for login credentials
Imitates the secure network login
Users can check for visual indicators to verify security
Hacker uses IM, IRC to imitate technical support desk
Redirects users to malicious sites
Trojan horse downloads install surveillance
programs.
Hacker tricks user into downloading malicious software
Programs can be hidden in downloads that appear legitimate
Examples
Executable macros embedded in PDF files
Camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
Often the final extension is hidden by the email client.
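As an added example (not part of the deck or its sources), a small Python check that a mail gateway or help desk could run over attachment filenames to flag the camouflaged double-extension case the slide describes; the extension lists and sample filenames are assumptions constructed for this illustration.

```python
import os
from typing import Dict, List

# Assumed lists: suffixes Windows and most mail clients will execute directly ...
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".ps1", ".msi", ".hta"}
# ... and suffixes users expect to be harmless documents or media.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt",
                 ".pptx", ".txt", ".jpg", ".png", ".zip"}


def split_extensions(filename: str) -> List[str]:
    """Return every dot-extension of a filename, lowercased, in order.
    'NormalFile.doc.exe' -> ['.doc', '.exe']; 'README' -> []."""
    base = os.path.basename(filename.strip().replace("\\", "/"))
    parts = base.split(".")
    # parts[0] is the stem; each later non-empty part is an extension
    return ["." + p.lower() for p in parts[1:] if p]


def classify_attachment(filename: str) -> str:
    """'camouflaged' if an executable suffix hides behind a document suffix,
    'executable' if the file is plainly executable, otherwise 'ok'."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if any(e in DOCUMENT_EXTS for e in exts[:-1]):
        return "camouflaged"
    return "executable"


def triage(filenames: List[str]) -> Dict[str, str]:
    """Classify a batch of attachment names for review."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not real mail data.
    sample = ["NormalFile.doc", "NormalFile.doc.exe", "Invoice.PDF.SCR",
              "setup.exe", "report.tar.gz", "README"]
    for name, verdict in triage(sample).items():
        print(f"{name:20} {verdict}")
```

The check only looks at names, which is the part the user sees; the mail client hiding the final extension is exactly why a gateway-side check is worth having.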
More prevalent over time
Begins by requesting basic information
Leads to financial scams
More of a nuisance than a threat
Spread using social engineering techniques
Productivity and resource cost
Offer prizes but require a created login
Hacker capitalizes on users reusing login credentials
Website credentials can then be used for illegitimate access to assets
Never disclose passwords
Limit IT information disclosed
Limit information in auto-reply emails
Escort guests in sensitive areas
Question people you don't know
Talk to employees about security
Centralize reporting of suspicious behavior
Remind employees to keep passwords secret
Don’t make exceptions
It’s not a grey area!
Only IT staff should discuss details about the system configuration with others
Don’t answer survey calls
Check that vendor calls are legitimate
Keep details in out-of-office messages to a minimum
Don’t give out contact information for someone else.
Route requests to a receptionist
Guard all areas with network access
Empty offices
Waiting rooms
Conference rooms
This protects against the “Repairman” and “Trusted Authority Figure” attacks
All employees should have appropriate badges
Talk to people who you don’t recognize
Introduce yourself and ask why they are there
Regularly talk to employees about common social engineering techniques
Always be on guard against attacks
Everyone should watch what they say and do.
Designate an individual or group
Social engineers use many points of contact
Survey calls
Presentations
Help desk calls
Recognizing a pattern can prevent an attack