Social Engineering


Social Engineering: The Forgotten Information Assurance Risk
Marc Rogers PhD, CISSP, CCCI
Associate Professor
Department of Computer Technology
Center for Education and Research in Information Assurance & Security (CERIAS)
Purdue University
© Copyright 2004 Marcus K. Rogers All Rights Reserved.
(ISC)² Presents: “Securing Your Company's Infrastructure”
Outline
• How Big is the Problem?
• What is Social Engineering?
• Why is SE so Effective?
• Anatomy of an SE Attack
• How to Mitigate the Risk
• Conclusions
How big is the Problem?
How big is the Problem?
• CSI/FBI 2004
  • $141,496,560 decrease from last year ???
• Deloitte 2004 Global Security Survey
  • Financial institutions’ concern tied to regulatory compliance
  • 83% of respondents had suffered a compromise
  • Denial of Service most costly
  • Theft of IP second
• 2002-03 Australian Cyber Crime Survey
  • Volume of attacks doubled since 2001
• PWC/Department of Trade & Industry: Information Security Breaches Survey 2004 (UK)
  • Number of breaches increased
  • Average cost of incident to large business was roughly $250,000
How big is the Problem?
CERT/CC Stats: Incidents Reported [chart not reproduced in the transcript]
How big is the Problem?
• CSO 2003 Survey
  • Respondents who suffered the most damages from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year. ????
  • Those with the most damages were nearly half as likely to list staff training as one of their top three priorities. ????
How big is the Problem?
• We don’t really know????
• Lack of meaningful metrics
• Trends indicate that it is increasing yearly
• The monetary loss has been estimated from $400 Million - $12 Billion
• Identity theft - fastest growing non-violent criminal activity
• Phishing exploits seem to be on the rise
How big is the Problem?
• ID Theft: Fastest growing non-violent criminal activity in the US – FTC
[FTC chart not reproduced in the transcript]
How big is the Problem?
• “Phishing”
  • Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data
  • Account usernames and passwords, credit card numbers, social security numbers, ATM card PINs
  • These e-mails look “official” and recipients trust the brand; they often respond to them, resulting in financial losses, identity theft, and other fraudulent activity
Phishing
[screenshot of the phishing e-mail not reproduced in the transcript]
Phishing: A Closer Look!
• Complete e-mail headers:
Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
• Whois on this domain: registered to a company on the island of Curaçao
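The header check the slide walks through by hand (read the first external relay in the Received line, then ask whether it belongs to the brand the message claims) can be scripted. The following Python is an added example, not part of the talk: it parses the Received line shown above, extracts the relay's HELO name and literal IP, and reports when the relay's domain does not match the claimed sender's domain or when the hostname looks like an ISP customer pool (the address spelled out in the name). The Received line is the one from the slide; the claimed sender address `alerts@citizensbank.com` is a constructed value standing in for the brand the lure imitated, and `registrable_domain` is a deliberately naive stand-in for a public-suffix lookup.

```python
import re
from ipaddress import ip_address

# The Received line reproduced from the slide (the only real value used here).
RECEIVED_LINE = (
    "Received: from customer-201-133-75-84.prod-infinitum.com.mx "
    "([201.133.75.84]) by exchange.purdue.edu with Microsoft "
    "SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500"
)
# Constructed: the address the lure pretends to come from.
CLAIMED_SENDER = "alerts@citizensbank.com"

# Shape handled: "Received: from <helo-name> ([<ip>]) by <receiving-host> ..."
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(line):
    """Return the relay's HELO name, literal IP and receiving host, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return {"helo": m["helo"].lower(), "ip": m["ip"], "by": m["by"].lower()}


def registrable_domain(host):
    """Naive eTLD+1 (assumption: no public-suffix list); keeps three labels
    for second-level ccTLDs such as 'com.mx'."""
    labels = host.rstrip(".").lower().split(".")
    second_level = {"com", "co", "net", "org", "ac", "gov"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def ip_embedded_in_hostname(helo, ip):
    """ISP pools often name hosts after their address (customer-201-133-75-84...)."""
    octets = ip.split(".")
    return "-".join(octets) in helo or "-".join(reversed(octets)) in helo


def analyse_received(line, claimed_sender):
    """Return the findings a gateway rule or analyst would act on for one hop."""
    parsed = parse_received(line)
    if parsed is None:
        return ["unparseable-received-line"]
    try:
        addr = ip_address(parsed["ip"])
    except ValueError:
        return ["malformed-relay-ip: " + parsed["ip"]]
    findings = []
    if addr.is_private:
        # Internal hops legitimately carry unrelated names; nothing to judge here.
        return findings
    relay_dom = registrable_domain(parsed["helo"])
    claimed_dom = registrable_domain(claimed_sender.split("@")[-1])
    if relay_dom != claimed_dom:
        findings.append(f"relay-domain-mismatch: {relay_dom} != {claimed_dom}")
    if ip_embedded_in_hostname(parsed["helo"], parsed["ip"]):
        findings.append(f"consumer-pool-relay: {parsed['helo']}")
    return findings


if __name__ == "__main__":
    for finding in analyse_received(RECEIVED_LINE, CLAIMED_SENDER):
        print(finding)
```

Only the first external hop is worth judging this way: later Received lines are added by your own relays and earlier ones can be forged by the sender, so the line to test is the one written by the first server you control (here, exchange.purdue.edu).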
Phishing
Real site: www.citizensbank.com
Phishing: Source View
• Snippet of the source:
</A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best
you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on
in 1822 Pokemon =
Gold It's not for me Temptation Island Big Brother I can't answer it's =
beautiful Just tonight no more Terra in 1861 going to Wrong number =
</font></p></html>
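The snippet above is quoted-printable HTML (`=3D` is an encoded `=`, and a bare `=` at the end of a line is a soft line break), and the word salad sits in a font colour of #FFFFFA, one shade off white, so it never shows on screen. The following Python is an added example, not code from the talk: it decodes a quoted-printable body, then separates the text a reader would see from text placed inside near-white `<font>` tags, which is the signal a content filter or analyst can key on. The sample body is constructed to resemble the snippet, and `example.invalid` is a placeholder for the lure's link.

```python
import quopri
from html.parser import HTMLParser

# Constructed quoted-printable HTML body, modelled on the slide's snippet:
# a visible lure link followed by word salad in a near-white font.
SAMPLE_BODY_QP = (
    b'<html><p><a href=3D"http://example.invalid/verify">Verify your account</a></p>\r\n'
    b'<p><font color=3D"#FFFFFA">in 1847 Windows Me All the best you are stupid Napster =\r\n'
    b'Kid Rock Costumes in 2005 smart in 1861 Hold on</font></p></html>\r\n'
)


def decode_qp(raw):
    """Undo quoted-printable: '=3D' becomes '=', '=\\r\\n' soft breaks vanish."""
    return quopri.decodestring(raw).decode("latin-1")


def is_near_white(color, floor=240):
    """True for #RRGGBB / #RGB colours whose channels are all >= floor."""
    if not isinstance(color, str):
        return False
    c = color.strip().lstrip("#")
    if len(c) == 3:
        c = "".join(ch * 2 for ch in c)
    if len(c) != 6:
        return color.strip().lower() == "white"
    try:
        channels = [int(c[i:i + 2], 16) for i in (0, 2, 4)]
    except ValueError:
        return False
    return min(channels) >= floor


class FontTextCollector(HTMLParser):
    """Splits text into what a reader sees and what sits in near-white <font> tags."""

    def __init__(self):
        super().__init__()
        self._font_colors = []   # colour in effect for each open <font> tag
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag == "font":
            color = dict(attrs).get("color")
            if color is None and self._font_colors:
                color = self._font_colors[-1]   # inherit from the enclosing font
            self._font_colors.append(color)

    def handle_endtag(self, tag):
        if tag == "font" and self._font_colors:
            self._font_colors.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        if self._font_colors and is_near_white(self._font_colors[-1]):
            self.hidden.append(text)
        else:
            self.visible.append(text)


def find_hidden_text(raw_qp):
    """Decode the body and report visible text, hidden text and the hidden word share."""
    parser = FontTextCollector()
    parser.feed(decode_qp(raw_qp))
    parser.close()
    hidden_words = sum(len(t.split()) for t in parser.hidden)
    visible_words = sum(len(t.split()) for t in parser.visible)
    total = hidden_words + visible_words
    return {
        "visible": parser.visible,
        "hidden": parser.hidden,
        "hidden_word_share": hidden_words / total if total else 0.0,
    }


if __name__ == "__main__":
    report = find_hidden_text(SAMPLE_BODY_QP)
    print("visible:", report["visible"])
    print("hidden :", report["hidden"])
    print(f"hidden word share: {report['hidden_word_share']:.0%}")
```

A high hidden-word share on its own is a strong filter feature: legitimate bank mail has no reason to carry paragraphs a reader cannot see. The same collector can be extended to `style="color:..."` attributes, which is how newer lures hide padding.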
What is Social Engineering?
• Social/Psychological phenomenon
• Original Definition
“The practical application of sociological principles to particular social problems.”
• Not necessarily a “negative” term
• Persuasion
• Various psychological/communications theories
• Cognitive Dissonance
• Language Expectation Theory
• Has now become a negative technology issue
What is Social Engineering?
• “Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in; unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.” (Rogers & Berti, 2001)
• Basically using deception or persuasion to “con” someone into providing information or access they would not usually have provided.
Why is SE so Effective?
• The Information Assurance/Security field has focused primarily on technical security
• Almost no attention to the person-machine interaction
• A system is only as strong as its weakest link, and people are the weakest link
• Why spend time attacking the technology when a person will give you access?
• Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance
Why is SE so Effective?
• 2 Primary Factors
• Basic Human Nature & Business Environment
• Human Nature:
• Helpful
• Trusting
• Naïve
• Business Environment
• Service Oriented
• Time Crunch/Multitasking
• Distributed Locations
• Virtual Offices
• Transient Workforce
Anatomy of an SE Attack
• Very similar to how Intelligence Agencies infiltrate their targets
• 3 Phased Approach
• Phase 1 - Intelligence Gathering
• Phase 2 - “Victim” Selection
• Phase 3 - The Attack
• Usually a very methodical approach
Anatomy of an SE Attack
• Phase 1 - Intelligence Gathering
• Primarily Open Source Information
• Dumpster Diving
• Web Pages
• Ex-employees
• Contractors
• Vendors
• Strategic Partners
• The foundation for the next phases
Anatomy of an SE Attack
• Phase 2 - “Victim” Selection
• Looking for weaknesses in the organization’s personnel
• Help Desk
• Tech Support
• Reception
• Admin. Support
• Etc.
Anatomy of an SE Attack
• Phase 3 - The Attack
• Commonly known as the “con”
• Primarily based on “peripheral” routes to persuasion
• Authority
• Liking & Similarity
• Reciprocation
• Commitment & Consistency
• Uses emotionality as a form of distraction
The SE Attack
• 4 General categories of attacks:
• Technical Attacks
• Ego Attacks
• Sympathy Attacks
• Intimidation Attacks
Anatomy of an SE Attack
• The Technical Attack - (Authority/Consistency)
• No direct interpersonal contact with victims
• Attacker forges e-mail messages, pop-ups, web sites, or some other medium
• Pretending to be an authorized support or system administration person legitimizes the request
• Tries to obtain sensitive account information from users (e.g., passwords, user IDs, credit card numbers, PINs, etc.)
• “PHISHING”
• Has been very successful to date
Anatomy of an SE Attack
• The Ego Attack - (Reciprocation/Liking)
• Attacker appeals to the vanity or ego of the victim
• Usually targets someone they sense is frustrated with their current job position
• The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
• Attacker may pretend to be law enforcement; the victim feels honored to be helping
• Victim usually never realizes
Anatomy of an SE Attack
• Sympathy Attacks - (Liking/Commitment)
• Attacker pretends to be a fellow employee (new hire), contractor, vendor, etc.
• There is some urgency to complete some task or obtain some information
• Needs assistance or they will be in trouble, lose their job, etc.
• Plays on the empathy and sympathy of the victim
• Attackers “shop around” until they find someone who will help
• Very successful attack
Anatomy of an SE Attack
• Intimidation Attack - (Authority)
• Attacker pretends to be someone influential (e.g., an authority figure, law enforcement)
• Attempts to use that authority to coerce the victim into cooperation
• If there is resistance, they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)
• If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed, etc.
Mitigating the Risk
• The Impact of SE is usually high
• The ease of the Attack is high
• Technical controls alone will not prevent the attack
• Operational/Administrative controls alone will not prevent it
• Environmental controls alone will not prevent it
Mitigating the Risk
• We need a combination of Operational/Administrative, Technical (logical), & Environmental (Physical) control principles
• It really comes down to:
• Technology
• Policies
• Education
• Awareness
• Training
Mitigating the Risk
• All employees should have a security mind-set and question things
• Need to recognize good “catches”
• Have proper incident response procedures and teams to mitigate the damage if a breach occurs
• Immediate notification of targeted groups
• Apply technology where possible
• Need to test your readiness periodically
• IT Security reviews/assessments that include SE
Conclusions
• SE Attacks are a serious threat
• SE Attacks are very easy and very effective
• We cannot forget about the person-machine interaction
• Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem
• The best defense is proper education and awareness training combined with technical approaches
Parting Thoughts
“Those who fail to learn the lessons of history are doomed to repeat them.” (Santayana)
Questions/Comments?
Contact Information
Dr. Marc Rogers
[email protected]
Department of Computer Technology
Purdue University
765-494-2561