Social Engineering

Social Engineering
• You can buy the most expensive firewall
  equipment, install the best anti-virus software,
  add the greatest intrusion detection system, but
  there is still a “weak link” in your security plan
  that you may have overlooked: people.
• In this presentation, we will discuss and educate
  you in some common social engineering tactics
  so that you will be able to identify this type of
  “intrusion” and protect yourself and your
  organization’s network against those who
  specialize in exploiting the weaknesses of
  people rather than those of the software.
What exactly is “Social Engineering”?
• In the field of computer security, social engineering is the
  practice of obtaining confidential information by
  manipulation of legitimate users.
• Social engineers exploit the natural tendency of a person
  to trust his or her word, rather than exploiting computer
  security holes. It is generally agreed upon that “users are
  the weak link” in security and this principle is what
  makes social engineering possible.
• A social engineer will commonly use the telephone or
  Internet or even personal relationships to trick people
  into revealing sensitive information or getting them to do
  something that is against typical policies.

  – Social engineering (computer security), from Wikipedia, the free encyclopedia
Who is the Social Engineer?
• Social engineers don’t even need to be
  particularly technically savvy; it’s their
  “people skills” that get them in where they
  aren’t supposed to be. They use charm,
  intimidation or trickery to convince others
  to disclose information that compromises
  the security of the network.
  – Example: Kevin Mitnick became famous (and
    went to jail) because of his mastery of the art.
Telephone Tactics

– Telephoning a user and posing as a member
  of the IT team, who needs the user’s
  password and other information in order to
  troubleshoot problems with the network or the
  user’s account.
– Telephoning the IT department and posing as
  a high ranking executive in the company,
  pretending to have forgotten his/her password
  and demanding that information immediately
  because of a pressing business urgency.
Internet Scams
• E-mails purporting to be from a user’s bank or
  credit card company that ask the user to go to a
  Web site and fill in account information there
  are a form of social engineering.
• E-mail attachments that contain malicious
  payloads (that, for instance, use the victim’s
  machine to send massive quantities of spam).
  – This has forced software vendors to disable automatic
    execution of attachments; users now have to explicitly
    open an attachment for its payload to run. Many users,
    however, will blindly click on any attachment they
    receive, thus allowing the attack to work.
Research Tactics
• Some social engineers base their success on research
  abilities. Such activities as “dumpster diving” (going
  through discarded paperwork to find credentials and
  other useful information) can also be considered a form
  of social engineering. Some hackers may develop
  elaborate schemes to pose as building repair personnel
  or even temporarily take jobs as janitors to gain initial
  access, while others do all of their work from afar and
  never set foot near the physical site. A determined
  hacker may put days or weeks of effort into gaining the
  trust of a target employee. This may be done in person,
  over the telephone or via e-mail or IM.
Face-to-Face Tactics
• Social engineering also applies to the act of
  face-to-face manipulation
  – Developing a personal relationship with a user or IT
    team member with the intent of “sweet talking” the
    person out of confidential information that can be
    used to break into the network.
  – Even the general office worker could pose a threat to
    a company. In an Infosecurity survey, 90% of office
    workers gave away their password in exchange for a
    cheap pen. (taken from ?????_______________)
Reverse Social Engineering
• Reverse social engineering is a term used to refer to hackers who create some sort
  of problem on the network or the user’s computer and
  then come to the rescue (like the cases we occasionally
  read about where a person sets a fire and then rushes in
  to put it out, becoming an instant hero to the victims).
  This helps the social engineer gain trust quickly, and
  makes it easier for him/her to get desired information out
  of the victim. For example, the social engineer might
  then send an e-mailed attachment that contains
  malicious code through which he can gain control of the
  victim’s computer. Because the victim now “knows” (and
  trusts) the engineer, the victim doesn’t exercise the
  same caution about opening the attachment as would be
  the case if the attachment were from someone else.
• Training users about security policies and
  ensuring that they are followed is the
  primary defense against social engineering.