Social Engineering

Report as inappropriate Your report has been received
Shared by: huanghengdong
Tags
Stats
views:: 6
posted:: 8/19/2011
language:: English
pages:: 38
Public Domain
Document Sample
							BAI514 – Security I
Social Engineering
 Social engineering involves obtaining protected
  information from individuals by establishing
  relationships with them and manipulating them
 Two types of social engineering
   Human-based
   Computer-based
Social Engineering
 Human-Based Social Engineering (Person-to-Person)
   Impersonation (masquerading)
       Attacker pretends to be someone else
         eg. repairman, employee, student, etc.

   In Person
       Attacker gathers information in person on the premises of the
        organization
         Dumpster diving

         Shoulder surfing
Social Engineering
 Human-Based Social Engineering (cont.)
   Important user posing
       Attacker pretends to be an individual in a position of
        authority to intimidate users
   Technical support (help desk)
       Attacker poses as a technical support person
   Authorization by a third party
       Attacker convinces an unsuspecting individual that he or she
        is authorized by a third party in a position of authority
Social Engineering
 Computer-Based Social Engineering
   Mail / IM attachments
       When opened install a Trojan
   Pop-up windows
     Simulate an urgent condition on the users system and
      instruct the user to perform an action
   Spam mail
     Initiate fraud by a variety of means

   Websites
     Fake website appears legitimate but collects user
      credentials
Social Engineering
 Reverse Social Engineering
   Attacker convinces a target individual that he or she is
    having a problem or may have one soon and the
    attacker is ready and willing to help
   Uses three steps
        Sabotaging the target’s equipment
        Ensuring the target is aware that the attacker is a person of
         authority and has the skills needed to repair the equipment
        Providing assistance in solving the problem and, in doing so,
         gaining the trust of the target and obtaining access or
         information
Social Engineering
 Phishing
    The process of obtaining sensitive personal data,
     usually financially related, under false pretenses from
     unsuspecting individuals for fraudulent purposes
        Bank account numbers
        PINs
        SINs
        etc
Social Engineering
 Phishing (cont.)
    Phishing messages and Web hosting can be based on
       servers whose organizations tolerate phishing activity
       computers that have been compromised
       reputable Web hosting providers that are unaware of the
        content
Social Engineering
 Phishing (cont.)
    A typical phishing attack
        Hacker will send a fraudulent email with false headers to
         indicate the email is from a bank
        Message will ask for confirmation of the victim’s account
         information and password
        Message will contain a link to a web server that generates a
         windows that looks like the bank’s site
        User will be prompted to enter userid and password
Social Engineering
 Hidden Frames
   Used to maintain the state of a web site without using
    cookies to store session variables
   Store data until required
   Attacker can define two frames
       Primary visible frame
       Hidden frame containing the running attack
Social Engineering
 URL Obfuscation
   Used to obscure a fake web site’s URL
       Representing characters in URL as hex format
       Expressing the domain name as decimal IP address in
        different formats
         hex

         octal

         decimal

         dword

       Adding irrelevant text after “http://” and before the @ symbol
         e.g.
           http://login.citibank.com/secure_login/login@attacker.com
Social Engineering
 HTML image mapping
   Allows the ability to link different parts of a single
    image to different hyperlinks (i.e. other websites)
        Entire text of email might be represented as an image
          no matter where you click, you’re going to the attackers
           website!
Social Engineering
 Identity Theft
    Stealing another person’s personal information and
     using that information to assume that person’s identity
        Once obtained, attacker can start making purchases or
         signing up for services
          Credit card fraud

          Mail fraud

          Other financial transactions
Social Engineering
 Identity Theft (cont.)
    Attack vectors
        Phishing
        Stealing information from financial institutions
        Dumpster diving
        Stealing email
        Stealing credit card numbers
        Stealing wallet or purse
Social Engineering
 Identity Theft (cont.)
    Warning signs
        Unauthorized or unknown long distance calls on victim’s
         phone
        Phone calls from collection agencies regarding unknown
         accounts
        Denial of credit when applying for new accounts
        You wake up one morning and realize you’re not who you
         think you are
Social Engineering
 Defending Against Social Engineering Attacks
   Best defenses are personnel related
   Policies and Procedures
       Must have comprehensive, up-to-date information security
        policies
       Personnel must read the policies and be able to recognize
        potential social engineering attacks
Physical Security
 Physical security is a necessary countermeasure to
  hacking
 Concerned with
   Physical access
   Environmental issues
   Power source(s)
   Biometrics
   Fire protection
   Inventory control
   Media erasure/destruction
   etc.
Physical Security
 Threats to physical security
    Human actions
        War
        Labor strikes
        Sabotage
        Theft
        Vanalism
    Natural events
      Storms
      Earthquakes
      etc.

    Disasters
      Release of toxic gases
      Fire
      Power outage
      Water damage
      Equipment failure
Physical Security
 Physical Security Implementation
    Includes various controls
       Facility
       Personnel
       Environment
       HVAC
       Fire safety
       Access
       Fax machines
       Physical
Physical Security
 Physical Security Implementation (cont.)
    Facility controls
        Must be an integral part of planning and design of data facilities
          Issues
             Heights
             Fire ratings of walls and ceilings
             Weight ratings
             Electrical conductivity of floors (to reduce static electricity)
             Window security
             Door security
             Emergency exits
             Fire suppression
             Shut-off switches
             Air conditioning
             positive air pressure (to protect against airborne particles entering the
               building)
             UPS
Physical Security
 Physical Security Implementation (cont.)
    Facility controls (cont.)
       Site selection considerations
         Local environment
            Security situation, types of other facilities in area
         Joint tenancy
            Restrictions/complications/vulnerabilities caused by other
              tenants
         Visibility
            Prominence of building
         Transportation
            Accessibility, congestion, etc
         Emergency services
            availability of police, fire, medical
Physical Security
 Physical Security Implementation (cont.)
    Facility controls (cont.)
       Access logs for facility entry
         Violations

         Modification of access privileges and by whom

         Time and date of access attempt

         Successful/Unsuccessful attempts

         Point of entry

         Name of individual attempting access
Physical Security
 Physical Security Implementation (cont.)
    Company Personnel Controls
       Procedures related to HR such as hiring, termination,
        background checks, performance reviews, etc.
         Employment background, reference, and education reviews

         Security clearances

         Personnel performance reviews

         Non-disclosure agreements

         Exit interviews

         Return of company property

         Change of passwords and encryption keys
Physical Security
 Physical Security Implementation (cont.)
    Environmental Controls
       Electrical power
       Heating
       Ventilation
       Air conditioning (HVAC)
       Humidity
Physical Security
 Physical Security Implementation (cont.)
    Fire Safety Controls
       Principal life safety control
       Impacts
          Personnel safety

          Economic impact from losses

          Loss of critical documents/data
Physical Security
 Physical Security Implementation (cont.)
    Fire Safety Controls (cont.)
       Combustible Material Classes
        FIRE CLASS   MATERIALS
            A        Wood, cloth, paper, rubber, most plastics, etc.
            B        Flammable liquids and gasses, oils, grease fires, tars, oil-
                     based paints, lacquers, etc.
            C        Energized electrical equipment
            D        Flammable chemicals such as magnesium and sodium
Physical Security
 Physical Security Implementation (cont.)
    Fire Safety Controls (cont.)
       Fire Suppression Classes
        CLASS   DESCRIPTION           EXTINGUISHING
                                      AGENTS
          A     Common combustibles   Water or soda acid
          B     Liquid                CO2, soda acid, Halon, FM-
                                      200
          C     Electrical            CO2, Halon, FM-200
Physical Security
 Physical Security Implementation (cont.)
    Fire Safety Controls (cont.)
       Fire Detection
         Critical to life safety

         Heat Detectors

            Respond to either rate of temp change or actual
             temperature
         Flame Detectors

            Respond flame pulsation or infrared emissions

         Smoke Detectors

            Respond to smoke interference

            Interference with ionization current
Physical Security
 Physical Security Implementation (cont.)
    Fire Safety Controls (cont.)
       Fixed fire extinguishing
         Water sprinkler system

            Wet pipe

            Dry pipe

            Deluge

            Preaction
                Combines wet and dry pipe
Physical Security
 Physical Security Implementation (cont.)
    Access Controls
       Applies to both physical and data entities
       Access cards
         Dumb – simple id card with picture

         Smart – embedded intelligence


     CARD TYPE            DESCRIPTION
     Photo ID             Picture
     Magnetic Stripe      Data encoded on magnetic material on card
     Passive electronic   Card responds to magnetic field of reader
     Active electronic    Card responds under its own power
Physical Security
 Physical Security Implementation (cont.)
    Access Controls (cont.)
       Biometric
         Provides an automated means of identifying and authenticating
          a living person based on physiological or behavioral
          characteristics
         Finger prints

         Face recognition

         Retina scan

         Gait

         Hand geometry

         Voice

         Signature dynamics
  Physical Security
    Physical Security Implementation (cont.)
       Access Controls (cont.)
             Intrusion Detection Systems
DEVICES                  DESCRIPTION
Photoelectric sensors    Beams of light, broken by an intruder

Dry contact mechanism    Switches or metal foil tape that open a ciruit

Motion sensors           Sonic, ultrasonic, or microwave radiation disturbed by intruder

Capacitance detectors    Detecting changes in an electric field
Sound detectors          Detect sound anomalies
Voice                    Voice patterns captured
Facial recognition       Facial features and geometry acquired
Physical Security
 Physical Security Implementation (cont.)
    FAX machines
       Place in secure, restricted access area
       Protect FAX servers with security hardware and software
Physical Security
 Physical Security Implementation (cont.)
    Physical Facility Controls
       Guards
       Guard dogs
       Fences
       Mantrap
       Bollards
       Lights
       Video cameras
       PC/laptop controls
         Tethers, etc.
Physical Security
 Physical Security Implementation (cont.)
    Physical Facility Controls (cont.)
       Locks
          Warded locks
             common padlock opened with a key
          Tumbler locks
             more secure locks that use pin tumblers, lever tumblers, or
              wafer tumblers
          Combination locks
             dials or series of wheels that require correct combination
          Programmable locks
             electronic or mechanical keypad or card-key
          Device locks
             used to secure equipment (cables, port block, etc.)
Physical Security
 Physical Security Implementation (cont.)
    Storage Media Controls
       Data encryption
       Cable locks (for laptops)
       Secure storage of paper and magnetic media
       Backing up data
       Storing critical data offsite
       Destroying paper documents and magnetic media
       Auditing media use and storage
Physical Security
 Physical Security Implementation (cont.)
    Storage Media Controls (cont.)
       Data Remanence and Object Reuse
         Data remanence is the data that remains on magnetic media
          following erasure
         Object reuse is the reusing of data storage media

       Data remanence safeguards
         Clearing – overwriting magnetic medium, usually done when
          media remain in the original environment
         Purging – degaussing or overwriting media intended to be
          removed from a monitored environment
         Destroying – physical destruction of the media
FIN