Social Engineering
Information Systems 365/765: Information Systems Security and Strategy
Lecture 7: Social Engineering
Today’s Chocolate Bar
• Nestle Crunch, created in 1938
• Current slogan is “For the kid in you”….BORING
• Bunch-a-crunch controversy
• "Betcha Can't Crunch This!"
WARNING
• I use REAL people as examples in this presentation
• I do this not to mock them, or intimidate them, but to impress upon them in the most real way I know of, the importance of sharing information about themselves only on a “need to know basis” in public forums
Social Engineering
• No matter how many security measures you introduce, there is one problem which proves to be the most challenging…
• How do we secure human beings?
Social Engineering Defined
• The use of psychological tricks in order to get useful information about a system
• Using psychological tricks to build inappropriate trust relationships with insiders
Kevin Mitnick
• World’s most famous Social Engineer
• “The weakest link in the security chain is the human element”
• Half of his exploits involved using social engineering
• See the master in action!
Social Engineering
• Social Engineering goes back to the first lie ever told and will continue into the future.
• Social Engineering is successful because people are generally helpful, especially to those who are:
• Nice
• Knowledgeable
• Insistent
Three Primary Methods of Social Engineering
• Flattery
• Authority Impersonation
• Threatening Behavior
Helpful By Default
• We don’t see a motive for anyone to attack our network: “If I see it every day, it can’t be important.”
• But the motives are real:
• Industrial Espionage
• Revenge
• Just for fun
How Does It Happen?
• “An ounce of prevention is worth a pound of cure!”
• The Social Engineer uses simple information found online, or by making a basic phone call into the office
• That stuff really isn’t that easy to get…Don’t be dramatic!
Let’s Set Up a Case Scenario Using a Method Called Pretexting
• Meet Angry Cow
• Computer Science Student at UW-Madison
• Angry Cow just got an eviction notice
Case Continued – Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record keeping spreadsheet to show that rent has been paid
Next – Finding A Way In…
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of information there that might not seem important, but could be his first step in…
• Go to Facebook and search “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See – Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments
Let’s See – David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments
Let’s See – Andrew Baldinger – I think I might know this guy!
• Born March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments!
Let’s Start with Danielle Treu
• Her Facebook profile is public, but she is intelligent. She keeps her contact information private
• But, her profile does say that she attends UW-Madison…
• I wonder if they have some more public information about her
The Research, Phase II
• I’m so thankful for the UW Whitepages!
• Remember, this is PUBLIC information!
• I got her email address!
Primary Contact
Establishing the Trust
• Posing as Andrew, the technology support specialist, Angry Cow contacts Danielle at the email address he found
• Danielle talks to David, and since David trusts Danielle as an “insider”, that trust transfers to the fake Andrew
• Angry Cow shows up later that day; David is expecting him
• Angry Cow identifies himself as Andrew and asks David for the key to the server room
The Hack
• Angry Cow gets physical access to the server and uses Ophcrack to recover the local Administrator password from the stored password hashes (just like we did in class)
• Angry Cow logs into the server and alters the accounting files to indicate that his rent has been paid
• What made this work: unsupervised physical access to a server whose disk was not encrypted. A locked server room, a controlled process for handing out its key, and full-disk encryption each break this step.
Summary of This Example
• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Danielle trusts “Andrew” and David trusts Danielle, therefore David will trust “Andrew”, even if “Andrew” is really Angry Cow!
• Build a credible story
• Based on PRETEXTING
Let’s Watch Another Example
• Silence of the Lambs Movie scene
• Notice how they both establish trust through the use of kindness or perceived kindness
How to Keep Social Engineering From Working
• Administrators need to:
• Establish Policies
• Train Employees
• Run Drills
• Office Workers:
• Need to be aware of Social Engineering tactics
• Follow policies
Let’s Watch the AT&T Internal Social Engineering Training Video
• Which Social Engineering techniques can you identify in the video? (Flattery, Authority, Threats)
• How would you CLASSIFY this video? (Remember Data Classification)
• What is going on at AT&T?
Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
Pretexting
• It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Is This Really a Threat to Businesses? PRETEXTING
• So far, this just looks like a technique employed by angry individuals.
• Did you know that investigators working for Hewlett-Packard used Social Engineering in 2006?
• They used PRETEXTING in order to get the phone records of HP board members and journalists
• Let’s watch the testimony of Patricia Dunn, then Chairman of HP’s board
Pretexting Will Likely Continue
• As many U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother’s maiden name (facts an attacker can research or buy), the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is one of the most common forms of Social Engineering
Phishing
• Phishing is the use of email, sent in the name of a party the victim trusts, to lure the user into giving up personal information (passwords, account numbers) or taking an action
• A variant is IVR Phone Phishing (“vishing”): the victim is told to call a number where an automated menu imitating the bank’s asks them to key in account details
Phishing Continued
• Directs you towards bogus (fake) websites
• Purpose is to harvest information
• PayPal example – I don’t even have a PayPal account!
• Use common sense!
• Don’t click on links directly! Type the address yourself, or use a bookmark you created
• Phishing Filter!
TROJAN HORSE
• Malware disguised as something desirable, so that it appeals to a person’s curiosity or greed and the victim runs it themselves
• Usually arrives in the form of an email with an attachment
• The ILOVEYOU worm (2000) used this lure: it arrived as an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, and the visible “.TXT” hid that the file was an executable script
• Adware hiding inside downloads is another example
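The two slides above (the PayPal link that does not go to PayPal, and the attachment whose name hides what it really is) can both be checked mechanically. The following Python script is an added example for this lecture, not code from it: it extracts every link in an HTML message body and compares the visible text with the real destination, and it flags attachment names whose outer extension is executable. The trusted-domain list, the sample message and the attachment names are constructed for illustration.

```python
"""Triage a suspicious email: do links go where they appear to go, and do
attachment names hide an executable behind a harmless-looking extension?
Added example for the lecture, not from it; the sample message, the
attachment names and the trusted-domain list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands/domains the recipient actually does business with (assumption).
TRUSTED_DOMAINS = {"paypal.com"}

# Outer extensions that Windows executes when double-clicked (partial list).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "vbs", "js", "scr", "pif", "hta", "ps1"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name.  Good enough for .com/.net; wrong for
    suffixes like co.uk, where a public-suffix list would be needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    real = registrable_domain(host)
    if url.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme in {href!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append(f"raw IP address as host: {host}")
    # A trusted brand named in the text, or buried in a subdomain such as
    # paypal.com.evil.example, while the registrable domain is someone else's.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (brand in text.lower() or brand in host) and real != trusted:
            reasons.append(f"mentions {brand} but resolves under {real}")
    # Visible text that is itself a URL for a different site than the href.
    shown = re.search(r"https?://([^\s/]+)", text)
    if shown and registrable_domain(shown.group(1)) != real:
        reasons.append(f"displays {shown.group(1)} but points to {host}")
    return reasons


def check_attachment(filename):
    """Flag LOVE-LETTER-FOR-YOU.TXT.vbs-style names: the inner extension is
    what the eye reads, the outer one is what the OS runs."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
        return [f"double extension: reads as .{parts[-2]} but runs as .{parts[-1]}"]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        return [f"executable attachment .{parts[-1]}"]
    return []


def triage(html_body, attachments):
    """Run both checks over one message and return all findings."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        findings.extend(check_link(href, text))
    for name in attachments:
        findings.extend(check_attachment(name))
    return findings


# Constructed sample: a "PayPal" lure whose link lands on another domain,
# plus an ILOVEYOU-style attachment name and a benign PDF.
SAMPLE_HTML = (
    "<p>Your account has been limited. Please verify it now.</p>"
    '<a href="http://paypal.com.secure-login.example.net/verify">'
    "https://www.paypal.com/verify</a>"
)
SAMPLE_ATTACHMENTS = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "invoice.pdf"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print("FLAG:", finding)
```

The sample message produces three findings: the brand appears in a subdomain of a stranger’s domain, the displayed URL differs from the real one, and the attachment reads as a text file but would run as a script. The domain check is deliberately crude (last two labels); a production filter would use the public suffix list.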
Road Apples
• Road Apples are also known as Baiting
• Uses physical media and relies on the curiosity or greed of the victim
• USB drives or CDs left in the parking lot, labelled “3M Executive Salaries”
• Autorun on inserted media launches the payload the moment the drive is plugged in; even with Autorun disabled, the victim opening the “salaries” file does the rest
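What Autorun actually does with a found drive is spelled out in the drive’s autorun.inf. As an added example (not from the lecture), the Python below parses that file and reports what would have run, so a found drive can be examined from a read-only image instead of by plugging it in. The sample autorun.inf and file listing are constructed in the style of the “3M Executive Salaries” drive; the checks for an `action=` text and an icon borrowed from shell32.dll reflect tricks real autorun malware used to look like an ordinary folder.

```python
"""Inspect the autorun.inf on a found USB drive or CD (the "road apple").
Added example, not from the lecture; the sample file and file listing are
constructed.  Parsing the file tells you what would have run, without
plugging the media into a machine that honours Autorun."""
import configparser

# [autorun] keys that make Windows launch something: on insertion (open,
# shellexecute) or when the drive icon is double-clicked (shell\open\command).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif", ".hta")


def parse_autorun(text):
    """Return the [autorun] section as a dict.  autorun.inf is INI-style with
    case-insensitive section and key names; '=' is the only delimiter, so
    Windows paths containing ':' survive."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def command_target(value):
    """Program named by a command line: the quoted part, or the first token."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def normalize(path):
    """Compare paths case-insensitively with one separator style."""
    return path.replace("\\", "/").lower().lstrip("./")


def assess(autorun_text, files_on_media):
    """Return (severity, message) findings for one autorun.inf."""
    entries = parse_autorun(autorun_text)
    present = {normalize(f) for f in files_on_media}
    findings = []
    for key in LAUNCH_KEYS:
        if key in entries:
            target = command_target(entries[key])
            where = "present on media" if normalize(target) in present else "not on media"
            severity = "high" if target.lower().endswith(EXECUTABLE_EXTS) else "medium"
            findings.append((severity, f"{key}= launches {target!r} ({where})"))
    action = entries.get("action", "")
    if "open folder" in action.lower():
        # Text chosen to look like Explorer's own "Open folder to view files" choice.
        findings.append(("medium", f"action={action!r} imitates the standard AutoPlay option"))
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append(("low", "icon= borrowed from shell32.dll so the drive looks like a plain folder"))
    return findings


# Constructed sample in the style of the "3M Executive Salaries" drive.
SAMPLE_AUTORUN = """\
[AutoRun]
label=3M Executive Salaries
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
open=Salaries\\3M_Executive_Salaries.exe
shell\\open\\command=Salaries\\3M_Executive_Salaries.exe
"""
SAMPLE_FILES = ["autorun.inf", "Salaries\\3M_Executive_Salaries.exe", "Salaries\\Q3.xls"]

if __name__ == "__main__":
    for severity, message in assess(SAMPLE_AUTORUN, SAMPLE_FILES):
        print(f"[{severity}] {message}")
```

On the sample the script reports two high-severity launch entries (insertion and double-click both run the same executable, which is present on the media), plus the AutoPlay-lookalike text and the borrowed folder icon. A drive whose autorun.inf only sets a label and its own icon produces no findings.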
Quid Pro Quo
• Means “something for something”
• The attacker calls employees one by one, posing as technical support returning a call, until he/she finds a person who really does have a problem
• The attacker then “fixes” the problem, and in the process has the grateful victim type commands or install software that introduces malware to their machine
Summary – Today’s Take Aways
• Social Engineering involves manipulating others to get access
• Main techniques are: Flattery, Authority, Threatening
• Main types are: Pretexting, Phishing, Trojan Horses and Quid Pro Quo
Ways to Combat Social Engineering
• Good security policy
• Make sure your employees understand the dangers and threats
• Make sure employees understand what Data Classification means and what type of information you publicly give away
Most Important Gem of Wisdom in Defeating Social Engineering
• Never, never give out a username, password, account number, SSN, etc. over the same channel used to initiate the request: the requester chose that channel, so it proves nothing about who they are
• For example, if a phone call comes in asking for a SSN, do not answer on that call. Hang up and call the organization back at a number you look up yourself (never one the caller gives you), or use its official mail or web portal. Email is not a safe channel for a SSN either: the sender is unverified and the message is not encrypted end to end.
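The rule on this slide, and the weak knowledge-based checks criticised on the “Pretexting Will Likely Continue” slide, come together in one procedure: a request for something sensitive that arrives on a channel the requester chose is never answered there; instead the organization reaches out on the contact channel it already has on record. The Python below is an added example, not from the lecture, that models that procedure as a help-desk policy: the caller’s offered callback number is ignored, a one-time code is delivered to the number of record, and the code is accepted exactly once. The directory, the identities and the phone numbers are constructed.

```python
"""Out-of-band verification for a request that arrives on a channel the
requester chose (an inbound call or email).  Added example, not from the
lecture; the directory of contacts of record and the identities are
constructed."""
import hashlib
import hmac
import secrets

# What the organization must never release on an inbound channel.
SENSITIVE = {"password", "ssn", "account_number", "server_room_key"}

# Contact details of record, maintained by the organization.  Nothing the
# caller says (including "call me back on ...") changes these.
DIRECTORY = {
    "tech.support.specialist": {"phone": "+1-608-555-0101"},
}


class Verifier:
    def __init__(self, directory):
        self.directory = directory
        self.pending = {}  # identity -> sha256(one-time code)

    def inbound(self, claimed_identity, asks_for, callback_offered=None):
        """Decide what to do with an inbound request.  Returns (decision, detail)."""
        if asks_for not in SENSITIVE:
            return ("answer", "not sensitive; handle normally")
        record = self.directory.get(claimed_identity)
        if record is None:
            return ("refuse", f"no contact of record for {claimed_identity!r}")
        # callback_offered is deliberately ignored: a number the caller
        # supplies proves only that the caller can answer that number.
        code = secrets.token_hex(4)
        self.pending[claimed_identity] = hashlib.sha256(code.encode()).hexdigest()
        # In real life: place the outbound call to record["phone"] and read the
        # code out there.  The sensitive item is released only on that call,
        # or to whoever can later quote the code back.
        return ("callback", {"to": record["phone"], "code": code})

    def redeem(self, claimed_identity, presented_code):
        """True exactly once, for the code delivered to the contact of record.
        A wrong guess also consumes the pending code, so it cannot be brute-forced."""
        expected = self.pending.pop(claimed_identity, None)
        if expected is None:
            return False
        digest = hashlib.sha256(presented_code.encode()).hexdigest()
        return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Angry Cow's scenario: a caller claiming to be the technology support
    # specialist asks for the server-room key and offers his own number.
    v = Verifier(DIRECTORY)
    decision, detail = v.inbound("tech.support.specialist", "server_room_key",
                                 callback_offered="+1-608-555-0199")
    print(decision, "to", detail["to"])  # goes to the number of record, not the caller's
    print("guess accepted:", v.redeem("tech.support.specialist", "00000000"))
```

The point the code makes is that the proof of identity is possession of a channel the organization already trusts, not knowledge of facts (a date of birth, a mother’s maiden name, a colleague’s name) that the Facebook research earlier in this lecture handed to the attacker for free.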