The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara, November 17th, 2009
Posted on 20-Dec-2015
Page 1
The Art of Deception
- Controlling Human Element of Security -
Shohei Hagiwara, November 17th, 2009
Page 2
Topic: Information Security
Technologies: encryption, firewall, anti-virus software, passwords
Focus: the human...
Outline: What is social engineering? A couple of examples of how attackers get access to information
Page 3
The book...
Title: The Art of Deception
Year: 2002
Authors: Kevin Mitnick, William Simon
Kevin Mitnick: ex-world-famous hacker, now a consultant
First crime: a free bus ride at 12 years old
William Simon: writer/editor
Page 4
What is Social Engineering?
"uses influence and persuasion to deceive people by convincing them that the social engineer is someone he [or she] is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." (from the book)
Pretend, deceive/manipulate, get information
Page 5
Human Factor of Security
Human factor → the weakest link
Emotion, mistakes, misjudgement, tiredness
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Albert Einstein
Page 6
6 Basic Tendencies of Human Nature
Suggested by Robert B. Cialdini
1. Authority
2. Liking
3. Reciprocation
4. Consistency
5. Social Validation
6. Scarcity
Page 7
Other Factors
National character: love thy neighbors
Organizational innocence: sharing information, trust, little/no security
→ this is changing...
Page 8
When Innocent Information Isn't...
Information that is obviously valuable: credit card number, PIN, password, etc.
We won't give these away because we know they are valuable
What about date of birth, pet's name, student ID, unit number?
Page 9
Continued...
Seemingly useless information can be used to impersonate someone
It is a stepping stone to the next, more valuable piece of information
Page 10
An example
Banks and CheCredit
First call to the bank: "I am writing a book. What do you give CheCredit to get a credit record?"
Second call to the bank: "I am calling from CheCredit. I am doing a survey to improve service."
Survey questions: "hours of operation, how many employees, how often do you call, what is your Merchant ID, how long have you been with the bank, any suggestions?"
Page 11
Another example
Video shop
First call to a shop: "I had a great experience with the shop and want to send a letter to the manager. I also want to send a letter to the company headquarters. What is your branch number?"
Now you have the manager's name and the branch number.
Continued...
Page 12
How to prevent
1. Classify information → what is and is not okay to share
2. Verify. Don't rely on lingo and feelings. Get the caller's name and phone number.
Page 13
Building Trust
Appearance, voice, way of talking, personality
Frequent contacts (ex: video shop)
Call to another shop: pretend to be the manager of the first shop
Small requests, chats
Continued...
Page 14
Can you help me?
People like helping others
Page 15
Example of the video shop
Another call to the shop: "The system is down. Can you check a customer for me? What is the credit card number?"
Page 16
How to prevent
Verify, verify, verify! Call back on the listed number.
But you still want employees to be helpful to each other in the workplace.
Page 17
Dumpster Diving
Low risk and high return
Passwords, receipts, lists, etc.
A shredder may not be enough... pieced together like a puzzle → a whole list of company systems and passwords
Page 18
How to Prevent Dumpster Diving
Lock the dumpster
Cross-shred
Multilevel approach to information of different sensitivity
Background checks on custodians
Page 19
Attack on Entry Level Employees
An easy target:
They don't know the value of information
They don't know the structure of the company
Likely to obey authority
Page 20
What is the best countermeasure?
Anti-virus? Firewall? Encryption? Code names?
No.
Have trained, aware, conscientious employees
Page 21
Train Employees
Not a web page or a pamphlet
Not a one-day seminar → ongoing
Raise awareness!!! Procedures are not enough. There are threats. Part of the job is to protect information against those threats.
Reward, encouragement
Awareness → specific techniques
Page 22
Question...
Questions?