
Social Engineering






Presentation Transcript


  1. Social Engineering
     Mark Shtern

  2. Social Engineering
     • SE is manipulating a person into knowingly or unknowingly giving up information
     • Psychological manipulation
     • Trickery

  3. Goals
     • Install spyware or other malicious software
     • Trick people into handing over passwords and/or other sensitive information

  4. Movie
     • http://www.youtube.com/watch?v=8TJ4XOvY7II&feature=related
     • http://www.youtube.com/watch?v=-kW1DPPp1VQ

  5. Tactics
     • Pretexting
     • Phishing
     • Fake websites
     • Fake pop-ups
     • Reverse social engineering
     • Phone social engineering
     • Spoofing
       • CallerID
       • SMS
       • TinyURL

  6. Human nature
     • Reciprocity principle – People tend to feel obliged to discharge perceived debts.
     • Authority principle – People tend to respond to authority figures.
     • Social proof principle – People tend to use people who are similar to themselves as behaviour models.
     • Scarcity principle – People value things they perceive as scarce more than things they perceive as common.
     • Consistency / commitment principle – People tend to act to maintain their self-image (even without conscious knowledge).

  7. Attack pattern
     • Information gathering
     • Developing a relationship
     • Exploitation
     • Execution

  8. Examples
     • Facebook
       • A fake Facebook account is created to get access to your friends list.
     • Twitter
       • A photo is posted advertising a video with girls.
       • A “new version of Adobe Flash” is required to watch the video.

  9. Countermeasures
     • Management buy-in
     • Security policy
     • Physical security
     • Education/awareness
     • Good security architecture
     • Limit data leakage
     • Incident response strategy
     • Security culture

  10. RSA: Phishing attack
     • A phishing e-mail was sent
       • Subject: "2011 Recruitment Plan"
       • Attachment: an Excel spreadsheet exploiting the Adobe Flash zero-day flaw CVE-2011-0609
     • Trojan installed
     • Credentials harvested
     • Privileged access obtained to the targeted system
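One defender-side check that follows from this slide, as an added example that is not part of the presentation: scan incoming e-mail for Office attachments that embed a Flash (SWF) header, the delivery vehicle the RSA lure used. The message headers, addresses and attachment bytes below are constructed for illustration; a production pipeline should parse the OLE/OOXML container itself (for example with oletools) instead of scanning raw bytes, because an embedded object can be fragmented across sectors.

```python
"""Triage e-mail attachments for an embedded Flash (SWF) object (heuristic)."""
import email
import re
from email import policy
from email.message import EmailMessage

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF signatures
OFFICE_EXT = re.compile(r"\.(xls|xlsx|xlsm|doc|docx|ppt|pptx)$", re.I)

def find_swf_headers(blob: bytes) -> list:
    """Return offsets where an SWF signature is followed by a plausible version byte."""
    hits = []
    for sig in SWF_MAGIC:
        start = 0
        while (i := blob.find(sig, start)) != -1:
            # SWF header = 3-byte signature, 1-byte version, 4-byte file length
            if i + 8 <= len(blob) and 1 <= blob[i + 3] <= 60:
                hits.append(i)
            start = i + 1
    return sorted(hits)

def triage_message(raw: bytes) -> list:
    """Flag Office attachments carrying an SWF header; one finding per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if OFFICE_EXT.search(name) and find_swf_headers(data):
            findings.append({"subject": str(msg["subject"]), "attachment": name,
                             "reason": "Office attachment embeds a Flash (SWF) object"})
    return findings

def triage_all(raw_messages) -> list:
    return [f for raw in raw_messages for f in triage_message(raw)]

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message (addresses and body are made up for this example)."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please review the attached plan.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed bytes: OLE2 header, padding, then an embedded zlib-compressed SWF (version 10).
MALICIOUS_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
                 + b"CWS\x0a" + (512).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 32)
BENIGN_XLSX = b"PK\x03\x04" + b"\x00" * 64  # zip-based OOXML with no embedded SWF
SAMPLES = [build_sample("2011 Recruitment Plan", "2011 Recruitment plan.xls", MALICIOUS_XLS),
           build_sample("Q3 budget", "budget.xlsx", BENIGN_XLSX)]
```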
