Social Engineering: The Forgotten Information Assurance Risk
Marc Rogers PhD, CISSP, CCCI
Associate Professor, Department of Computer Technology
Center for Education and Research in Information Assurance & Security (CERIAS)
Purdue University
Outline
• How Big is the Problem?
• What is Social Engineering?
• Why is SE so Effective?
• Anatomy of an SE Attack
• How to Mitigate the Risk
• Conclusions
How big is the Problem?
• Deloitte 2004 Global Security Survey
  • Financial institutions’ concern tied to regulatory compliance
  • 83% of respondents had suffered a compromise
• PWC/Department of Trade & Industry: Information Security Breaches Survey 2004 (UK)
  • Number of breaches increased
  • Average cost of an incident to a large business was roughly $250,000
• CSI/FBI 2004
  • $141,496,560 decrease from last year ???
  • Denial of Service most costly
  • Theft of IP second
• 2002-03 Australian Cyber Crime Survey
  • Volume of attacks doubled since 2001
How big is the Problem?
• CERT/CC Stats: Incidents Reported [chart]
How big is the Problem?
• CSO 2003 Survey
  • Respondents who suffered the most damage from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.
  • Those with the most damage were nearly half as likely to list staff training as one of their top three priorities. ????
How big is the Problem?
• We don’t really know????
  • Lack of meaningful metrics
• Trends indicate that it is increasing yearly
• The monetary loss has been estimated from $400 Million - $12 Billion
• Identity theft - fastest growing non-violent criminal activity
• Phishing exploits seem to be on the rise
How big is the Problem?
• ID Theft: Fastest growing non-violent criminal activity in the US (FTC)
How big is the Problem?
• “Phishing”
  • Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data.
    • account usernames and passwords, credit card numbers, social security numbers, ATM card PINs
  • Because these e-mails look “official” and recipients trust the brand, recipients often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.
Phishing: A Closer Look!
• Complete e-mail headers:
  Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
• Whois on this domain:
  • Registered to a company on the island of Curaçao
Phishing
• Real site: www.citizensbank.com [screenshot]
Phishing: Source View
• Snippet of the source:
  </A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on in 1822 Pokemon = Gold It's not for me Temptation Island Big Brother I can't answer it's = beautiful Just tonight no more Terra in 1861 going to Wrong number = </font></p></html>
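The two phishing slides above point at two things an analyst can check mechanically rather than by eye: where the message actually entered the mail system (the Received: header, compared against the domain the message claims to be from) and the near-white, random-word filler in the HTML source, which is there to confuse content filters. The following Python script is an added example and not part of the original presentation: the Received: line is modelled on the one quoted above, the From: address, the quoted-printable body fragment, the near-white cut-off of 0xF0 per channel and all function names are assumptions made for the illustration.

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample headers, modelled on the Received: line quoted in the slides.
# The From: address is an assumption added so the two can be compared.
SAMPLE_HEADERS = (
    'Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84])\n'
    '  by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0);\n'
    '  Mon, 6 Sep 2004 18:05:57 -0500\n'
    'From: "Citizens Bank" <security@citizensbank.com>\n'
    'Subject: Please verify your account\n'
)

# Constructed quoted-printable body in the style of the source-view slide:
# "=3D" encodes "=" and a trailing "=" marks a soft line break.
SAMPLE_BODY_QP = (
    b'<p><font =\n'
    b'color=3D"#FFFFFA">in 1847 Windows Me All the best you are stupid Napster =\n'
    b'Kid Rock Costumes in 2005 smart in 1861 Hold on in 1822 Pokemon =\n'
    b'Gold It\'s not for me Temptation Island</font></p></html>'
)

RECEIVED_RE = re.compile(
    r"Received:\s*from\s+(?P<host>\S+)\s*"   # host the relay says it received from
    r"(?:\(\[?(?P<ip>[\d.]+)\]?\))?"         # connecting IP as recorded by the relay
    r".*?\bby\s+(?P<by>\S+)"                 # the relay that added this header
)


def parse_received(headers):
    """Return the Received: hops in header order (newest first, as in the message)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded continuation lines
    return [m.groupdict() for m in RECEIVED_RE.finditer(unfolded)]


def sender_domain(headers):
    """Domain of the From: address, i.e. who the message claims to be from."""
    m = re.search(r"^From:[^\n]*?@([A-Za-z0-9.-]+)", headers, re.M)
    return m.group(1).lower() if m else None


def under_domain(host, domain):
    """True if host is the domain itself or a sub-domain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def hostname_embeds_ip(host, ip):
    """Names like customer-201-133-75-84.* usually denote dynamic/consumer addresses."""
    return bool(ip) and ip.replace(".", "-") in host


def is_near_white(color, threshold=0xF0):
    """True for #RRGGBB colours with every channel >= threshold (assumed cut-off)."""
    if not color or not re.fullmatch(r"#?[0-9A-Fa-f]{6}", color):
        return False
    value = color.lstrip("#")
    return all(int(value[i:i + 2], 16) >= threshold for i in (0, 2, 4))


class HiddenTextFinder(HTMLParser):
    """Collects text rendered inside <font> tags whose colour is near white."""

    def __init__(self):
        super().__init__()
        self._colors = []  # colour attribute of each currently open <font>
        self.hidden = []   # text runs that would be invisible on a white background

    def handle_starttag(self, tag, attrs):
        if tag == "font":
            self._colors.append(dict(attrs).get("color"))

    def handle_endtag(self, tag):
        if tag == "font" and self._colors:
            self._colors.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self._colors and is_near_white(self._colors[-1]):
            self.hidden.append(text)


def analyse_message(headers, body_qp):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    findings = []
    hops = parse_received(headers)
    claimed = sender_domain(headers)
    # Each relay prepends its own Received: header, so the last one is the earliest hop.
    origin = hops[-1] if hops else None
    if origin and claimed and not under_domain(origin["host"], claimed):
        findings.append(f"originating host {origin['host']} is not under the claimed sender domain {claimed}")
    if origin and hostname_embeds_ip(origin["host"], origin["ip"]):
        findings.append(f"originating host name embeds its own IP {origin['ip']} (typical of dynamic/consumer addresses)")
    html = quopri.decodestring(body_qp).decode("latin-1")
    finder = HiddenTextFinder()
    finder.feed(html)
    if finder.hidden:
        findings.append(f"{len(finder.hidden)} block(s) of near-white hidden text, e.g. {finder.hidden[0][:40]!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_HEADERS, SAMPLE_BODY_QP):
        print("-", finding)
```

The domain comparison is a heuristic: a legitimate sender may relay through a third-party provider, so a mismatch is a reason to look closer, not a verdict. The hidden-text check only covers the `<font color>` form seen on the slide; the same filler can be hidden with CSS, so a production filter would inspect style attributes and stylesheets as well.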
What is Social Engineering?
• Social/psychological phenomenon
• Original definition: “The practical application of sociological principles to particular social problems.”
• Not necessarily a “negative” term
• Persuasion
  • Various psychological/communications theories
    • Cognitive Dissonance
    • Language Expectation Theory
• Has now become a negative technology issue
What is Social Engineering?
• “Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.” (Rogers & Berti, 2001)
• Basically, using deception or persuasion to “con” someone into providing information or access they would not usually have provided.
Why is SE so Effective?
• The Information Assurance/Security field has focused primarily on technical security
  • Almost no attention to the person-machine interaction
• A system is only as strong as its weakest link, and people are the weakest link
• Why spend time attacking the technology when a person will give you access?
• Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance
Why is SE so Effective?
• 2 primary factors: basic human nature & the business environment
• Human Nature:
  • Helpful
  • Trusting
  • Naïve
• Business Environment:
  • Service oriented
  • Time crunch/multitasking
  • Distributed locations
  • Virtual offices
  • Transient workforce
Anatomy of an SE Attack
• Very similar to how intelligence agencies infiltrate their targets
• 3-phased approach
  • Phase 1 - Intelligence Gathering
  • Phase 2 - “Victim” Selection
  • Phase 3 - The Attack
• Usually a very methodical approach
Anatomy of an SE Attack
• Phase 1 - Intelligence Gathering
  • Primarily open source information
    • Dumpster diving
    • Web pages
    • Ex-employees
    • Contractors
    • Vendors
    • Strategic partners
  • The foundation for the next phases
Anatomy of an SE Attack
• Phase 2 - “Victim” Selection
  • Looking for weaknesses in the organization’s personnel
    • Help Desk
    • Tech Support
    • Reception
    • Admin. Support
    • Etc.
Anatomy of an SE Attack
• Phase 3 - The Attack
  • Commonly known as the “con”
  • Primarily based on “peripheral” routes to persuasion
    • Authority
    • Liking & Similarity
    • Reciprocation
    • Commitment & Consistency
  • Uses emotionality as a form of distraction
The SE Attack
• 4 general categories of attacks:
  • Technical Attacks
  • Ego Attacks
  • Sympathy Attacks
  • Intimidation Attacks
Anatomy of an SE Attack
• The Technical Attack (Authority/Consistency)
  • No direct interpersonal contact with victims
  • Attacker forges e-mail messages, pop-ups, web sites, or some other medium
  • Pretending to be an authorized support or system admin person legitimizes the request
  • Tries to obtain sensitive account information from users (e.g., passwords, user-ids, CC #s, PINs etc.)
  • “PHISHING”
  • Has been very successful to date
Anatomy of an SE Attack
• The Ego Attack (Reciprocation/Liking)
  • Attacker appeals to the vanity or ego of the victim
  • Usually targets someone they sense is frustrated with their current job position
  • The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
  • Attacker may pretend to be law enforcement; the victim feels honored to be helping
  • Victim usually never realizes
Anatomy of an SE Attack
• Sympathy Attacks (Liking/Commitment)
  • Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.
  • There is some urgency to complete some task or obtain some information
  • Needs assistance or they will be in trouble or lose their job etc.
  • Plays on the empathy & sympathy of the victim
  • Attackers “shop around” until they find someone who will help
  • Very successful attack
Anatomy of an SE Attack
• Intimidation Attack (Authority)
  • Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
  • Attempts to use their authority to coerce the victim into cooperation
  • If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges etc.)
  • If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed etc.
Mitigating the Risk
• The impact of SE is usually high
• The ease of the attack is high
• Technical controls alone will not prevent the attack
• Operational/administrative controls alone will not prevent it
• Environmental controls alone will not prevent it
Mitigating the Risk
• We need a combination of Operational/Administrative, Technical (logical), & Environmental (Physical) control principles
• It really comes down to:
  • Technology
  • Policies
  • Education
  • Awareness
  • Training
Mitigating the Risk
• All employees should have a security mind-set and question things
• Need to recognize good “catches”
• Have proper incident response procedures and teams to mitigate the damage if a breach occurs
  • Immediate notification of targeted groups
• Apply technology where possible
• Need to test your readiness periodically
  • IT Security reviews/assessments that include SE
Conclusions
• SE attacks are a serious threat
• SE attacks are very easy and very effective
• We cannot forget about the person-machine interaction
• Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem
• The best defense is proper education and awareness training combined with technical approaches
Parting Thoughts
“Those who fail to learn the lessons of history are doomed to repeat them.” (Santayana)
Contact Information
Dr. Marc Rogers
rogersmk@exchange.purdue.edu
Department of Computer Technology, Purdue University
765-494-2561