
Social Engineering

Learn about social engineering, exploiting trust & carelessness, dumpster diving to impersonation, and advanced tactics in cybersecurity. Stay vigilant against psychological manipulation.

haroldgreen


Presentation Transcript


  1. Social Engineering
     What Is Social Engineering?

  2. Social Engineering
     • Because there is no “patch” for human stupidity.
     • “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” -Kevin Mitnick

  3. What is Social Engineering
     • Uses psychological methods rather than technical exploits
     • Exploits the human tendency to trust
     • Goals are the same as hacking: access, information, or both

  4. Social Engineering Approaches
     • Carelessness
     • Comfort Zone
     • Helpfulness
     • Fear

  5. Careless Approach
     • Victim is careless: does not implement, use, or enforce proper countermeasures
     • Mostly used for reconnaissance: looking for what is lying around
     • Techniques:
       • Dumpster Diving/Trashing
       • Building/Password Theft
       • Shoulder Surfing
       • Password Harvesting
       • Impersonation
       • Direct Theft
       • Smoking Zone

  6. Dumpster Diving/Trashing
     • Huge amount of information in the trash
     • Most of it does not seem to be a threat on its own
     • Reveals the who, what, and where of an organization
     • Reveals knowledge of internal systems (hostnames, software, procedures)
     • Supplies materials (letterhead, forms, org charts) that make later impersonation more authentic
     • Intelligence agencies have done this for years

  7. Building/Password Theft
     • Requires physical access
     • Looking for passwords or other information left out in the open (sticky notes, whiteboards, unlocked screens)
     • Yields only a little more information than dumpster diving, but at higher risk to the attacker

  8. Password Harvesting
     • Internet or mail-in sweepstakes that require the victim to register with a username and password
     • Based on the belief that people do not change their password across different accounts
     • Sadly, this is, for the most part, true: the password given to the sweepstakes site is often the corporate password
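Slide 8 only works because of password reuse. The Python below is an added illustration, not part of the presentation: it shows the check an attacker (or, equally, a defender running an internal audit) performs to turn a harvested list of sweepstakes credentials into corporate account hits. The harvested list, the directory contents, and the e-mail-to-username mapping are all constructed for the example; a real directory would store PBKDF2 or similar salted hashes, which is what the constructed one does.

```python
"""Added example: find corporate accounts whose password matches one harvested
from a low-value external site. All data below is constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample: credentials collected by a fake sweepstakes site.
# They are plaintext because the victim typed them into the attacker's form.
HARVESTED: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2023!"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "Winter2023!"),
]

# Assumed mapping used by this example: e-mail local part == directory username.
def email_to_username(email: str) -> str:
    return email.split("@", 1)[0].lower()


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the directory uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_directory(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a constructed corporate directory: username -> (salt, hash).
    Plaintext is only accepted here to seed the example."""
    directory: Dict[str, Tuple[bytes, bytes]] = {}
    for username, password in plain.items():
        salt = os.urandom(16)
        directory[username] = (salt, hash_password(password, salt))
    return directory


def find_reuse(directory: Dict[str, Tuple[bytes, bytes]],
               harvested: List[Tuple[str, str]]) -> List[str]:
    """Return directory usernames whose stored hash matches a harvested password.
    Each candidate is re-hashed with that user's own salt; comparison is
    constant-time so the audit itself does not leak timing information."""
    hits: List[str] = []
    for email, candidate in harvested:
        username = email_to_username(email)
        if username not in directory:
            continue                      # harvested user has no corporate account
        salt, stored = directory[username]
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            hits.append(username)
    return hits


def audit() -> List[str]:
    """Run the check against a constructed directory: alice reused her password,
    bob did not, and carol has no corporate account at all."""
    corporate = make_directory({
        "alice": "Summer2023!",        # same as the sweepstakes password -> hit
        "bob": "Tr0ub4dor&3",          # different password -> no hit
        "dan": "Winter2023!",          # carol's password, but carol is not dan
    })
    return find_reuse(corporate, HARVESTED)


if __name__ == "__main__":
    print("accounts with reused passwords:", audit())
```

The same loop is the core of a credential-stuffing attack; the only difference for a defender is that the "harvested" list comes from a breach feed and the hits trigger a forced reset.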

  9. Impersonation
     • The attacker could claim to be anyone:
       • Tech Support
       • Co-Worker
       • Boss
       • CEO
       • User
       • Maintenance Staff
       • Delivery Driver
     • Generally two goals:
       • Asking for a password
       • Gaining building access
     (Careless Approach)

  10. Other Methods
     • Shoulder Surfing: watching a password or PIN being typed
     • Direct Theft
       • Happens outside the workplace
       • Wallet, ID badge, or purse stolen
     • Smoking Zone
       • Attacker sits out in the smoking area
       • Piggybacks into the office when users go back to work

  11. Helpful Approach
     • People generally try to help even if they do not know who they are helping
     • Usually involves the attacker being in a position of obvious need
     • The attacker generally does not even have to ask for the help they receive
     • Techniques:
       • Piggybacking/Tailgating
       • Troubled user

  12. Piggybacking
     • Attacker trails an employee entering the building
     • More effective:
       • Carry something large so they hold the door open for you
       • Go in when a large group of employees are going in
       • Crutches
       • Pretend to be unable to find your door key

  13. Troubled user
     • Calling organization numbers asking for help
     • “I’m new in IT and the boss is going to kill me. I don’t need your password, but can you provide your username/login name so I can verify you have the right IP?”
     • Getting a username and then asking to have the password reset
     • Calls up IT and says: “I am kind of new and did something really stupid, I lost my password. Can you reset it for me? My username is xxxx.”

  14. Fear Approach
     • Usually draws from the other approaches
     • Puts the user in a state of fear and anxiety
     • Very aggressive
     • Techniques:
       • Conformity
       • Importance
       • Time Frame

  15. Conformity
     • The user is made to feel they are the only one who has not helped the attacker with this request in the past
     • “I talked to Jan last week and she had no problem providing the information, why do you have to be so difficult?”
     • Personal responsibility is diffused
     • The user gets a justification for granting the attacker’s request

  16. Importance
     • Classic: boss or director needs a routine password reset
     • “So would *you* like to explain to the vice president why *you* don’t think it would be a good idea to reset his password? I am absolutely sure he would be *thrilled* to hear just how important your job is.”
     • Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc.)
     • A semi-official looking “uniform” right after a small-scale disaster can get you admittance anywhere. Check the back of the building for the phone carrier.
     • “Hi, I am from Verizon, we are still having some line difficulties after the hurricane and think we have traced the issue to a loop in your circuit. I need access to your telecom rack.”

  17. Time Frame
     • Fictitious deadline
     • Impersonates a payroll bookkeeper or proposal coordinator
     • “Look, I have 15 minutes to get this taken care of or there will be no paychecks this week.”
     • Asks for a password change

  18. Advanced Attacks
     • Offering a Service
       • Attacker contacts the user
       • Uses viruses, worms, or Trojans
       • User could be approached at home or at work
       • Once the machine is infected, the attacker collects the needed information
     • Reverse Social Engineering
       • Attacker puts themselves in a position of authority
       • Users ask the attacker for help and information
       • Attacker takes that information and asks for what they need while “fixing” the problem for the user
