1 / 21

Social Engineering

Social Engineering. The Manipulation of People Printing with “Notes” enabled will provide a script for each slide. Bob Samson 8/1/2008. The Disclaimer.

kata
Download Presentation

Social Engineering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Social Engineering The Manipulation of People Printing with “Notes” enabled will provide a script for each slide Bob Samson 8/1/2008

  2. The Disclaimer Marriott Vacation Club International (MVCI) disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, or reliance on this course material. In issuing and making this course available, MVCI is not undertaking to render professional or other services for or on behalf of any person or entity. Nor is MVCI undertaking to perform any duty owed by any person or entity to someone else. Anyone using this course material should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstance.

  3. What is Social Engineering? “the art and science of getting people to comply with your wishes”

  4. So What is the Problem? • Buildings, computers, networks and software applications have been hardened – The human being has become the weak link in security • An outsider’s use of psychological tricks on legitimate associates, in order to obtain information needed to gain access to a facility or system • Getting needed information (for example, a password) from a person rather than breaking into a system • Social Engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders

  5. How does it work? • Social engineers leverage trust, helpfulness, easily attainable information, knowledge of internal processes, impersonation of authority, technology • Often use several small attacks to reach their final goal • Social engineering is all about taking advantage of others to gather information and infiltrate an organization

  6. Here are some examples • Posing as a legitimate end-user • The irate Vice President • A published security vulnerability • Posing as a system administrator • Calling in looking for someone or specific information • Use of Search engines to glean information about a company and its associates

  7. Let’s Review Their Techniques • Pretexting • Phishing • Spear Phishing • IVR/Phone Phishing • Trojan Horse • Shoulder Surfing • Dumpster Diving • Road Apples • Quid pro quo – Something for something • Some Other Types

  8. Pretexting • Using an invented scenario over the phone to gain access to information • The pretext is the scenario – created with a little valid information to get more • SSN, mother’s maiden name, place of birth • Often used by private investigators to gain copies of personal records

  9. Phishing • Usually involves email but phone calls can be used • They appear to come from a legitimate business – one you use • They include a sense of urgency • There is usually a threat to your personal safety or security • You are asked to verify personal data • Banks and other Credit Card Shopping sites are frequent targets

  10. Spear Phishing • Highly targeted emails or phone calls • Appear as if they came from a legitimate person you know • A department head • An associate you work with • The Help Desk • They are just another Phish

  11. IVR/Phone Phishing • You are directed to call a phone number • The IVR appears legitimate • IVR directions include the entry of personal information • PIN • Password • SSN • You may even be transferred to a live agent who is part of the scam

  12. Trojan Horse • Uses your curiosity or greed to deliver “malware” • Arrives posing as something free • Attached to email • Screen Saver • Anti-Virus • Latest gossip • Opening attachment loads Trojan onto your computer • Tracks keystrokes, uploads address book, looks for financial software files

  13. Shoulder Surfing • Prevalent in aircraft, airports, coffee shops, public Wi-Fi areas in hotels, other public places • Observation discloses your logins and passwords • Disclosure of credit cards and other High Risk Data • Confidential materials can be disclosed • Bank ATMs, security locks, alarm keypads • Includes “piggy backing” – someone walking into a secure area based on your authentication

  14. Dumpster Diving • The term used for going through someone’s trash • What do they want? • Confidential Information, PII and credit card data • Banking information – blank credit applications • A phone list • It is not unusual for security to catch people going through trash bins • Cross-cut shred all confidential information TRASH

  15. Road Apples • Relies on physical media • CD, floppy, USB Flash Drive • Labeled to draw curiosity • “Executive Salary Survey” • “HR Staff Reduction Plan” • “Confidential Organizational Changes” • Once placed into PC to view, the “autorun” feature loads Trojan or virus to track keystrokes • Looks for IDs and passwords

  16. Quid pro quo • The Something for Something Scam • Two Examples: • Impersonation of a Help Desk • Gift in exchange for Information • Surveys continually show that people are willing to trade private information for relatively low value • Bottle cap contests • Sweepstakes • Surveys themselves

  17. Other Types of Social Engineering • Spoofing/hacking popular email IDs like Yahoo, Gmail, Hotmail • Peer-to-Peer free Wi-Fi connections • Web crawlers and email addresses • Use of proxy web diversions • ATM scams

  18. So what is the risk? • Not all associates need to be compromised, just one is enough • Social Engineering is based on gaining trust – for service oriented companies, this is a risk – Associates are trusting and want to help • Social Engineers are after an associate’s access rights • What can a criminal do if they have access to everything you have at work?

  19. What can you do? • Never share passwords – NEVER, NEVER, NEVER • Use different passwords for personal and business matters • Don’t discuss company confidential matters in public • Shred company confidential information • Find CD’s, USB thumb drives? Don’t use them • Know how to spot a phish – beware of email attachments • Never use a link within an email or call a phone number from within an email – look up the organization independently • Don’t forward or respond to unsolicited email, chain letters and other hoaxes • Screen lock your computer when you walk away • Don’t let strangers into secure areas – let them use their badge • Don’t share confidential information with strangers over the phone

  20. Questions

  21. Some YouTube Fun! • Click Here

More Related