
Social Engineering




Presentation Transcript


  1. Social Engineering
  By: Pete Guhl and Kurt Murrell

  2. Techniques

  3. Phases of Social Engineering
  - Very similar to how intelligence agencies infiltrate their targets
  - 3-phased approach
    • Phase 1 - Intelligence Gathering
    • Phase 2 - “Victim” Selection
    • Phase 3 - The Attack
  - Usually a very methodical approach

  4. Phase 1 - Intelligence Gathering
  - Primarily open source information
    • Dumpster diving
    • Web pages
    • Ex-employees
    • Contractors
    • Vendors
    • Strategic partners
  - The foundation for the next phases

  5. Phase 2 - “Victim” Selection
  - Looking for weaknesses in the organization’s personnel
    • Help desk
    • Tech support
    • Reception
    • Admin. support
    • Etc.

  6. Phase 3 - The Attack
  - Commonly known as the “con”
  - Primarily based on “peripheral” routes to persuasion
    • Authority
    • Liking & similarity
    • Reciprocation
  - Uses emotionality as a form of distraction

  7. 3 General Types of Attack
  • Ego attacks
  • Sympathy attacks
  • Intimidation attacks

  8. Intimidation Attack
  • Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
  • Attempts to use that authority to coerce the victim into cooperation
  • If there is resistance, they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)
  • If they pretend to be law enforcement, they will claim the investigation is hush-hush and not to be discussed, etc.

  9. Sympathy Attacks
  • Attacker pretends to be a fellow employee (new hire), contractor, vendor, etc.
  • There is some urgency to complete some task or obtain some information
  • Needs assistance or they will be in trouble, lose their job, etc.
  • Plays on the empathy and sympathy of the victim
  • Attackers “shop around” until they find someone who will help
  • Very successful attack

  10. The Ego Attack
  • Attacker appeals to the vanity or ego of the victim
  • Usually targets someone they sense is frustrated with their current job position
  • The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to systems or data
  • Attacker may pretend to be law enforcement; the victim feels honored to be helping
  • Victim usually never realizes

  11. More Info on Attacks
  • Attacks can come from anywhere, anytime
  • Social engineering can circumvent current security practices - what good is a password if everyone has it?
  • No one is immune - everyone has information about the company

  12. Preventing Social Engineering

  13. Training
  • Warn users of imminent attack - users that are forewarned are less free with information

  14-20. Training
  • Define sensitive information
    - Passwords
    - DOB
    - Maiden names
    - Social Security Number
    - Account numbers
    - Billing amounts

  21-22. Training
  • Users - passwords, phone numbers, other data
  • System admins - tougher authentication protocol for password resets

  23-25. Testing
  • Users - reveal seemingly innocuous data?
  • System admins - divulge network information?
  • Helpdesk personnel - reset passwords on faulty authentication?

  26. Removing the Weak Link
  • Remove the user’s ability to divulge information
    - Remove all non-essential phones
    - Restrict to internal communications
    - Remove Internet access
    - Disable removable drives
    - Make false information accessible

  27. Removing the Weak Link
  • Forced strong authentication
    - Use secure software requiring strong authentication for password resets
    - Require callback to user’s directory-listed number
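The slide above (and the helpdesk test on slide 25) describes the control in one line; the following is an added example, not part of the deck, of a reset gate that enforces it: the one-time code goes only to the number the corporate directory holds for the account, never to a number the caller supplies, and a mismatch between the two is logged for review. The directory, `send_code` stub and account names are constructed for the example.

```python
"""Helpdesk password-reset gate that enforces callback to the directory-listed number.

Added example (not from the slides). A reset is only completed after the caller
reads back a one-time code that was sent to the number on file, so an attacker
who phones the helpdesk with a convincing story and "their" phone number gains
nothing unless they also control the listed phone.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: the only trusted source of callback numbers.
DIRECTORY = {"jdoe": "+1-555-0100", "asmith": "+1-555-0101"}


def send_code(number: str, code: str, log: List[str]) -> None:
    """Stand-in for the SMS/voice delivery channel; here it only records the event."""
    log.append(f"sent code to {number}")


@dataclass
class ResetGate:
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (number, code)
    log: List[str] = field(default_factory=list)

    def start_reset(self, username: str, caller_number: str) -> Optional[str]:
        """Begin a reset; returns the listed number the code went to, or None if refused."""
        listed = DIRECTORY.get(username)
        if listed is None:
            self.log.append(f"deny {username}: not in directory")
            return None
        if caller_number != listed:
            # Caller-supplied number is evidence, never a delivery target.
            self.log.append(f"warn {username}: caller {caller_number} != listed {listed}")
        code = secrets.token_hex(3)  # six hex digits, single use
        self.pending[username] = (listed, code)
        send_code(listed, code, self.log)
        return listed

    def complete_reset(self, username: str, presented_code: str) -> bool:
        """Finish only if the code read back matches; one attempt per callback."""
        entry = self.pending.pop(username, None)
        if entry is None:
            self.log.append(f"deny {username}: no pending callback")
            return False
        ok = hmac.compare_digest(entry[1], presented_code)
        self.log.append(("reset " if ok else "deny ") + username)
        return ok
```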

  28. Removing the Weak Link
  • Secure protected doors
    - Employ guards
    - Use revolving door
    - Two-door checkpoint
    - Deploy CCTV to remote facility
