Social Engineering
• Euphemism for cons
• Confidence schemes - note the word confidence
• Why technologically based security protection that ignores the human factor won’t work

Some examples
• Some dinosaur cons – Count Lustig
• The OTB wire
• Identity theft
• Industrial espionage
• A disgruntled employee

Relationship to Industrial Espionage
• Fortune 1000 firms reported trade secret losses in 1999 of $45B; estimates for 2003 are $100B
• Insiders commit 85% of industrial espionage crimes
• Kites – expendable contractors that provide access and plausible deniability
The Problem of False Credentials
• Minimal cost to purchase university degrees and transcripts – they may be backdated
• Extent of resume fraud – recent research found that 11% of the resumes that were checked misrepresented the applicant’s qualifications
The Social Engineering Attack Cycle
• Research
• Developing rapport and trust
• Exploiting trust
• Utilizing information
• Covering tracks

How Attackers Take Advantage
• Use of authority
• Being likable
• Creating a situation where reciprocation is expected
• Eliciting a public commitment, then requesting an action that seems to be consistent with the commitment
• Creating the belief that others have validated the action
• Creating the illusion of scarcity
Common Social Engineering Methods
• Posing as a fellow employee, a vendor’s employee, or law enforcement
• Posing as someone in authority
• Posing as a new employee requesting help
• Offering help if a problem occurs, then making the problem occur
• Sending software or a patch for the victim to install
• Using insider lingo to gain trust
• Capturing the victim’s keystrokes through different ruses
• Modifying a fax machine to make it appear internal
• Getting a receptionist to receive and then forward faxes
• Asking for a file to be transferred to what appears to be an internal location
• Pretending to be from a remote office and asking for local e-mail access
• Getting a voice mailbox set up so that callbacks perceive the attacker as internal
Common Targets of Attacks
Target Type: Examples
• Unaware of the value of information: receptionists, telephone operators, administrative assistants, security guards
• Special privileges: help desk, technical support, system administrators, computer operators, telephone system administrators
• Manufacturer/vendor: computer hardware and software manufacturers, voice mail sellers
• Specific departments: Accounting, HR
Seven Deadly Sins
• Gullibility
• Curiosity
• Courtesy
• Greed
• Diffidence
• Thoughtlessness
• Apathy

Factors that Heighten Companies’ Vulnerability
• Large number of employees
• Multiple facilities
• Information on employee whereabouts left on voice mail
• Phone extension information made available
• Lack of security training and awareness
• No data classification system
• No incident reporting/response plan in place

Verification and Data Classification in Response to Requests
• Verification of identity
• Verification of employee status
• Procedure to determine need to know
• Criteria for verifying non-employees
• Data classification