
Preventing Social Engineering Attacks



Presentation Transcript


  1. Preventing Social Engineering Attacks
     Kelly Corning, Julie Sharp

  2. What is Social Engineering?
     • Human-based techniques: impersonation
     • Computer-based techniques: malware and scams

  3. Why is Social Engineering Effective?
     • Manipulates legitimate users into undermining their own security system
     • Abuses trusted relationships between employees
     • Very cheap for the attacker
     • Attacker does not need specialized equipment or skills

  4. Common Techniques
     • Impersonation
       • Help Desk
       • Third-party Authorization
       • Tech Support
       • Roaming the Halls
       • Repairman
       • Trusted Authority Figure
       • Snail Mail

  5. Common Techniques
     • Computer-Based Techniques
       • Pop-up windows
       • Instant Messaging and IRC
       • Email Attachments
       • Email Scams
       • Chain Letters and Hoaxes
       • Websites

  6. Impersonation: Help Desk
     • Hacker pretends to be an employee
     • Recovers a “forgotten” password
     • Help desks often do not require adequate authentication

  7. Impersonation: Third-party Authorization
     • Targeted attack on someone who has information
       • Access to assets
       • Verification codes
     • Claim that a third party has authorized the target to divulge sensitive information
     • More effective if the third party is out of town

  8. Impersonation: Tech Support
     • Hacker pretends to be tech support for the company
     • Obtains user credentials “for troubleshooting purposes”
     • Users must be trained to guard credentials

  9. Impersonation: Roaming the Halls
     • Hacker dresses to blend in with the environment
       • Company uniform
       • Business attire
     • Looks for sensitive information that has been left unattended
       • Passwords written down
       • Important papers
       • Confidential conversations

  10. Impersonation: Repairman
     • Hacker wears the appropriate uniform
     • Often allowed into sensitive environments
     • May plant surveillance equipment
     • Could find sensitive information

  11. Impersonation: Trusted Authority Figure
     • Hacker pretends to be someone in charge of a company or department
     • Similar to the “third-party authorization” attack
     • Examples of authority figures
       • Medical personnel
       • Home inspector
       • School superintendent
     • Impersonation in person or via telephone

  12. Impersonation: Snail Mail
     • Hacker sends mail that asks for personal information
     • People are more trusting of printed words than of webpages
     • Examples
       • Fake sweepstakes
       • Free offers
       • Rewards programs
     • More effective on older generations

  13. Computer Attacks: Pop-up Windows
     • Window prompts the user for login credentials
     • Imitates the secure network login
     • Users can check for visual indicators to verify security

  14. Computer Attacks: IM & IRC
     • Hacker uses IM or IRC to imitate the technical support desk
     • Redirects users to malicious sites
     • Trojan horse downloads install surveillance programs

  15. Computer Attacks: Email Attachments
     • Hacker tricks the user into downloading malicious software
     • Programs can be hidden in downloads that appear legitimate
     • Examples
       • Executable macros embedded in PDF files
       • Camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
     • Often the final extension is hidden by the email client
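The camouflaged-extension trick on slide 15 is easy to check for mechanically. The following is an added example (not part of the presentation) of the kind of attachment-name triage a mail gateway or help desk could run; it also shows what a client that hides known extensions would display to the user. The extension lists are constructed for illustration and are not exhaustive.

```python
"""Flag attachment names that disguise an executable as a document
(slide 15: "NormalFile.doc" vs "NormalFile.doc.exe")."""
import re

# Constructed, non-exhaustive lists: extensions that run as code on a typical
# desktop, and document/image extensions commonly used as the decoy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx",
              "txt", "jpg", "jpeg", "png", "zip"}


def displayed_name(filename: str) -> str:
    """Approximate what a client with "hide known extensions" shows the user:
    the final extension disappears, so "Report.pdf.exe" appears as "Report.pdf"."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return base
    return filename


def analyze_attachment_name(filename: str) -> tuple:
    """Return (verdict, reason) where verdict is 'block', 'warn' or 'allow'."""
    name = filename.strip()
    # Split on dots; strip each piece so "Invoice.pdf        .scr" still yields
    # the real trailing extension despite whitespace padding.
    parts = [p.strip() for p in name.lower().split(".")]
    exts = [p for p in parts[1:] if p]
    if not exts:
        return ("warn", "no extension")
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return ("block", f"executable disguised as {exts[-2]}")
        return ("block", f"executable attachment (.{final})")
    # A long run of spaces before a dot is a sign the real extension was pushed
    # out of the visible column, even when the final extension looks harmless.
    if re.search(r"\s{3,}\.", name):
        return ("warn", "whitespace padding before extension")
    return ("allow", "ok")


if __name__ == "__main__":
    for sample in ("NormalFile.doc", "NormalFile.doc.exe", "Invoice.pdf        .scr"):
        print(f"{sample!r:32} shown as {displayed_name(sample)!r:20}",
              analyze_attachment_name(sample))
```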

  16. Computer Attacks: Email Scams
     • More prevalent over time
     • Begins by requesting basic information
     • Leads to financial scams

  17. Computer Attacks: Chain Emails
     • More of a nuisance than a threat
     • Spread using social engineering techniques
     • Productivity and resource cost

  18. Computer Attacks: Websites
     • Offer prizes but require a created login
     • Hacker capitalizes on users reusing login credentials
     • Website credentials can then be used for illegitimate access to assets

  19. Best Practices
     • Never disclose passwords
     • Limit IT information disclosed
     • Limit information in auto-reply emails
     • Escort guests in sensitive areas
     • Question people you don't know
     • Talk to employees about security
     • Centralize reporting of suspicious behavior

  20. Never Disclose Passwords
     • Remind employees to keep passwords secret
     • Don’t make exceptions
     • It’s not a grey area!

  21. Limit IT Information Disclosed
     • Only IT staff should discuss details of the system configuration with others
     • Don’t answer survey calls
     • Check that vendor calls are legitimate

  22. Limit Information in Auto-Reply Emails
     • Keep details in out-of-office messages to a minimum
     • Don’t give out contact information for someone else
     • Route requests to a receptionist

  23. Escort Guests in Sensitive Areas
     • Guard all areas with network access
       • Empty offices
       • Waiting rooms
       • Conference rooms
     • This protects against attacks such as
       • “Repairman”
       • “Trusted Authority Figure”

  24. Question People You Don't Know
     • All employees should have appropriate badges
     • Talk to people you don’t recognize
     • Introduce yourself and ask why they are there

  25. Talk to Employees About Security
     • Regularly talk to employees about common social engineering techniques
     • Always be on guard against attacks
     • Everyone should watch what they say and do

  26. Centralize Reporting
     • Designate an individual or group
     • Social engineers use many points of contact
       • Survey calls
       • Presentations
       • Help desk calls
     • Recognizing a pattern can prevent an attack

  27. Resources
     • Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013. <http://community.spiceworks.com/how_to/show/666-best-practices-to-prevent-social-engineering-attacks>.
     • Information, Network & Managed IT Security Services. "Social Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013. <http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/>.
     • "Types of Social Engineering." NDPN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013. <http://www.npdn.org/social_engineering_types>.
