SOCIAL ENGINEERING -Ramyah Rammohan
What is Social Engineering? • Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. • Social engineering is emerging as one of the biggest challenges, as there is no technical defense against the exploitation of human weaknesses.
Why Social Engineering? • Easier than technical hacking • Hard to detect and track
Goals of a Social Engineer • Someone who tries to gain unauthorized access to your computer systems. • The social engineer's aim is to make the victim want to give them the information they need. • It affects all kinds of systems.
To protect from social engineering attacks • Need to know what kinds of attack to expect. • Understand what the hacker wants. • Estimate what the loss might be worth to your organization.
Related Concepts • Pretexting -It is the act of creating and using an invented scenario to persuade a target to release information or perform an action and is typically done over the telephone. • Phishing - Deceiving a user into using a fake web site • Identity theft - Pretending to be someone else, e.g., calling support while on a trip (with no way to authenticate the call) • Trojans - Deceiving a user into running a malicious program
Importance of Trust • Common tactic: establish a trust relationship and exploit it. • Trust starts by identification. Most S.E. problems are related to identification without authentication - fake badges, uniforms. • Identification by impression and persuasion - logos - theater: confidence, dress, body language, tone of voice - knowledge of specific information.
Social Engineering Threats and Defenses • Online • Telephone • Waste management • Personal approaches • Reverse social engineering
Online Threat • Obtaining private information. Reference - www.microsoft.com/technet/security/midsizebusiness/default.mspx
Pop-up Applications • Theft of personal information • Download malware • Download hacker software.
Instant Messaging Reference - www.microsoft.com/technet/security/midsizebusiness/default.mspx
Telephone Threat • Request information. • Gain access to “free” telephone usage. • Gain access to communications network.
Waste Management Threats • Dumpster Diving/Trashing • Huge amount of information in the trash • Most of it does not seem to be a threat • The who, what and where of an organization • Knowledge of internal systems • Materials for greater authenticity • Intelligence Agencies have done this for years
To counteract • Company Confidential. Shred all company confidential waste documents before disposal in any bin. • Private. Shred all private waste documents before disposal in any bin. • Departmental. Shred all departmental waste documents before disposal in public dumpsters. • Public. Dispose of public documents in any bin or recycle them as waste paper.
Personal Approaches The simplest and cheapest way for a hacker to get information is for them to ask for it directly. • Persuasion. The most common forms of persuasion include flattery or name dropping. • Intimidation. This approach may involve the impersonation of an authority figure to coerce a target to comply with a request. • Ingratiation. This approach is usually a more long term ploy, in which a subordinate or peer coworker builds a relationship to gain trust and, eventually, information from a target. • Assistance. In this approach, the hacker offers to help the target. The assistance will ultimately require the target to divulge personal information that will enable the hacker to steal the target’s identity.
Reverse Social Engineering • It describes a situation in which the target or targets make the initial approach and offer the hacker the information that they want.
Continued • Try to recognize possible attack situations. • Follow procedures and policies - inform yourself of what they are - if you're in charge, do you have security procedures? • Did you train your employees? - Regular employees should take note of suspicious people inside the building. Ask around if anyone vouches for them. Don't confront them - report them to security. - Propped-open security doors must be attended by a guard.
Designing Defenses against Social Engineering Threats • Develop a security management framework. • Undertake risk management assessments. • Implement social engineering defenses within your security policy.
Developing a Security Management Framework • Security sponsor. A senior manager, probably board-level, who can provide the necessary authority to ensure that all staff take the business of security seriously. • Security manager. A management-level employee who has responsibility for orchestrating the development and upkeep of a security policy. • IT security officer. A technical staff member who has responsibility for developing the IT infrastructure and operational security policies and procedures. • Facilities security officer. A member of the facilities team who is responsible for developing site and operational security policies and procedures. • Security awareness officer. A management-level member of staff—often from within the human resources or personnel development department—who is responsible for the development and execution of security awareness campaigns.
Risk Assessment • Confidential information • Business credibility • Business availability • Resources • Money
Risk Assessment • Online - Email: policy on types of attachments and how to manage them. - Internet usage policy. - Pop-up applications: what to do with unexpected dialog boxes. - IM: supported and allowable IM clients. • Telephone - PBX: support management. - Service desk: provision of data access.
Risk Assessment • Waste Management - Paper waste: paper management. - Dumpster management guidelines. - Electronic: electronic media waste materials. • Personal Approaches - Physical security: visitor management. - Office security: policy for user ID and password management - no writing passwords on a sticky note and attaching it to a screen.
Implementing Defenses Against SE Threats • Awareness: structured training, less formal meetings, poster campaigns, or other events to publicize the security policies. • Managing incidents. • Operational considerations. Reference - www.microsoft.com/technet/security/midsizebusiness/default.mspx
Conclusion • Social engineering is the easiest method of obtaining a company's information. • A social engineer can cause more severe damage to an organization than a virus, spyware or adware. • It is difficult to find the insider, as there is no technical defense against the exploitation of human weaknesses. • Policies, procedures, and awareness should be implemented to defend against social engineering. • Physical security. • An organization can train its employees to avoid social engineering.
References • www.microsoft.com/technet/security/midsizebusiness/default.mspx • http://en.wikipedia.org/wiki/Social_engineering • Idea Group Publishing, Enterprise Information Systems Assurance and System Security, March 2006 (PDF) • http://labmice.techtarget.com/security/socialengineering.htm • http://www.purdue.edu/securepurdue/docs/socialEngineering.pdf
Questions? Thank You.