
SOCIAL ENGINEERING

SOCIAL ENGINEERING - Ramyah Rammohan. What is Social Engineering? Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.


Presentation Transcript


  1. SOCIAL ENGINEERING -Ramyah Rammohan

  2. What is Social Engineering?
  • Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.
  • Social engineering is emerging as one of the biggest challenges, as there is no technical defense against the exploitation of human weaknesses.

  3. Why Social Engineering?
  • Easier than technical hacking
  • Hard to detect and track

  4. Goals of a Social Engineer
  • Someone who tries to gain unauthorized access to your computer systems.
  • The social engineer makes the victim want to give them the information they need.
  • It affects all kinds of systems.

  5. To protect from social engineering attacks
  • Need to know what kinds of attack to expect.
  • Understand what the hacker wants.
  • Estimate what the loss might be worth to your organization.

  6. Related Concepts
  • Pretexting - The act of creating and using an invented scenario to persuade a target to release information or perform an action; typically done over the telephone.
  • Phishing - Deceiving a user into using a fake web site.
  • Identity theft - Pretending to be someone else, e.g., calling support while on a trip (with no way to authenticate the call).
  • Trojans - Deceiving a user into running a malicious program.

  7. Importance of Trust
  • Common tactic: establish a trust relationship and exploit it.
  • Trust starts with identification. Most social engineering problems are related to identification without authentication.
  - Fake badges, uniforms
  • Identification by impression and persuasion
  - Logos
  - Theater: confidence, dress, body language, tone of voice
  - Knowledge of specific information

  8. Social Engineering Threats and Defenses
  • Online
  • Telephone
  • Waste management
  • Personal approaches
  • Reverse social engineering

  9. Online Threat
  • Obtaining private information.
  Reference - www.microsoft.com/technet/security/midsizebusiness/default.mspx

  10. Pop-up Applications
  • Theft of personal information
  • Download malware
  • Download hacker software

  11. Instant Messaging
  Reference - www.microsoft.com/technet/security/midsizebusiness/default.mspx

  12. Telephone Threat
  • Request information.
  • Gain access to “free” telephone usage.
  • Gain access to the communications network.

  13. Waste Management Threats
  • Dumpster diving/trashing
  • Huge amount of information in the trash
  • Most of it does not seem to be a threat
  • The who, what and where of an organization
  • Knowledge of internal systems
  • Materials for greater authenticity
  • Intelligence agencies have done this for years

  14. To counteract
  • Company Confidential. Shred all company confidential waste documents before disposal in any bin.
  • Private. Shred all private waste documents before disposal in any bin.
  • Departmental. Shred all departmental waste documents before disposal in public dumpsters.
  • Public. Dispose of public documents in any bin or recycle them as waste paper.

  15. Personal Approaches
  The simplest and cheapest way for a hacker to get information is to ask for it directly.
  • Persuasion. The most common forms of persuasion include flattery or name dropping.
  • Intimidation. This approach may involve the impersonation of an authority figure to coerce a target to comply with a request.
  • Ingratiation. This approach is usually a longer-term ploy, in which a subordinate or peer coworker builds a relationship to gain trust and, eventually, information from a target.
  • Assistance. In this approach, the hacker offers to help the target. The assistance will ultimately require the target to divulge personal information that will enable the hacker to steal the target’s identity.

  16. Reverse Social Engineering
  • Describes a situation in which the target or targets make the initial approach and offer the hacker the information they want.

  17. Contd.
  • Try to recognize possible attack situations.
  • Follow procedures and policies.
  - Inform yourself of what they are.
  - If you're in charge, do you have security procedures?
  • Did you train your employees?
  - Regular employees should take note of suspicious people inside the building. Ask around if anyone vouches for them.
  - Don't confront them; report them to security.
  - Propped-open security doors must be attended by a guard.

  18. Security

  19. Designing Defenses against Social Engineering Threats
  • Develop a security management framework.
  • Undertake risk management assessments.
  • Implement social engineering defenses within your security policy.

  20. Developing a Security Management Framework
  • Security sponsor. A senior manager, probably board-level, who can provide the necessary authority to ensure that all staff take the business of security seriously.
  • Security manager. A management-level employee who has responsibility for orchestrating the development and upkeep of a security policy.
  • IT security officer. A technical staff member who has responsibility for developing the IT infrastructure and operational security policies and procedures.
  • Facilities security officer. A member of the facilities team who is responsible for developing site and operational security policies and procedures.
  • Security awareness officer. A management-level member of staff, often from within the human resources or personnel development department, who is responsible for the development and execution of security awareness campaigns.

  21. Risk Assessment
  • Confidential information
  • Business credibility
  • Business availability
  • Resources
  • Money

  22. Risk Assessment
  • Online
  - Email: policy on types of attachments and how to manage them.
  - Internet usage policy.
  - Pop-up applications: what to do with unexpected dialog boxes.
  - IM: supported and allowable IM clients.
  • Telephone
  - PBX: support management.
  - Service Desk: provision of data access.

  23. Risk Assessment
  • Waste Management
  - Paper: waste paper management.
  - Dumpster management guidelines.
  - Electronic: electronic media waste materials.
  • Personal Approaches
  - Physical security: visitor management.
  - Office security: policy for user ID and password management, e.g., no writing passwords on a sticky note and attaching it to a screen.

  24. Implementing Defenses Against SE Threats
  • Awareness: structured training, less formal meetings, poster campaigns, or other events to publicize the security policies.
  • Managing incidents.
  • Operational considerations.
  Reference - www.microsoft.com/technet/security/midsizebusiness/default.mspx

  25. Conclusion
  • Social engineering is the easiest method of obtaining a company’s information.
  • A social engineer can cause more severe damage to an organization than a virus, spyware, or adware.
  • The insider is difficult to find, as there is no technical defense against the exploitation of human weaknesses.
  • Policies, procedures, and awareness should be implemented to defend against social engineering.
  • Physical security.
  • Organizations can train employees to avoid social engineering.

  26. References
  • www.microsoft.com/technet/security/midsizebusiness/default.mspx
  • http://en.wikipedia.org/wiki/Social_engineering
  • Idea Group Publishing, Enterprise Information Systems Assurance and System Security, March 2006 (PDF)
  • http://labmice.techtarget.com/security/socialengineering.htm
  • http://www.purdue.edu/securepurdue/docs/socialEngineering.pdf

  27. Questions? Thank You.
