“Hi, I ’ m Tom from IT” Social Engineering In the Real World

1. “Hi, I’m Tom from IT”Social Engineering In the Real World Tom DeSot EVP, Chief Information Officer

2. Background Slide on Tom

3. Company Background Founded in 1999, Digital Defense, Inc. (DDI) is the premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. DDI’s dedicated team of experts helps organizations establish a culture of security through regular information security assessments, awareness education and decisive security intelligence. This proven method bolsters the capability of organizations to reduce risk and keep information, intellectual property and reputations secure.

4. Agenda • What is Social Engineering? • Real World Examples • Social Engineering Methodologies • Remote Social Engineering • Onsite Social Engineering • Preventing Social Engineering Attacks • Questions?

5. What Is Social Engineering? • “…the art of manipulating people into performing actions or divulging confidential information.” (Wikipedia)

6. Cyber War “It is said that… If you know your enemies and know yourself, you will not be imperiled in a hundred battles If you do not know your enemies but do know yourself, you will win one and lose one If you do not know your enemies nor yourself, you will be imperiled in every single battle.” Sun Tzu 孫子; Sūn Zǐ; (c. 6th century BC) Chinese General, Military Strategist, and author of The Art of War

7. The Numbers Don’t Lie 48% of enterprises have been victims of social engineering attacks 75% Success rate with social engineering phone calls to businesses Veracode

8. Real World Examples • An individual called into Citibank’s customer service bureau claiming to be Paul Allen (Co-founder of Microsoft) • Caller claimed he had misplaced his debit card (did not want to report it stolen) • Caller was able to change the mailing address for the account to his residence in Pittsburgh over the phone • Had a new card overnighted • Card was used to make a $658 payment to a bank loan account • Attempted to make a $15,000 wire transfer and a purchase at Game Stop, but transactions were denied Source: “FBI Says Citibank Gave Paul Allen’s Debit Card to Thief”, http://www.wired.com/threatlevel/2012/03/paul-allen-debit-card-caper/

9. Real World Examples A man dressed as an employee of Brinks walked into a Wachovia branch in downtown Washington D.C. and walked out with more than $350,000. Wasn’t until the real Brink’s driver showed up did they realize they had been robbed. Source: http://www.schneier.com/blog/archives/2008/01/socialengineeri.html

10. Real World Examples Tareq and Michaele Salahi were able to crash a reception for President Obama • “They looked like they belonged…”

11. Remote Social Engineering Tactics Help Us Out! • Scenario • Inbound telephone calls to employees • Caller attempts to persuade a user to visit a fake website and enter his/her credentials to validate their password(s) • Outbound caller ID is spoofed • Captures usernames and passwords

12. Fake Site Example

13. Remote Social Engineering Tactics The Patch • Scenario • Inbound telephone calls to employees • Direct user to fake website to download and execute the “patch” • Executable actually sends username, IP address and hostname to Internet

14. Sample Site

15. Sample Dialog Box

16. Remote Social Engineering Tactics The Patch (E-Mail) • Send e-mails to targeted users to persuade them to visit a “patch” site to “fix” a zero-day vulnerability • Similar to Scenario 2 (Phone) • Executable actually sends username, IP address and hostname to Internet

17. Fake Email

18. Remote Social Engineering Tactics BonusPlan2013.xls • The analyst will drop USB fobs in areas where employees congregate • The test focuses on determining if employees will insert unknown removable media into corporate computers • When inserted, Excel spreadsheets are shown with file names like “BonusPlan2013.xls” • Excel does not open; the program silently sends the IP address, hostname and username of the individual to a DDI server Bonus Plan

19. How Successful Are We? 95-98% Successful

20. What Is Onsite Social Engineering? Onsite Social Engineering uses several onsite testing methods, including… • attempting to gain physical access to the premises • attempting to obtain records, files, equipment, sensitive information, network access, etc. • Attempting to garner information to permit unauthorized network access

21. Onsite Social Engineering Tactics Scenario 1: New Employee • The analyst pretends to be a new employee and enters through employee entrance • Will typically have already “cased” the organization and will wear the appropriate attire • Will already have a fake badge before they come onsite

22. Onsite Social Engineering Tactics Scenario 2: Trusted Vendor • The analyst pretends to be someone from a trusted vendor such as the local telephone company, A/C repair, etc. • Will typically have already called in to see what firms the organization uses • Shirts are easy to buy at local thrift stores or to have made

23. How Successful Are We? 90-95% Successful

24. What Can You Do to Prevent an Attack?

25. What About My Badge System?

26. What About My Door Locks?

27. What About My Cameras?

28. Don’t Give Up!

29. Remember…Knowledge is Power Security Awareness Training Hacking and social engineering can result in data breaches that expose millions of companies worldwide to enormous risks, including financial liability and damage to their brand reputations. Companies that want to protect vial commercial assets and customer data should look to ongoing security training and awareness programs to help build a culture of security.

30. Questions? Digital Defense, Inc. 9000 Tesoro Drive, Suite 100 San Antonio, TX 78217 888.273.1412 www.DDIFRONTLINE.COM tom.desot@ddifrontline.com