Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Published byChristian Ansell Modified over 9 years ago

Similar presentations

Presentation on theme: "Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering."— Presentation transcript:

1 Social Engineering Training

2 Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering attempts. Spot sophisticated e-mail phishing attempts. Avoid phone-based information elicitation. Detect “baiting” attacks via USB keys, CDs, and other physical media.

3 Why Social Engineering Training? DOE Red Team Tests The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008. They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office. Increased use and sophistication of Social Engineering tactics.

4 Overview Definition Attacker Motivation Techniques Tests Summary

5 Definition What is social engineering? Art of manipulating people into performing actions or divulging confidential information. Using trickery to gather information or computer system access. In most cases the attacker never comes face-to- face with the victim.

6 What motivates social engineers? Obtaining personal information. Gaining unauthorized access. Circumventing established procedures. Because they can.

7 Pretexting Invented scenario Can use any communication medium. Phone Calls E-mail Physical media General Prevention Think about motivation – how could this be used maliciously? Be polite (it could be legitimate). Record available contact information. Ask a question for which the answer is not publicly available.

8 Tools Used in Pretexting Any publicly available information Postings on public web pages. Phone book information. Professional information. Personal and professional relationships Association with ISU. Association with DOE. Conferences and collaborations in field of expertise.

9 Specific Techniques Phone Cold Calls / Scams E-Mail Phishing 1 Trojan Horse 1 Physical Media Baiting 1,2 1 The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office. 2 The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.

10 Phone Scams Unexpected / Unsolicited Phone Calls Attempt to elicit personal or organizational information.. Example Pretexts Offer to perform a service. Ask for information about organization (i.e. reporters, prospective students). Claim to be calling for a friend or family members that need access to something. Prevention Be polite. Ask for a number to call *them* back; may allow tracing later. Ask a question for which the answer is not publicly available.

11 E-Mail Unsolicited / Unexpected E-Mail - entice user to: Click on a link to a fraudulent web page. View or execute an attachment. Reply to message. Example Pretexts Standard Viagra, off-shore lottery, etc…spam. Notice from DOE, ISU or other requiring a quick response and personal information. Unsolicited CVs, proposals, professional requests.

12 E-Mail – Trojan Horse Malicious software delivered via e-mail Attachment Web link Pretext Cool screen saver. Important anti-virus or system upgrade. Latest gossip about a celebrity.

13 E-Mail - Prevention Verify Web Links Known Site. URL and text match. Copy and paste rather than click. Verify sender prior to opening attachments or clicking on web links. Contact through different medium (i.e. call sender). Verify via an associate of sender, if known. Examine e-mail headers Forward suspect e-mail to abuse@ameslab.govabuse@ameslab.gov

14 Email Example - Links

15 Email Example - Headers

16

17 Email Example - Attachments

18 What you see: What you don’t see: Attacker’s Server

19 Physical Media - Baiting Deliver malware via infected CD ROM or USB flash drive. Pretexts “Lost” in a location sure to be found (bathroom, elevator, sidewalk, parking lot). Delivered with a legitimate looking curiosity-piquing label and simply waits for the victim to use the device.

20 Physical Media - Prevention Verify unexpected mailings with sender. Never put anything into your computer if you don’t know where it’s been. Bring found USB keys, CD-ROMs, or other digital media to IS for examination.

21 Quick Tests Name 3 clues in this e-mail that should make you suspicious

22 Quick Tests – Solution

23 Quick Tests Which of these emails is legitimate? Which is fake?

24 Quick Tests The left email is a Red Team attack. The right email is from DOE.

25 Quick Tests Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack? Can you think of an unsolicited e-mail, phone call, or physical mail attack which would be impossible to verify or handle safely?

26 When to report Social Engineering What to report Spam emails with local information. Unusual DOE/Ames Laboratory emails. Unsolicited phone calls digging for information/contacts. What not to report General spam.

27 How to report Social Engineering If Social Engineering techniques are attempted while at work… If you believe you might have revealed sensitive information about the Ames Laboratory… Report it to the IS office at: Phone: 4-8348 Email: abuse@ameslab.gov This will alert us to any suspicious or unusual activity.

28 Summary Be suspicious. Think about motivation when revealing information. Verify identity. Be careful what you click on. No one will catch everything – Be willing to ask for help.

29 Thanks for Attending

30

Download ppt "Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
THE DHS PHISHING IQ TEST PART 2 LEGITIMATE EMAIL V PHISHING EMAIL How do you know if an email is legitimate, or is a phony, phishing email? Take the.

THE DHS PHISHING IQ TEST PART 2 LEGITIMATE V PHISHING How do you know if an is legitimate, or is a phony, phishing ? Take the.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Stay Safe Online in Six Steps Presented by: Scott Rhinehart 540 Lake Center Parkway, Suite 102 Cumming, GA 30040 Office: 678-513-1864 ext 58727 Fax: 770-887-9339.

Stay Safe Online in Six Steps Presented by: Scott Rhinehart 540 Lake Center Parkway, Suite 102 Cumming, GA Office: ext Fax:
What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via

What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via
SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.

SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.
The Art of Social Hacking

The Art of Social Hacking
1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.

1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.
NCS welcome all participants on behalf of Quick Heal Anti Virus and Fortinet Firewall solution.

NCS welcome all participants on behalf of Quick Heal Anti Virus and Fortinet Firewall solution.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
Computer Viruses.

Computer Viruses.
1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.

1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Quiz Review.

Quiz Review.
Discovering Computers 2010

Discovering Computers 2010
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
Security Issues: Phishing, Pharming, and Spam

Security Issues: Phishing, Pharming, and Spam
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.

Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Social Engineering UTHSC Information Security Team.

Social Engineering UTHSC Information Security Team.

Similar presentations

Ads by Google