Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social-engineering for engineers

Similar presentations

Presentation on theme: "Social-engineering for engineers"— Presentation transcript:

1 Social-engineering for engineers
The Whats, Whys, Wheres and Hows of social-engineering

2 Agenda On-going technology development Social-engineering
What's the story with the frauds? How to prevent and defend against them? And what to do if we fail to do the above? What else should be done?

3 On-going technology development
For the last 20 years (or so), we've been witnessing an amazing technological development. The challenge is not to be the first or the best but not to be the last. It's not easy however.

4 On-going technology development
Who's having the problems then? Content and service providers Software and hardware vendors Legislators and law enforcement Internet users

5 On-going technology development
For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen... Nope, that's not Pink Floyd. It's Stephen Hawking. But Internet-based communication is much more than text and sound.

6 On-going technology development
Pictures Video Instant messaging and VoIP Memes And more to come sooner or later

7 On-going technology development
Still there are things that haven't changed e.g. non-verbal communication. For ages our behaviour's been based on the same rules. So what? Well, IT systems and applications are prone to errors just like the humans who develop and operate them.

8 Social-engineering The practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions. source: Merriam-Webster Dictionary In the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. source:

9 Social-engineering Baiting Pretexting Phishing Quid pro quo

10 Social-engineering Robert Cialdini's six rules of influence:
Reciprocity Commitment and Consistency Social Proof Authority Liking Scarcity

11 Reciprocity Nigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in the country of his origin. You'll be rewarded but first, you have to help. Some encouragement follows. Favours - someone pretending to be an IT help-desk specialist, calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password.

12 Commitment and Consistency
"Free" IQ tests - its results shall be shown once you send a premium-rate text message (does it affect the overall score BTW? ;) Limited content - to view a full article or video you need to pay money or follow a dodgy link. Mobile apps - if you clicked "download", "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"?

13 Liking Phishing - fake s and websites look really like the genuine ones (well, not in Poland, how's it in Georgia? ;) Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what. Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate.

14 Authority Donations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money-laundering and other frauds. Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling.

15 Scarcity "Last minute" offers - some people will pay for goods or services difficult to obtain or time-limited. YOU are the 999. person on this website - and if you follow the link you'll win an iPad... Or will you? Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like ACTA-case in Poland. Err, soft of.

16 Some numbers... discounts guarantees trial periods returns Service
Price Credit card data USD Actual cards 190 USD Skimming device USD Fake ATMS USD e-Bank credentials USD Money transfers % Fake e-commerce sites price per project Spam 10 USD per 1M s Data leaks 2013 Adobe 2,9 mln 2011 Sony PSN 77 mln 2009 Heartland Payment Systems 130 mln 2008 Hannaford Brothers 4,6 mln 2007 TJX Companies 45 mln 2005 CardSystems Solutions 40 mln discounts guarantees trial periods returns

17 How do they happen? In a number of ways:
sometimes a simple phone call is enough malware leading to an APT attack network snooping IP / MAC / / Called-ID spoofing credit cards skimming dumpster diving (no, really!) But it's not all about the technology.

18 How to prevent and detect them?
DLP (Data Leak Prevention) IPS / IDS (Intrusion Prevention/Detection Systems) Application firewall URL filtering BGP / DNS blackholing SIEM (monitoring) Host agents Threat intelligence and whistle-blowers But...

19 How to prevent and detect them?
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier You can't defend. You can't prevent. The only thing you can do is detect and respond. Source:

20 And what to do if we fail to do the above?
Detection should be based on both: user awareness and network / system monitoring - one won't work without another. Incident response must be a process with appropriate procedures, staffing, support, funding and tools. Computer forensics is just a tool in incident responders' hands. A powerful one but...

21 Computer forensics With all this cloud, big data, BYOD, data encryption and huge HDDs it's really hard to respond to incidents efficiently. That's when live forensics come into play: Volatile data (e.g. RAM) acquisition Imaging of unencrypted encrypted disk drives Preservation of data in the cloud Minimising delays in availability

22 Computer forensics Triage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody). Triage can be performed by a trained incident responder ("a rescue team" member) on the scene. Computer forensics expert ("a surgeon") doesn't have to be involved yet.

23 CSIRTs / CERTs Computer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities. Effectiveness of their work depends on appropriate communication and co-operations with other governmental and business CSIRTs/CERTs. Maintaining defense capabilities and readiness on high level means exercising and constantly improving.

24 Security Quality Management
CSIRT Services Reactive Proactive Security Quality Management Alerts and Warnings Incident Handling – Incident analysis – Incident response on site – Incident response support – Incident response coordination Vulnerability Handling – Vulnerability analysis – Vulnerability response – Vulnerability response coordination Artifact Handling – Artifact analysis – Artifact response – Artifact response coordination Announcements Technology Watch Security Audits or Assessments Configuration and Maintenance of Security Tools, Applications, and Infrastructures Development of Security Tools Intrusion Detection Services Security-Related Information Dissemination Risk Analysis Business Continuity and Disaster Recovery Planning Security Consulting Awareness Building Education/Training Product Evaluation or Certification

25 And the conclusion is... People are the first and the last line of defense from the attacks against them and the technology. The difference between us and the computers is that we think. Sometimes too much. It causes problems but that can also help avoid them. So it's always better to think twice.

26 Quiz

Download ppt "Social-engineering for engineers"

Similar presentations

Ads by Google