Presentation on theme: "Social-engineering for engineers"— Presentation transcript:
1Social-engineering for engineers The Whats, Whys, Wheres and Hows of social-engineering
2Agenda On-going technology development Social-engineering What's the story with the frauds?How to prevent and defend against them?And what to do if we fail to do the above?What else should be done?
3On-going technology development For the last 20 years (or so), we've been witnessing an amazing technological development. The challenge is not to be the first or the best but not to be the last. It's not easy however.
4On-going technology development Who's having the problems then?Content and service providersSoftware and hardware vendorsLegislators and law enforcementInternet users
5On-going technology development For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen... Nope, that's not Pink Floyd. It's Stephen Hawking. But Internet-based communication is much more than text and sound.
6On-going technology development Pictures Video Instant messaging and VoIP Memes And more to come sooner or later
7On-going technology development Still there are things that haven't changed e.g. non-verbal communication. For ages our behaviour's been based on the same rules. So what? Well, IT systems and applications are prone to errors just like the humans who develop and operate them.
8Social-engineeringThe practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions.source: Merriam-Webster DictionaryIn the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.source:
9Social-engineering Baiting Pretexting Phishing Quid pro quo Boooooriiiiinnnngggg...
10Social-engineering Robert Cialdini's six rules of influence: ReciprocityCommitment and ConsistencySocial ProofAuthorityLikingScarcity
11ReciprocityNigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in the country of his origin. You'll be rewarded but first, you have to help. Some encouragement follows. Favours - someone pretending to be an IT help-desk specialist, calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password.
12Commitment and Consistency "Free" IQ tests - its results shall be shown once you send a premium-rate text message (does it affect the overall score BTW? ;) Limited content - to view a full article or video you need to pay money or follow a dodgy link. Mobile apps - if you clicked "download", "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"?
13LikingPhishing - fake s and websites look really like the genuine ones (well, not in Poland, how's it in Georgia? ;) Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what. Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate.
14AuthorityDonations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money-laundering and other frauds. Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling.
15Scarcity"Last minute" offers - some people will pay for goods or services difficult to obtain or time-limited. YOU are the 999. person on this website - and if you follow the link you'll win an iPad... Or will you? Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like ACTA-case in Poland. Err, soft of.
16Some numbers... discounts guarantees trial periods returns Service PriceCredit card dataUSDActual cards190 USDSkimming deviceUSDFake ATMSUSDe-Bank credentialsUSDMoney transfers%Fake e-commerce sitesprice per projectSpam10 USD per 1M sData leaks2013Adobe2,9 mln2011Sony PSN77 mln2009Heartland Payment Systems130 mln2008Hannaford Brothers4,6 mln2007TJX Companies45 mln2005CardSystems Solutions40 mlndiscountsguaranteestrial periodsreturns
17How do they happen? In a number of ways: sometimes a simple phone call is enoughmalware leading to an APT attacknetwork snoopingIP / MAC / / Called-ID spoofingcredit cards skimmingdumpster diving (no, really!)But it's not all about the technology.
18How to prevent and detect them? DLP (Data Leak Prevention)IPS / IDS (Intrusion Prevention/Detection Systems)Application firewallURL filteringBGP / DNS blackholingSIEM (monitoring)Host agentsThreat intelligence and whistle-blowersBut...
19How to prevent and detect them? If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier You can't defend. You can't prevent. The only thing you can do is detect and respond.Source:
20And what to do if we fail to do the above? Detection should be based on both: user awareness and network / system monitoring - one won't work without another. Incident response must be a process with appropriate procedures, staffing, support, funding and tools. Computer forensics is just a tool in incident responders' hands. A powerful one but...
21Computer forensicsWith all this cloud, big data, BYOD, data encryption and huge HDDs it's really hard to respond to incidents efficiently.That's when live forensics come into play:Volatile data (e.g. RAM) acquisitionImaging of unencrypted encrypted disk drivesPreservation of data in the cloudMinimising delays in availability
22Computer forensicsTriage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody). Triage can be performed by a trained incident responder ("a rescue team" member) on the scene. Computer forensics expert ("a surgeon") doesn't have to be involved yet.
23CSIRTs / CERTsComputer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities. Effectiveness of their work depends on appropriate communication and co-operations with other governmental and business CSIRTs/CERTs. Maintaining defense capabilities and readiness on high level means exercising and constantly improving.
24Security Quality Management CSIRT ServicesReactiveProactiveSecurity Quality ManagementAlerts and WarningsIncident Handling– Incident analysis– Incident response on site– Incident response support– Incident response coordinationVulnerability Handling– Vulnerability analysis– Vulnerability response– Vulnerability response coordinationArtifact Handling– Artifact analysis– Artifact response– Artifact response coordinationAnnouncementsTechnology WatchSecurity Audits or AssessmentsConfiguration and Maintenance of Security Tools, Applications, and InfrastructuresDevelopment of Security ToolsIntrusion Detection ServicesSecurity-Related Information DisseminationRisk AnalysisBusiness Continuity and Disaster Recovery PlanningSecurity ConsultingAwareness BuildingEducation/TrainingProduct Evaluation or Certification
25And the conclusion is...People are the first and the last line of defense from the attacks against them and the technology. The difference between us and the computers is that we think. Sometimes too much. It causes problems but that can also help avoid them. So it's always better to think twice.