Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social-engineering for engineers The Whats, Whys, Wheres and Hows of social-engineering 1.

Similar presentations


Presentation on theme: "Social-engineering for engineers The Whats, Whys, Wheres and Hows of social-engineering 1."— Presentation transcript:

1 Social-engineering for engineers The Whats, Whys, Wheres and Hows of social-engineering 1

2 Agenda  On-going technology development  Social-engineering  What's the story with the frauds?  How to prevent and defend against them?  And what to do if we fail to do the above?  What else should be done? 2

3 On-going technology development For the last 20 years (or so), we've been witnessing an amazing technological development. The challenge is not to be the first or the best but not to be the last. It's not easy however. 3

4 On-going technology development Who's having the problems then?  Content and service providers  Software and hardware vendors  Legislators and law enforcement  Internet users 4

5 On-going technology development For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen... Nope, that's not Pink Floyd. It's Stephen Hawking. But Internet-based communication is much more than text and sound. 5

6 On-going technology development Pictures Video Instant messaging and VoIP Memes And more to come sooner or later 6

7 On-going technology development Still there are things that haven't changed e.g. non- verbal communication. For ages our behaviour's been based on the same rules. So what? Well, IT systems and applications are prone to errors just like the humans who develop and operate them. 7

8 Social-engineering The practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions. source: Merriam-Webster Dictionary In the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. source: 8

9 Social-engineering  Baiting  Pretexting  Phishing  Quid pro quo  Boooooriiiiinnnngggg... 9

10 Social-engineering Robert Cialdini's six rules of influence:  Reciprocity  Commitment and Consistency  Social Proof  Authority  Liking  Scarcity 10

11 Reciprocity Nigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in the country of his origin. You'll be rewarded but first, you have to help. Some encouragement follows. Favours - someone pretending to be an IT help-desk specialist, calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password. 11

12 Commitment and Consistency "Free" IQ tests - its results shall be shown once you send a premium-rate text message (does it affect the overall score BTW? ;) Limited content - to view a full article or video you need to pay money or follow a dodgy link. Mobile apps - if you clicked "download", "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"? 12

13 Liking Phishing - fake s and websites look really like the genuine ones (well, not in Poland, how's it in Georgia? ;) Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what. Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate. 13

14 Authority Donations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money-laundering and other frauds. Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling. 14

15 Scarcity "Last minute" offers - some people will pay for goods or services difficult to obtain or time-limited. YOU are the 999. person on this website - and if you follow the link you'll win an iPad... Or will you? Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like ACTA-case in Poland. Err, soft of. 15

16 Some numbers ServicePrice Credit card data USD Actual cards190 USD Skimming device USD Fake ATMS USD e-Bank credentials USD Money transfers % Fake e-commerce sitesprice per project Spam10 USD per 1M s  discounts  guarantees  trial periods  returns Data leaks 2013Adobe2,9 mln 2011Sony PSN77 mln 2009 Heartland Payment Systems 130 mln 2008Hannaford Brothers4,6 mln 2007TJX Companies45 mln 2005CardSystems Solutions40 mln

17 How do they happen? In a number of ways:  sometimes a simple phone call is enough  malware leading to an APT attack  network snooping  IP / MAC / / Called-ID spoofing  credit cards skimming  dumpster diving (no, really!) But it's not all about the technology. 17

18 How to prevent and detect them?  DLP (Data Leak Prevention)  IPS / IDS (Intrusion Prevention/Detection Systems)  Application firewall  URL filtering  BGP / DNS blackholing  SIEM (monitoring)  Host agents  Threat intelligence and whistle-blowers But... 18

19 How to prevent and detect them? If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier You can't defend. You can't prevent. The only thing you can do is detect and respond. Bruce Schneier 19 Source:

20 And what to do if we fail to do the above? Detection should be based on both: user awareness and network / system monitoring - one won't work without another. Incident response must be a process with appropriate procedures, staffing, support, funding and tools. Computer forensics is just a tool in incident responders' hands. A powerful one but... 20

21 Computer forensics With all this cloud, big data, BYOD, data encryption and huge HDDs it's really hard to respond to incidents efficiently. That's when live forensics come into play:  Volatile data (e.g. RAM) acquisition  Imaging of unencrypted encrypted disk drives  Preservation of data in the cloud  Minimising delays in availability 21

22 Computer forensics Triage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody). Triage can be performed by a trained incident responder ("a rescue team" member) on the scene. Computer forensics expert ("a surgeon") doesn't have to be involved yet. 22

23 CSIRTs / CERTs Computer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities. Effectiveness of their work depends on appropriate communication and co-operations with other governmental and business CSIRTs/CERTs. Maintaining defense capabilities and readiness on high level means exercising and constantly improving. 23

24 CSIRT Services 24 ReactiveProactiveSecurity Quality Management Alerts and Warnings Incident Handling – Incident analysis – Incident response on site – Incident response support – Incident response coordination Vulnerability Handling – Vulnerability analysis – Vulnerability response – Vulnerability response coordination Artifact Handling – Artifact analysis – Artifact response – Artifact response coordination Announcements Technology Watch Security Audits or Assessments Configuration and Maintenance of Security Tools, Applications, and Infrastructures Development of Security Tools Intrusion Detection Services Security-Related Information Dissemination Risk Analysis Business Continuity and Disaster Recovery Planning Security Consulting Awareness Building Education/Training Product Evaluation or Certification

25 And the conclusion is... People are the first and the last line of defense from the attacks against them and the technology. The difference between us and the computers is that we think. Sometimes too much. It causes problems but that can also help avoid them. So it's always better to think twice. 25

26 Quiz https://www.paypal.com/webapps/mpp/security/antiphishing-canyouspotphishing


Download ppt "Social-engineering for engineers The Whats, Whys, Wheres and Hows of social-engineering 1."

Similar presentations


Ads by Google