Social Engineering And You
Steve Otto
Social Engineering
- Social Engineering: getting people to do things they ordinarily wouldn’t do for a stranger.
- Social Engineering: “Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.” - Kevin Mitnick
- The Social Engineer’s Modus Operandi: gather as much information about the target as possible, and use that information to gain the trust of an insider. Then go for the jugular!
The Art of the Attacker
- Innocuous Information: “Much of the seemingly innocuous information in a company’s possession is prized by a social engineering attacker because it can play a vital role in his effort to dress himself or herself in a cloak of believability.” As you’ll notice repeatedly in these examples, knowledge of a company’s lingo and of its corporate structure - its various offices and departments, what each one does, and what information each has - is part of the essential bag of tricks of the successful social engineer.
The Art of the Attacker
- CreditChex Example
  - This entire ruse was based on one of the fundamental tactics of social engineering: gaining access to information that a company employee treats as innocuous, when it isn’t.
- More “Worthless” Information
  - Peter Abels’ phone call.
  - The moral of the story is: don’t give out any personal or company information or identifiers to anyone unless you recognize his or her voice and the requester has a need to know.
Techniques of the Social Engineer
- The Direct Attack: Just Asking For It
  - Stevie’s Scam
- This is a perfect example of how easy it can be for a social engineer to get what they want by “just asking for it.”
- Building Trust
  - Trust is the key to deception. The more a social engineer can make his contact seem like business as usual, the more he allays suspicion.
  - Once he/she has your trust, the drawbridge is lowered and the castle door thrown open so he/she can enter and take whatever information they want.
Techniques of the Social Engineer
- Doyle Lonnegan’s Story
- C.T. (how he gained the store clerk’s trust): the initial calls to Ginny were simply to build up trust. When the time came for the attack, she let her guard down and accepted Tommy for who he claimed to be, the manager at another store in the chain.
- Building a sense of trust doesn’t necessarily demand a series of phone calls with the victim.
- Surprised, Dad
- The Moral
  - Trust wisely (would you give your worst enemy your information?)
Techniques of the Social Engineer
- “Let Me Help You.”
  - The Network Outage
- Reverse Social Engineering: when the attacker puts the target in a situation where they call the attacker for help. (This gives the attacker instant credibility. If someone thinks they are talking to the help desk, they are not going to ask that person to prove their identity.)
- “Can You Help Me?”
- Vulnerable Security Practices
  - Candy Security: a term coined by Bellovin and Cheswick of Bell Labs to describe a security scenario where the outer perimeter, such as the firewall, is strong, but the infrastructure behind it is weak.
Techniques of the Social Engineer
- Speakeasy Security: security that relies on knowing where desired information is, and using a worker’s ID number or name to gain access to that information or computer system.
- Security Through Obscurity: an ineffective method of computer security that relies on keeping secret the details of how the system works (protocols, algorithms, and internal systems). Security through obscurity relies on the false assumption that no one outside the trusted group of people will be able to circumvent the system.
Safe Security Practices
- The Golden Questions:
  - How do I know this person is who he says he is?
  - How do I know this person has the authority to make this request?
- NEVER disclose your password under any circumstances.
- Follow procedures for disclosure of internal information.
- When in doubt: Verify, Verify, Verify.
- Treat your seemingly innocuous information like ATM PIN numbers.
- Ask yourself if you would give the requested information to your worst enemy, and what the repercussions would be for doing so.
- Never be so eager to help out a caller that the security of the business is compromised.
“Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” - Albert Einstein