- Manipulates legitimate users into undermining their own security system
- Abuses trusted relationships between employees
- Very cheap for the attacker
- Attacker does not need specialized equipment or skills

- Impersonation
- Help Desk
- Third-party Authorization
- Tech Support
- Roaming the Halls
- Repairman
- Trusted Authority Figure
- Snail Mail

Computer-Based Techniques
- Pop-up windows
- Instant Messaging and IRC
- Email Attachments
- Email Scams
- Chain Letters and Hoaxes
- Websites
Help Desk
- Hacker pretends to be an employee
- Recovers a “forgotten” password
- Help desks often do not require adequate authentication

Third-party Authorization
- Targeted attack on someone who has:
  - Information
  - Access to assets
  - Verification codes
- Claim that a third party has authorized the target to divulge sensitive information
- More effective if the third party is out of town

Tech Support
- Hacker pretends to be tech support for the company
- Obtains user credentials “for troubleshooting purposes”
- Users must be trained to guard credentials

Roaming the Halls
- Hacker dresses to blend in with the environment:
  - Company uniform
  - Business attire
- Looks for sensitive information that has been left unattended:
  - Passwords written down
  - Important papers
  - Confidential conversations

Repairman
- Hacker wears the appropriate uniform
- Often allowed into sensitive environments
- May plant surveillance equipment
- Could find sensitive information

Trusted Authority Figure
- Hacker pretends to be someone in charge of a company or department
- Similar to the “third-party authorization” attack
- Examples of authority figures:
  - Medical personnel
  - Home inspector
  - School superintendent
- Impersonation in person or via telephone

Snail Mail
- Hacker sends mail that asks for personal information
- People are more trusting of printed words than webpages
- Examples:
  - Fake sweepstakes
  - Free offers
  - Rewards programs
- More effective on older generations
Pop-up Windows
- Window prompts the user for login credentials
- Imitates the secure network login
- Users can check for visual indicators to verify security

Instant Messaging and IRC
- Hacker uses IM or IRC to imitate the technical support desk
- Redirects users to malicious sites
- Trojan horse downloads install surveillance programs

Email Attachments
- Hacker tricks the user into downloading malicious software
- Programs can be hidden in downloads that appear legitimate
- Examples:
  - Executable macros embedded in PDF files
  - Camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
- Often the final extension is hidden by the email client
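The camouflaged-extension trick on this slide can be caught at the mail gateway or shown to users in training by comparing what the client displays with the real final extension. The following is an added example, not code from the original deck; the executable and decoy extension lists are assumptions to be tuned per environment.

```python
"""Flag attachments whose real (final) extension is executable but is hidden
behind a document-looking extension, e.g. NormalFile.doc.exe."""

# Final extensions that run code when opened (assumed list; extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "ps1", "msi", "lnk"}
# Extensions an attacker typically uses as the decoy part of a double extension.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt",
              "jpg", "png", "zip"}


def classify_attachment(filename: str) -> dict:
    """Describe what the user would see and whether the name is camouflaged.

    A client that hides known extensions shows 'NormalFile.doc.exe' as
    'NormalFile.doc'; the same behaviour is reproduced here so the gap
    between displayed name and real type is explicit.
    """
    parts = filename.split(".")
    exts = [p.lower() for p in parts[1:]]          # everything after the base name
    final_ext = exts[-1] if exts else ""
    decoy_ext = exts[-2] if len(exts) >= 2 else ""
    displayed = ".".join(parts[:-1]) if exts else filename   # final extension hidden
    executable = final_ext in EXECUTABLE_EXTS
    camouflaged = executable and decoy_ext in DECOY_EXTS
    return {
        "filename": filename,
        "displayed_as": displayed,
        "final_ext": final_ext,
        "executable": executable,
        "camouflaged": camouflaged,
        "verdict": "quarantine" if camouflaged else ("review" if executable else "allow"),
    }


def flag_attachments(filenames):
    """Return the classification of every attachment that should not be delivered as-is."""
    return [r for r in (classify_attachment(f) for f in filenames) if r["verdict"] != "allow"]


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    sample = ["NormalFile.doc", "NormalFile.doc.exe", "Invoice.PDF.scr",
              "setup.exe", "photos.tar.gz"]
    for r in flag_attachments(sample):
        print(f"{r['filename']:20} shown as {r['displayed_as']:16} -> {r['verdict']}")
```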
Email Scams
- More prevalent over time
- Begins by requesting basic information
- Leads to financial scams

Chain Letters and Hoaxes
- More of a nuisance than a threat
- Spread using social engineering techniques
- Productivity and resource cost

Websites
- Offer prizes but require the user to create a login
- Hacker capitalizes on users reusing login credentials
- Website credentials can then be used for illegitimate access to assets
- Never disclose passwords
- Limit IT information disclosed
- Limit information in auto-reply emails
- Escort guests in sensitive areas
- Question people you don't know
- Talk to employees about security
- Centralize reporting of suspicious behavior

Never Disclose Passwords
- Remind employees to keep passwords secret
- Don’t make exceptions
- It’s not a grey area!

Limit IT Information Disclosed
- Only IT staff should discuss details of the system configuration with others
- Don’t answer survey calls
- Check that vendor calls are legitimate

Limit Information in Auto-Reply Emails
- Keep details in out-of-office messages to a minimum
- Don’t give out contact information for someone else
- Route requests to a receptionist

Escort Guests in Sensitive Areas
- Guard all areas with network access:
  - Empty offices
  - Waiting rooms
  - Conference rooms
- This protects against the “Repairman” and “Trusted Authority Figure” attacks

Question People You Don’t Know
- All employees should have appropriate badges
- Talk to people you don’t recognize
- Introduce yourself and ask why they are there

Talk to Employees About Security
- Regularly talk to employees about common social engineering techniques
- Always be on guard against attacks
- Everyone should watch what they say and do

Centralize Reporting of Suspicious Behavior
- Designate an individual or group
- Social engineers use many points of contact:
  - Survey calls
  - Presentations
  - Help desk calls
- Recognizing a pattern can prevent an attack