Kelly Corning, Julie Sharp. Human-based techniques: impersonation. Computer-based techniques: malware and scams.

Presentation transcript:

1 Kelly Corning, Julie Sharp

2
- Human-based techniques: impersonation
- Computer-based techniques: malware and scams

3
- Manipulates legitimate users into undermining their own security system
- Abuses trusted relationships between employees
- Very cheap for the attacker
- Attacker does not need specialized equipment or skills

4 Impersonation
- Help Desk
- Third-party Authorization
- Tech Support
- Roaming the Halls
- Repairman
- Trusted Authority Figure
- Snail Mail

5 Computer-Based Techniques
- Pop-up windows
- Instant Messaging and IRC
- Attachments
- Scams
- Chain Letters and Hoaxes
- Websites

6 Help Desk
- Hacker pretends to be an employee
- Recovers a “forgotten” password
- Help desks often do not require adequate authentication

7 Third-party Authorization
- Targeted attack on someone who has information
  - Access to assets
  - Verification codes
- Claim that a third party has authorized the target to divulge sensitive information
- More effective if the third party is out of town

8 Tech Support
- Hacker pretends to be tech support for the company
- Obtains user credentials under the pretext of troubleshooting
- Users must be trained to guard credentials

9 Roaming the Halls
- Hacker dresses to blend in with the environment
  - Company uniform
  - Business attire
- Looks for sensitive information that has been left unattended
  - Passwords written down
  - Important papers
  - Confidential conversations

10 Repairman
- Hacker wears the appropriate uniform
- Often allowed into sensitive environments
- May plant surveillance equipment
- Could find sensitive information

11 Trusted Authority Figure
- Hacker pretends to be someone in charge of a company or department
- Similar to the “third-party authorization” attack
- Examples of authority figures
  - Medical personnel
  - Home inspector
  - School superintendent
- Impersonation in person or via telephone

12 Snail Mail
- Hacker sends mail that asks for personal information
- People are more trusting of printed words than of webpages
- Examples
  - Fake sweepstakes
  - Free offers
  - Rewards programs
- More effective on older generations

13 Pop-up Windows
- Window prompts the user for login credentials
- Imitates the secure network login
- Users can check for visual indicators to verify security

14 Instant Messaging and IRC
- Hacker uses IM or IRC to imitate the technical support desk
- Redirects users to malicious sites
- Trojan horse downloads install surveillance programs

15 Attachments
- Hacker tricks the user into downloading malicious software
- Programs can be hidden in downloads that appear legitimate
- Examples
  - Executable macros embedded in PDF files
  - Camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
  - Often the final extension is hidden by the client
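The camouflaged-extension trick on this slide can be checked mechanically at the mail gateway or on the desktop. The following is an added example, not code from the presentation: it reproduces what a client that hides known extensions would display and flags names whose visible part looks like a document while the extension the OS actually honours is executable. The extension lists and sample names are constructed for the demo.

```python
# Added example (not from the presentation): a defensive filename check for the
# camouflaged-extension trick ("NormalFile.doc" vs "NormalFile.doc.exe").
# The extension sets below are constructed for the demo; extend them as needed.
from dataclasses import dataclass

# Extensions that run code when opened (constructed list)
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "hta"}
# Extensions users perceive as harmless documents or media (constructed list)
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


@dataclass
class ExtensionVerdict:
    real_extension: str   # the extension the OS will actually act on
    displayed_name: str   # what a client that hides known extensions shows
    camouflaged: bool     # document-looking name in front of an executable extension


def hide_known_extension(name: str) -> str:
    """Mimic a file browser that hides the final extension of a known type."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return name


def inspect_filename(name: str) -> ExtensionVerdict:
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    displayed = hide_known_extension(name)
    # Camouflage: the part shown to the user ends in a document extension
    # while the part the OS honours is executable.
    shown_ext = displayed.rsplit(".", 1)[-1].lower() if "." in displayed else ""
    camouflaged = real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS
    return ExtensionVerdict(real_ext, displayed, camouflaged)


def flag_attachments(names):
    """Return the attachment names that should be held for review."""
    return [n for n in names if inspect_filename(n).camouflaged]


if __name__ == "__main__":
    for n in ["NormalFile.doc", "NormalFile.doc.exe", "setup.exe", "report.PDF.scr"]:
        print(n, inspect_filename(n))
```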

16 Scams
- More prevalent over time
- Begins by requesting basic information
- Leads to financial scams

17 Chain Letters and Hoaxes
- More of a nuisance than a threat
- Spread using social engineering techniques
- Cost productivity and resources

18 Websites
- Offer prizes but require a created login
- Hacker capitalizes on users reusing login credentials
- Website credentials can then be used for illegitimate access to assets

19
- Never disclose passwords
- Limit IT information disclosed
- Limit information in auto-reply e-mails
- Escort guests in sensitive areas
- Question people you don't know
- Talk to employees about security
- Centralize reporting of suspicious behavior

20 Never Disclose Passwords
- Remind employees to keep passwords secret
- Don’t make exceptions
- It’s not a grey area!

21 Limit IT Information Disclosed
- Only IT staff should discuss details of the system configuration with others
- Don’t answer survey calls
- Check that vendor calls are legitimate

22 Limit Information in Auto-Replies
- Keep details in out-of-office messages to a minimum
- Don’t give out contact information for someone else
- Route requests to a receptionist

23 Escort Guests in Sensitive Areas
- Guard all areas with network access
  - Empty offices
  - Waiting rooms
  - Conference rooms
- This protects against the “Repairman” and “Trusted Authority Figure” attacks

24 Question People You Don’t Know
- All employees should have appropriate badges
- Talk to people you don’t recognize
- Introduce yourself and ask why they are there

25 Talk to Employees About Security
- Regularly talk to employees about common social engineering techniques
- Always be on guard against attacks
- Everyone should watch what they say and do

26 Centralize Reporting of Suspicious Behavior
- Designate an individual or group
- Social engineers use many points of contact
  - Survey calls
  - Presentations
  - Help desk calls
- Recognizing a pattern can prevent an attack
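The point of a single reporting contact is that one survey call, one help desk call and one visiting presenter each look innocent on their own; pooled, they show one department being worked from several directions. The following is an added example, not part of the presentation: a small correlation over constructed employee reports that flags a department approached through two or more distinct channels inside a time window. The report records, the seven-day window and the channel threshold are all constructed for the demo.

```python
# Added example (not from the presentation): correlate pooled employee reports
# to surface a multi-channel social engineering pattern against one department.
# The records, window and threshold are constructed for the demo.
from datetime import datetime, timedelta

# Constructed sample reports: (when, channel, department contacted, what was asked for)
REPORTS = [
    ("2024-03-04 09:10", "survey call",    "finance", "vendor payment process"),
    ("2024-03-04 13:45", "help desk call", "finance", "password reset for a colleague"),
    ("2024-03-05 10:30", "presentation",   "finance", "which accounting software is used"),
    ("2024-03-05 11:00", "survey call",    "hr",      "headcount"),
    ("2024-03-20 16:20", "help desk call", "hr",      "password reset"),
]


def parse(rows):
    """Turn the constructed rows into (datetime, channel, department, request)."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), ch, dept, ask)
            for t, ch, dept, ask in rows]


def find_campaigns(reports, window=timedelta(days=7), min_channels=2):
    """Group reports by department and flag any department that was approached
    through at least `min_channels` distinct channels within `window`.
    Returns {department: sorted list of channels seen in the cluster}."""
    by_dept = {}
    for when, channel, dept, ask in sorted(parse(reports)):
        by_dept.setdefault(dept, []).append((when, channel, ask))
    flagged = {}
    for dept, events in by_dept.items():
        for i, (start, _, _) in enumerate(events):
            # Every later report that falls inside the window starting here
            cluster = [e for e in events[i:] if e[0] - start <= window]
            channels = {c for _, c, _ in cluster}
            if len(channels) >= min_channels:
                flagged[dept] = sorted(channels)
                break
    return flagged


if __name__ == "__main__":
    for dept, channels in find_campaigns(REPORTS).items():
        print(f"{dept}: approached via {', '.join(channels)} within a week")
```

With the constructed data, finance is flagged (three channels in two days) while hr is not, because its two reports are fifteen days apart; widening the window to thirty days flags hr as well.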


