Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social Engineering By: Pete Guhl and Kurt Murrell.

Published byHoward Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Social Engineering By: Pete Guhl and Kurt Murrell."— Presentation transcript:

1 Social Engineering By: Pete Guhl and Kurt Murrell

2 Techniques

3 Phases of Social Engineering - Very similar to how Intelligence Agencies infiltrate their targets - 3 Phased Approach Phase 1- Intelligence Gathering Phase 2- “Victim” Selection Phase 3 -The Attack - Usually a very methodical approach

4 Phase 1 -Intelligence Gathering - Phase 1 -Intelligence Gathering - Primarily Open Source Information Dumpster Diving Web Pages Ex-employees Contractors Vendors Strategic Partners - The foundation for the next phases

5 Phase 2 -”Victim” Selection Looking for weaknesses in the organization’s personnel Help Desk Tech Support Reception Admin. Support Etc.

6 - Phase 3 - The Attack - Commonly known as the “con” - Primarily based on “peripheral” routes to persuasion Authority Liking & Similarity Reciprocation - Uses emotionality as a form of distraction

7 3 General Types of Attack Ego Attacks Sympathy Attacks Intimidation Attacks

8 Intimidation Attack Attacker pretends to be someone influential (e.g., authority figure, law enforcement) Attempt to use their authority to coerce the victim into cooperation If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.) If they pretend to be Law Enforcement they will claim the investigation is hush hush and not to be discussed etc.

9 Sympathy Attacks Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc. There is some urgency to complete some task or obtain some information Needs assistance or they will be in trouble or lose their job etc. Plays on the empathy & sympathy of the victim Attackers “shop around” until they find someone who will help Very successful attack

10 The Ego Attack Attacker appeals to the vanity, or ego of the victim Usually targets someone they sense is frustrated with their current job position The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data Attacker may pretend to be law enforcement, the victim feels honored to be helping Victim usually never realizes

11 More info on attacks Attacks can come from anywhere/anytime Social Engineering can circumvent current security practices - What good is a password if everyone has it? No one is immune - Everyone has information about the company

12 Preventing Social Engineering

13 Training Warn Users of Imminent Attack - Users that are forewarned are less free with information

14 Training Define Sensitive Information

15 Training Define Sensitive Information Passwords

16 Training Define Sensitive Information Passwords DOB

17 Training Define Sensitive Information Passwords DOB Maiden Names

18 Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number

19 Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Account Numbers

20 Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Account Numbers Billing Amounts

21 Training Users Passwords, phone numbers, other data

22 Training Users Passwords, phone numbers, other data System Admins Tougher authentication protocol for password resets

23 Testing Users - Reveal seemingly innocuous data?

24 Testing Users - Reveal seemingly innocuous data? System Admins – Divulge network information?

25 Testing Users - Reveal seemingly innocuous data? System Admins – Divulge network information? Helpdesk personnel – Reset passwords on faulty authentication?

26 Removing the Weak Link Remove the user’s ability to divulge information - Remove all non essential phones - Restrict to internal communications - Remove Internet access - Disable removable drives - Make false information accessible

27 Removing the Weak Link Forced strong authentication - Use secure software requiring strong authentication for password resets - Require callback to user’s directory listed number

28 Removing the Weak Link Secure Protected Doors - Employ Guards - Use Revolving Door - Two Door Checkpoint - Deploy CCTV to remote facility

Download ppt "Social Engineering By: Pete Guhl and Kurt Murrell."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.

Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.
Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.

Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.
1. What is Identity Theft? 2. How Do Thieves Steal An Identity? 3. What Do Thieves Do with Stolen Identities? 4. What Can I Do To Avoid Becoming a Victim?

1. What is Identity Theft? 2. How Do Thieves Steal An Identity? 3. What Do Thieves Do with Stolen Identities? 4. What Can I Do To Avoid Becoming a Victim?
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Identity Theft Someone steals your personal information for his/her own gain It’s a crime!

Identity Theft Someone steals your personal information for his/her own gain It’s a crime!
Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.

Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.
Information Security Awareness Training

Information Security Awareness Training
CIT 1100. In this chapter you will learn how to:  Explain the threats to your computers and data  Describe key security concepts and technologies.

CIT In this chapter you will learn how to:  Explain the threats to your computers and data  Describe key security concepts and technologies.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Social Engineering Networks Reid Chapman Ciaran Hannigan.

Social Engineering Networks Reid Chapman Ciaran Hannigan.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.

The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.

1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”

Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 

BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 

Similar presentations

Ads by Google