SOCIAL ENGINEERING PART IA: HOW SCAMMERS MANIPULATE EMPLOYEES TO GAIN INFORMATION.

Presentation transcript:

SOCIAL ENGINEERING PART IA: HOW SCAMMERS MANIPULATE EMPLOYEES TO GAIN INFORMATION

When money or goods are stolen, somebody will notice they are gone. When information is stolen, most of the time no one will notice because the information is still there.
DHS IT Security & Privacy Training 2

WHAT IS SOCIAL ENGINEERING?
It’s an art of manipulating people into saying or doing something that reveals confidential information or access to it. It often involves tricking other people into breaking normal security procedures. It relies on the natural helpfulness of people as well as on their weaknesses. It is sometimes called a "con game."
2014 DHS IT Security & Privacy Training 3

STOPPING SOCIAL ENGINEERING
There is no technology in the world that can stop social engineering attacks.

PROTECTING DHS SENSITIVE INFORMATION
How do we protect DHS sensitive information? How do you protect your personal information?

HOW DO WE PROTECT SENSITIVE INFORMATION IF TECHNOLOGY CAN'T?
1. Educate every employee on DHS security and privacy policies and procedures; this leads to Social Awareness.
2. Understand how attackers manipulate people to get information.
3. Learn appropriate and inappropriate behavior related to providing information.

THE PROBLEM IS … WHO IS ASKING FOR SENSITIVE INFORMATION
We don’t want to stop being helpful to coworkers or to customers. So, we need to have specific verification procedures to use when anybody makes a request for computer access or confidential information. That way we can be helpful to those who need information, but at the same time we will protect DHS information assets and computer systems.
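The slide calls for a fixed verification procedure but does not spell one out. The following is an added example (not from the DHS training deck, and not a description of any real DHS procedure) of what such a procedure looks like when written down as code: the requester's identity is confirmed only by calling back a number from the organization's own directory, the requester's role must be entitled to the data class, and a missing ticket leads to escalation rather than a judgement call. The directory, roles, data classes and ticket rule are all constructed assumptions for the illustration.

```python
"""Verification gate for requests for confidential information or access.

Added example, not part of the DHS training deck. It models the slide's
point: stay helpful, but route every request for confidential information
through one fixed verification procedure before answering. The directory,
roles, data classes and ticket rule below are constructed for illustration
and do not reflect any real DHS procedure.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    RELEASE = "release"     # answer the request
    ESCALATE = "escalate"   # hold and refer to the security office
    DENY = "deny"           # do not provide the information


# Constructed internal directory. This is the ONLY source of callback numbers
# and roles: a phone number, title or "I'm calling for X" offered by the
# requester is never used to verify the requester.
DIRECTORY = {
    "j.doe": {"phone": "555-0101", "roles": {"hr"}},
    "a.smith": {"phone": "555-0102", "roles": {"it-helpdesk"}},
}

# Which roles may receive which class of data (constructed policy).
# An empty set means the information is public.
ENTITLEMENTS = {
    "employee-ssn": {"hr"},
    "password-reset": {"it-helpdesk"},
    "office-hours": set(),
}


@dataclass
class Request:
    requester_id: str                      # identity the requester claims
    data_class: str                        # what is being asked for
    callback_number: Optional[str] = None  # number the staff member dialled back
    ticket_id: Optional[str] = None        # approved request ticket, if any
    urgency_claimed: bool = False          # "I need this right now"


def verify(req: Request) -> Tuple[Decision, List[str]]:
    """Apply the verification procedure and return the decision plus the
    reasons, so the outcome can be logged and reviewed later."""
    notes: List[str] = []
    if req.urgency_claimed:
        # Pressure is noted for the log but never shortens the procedure.
        notes.append("urgency claimed; procedure applied unchanged")

    entitled = ENTITLEMENTS.get(req.data_class)
    if entitled is None:
        return Decision.ESCALATE, notes + ["unknown data class; refer to the security office"]
    if not entitled:
        return Decision.RELEASE, notes + ["public information"]

    entry = DIRECTORY.get(req.requester_id)
    if entry is None:
        return Decision.DENY, notes + ["requester not found in the directory"]
    if req.callback_number != entry["phone"]:
        return Decision.DENY, notes + ["identity not confirmed by callback to the directory number"]
    if not entry["roles"] & entitled:
        return Decision.DENY, notes + ["requester's role is not entitled to this data class"]
    if req.ticket_id is None:
        return Decision.ESCALATE, notes + ["no approved ticket; hold until one exists"]
    return Decision.RELEASE, notes + ["callback verified, role entitled, ticket present"]


if __name__ == "__main__":
    sample = Request("j.doe", "employee-ssn", callback_number="555-0101",
                     ticket_id="T-1", urgency_claimed=True)
    decision, why = verify(sample)
    print(decision.value, why)
```

The design choice worth noticing is that every outcome carries its reasons: the staff member can explain a refusal politely ("I need to call you back on your directory number"), and the security office gets a record of which requests were held or denied and why.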

HOW ATTACKERS TAKE ADVANTAGE OF US
Social engineering = manipulation. Attackers try to manipulate us to obtain our compliance with their requests for information. There are several key methods attackers use to manipulate us to obtain information.

WHAT IT BOILS DOWN TO
By giving out information, we may unintentionally be giving manipulators information they should not have. This information may hurt: DHS, DHS clients, or DHS employees. Complying with inappropriate requests may also mean DHS employees lose personal information, including personal passwords. This makes DHS vulnerable if the employees use the same passwords at DHS and at home.

MANIPULATION ATTACKS TAKE MANY FORMS
We are most experienced with manipulation through attacks – and we’re not very good at foiling those. But manipulation can take many forms, and the scammers are patient, and willing to do whatever it takes to get the information they want.

HOW SOCIAL ENGINEERS ATTEMPT TO MANIPULATE US
These behaviors are used in the majority of manipulation attempts:

Behavior           Definition
Authority          People tend to listen to the advice of those in a position of authority.
Liking             People tend to say yes to those they like, and also to attractive people.
Reciprocation      Someone is given a "token" and feels compelled to take action.
Consistency        Certain behavior patterns are consistent from person to person.
Social Validation  Someone is compelled to do what everyone else is doing.

The next slides explain these behaviors and give examples of how they are used to manipulate us.
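As an added example (not from the DHS training deck), the five levers in the table can be turned into a simple screening aid: each lever is represented by a few constructed phrase patterns, a message is scanned for them, and the number of distinct levers it uses sets a risk level that tells the reader to stop and verify out of band. The phrase lists, the sample messages and the thresholds are assumptions made for the illustration; the point is to show how pressure in a request can be spotted, not to build a phishing classifier.

```python
"""Flag messages that lean on the five manipulation levers from the table.

Added example, not part of the DHS training deck. A lexical heuristic: each
lever (authority, liking, reciprocation, consistency, social validation) is
represented by a few constructed phrase patterns; a message is scored by how
many distinct levers it uses. It is a training aid for spotting pressure in
a request, not a spam or phishing classifier.
"""
import re
from typing import Dict, List

# Constructed cue patterns per lever; a real deployment would tune these.
CUES: Dict[str, List[str]] = {
    "authority": [r"\bthe director\b", r"\bon behalf of\b", r"\bthis is an audit\b"],
    "liking": [r"\byou(?:'ve| have) always been so helpful\b",
               r"\bi really like working with you\b"],
    "reciprocation": [r"\bi already (?:did|sent) you\b", r"\breturn the favou?r\b",
                      r"\bgift card\b"],
    "consistency": [r"\blike you did before\b", r"\bas usual\b", r"\blast time you\b"],
    "social_validation": [r"\beveryone else\b", r"\bthe whole team (?:has|have)\b",
                          r"\ball the other\b"],
}

COMPILED = {lever: [re.compile(p, re.IGNORECASE) for p in pats]
            for lever, pats in CUES.items()}


def detect_levers(text: str) -> Dict[str, List[str]]:
    """Return, for each lever found, the phrases in the text that triggered it."""
    hits: Dict[str, List[str]] = {}
    for lever, patterns in COMPILED.items():
        found = [m.group(0) for p in patterns for m in p.finditer(text)]
        if found:
            hits[lever] = found
    return hits


def risk_level(text: str) -> str:
    """0 levers: low; 1: review; 2 or more: high (stop and verify out of band)."""
    n = len(detect_levers(text))
    if n == 0:
        return "low"
    if n == 1:
        return "review"
    return "high"


# Constructed sample messages.
PRESSURE_MSG = ("Hi, this is Mark calling on behalf of the director. Everyone else "
                "on the floor has already confirmed their login with me, so just do it "
                "like you did before and I'll return the favor.")
PLAIN_MSG = "Could you tell me whether the office is open on Friday afternoon?"

if __name__ == "__main__":
    for msg in (PRESSURE_MSG, PLAIN_MSG):
        print(risk_level(msg), detect_levers(msg))
```

Because the function reports which phrases fired, the output doubles as a teaching tool: a trainee sees that one message leaned on authority, reciprocation, consistency and social validation at once, which is exactly the stacking of levers the table warns about.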

THE MANIPULATION ATTACK PROCESS
1. Gather Information: Attackers use a variety of techniques to gather information about their targets, such as phone lists, Social Security numbers, dates of birth, mothers' maiden names, system designs or organizational structures/procedures. The gathered information will be used to build a relationship, however temporary, with someone connected to the eventual target.
2. Develop Relationship: It's human nature to be somewhat trusting. Attackers exploit this tendency to develop a rapport with their targets. In some cases, this takes place in a single phone call; in others, it can span weeks or longer. By developing a relationship, attackers place themselves in a position of trust, which can then be exploited.

THE MANIPULATION ATTACK PROCESS
3. Exploit Relationship: The attacker exploits the target into revealing information (e.g., passwords, credit card numbers or vacation schedules) or performing an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This information or action can be the end objective or can be used to stage the next attack/cycle of attack.
4. Use Information to Achieve Objective: The attacker uses the information to achieve the end objective. Often an attack can include a number of these cycles to achieve the end objective.

When in doubt, don’t give it out.