
Social Engineering UTHSC Information Security Team.


1 Social Engineering UTHSC Information Security Team

2 What is Social Engineering?
- Attacker uses human interaction to obtain or compromise information
- Attacker may appear unassuming or respectable
  - Pretend to be a new employee, repair man, etc.
  - May even offer credentials
- By asking questions, the attacker may piece enough information together to infiltrate a company's network
  - May attempt to get information from many sources

3 What is Social Engineering…
At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.
- Psychological manipulation
- Trickery or deception for the purpose of information gathering

4 What is Social Engineering…
It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick persons into handing over passwords and/or other sensitive financial or personal information.

5 What is Social Engineering…
Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by social engineering. “Most employees are utterly unaware that they are being manipulated,” says Colin Greenlees, security and counter-fraud consultant at Siemens.

6 Watch this video…

7 Types of Attacks
- Phishing
- Impersonation on help desk calls
- Quid pro quo (something for something)
- Baiting
- Pretexting (invented scenario)
- Diversion theft (a con)
- Physical access (such as tailgating)
- Shoulder surfing
- Dumpster diving
- Stealing important documents
- Fake software
- Trojans

8 Phishing
- Use of deceptive mass mailing
- Can target specific entities (“spear phishing”)
- Prevention:
  - Honeypot email addresses
  - Education
  - Awareness of network and website changes
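As an added example (not part of the UTHSC deck), here is how the "honeypot email addresses" control on this slide turns into detection logic. A honeypot mailbox is published somewhere a scraper will find it but is never handed to a real person, so anything delivered to it is unsolicited by definition; once one copy of a mailing lands there, the other copies that reached real users can be pulled for review. The log format, the honeypot addresses, and every sender, recipient and subject below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed honeypot mailboxes: published (on a web page, in a directory) but
# never given to a real user, so no legitimate mail should ever arrive here.
HONEYPOT_ADDRESSES = {"marketing-info@example.edu", "old-alias@example.edu"}

# Constructed log format for this example (not a real MTA format):
#   <timestamp> id=<msgid> from=<sender> to=<recipient> subject="<subject>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) id=(?P<id>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)"$'
)


@dataclass(frozen=True)
class MailEvent:
    ts: str
    msg_id: str
    sender: str
    rcpt: str
    subject: str


def parse_log(lines):
    """Parse the constructed log lines; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(MailEvent(m["ts"], m["id"], m["sender"].lower(),
                                    m["rcpt"].lower(), m["subject"]))
    return events


def find_campaigns(events, honeypots=HONEYPOT_ADDRESSES):
    """Return (honeypot_hits, flagged): ids of messages delivered to a honeypot,
    and ids of messages to real users that share a sender or subject with one
    of those hits, i.e. likely further copies of the same phishing mailing."""
    honeypots = {h.lower() for h in honeypots}
    hits = [e for e in events if e.rcpt in honeypots]
    bad_senders = {e.sender for e in hits}
    bad_subjects = {e.subject for e in hits}
    flagged = [e.msg_id for e in events
               if e.rcpt not in honeypots
               and (e.sender in bad_senders or e.subject in bad_subjects)]
    return [e.msg_id for e in hits], flagged


# Constructed sample log: one benign newsletter, one honeypot hit, and two
# copies of the same mailing that reached real mailboxes (one of them from a
# second sender address, caught by the shared subject).
SAMPLE_LOG = [
    '2024-05-01T08:00:00 id=m1 from=news@vendor.example to=alice@example.edu subject="Weekly digest"',
    '2024-05-01T08:01:10 id=m2 from=it-support@mail-verify.example to=marketing-info@example.edu subject="Your password expires today"',
    '2024-05-01T08:01:12 id=m3 from=it-support@mail-verify.example to=bob@example.edu subject="Your password expires today"',
    '2024-05-01T08:01:15 id=m4 from=helpdesk@accounts-review.example to=carol@example.edu subject="Your password expires today"',
]


def demo():
    return find_campaigns(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    hits, flagged = demo()
    print("honeypot hits:", hits)       # ['m2']
    print("flag for review:", flagged)  # ['m3', 'm4']
```

Matching on the exact subject is deliberately strict; real campaigns vary subjects per recipient, so production tooling usually pivots on the sending domain, the URLs in the body or an attachment hash instead. Also expect internal users to hit a honeypot alias by accident (an old alias in a reply-all, for instance), so senders from your own domain need an allowlist before the "flag everything that matches" step.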

9 Impersonation on help desk calls
- Calling the help desk pretending to be someone else
- Usually an employee or someone with authority
- Prevention:
  - Assign PINs for calling the help desk
  - Don’t do anything on someone’s order
  - Stick to the scope of the help desk

10 Quid Pro Quo
Something for something
- Call random numbers at a company, claiming to be from technical support.
- Eventually, you will reach someone with a legitimate problem
- Grateful you called them back, they will follow your instructions
- The attacker will "help" the user, but will really have the victim type commands that will allow the attacker to install malware

11 Baiting
- Uses physical media
- Relies on greed/curiosity of victim
- Attacker leaves a malware-infected CD or USB drive in a location sure to be found
- Attacker puts a legitimate or curious label on it to gain interest
- Ex: "Company Earnings 2009" left at company elevator
  - Curious employee/Good Samaritan picks it up
  - User inserts media and unknowingly installs malware

12 Pretexting
Invented scenario
- Prior research/setup used to establish legitimacy
  - Gives information that a user would normally not divulge
- This technique is used to impersonate
  - Authority, etc.
  - Using prepared answers to the victim's questions
  - Other gathered information
- Ex: Law enforcement
  - Threat of alleged infraction to detain suspect and hold for questioning

13 Pretexting
Real example:
- Signed up for a free credit report
- Saw an unauthorized charge from another credit company
  - Called to dispute the charge and was asked for the credit card number
  - They insisted it was useless without the security code
  - Asked for Social Security number
- Talked to the Fraud Department at my bank

14 Diversion Theft
A con
- Persuade the delivery person that the delivery is requested elsewhere ("round the corner")
- When the delivery is redirected, the attacker persuades the delivery driver to unload the delivery near the address
- Ex: Attacker parks a security van outside a bank. Victims going to deposit money into a night safe are told that the night safe is out of order. Victims then give money to the attacker to put in the fake security van
- Most companies do not prepare employees for this type of attack

15 Physical access
Tailgating
- Ultimately obtains unauthorized building access
- Prevention:
  - Require badges
  - Employee training
  - Security officers
  - No exceptions!

16 Shoulder surfing
- Someone can watch the keys you press when entering your password
- Probably less common
- Prevention:
  - Be aware of who’s around when entering your password

17 Dumpster diving
- Looking through the trash for sensitive information
- Doesn’t have to be dumpsters: any trashcan will do
- Prevention:
  - Easy secure document destruction
  - Lock dumpsters
  - Erase magnetic media

18 Stealing important documents
- Can take documents off someone’s desk
- Prevention:
  - Lock your office
  - If you don’t have an office: lock your files securely
  - Don’t leave important information in the open

19 Fake Software
- Fake login screens
- The user is aware of the software but thinks it’s trustworthy
- Prevention:
  - Have a system for making real login screens obvious (personalized key, image, or phrase)
  - Education
  - Antivirus (probably won’t catch custom-tailored attacks)

20 Trojans
- Appears to be useful and legitimate software before running
- Performs malicious actions in the background
- Does not require interaction after being run
- Prevention:
  - Don’t run programs on someone else’s computer
  - Only open attachments you’re expecting
  - Use an antivirus

21 Weakest Link?
No matter how strong your:
- Firewalls
- Intrusion detection systems
- Cryptography
- Anti-virus software
YOU are the weakest link in computer security!
- People are more vulnerable than computers
"The weakest link in the security chain is the human element" - Kevin Mitnick

22 General Safety
- Before transmitting personal information over the internet, check that the connection is secure and that the URL is correct
- If unsure whether an email message is legitimate, contact the person or company by another means to verify
- Be paranoid and aware when interacting with anything that needs protecting
  - The smallest piece of information could compromise what you're protecting
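"Check that the connection is secure and that the URL is correct" hides a few details an awareness slide cannot show, so here is an added example (not from the UTHSC deck) of what a careful check looks like when written down: the scheme must be https, the hostname is taken from the parsed URL rather than read off the string by eye, and the hostname must equal the site you meant to reach or sit under it at a dot boundary. `uthsc.edu` and `security.uthsc.edu` come from the deck; every other hostname is a constructed lookalike of the kind phishing mail uses, and `check_url` is a name chosen for this example.

```python
from urllib.parse import urlsplit


def check_url(url, expected_domain):
    """Return (ok, reason). ok is True only if the URL uses https and its
    hostname is expected_domain or a subdomain of it.

    expected_domain: the site you intended to reach, e.g. "uthsc.edu".
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    # 1. Secure connection: only https counts.
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    # 2. Anything before '@' is user info, not the host. A link such as
    #    https://uthsc.edu@evil.example/ connects to evil.example, so refuse
    #    URLs that carry user info at all.
    if parts.username is not None or parts.password is not None:
        return False, f"user info before '@'; the real host is {parts.hostname!r}"

    host = parts.hostname  # lower-cased; port and brackets already removed
    if not host:
        return False, "no hostname"

    # 3. Punycode labels (xn--) can render as lookalike characters in the
    #    address bar; treat them as suspect rather than trying to decode them.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized hostname {host!r}; inspect it manually"

    # 4. Match at a label boundary: security.uthsc.edu is under uthsc.edu, but
    #    uthsc.edu.evil.example and securityuthsc.edu are not.
    expected = expected_domain.lower().strip(".")
    if host == expected or host.endswith("." + expected):
        return True, f"host {host!r} belongs to {expected!r}"
    return False, f"host {host!r} is not under {expected!r}"


# Constructed cases: the first is the real site named in the deck, the rest
# are the usual tricks (plain http, suffix lookalikes, '@' user info, a
# missing dot boundary).
SAMPLES = [
    "https://security.uthsc.edu/login",
    "http://security.uthsc.edu/login",
    "https://uthsc.edu.evil.example/login",
    "https://security.uthsc.edu.evil.example/",
    "https://uthsc.edu@evil.example/login",
    "https://securityuthsc.edu/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, why = check_url(sample, "uthsc.edu")
        print("OK " if ok else "BAD", sample, "->", why)
```

The point of step 2 and step 4 is that the string a user sees and the host the browser connects to are not the same thing; the parser decides, so the check must ask the parser. Only the first sample passes; each of the others fails for the reason the function returns.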

23 Ways to Prevent Social Engineering
Training
- User awareness
  - User knows that giving out certain information is frowned upon
  - Complete Information Security Training
Policies
- Employees are not allowed to divulge private information
- Prevents employees from being socially pressured or tricked…

24 Ways to Prevent Social Engineering (cont.)
3rd party test - Ethical hacker
- Have a third party come to your company and attempt to hack into your network
- 3rd party will attempt to glean information from employees using social engineering
- Helps detect problems people have with security
Be suspicious
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information
Do not provide personal information
- Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified

25 Responding…
You’ve been attacked: now what?
- What damage has been done?
- What damage can still be done?
- Has a crime actually taken place?
- Report the incident or event IMMEDIATELY!
- Take responsibility and be honest
- Contact UTHSC Help Desk

26 Summary
- Be suspicious.
- Think about motivation when revealing information.
- Verify identity.
- Be careful what you click on.
- No one will catch everything – be willing to ask for help.
  - IMMEDIATELY contact your UTHSC Information Security Team!
Security is everyone's responsibility – See Something, Say Something!

27 UTHSC Information Security Team
- L. Kevin Watson, lwatso20@uthsc.edu, (901) 448-7010
- Frank Davison, fdavison@uthsc.edu, (901) 448-1260
- Jessica McMorris, jmcmorr1@uthsc.edu, (901) 448-1579
- Ammar, aammar@uthsc.edu, (901) 448-2163
Information Security Email: itsecurity@uthsc.edu
Website: security.uthsc.edu
To report phishing and spam email, forward it to abuse@uthsc.edu
UTHSC Help Desk: (901) 448-2222 ext. 1 or helpdesk@uthsc.edu

