Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments.

Published byPierce Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments."— Presentation transcript:

1 Social Engineering Training

2 Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments of DOE laboratories. The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008. They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office. This training class was developed to provide the tools required to identify, detect and deter advanced Social Engineering attempts.

3 Definition What is social engineering? Art of manipulating people into performing actions or divulging confidential information. Using trickery to gather information or computer system access. In most cases the attacker never comes face-to- face with the victim.

4 What motivates social engineering? Obtaining personal information for profit. Gaining unauthorized access to an organization. Circumventing established procedures. Just because they can.

5 Techniques Pretexting Phishing 1 Trojan Horse 1 Baiting 1,2 1 The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office. 2 The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.

6 Pretexting Description Create and use an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, typically over the telephone. Phone Calls Claim a need to perform a service. Ask for information about organization (i.e. reporters, prospective students). Claim to be calling for a friend or family members need access to something. Prevention Be polite. Ask for a number to call *them* back; may allow tracing later. Ask a question for which the answer is not publicly available.

7 Phishing Description The attacker sends an e-mail that appears to come from a legitimate business (bank, credit card company) requesting “verification” of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate and may include company logos and content. Types of e-mail Standard Viagra, off-shore lottery, etc…spam. Easy to spot and avoid. E-mail claiming to be from DOE, ISU or a bank requiring a quick response and personal information. Unsolicited CVs, requests for feedback on proposals, requests *for* proposals.

8 Phishing Prevention Examine e-mail headers http://www.internal.ameslab.gov/is/desktopprocedures/FAQ/email- analysis.html Verify sender prior to opening attachments or clicking on web links. Call sender. Contact an associate or representative of sender, if known. Instead of clicking on e-mail web links, copy and paste them into a browser. Forward suspicious e-mail to cybersec@ameslab.gov for verification. cybersec@ameslab.gov

9 Phishing – Email Links

10 Phishing - Email Headers

11 Trojan Horse Description The “e-mail virus” arrives as an e-mail attachment promising anything from a “cool” screen saver, an important anti-virus or system upgrade, or the latest gossip about a celebrity.

12 Baiting Description Attacker leaves a malware infected CD ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device. Attacker sends the infected device via “Snail”-mail

13 Baiting Types of mail Unsolicited CDs/DVDs. Claim to provide training, information but really installs malware. Unsolicited thumb drives. “Lost” CDs, thumb drives, other media. Prevention Verify unexpected mailings with sender. Never put anything into your computer if you don’t know where it’s been. Bring “lost” items to IS for examination. If unsure, ask the IS office.

14 Tools used by Social Engineers Any publicly available information Postings on public web pages. Phone book information. Professional information. Personal and professional relationships Association with ISU. Association with DOE. Conferences and collaborations in field of expertise.

15 Quick Tests Which of these emails in legitimate? Which is fake?

16 Quick Tests Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack? Can you think of an unsolicited e-mail, phone call, or snail-mail attack which would be impossible to verify or handle safely?

17 How to avoid Social Engineering tactics Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. Be certain of a person’s authority to have the information before providing personal information or information about your organization, including its structure or networks.

18 How to avoid Social Engineering Tactics (Cont) Never reveal personal or financial information in email or respond to email solicitations for this information. This includes following links sent in an email. Check a website’s security before sending sensitive information over the internet. Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g.,.com vs..net).

19 How to avoid Social Engineering Tactics (Cont) If you are unsure whether an email request is legitimate, try to verify it by contacting the company or person directly. Check previous statements for contact information rather than using contact information provided on a web site connected to the request or in an email sent to you. Install and maintain anti-virus software, firewalls, and email filters to reduce unwanted traffic.

20 How to report Social Engineering If Social Engineering techniques are attempted while at work… If you believe you might have revealed sensitive information about the Ames Laboratory… Report it to the IS office at: Phone: 4-8348 Email: cybersec@ameslab.gov This will alert us to any suspicious or unusual activity.

21 Certificate of Completion This certifies the individual listed below has successfully completed the course entitled Social Engineering Training Prepared by the Ames Laboratory Information Systems Office Employee Name Employee # Date

Download ppt "Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments."

Similar presentations

How to protect yourself, your computer, and others on the internet

How to protect yourself, your computer, and others on the internet
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.

SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.
Online Safety. Introduction The Internet is a very public place Need to be cautious Minimize your personal risk while online Exposure to: viruses, worms,

Online Safety. Introduction The Internet is a very public place Need to be cautious Minimize your personal risk while online Exposure to: viruses, worms,
The Art of Social Hacking

The Art of Social Hacking
Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.

Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.
What is identity theft, and how can you protect yourself from it?

What is identity theft, and how can you protect yourself from it?
1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.

1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.
8 Mistakes That Expose You to Online Fraud to Online Fraud.

8 Mistakes That Expose You to Online Fraud to Online Fraud.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”

Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.

Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 

BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Quiz Review.

Quiz Review.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.

Similar presentations

Ads by Google