90 likes | 107 Views
Learn about the collection of techniques used to manipulate people into divulging confidential information, including pretexting, phishing, Trojan horse, road apple, and quid pro quo. Discover why social engineering works, including cognitive biases, and explore the case of Kevin Mitnick, a notorious hacker who used social engineering to steal passwords and intellectual property. Find out how to defend against social engineering through education, policies, and well-known procedures.
E N D
Social Engineering Dana Leonard CSPC 620
Overview • What is Social Engineering? • Techniques • Targets • Why does it work? • Kevin Mitnick • Defenses
What is Social Engineering • collection of techniques used to manipulate people into performing actions or divulging confidential information
Techniques • Pretexting • Persuading a target to hand over confidential information through the use of a false scenario; generally done over the phone • Phishing • Convincing a target that the information requested is going to an official source but it is instead going to the attacker; generally through e-mail • Trojan Horse • Malware designed to open the targeted computer to the attacker; installed by the victim themselves thinking it was something else • Road Apple • Attacker leaves infected media (CD-ROM, USB key) where it will be found and waits for a curious victim to insert it into their PC • Quid Pro Quo • “something for something”; • Example: an attacker calls various numbers in a company pretending to be from tech support. Eventually he/she finds someone with a problem, helps them solve it, and at the same time gets them to open a backdoor or install malware for the attacker
Targets • Companies • Passwords • IPs • Valuables of interest: • Software, financial data, customer data • Individuals • Social Security Number • Passwords • Valuables of interest: • Banking information, credit card info, personal data for identity theft
Why Does It Work? • Cognitive Biases • “a pattern of deviation in judgment that occurs in particular situations” • Examples: • Bandwagon Effect • Following what others have done previously • Neglect of Probability • Disregard of probability when making choices under uncertainty • Optimism Bias • systematic tendency for people to be over-optimistic about the outcome of planned actions
Kevin Mitnick • Arrested and convicted on several counts of computer crime, including hacking and theft of intellectual property • Began at age 12 with faking punch cards for the bus system to gain free rides and continued on to phone phreaking. • Used social engineering to steal passwords to company systems. • He still believes this is far easier to do, even today, than hacking into a system. • Since his release from prison, Kevin has started his own computer security company and gives talks around the country about social engineering and other security topics.
Defenses • Education • Speakers like Kevin Mitnick • Books like “The Art of Deception” • Policies • Strict policies at the workplace about divulging information • Well known procedures for things like resetting passwords