
Presenter: Joseph A. Juchniewicz Senior Consultant - Assessment and Compliance


Presentation Transcript


  1. A 21st Century Con Game Presenter: Joseph A. Juchniewicz, Senior Consultant - Assessment and Compliance

  2. agenda About Us Phishing Social Engineering Questions

  3. the foundation we have built BREADTH OF SERVICE: Eight complementary practice areas with synergistic solutions 100+ full-time engineers & a dedicated Pre-Sales Engineering team Enterprise class service without the cost LONG-TERM CLIENT RELATIONSHIPS: Focused solutions Responsible & flexible Constant performance evaluation Feedback & insights TRUSTED ADVISORS: 31 years of experience Privately owned No debt or venture capital Strong partner alliances

  4. 21st Century Con Game Phishing and Social Engineering Why are they still thriving today?

  5. 21st Century Con Game What is the confidence game and why it still survives • A confidence trick (synonyms include confidence scheme and scam) is an attempt to defraud a person or group after first gaining their confidence, in the classical sense of trust. • A confidence artist (or con artist) is an individual, operating alone or in concert with others, who exploits characteristics of the human psyche such as dishonesty, honesty, vanity, compassion, credulity, irresponsibility, naïveté, or greed. • These cons have been transferred into the cyber world.

  6. 21st Century Con Game What we are dealing with today... • Phishing is the act of attempting to acquire sensitive information, such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. • Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud, or system access, and is often one of many steps in a more complex fraud scheme. The Short Con The Long Con

  7. Types of Phishing Different types of attacks... • Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. • Clone phishing is where a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email. • Phishing directed specifically at senior executives and other high-profile targets within businesses may be referred to as whaling.

  8. Phishing Why Phishing Still Exists. • An easy way to lure a large pool of unsuspecting people

  9. Phishing Why Phishing Still Exists: • An easy way to lure a large pool of unsuspecting people • Was considered a victimless crime – now part of most criminal activity • Has developed over time and morphed to meet the changing environment • 1864 Spam message • 1978 DARPA network spam/phishing email • 1987 True phishing email with payload • 1995 AOL - associated with the warez community that exchanged pirated software and the hacking scene • Criminal Elements – buy email addresses, accounts and information

  10. Why Phishing Still Works Excuses why this still works..... • Lack of computer system knowledge • Lack of knowledge of security and security indicators • Visually deceptive text • Images masking underlying text • Lack of attention to security indicators • Lack of attention to the absence of security indicators EDUCATION Dhamija, Rachna, Tygar, J.D. and Hearst, Marti. “Why Phishing Works.” Conference on Human Factors in Computing Systems, April 2006.
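Two of the reasons listed above, visually deceptive link text and images that mask the real destination, can be checked mechanically before a message reaches a reader. The following is an added example (not part of the presentation) that walks the anchors of an HTML email body and flags links whose visible text names a different host than the href, or whose only content is an image; the sample message and the host names in it are constructed for illustration.

```python
"""Flag visually deceptive links in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: link 1 shows one host but goes to another,
# link 2 is honest, link 3 hides its destination behind an image.
SAMPLE_HTML = (
    '<p>Please verify your account: '
    '<a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>'
    '<p><a href="https://www.example-bank.com/help">Help</a></p>'
    '<p><a href="http://cdn.evil.example/click"><img src="http://cdn.evil.example/b.png" alt="Sign in"></a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text, contains-image) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href, self._text, self._img = None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text, self._img = [], False
        elif tag == "img" and self._href is not None:
            self._img = True            # image inside the anchor
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None

def host_of(s):
    """Hostname of a URL, or of a bare hostname written as link text."""
    p = urlparse(s if "://" in s else "http://" + s)
    return (p.hostname or "").lower()

def deceptive_links(html):
    """Return (href, reason) for links whose text or image hides the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text, has_img in parser.links:
        real = host_of(href)
        if has_img and not text:
            findings.append((href, "image masks destination"))
        elif "." in text and host_of(text) != real:
            findings.append((href, f"text shows {host_of(text)} but goes to {real}"))
    return findings
```

Plain-word link text such as "Help" is not compared, since only text that itself looks like a URL or hostname can be visually deceptive in the sense the slide describes.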

  11. Cost of Phishing Impact of Email Cyberthreats... SANS INSTITUTE Allen Paller, Director of Research 2012 VERIZON DATA BREACH INVESTIGATION REPORT Marcus Sachs, VP National Security Policy GARTNER SURVEY OF US CONSUMERS Consumer behavior impact from phishing

  12. Timing of Phishing Events Impact of Email Cyberthreats... 2013 MANDIANT - Annual Threat Report on Advanced Targeted Attacks A FireEye Company

  13. Current Costs… 2013 Panda Security Report – The Cyber Crime Black Market: Uncovered

  14. Cost of Phishing • Verizon 2013 report - phishing attacks launched globally • 450,000 attacks the current record • USD $5.9 billion estimated loss

  15. Criminal Element How easy is it? For $700, a three-month license for BlackHole is available online. It includes support!

  16. Criminal Element Blackhole Statistics...

  17. Criminal Element Blackhole Threads...

  18. Criminal Element Blackhole Preferences...

  19. Criminal Element Who needs to pay for it.... • Free tools like the Social Engineering Toolkit are now in: • Backtrack • KALI

  20. Criminal Element

  21. Criminal Element

  22. Criminal Element

  23. Criminal Element

  24. Criminal Element

  25. Criminal Element

  26. Part of the Puzzle Limited attack • Can only collect so much info • AV/IDS/Firewalls are getting better • Education/Re-education programs being created Ways to improve the attack • Phishing is part of a larger attack structure • The bad guys are getting better organized

  27. Social Engineering Acts of the play… To take a page out of history, the concepts of the con game were brought to life on the big screen by the movie The Sting*, where Johnny Hooker (Redford) and Gondorff (Newman) beat the gangsters at their own game. The film is notable for many reasons; one is how the con is actually revealed to the audience. In addition, the film is unique in that it divides the different pieces of the con into several parts, like acts of a play, each part setting the stage for the next act and ultimately creating the sting. The parts of the con are the Set-up, the Hook, the Tale, and the Sting. * The Sting. Director George Roy Hill. Universal Pictures, 1973.

  28. * The Sting. Director George Roy Hill. Universal Pictures, 1973.

  29. The Set-Up Tricks of the trade • The setup is where the con artist tricks or exploits human weaknesses: • Greed • Dishonesty • Vanity • But also virtues like: • Honesty • Compassion • Or a naïve expectation of good faith on the part of the con artist

  30. * The Sting. Director George Roy Hill. Universal Pictures, 1973.

  31. The Hook… Hooking the mark... • The hook is to get the mark (the person the con is being played against) hooked on the idea/notion that they will get a large return for a minimum amount of effort. • The Hook uses everything from fake franchises, to "sure things", how-to-get-rich plans, gurus, sure-fire inventions, useless products, fortunetellers, quack doctors, and miracle pharmaceuticals: anything to focus the person's attention away from the con artist so they can run the con.

  32. * The Sting. Director George Roy Hill. Universal Pictures, 1973.

  33. The Tale… Weaving the story... • The tale is where the con artist uses his skills to weave the story and make the con seem more real. • This is where the pieces of the setup and the hook come together and merge into this incredible tale. The con artist injects some variety of “human characteristics” into the story.

  34. The Tale… Playing on their character... • These characteristics include: • Human flaws • Superior people/attitudes • Someone is out to get them • They need the victim’s help to succeed and they are the only person that can help, or • Depending on the scam, using their religious or moral values to help them out.

  35. * The Sting. Director George Roy Hill. Universal Pictures, 1973.

  36. The Sting… • The sting is where all of the elaborate pieces of the puzzle come together. This is where they get the information, money, etc… • However, even when they do have face-to-face contact with their mark, they are usually not caught. Because they play their part so well, they are nothing but believable. This only happens to people that are not prepared. Don’t believe it?

  37. Anonymous, “Social Engineering,” n.d., and www.google.com/search (social engineering pictures). Tareq and Michaele Salahi, Jan 20, 2011.

  38. Security Assessments What is needed to execute a social engineering assessment Our Setup, Hook and Tale • Initial Scoping • What the client is trying to find out • Parameters of the engagement • Reconnaissance • Targets • “Get out of jail free” letter • Assessment • Actual physical/computer attacks • Reporting / Presentation

  39. What’s involved Prep Work... • Site observation • Physical / Wireless observation • Phishing • Email • Phone phishing • Social Engineering • Access to perimeter/building • Access to network • Access to systems

  40. Social Engineering Tool Kit What tools every social engineer needs...

  41. Engagements Ladies and gentlemen: the stories you are about to hear are true. Only the names have been changed to protect the innocent* • Bank • Hospital • University • US Trucking Company * Dragnet, "Intro," Dragnet, http://www.dvdempire.com/Exec/v4_item.asp?item_id=1510115

  42. Bank Job A regional Texas bank • Branches • IT employee with a contractor badge • Used a virus scare to get in (USB tool) • Drop names • Used intimidation on employees – fake form to refuse work • Main office • Conducted a phishing assessment • Tailgated an employee in at receiving dock • Followed employees into secure areas • Set up scanning and phone phishing from empty conference room

  43. Bank Job Findings... • Policies and procedures not being followed • Training inaccuracy • Issues in physical security processes • Issues in computer security processes

  44. Hospital Job A Texas Hospital • Branches • IT employee • Used a virus scare to get in (USB tool) • Drop names • Talked to employees, and made friends • Main office • Created fake badge • Followed employees/talked my way into secure areas • Conducted interviews for additional intelligence

  45. Hospital Job Findings... • Policies and procedures not being followed • Training inaccuracy • Issues in physical security processes • Issues in computer security processes

  46. University Job A Community College in Texas • Main Campus • Conducted a phishing assessment • Student working for the IT group • Spot-checking Windows Updates • Checking on any other computer issues • Live network jacks in common areas • Offsite • Checking Windows Updates • Requested to help enhance process and procedures

  47. University Job Findings... • Policies and procedures not being followed • Lack of employee badging • Lack of reporting • Training inaccuracy • Lack of clean desk policy • Issues in physical security processes • Issues in computer security processes

  48. Trucking Company A US Trucking Company • Offsite • Posed as an IT employee • Checking on computer issues • Issues with the wireless access in the shop area • Obtained information about systems and networks to use at other sites • Main building • Used the wireless issues to investigate drop signals • Gained access to server room • Conducted phone phishing

  49. Trucking Company Findings... • Policies and procedures not being followed • No wireless policies and procedures • Wireless network not configured correctly • Training inaccuracy • Issues in physical security processes • Alarm codes • Modems • Issues in computer security processes

  50. Defenses Be on the lookout... • Warning signs of a social engineering attempt include behaviors such as: • Refusal to give contact information • Rushing the process • Name-dropping • Intimidation • Small mistakes • Requesting forbidden information or access
