
Social Engineering






Presentation Transcript


  1. Social Engineering
  • Euphemism for cons
  • Confidence schemes - note the word confidence
  • Why technologically based security protection that ignores the human factor won’t work

  2. Some examples
  • Some dinosaur cons – Count Lustig
  • The OTB wire
  • Identity theft
  • Industrial espionage
  • A disgruntled employee

  3. Relationship to Industrial Espionage
  • Fortune 1000 firms reported trade secret losses in 1999 of $45B; estimates for 2003 are $100B
  • Insiders commit 85% of industrial espionage crimes
  • Kites – expendable contractors that provide access and plausible deniability

  4. The Problem of False Credentials
  • Minimal cost to purchase university degrees and transcripts – they may be backdated
  • Extent of resume fraud – recent research found that 11% of resumes that were checked misrepresented their qualifications

  5. The Social Engineering Attack Cycle
  • Research
  • Developing rapport and trust
  • Exploiting trust
  • Utilizing information
  • Covering tracks

  6. How Attackers Take Advantage
  • Use of authority
  • Being likable
  • Creating a situation where reciprocation is expected
  • Eliciting a public commitment, then requesting an action that seems to be consistent with the commitment
  • Creating the belief that others have validated the action
  • Creating the illusion of scarcity

  7. Common Social Engineering Methods
  • Posing as a fellow employee, vendor employee, or law enforcement
  • Posing as someone in authority
  • Posing as a new employee requesting help
  • Offering help if a problem occurs, then making the problem occur
  • Sending software or a patch for a victim to install
  • Using insider lingo to gain trust
  • Capturing victim keystrokes through different ruses
  • Modifying a fax machine to make it appear internal
  • Getting a receptionist to receive and then forward faxes
  • Asking for a file to be transferred to what appears to be an internal location
  • Pretending to be from a remote office and asking for local e-mail access
  • Getting a voice mailbox set up so callbacks perceive the attacker as internal

  8. Common Targets of Attacks
  Target type                        Examples
  Unaware of value of information    Receptionists, telephone operators, administrative assistants, security guards
  Special privileges                 Help desk, technical support, system administrators, computer operators, telephone system administrators
  Manufacturer/vendor                Computer hardware, software manufacturers, voice mail sellers
  Specific departments               Accounting, HR

  9. Seven Deadly Sins
  • Gullibility
  • Curiosity
  • Courtesy
  • Greed
  • Diffidence
  • Thoughtlessness
  • Apathy

  10. Factors that Heighten Companies’ Vulnerability
  • Large number of employees
  • Multiple facilities
  • Information on employee whereabouts left on voice mail
  • Phone extension information made available
  • Lack of security training and awareness
  • No data classification system
  • No incident reporting/response plan in place

  11. Verification and Data Classification in Response to Requests
  • Verification of identity
  • Verification of employee status
  • Procedure to determine need to know
  • Criteria for verifying non-employees
  • Data classification
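The five checks on this slide, worked into a request-handling routine as an added example (not part of the deck). The employee directory, need-to-know matrix and classification levels are constructed assumptions; the point is that the data's classification, not the caller's story, decides how much verification a request needs.

```python
from dataclasses import dataclass
from enum import IntEnum

class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Constructed sample directory: the authoritative record for verifying employee status.
EMPLOYEE_DIRECTORY = {
    "e1042": {"dept": "HR", "active": True},
    "e0877": {"dept": "Sales", "active": False},   # has left the company
}
# Constructed need-to-know matrix: which departments may receive a data owner's data.
NEED_TO_KNOW = {"HR": {"HR", "Legal"}, "Accounting": {"Accounting", "Finance"}}
# Identity checks the requester cannot influence; caller ID and insider lingo are not on the list.
STRONG_IDENTITY_CHECKS = {"callback_to_directory_number", "in_person"}

@dataclass
class Request:
    claimed_employee_id: str
    identity_check: str              # how the requester's identity was verified
    data_owner_dept: str             # department that owns the requested data
    classification: Classification
    sponsor_confirmed: bool = False  # non-employees: an internal sponsor confirmed the request

def evaluate_request(req: Request) -> tuple[bool, str]:
    """Walk the slide's checks in order; the first failing check denies the request."""
    if req.classification == Classification.PUBLIC:
        return True, "public data: no verification required"
    # Verification of identity
    if req.identity_check not in STRONG_IDENTITY_CHECKS:
        return False, f"identity not verified ({req.identity_check} is not a strong check)"
    # Verification of employee status, with separate criteria for non-employees
    record = EMPLOYEE_DIRECTORY.get(req.claimed_employee_id)
    if record is None:
        if req.sponsor_confirmed and req.classification <= Classification.INTERNAL:
            return True, "non-employee: sponsor confirmed, internal-level data"
        return False, "non-employee: no sponsor confirmation or data above internal"
    if not record["active"]:
        return False, "employee status: not active"
    # Need to know, decided by the owner's matrix rather than by how urgent the caller sounds
    if record["dept"] not in NEED_TO_KNOW.get(req.data_owner_dept, set()):
        return False, f"no need to know: {record['dept']} may not receive {req.data_owner_dept} data"
    # Data classification: restricted data is only released after in-person verification
    if req.classification == Classification.RESTRICTED and req.identity_check != "in_person":
        return False, "restricted data: in-person verification required"
    return True, "approved"
```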
