
Hacking the Human: Social Engineering Attacks

April 14, 2015

CBIZ MHM, LLC – Kansas City

Presenters

Kyle Konopasek, CIA, CICA
Manager – CBIZ MHM, LLC
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1020
Email: kkonopasek@cbiz.com

Cory Kaiser, CPA
Manager – CBIZ MHM, LLC
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1238
Email: ckaiser@cbiz.com

Effective May 1, 2015 our new office address will be:

700 West 47th Street, Suite 1100
Kansas City, Missouri 64112.

After May 1st, please direct all calls to our new numbers:

Kyle Konopasek: (816) 945-5512
Cory Kaiser: (816) 945-5628

Learning Objectives

1) Understand what social engineering is and the various types of attacks.

2) Learn how to identify a social engineering attack.

3) Understand the impact to an organization as a result of a social engineering attack.

4) Learn who is most susceptible to a social engineering attack.

5) Gain insight on how social engineering attacks can be mitigated.

What Is Social Engineering?

1) The clever manipulation of the natural human tendency to trust.

2) Manipulating people into willingly doing something rather than by breaking in using technical or brute force means.

3) The act of manipulating a person to take an action that may or may not be in the target’s best interest. ~ Chris Hadnagy

4) The art of intentionally manipulating behavior using specially crafted communication techniques. ~ Gavin Watson

Motivations for Social Engineering Attacks

• Financial gain – 51%

• Access to proprietary information – 46%

• Competitive advantage – 40%

• Revenge or personal vendetta – 14%

• Other – 4%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Social Engineering Targets

• Sensitive Personally Identifiable Information

• System usernames and passwords

• High-value assets

• Trade secrets and proprietary information

Typical Cost Per Social Engineering Incident

[Bar chart: share of respondents reporting a per-incident cost of Less than $10,000; $10,000 - $25,000; $25,000 - $50,000; $50,000 - $100,000; More than $100,000, shown for all companies and for companies with more than 5,000 employees.]

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Frequency of Social Engineering Attacks Over 2-year Period

[Bar chart: share of respondents reporting Less than 5 times; 5 - 24; 25 - 50; More than 50 times, shown for all companies and for companies with more than 5,000 employees.]

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

An Attack In Action – Stories and Examples

• Dumpster diving

– Company directory and phone list with email addresses.

– Client sensitive personally identifiable information.

– Employee usernames and passwords to company systems.

– Company policies, procedures, systems, vendors.

– Vertical cut shred in trash bag in dumpster.

– Hand torn documents in trash in dumpster.

• Pretexting, Baiting, and Piggy-backing

– Impersonate telecom, janitorial, security personnel, employees.

– Drop a CD or USB thumb drive with a creative label.

– Follow employees through secured doors.

– Develop rapport and level of comfort.

• Email phishing

– New paid time off policy and tracking system.

– Obtain false website address; create a mirror image false website.

– Use employee directory from dumpster to email false link to website.

– Require Windows login to gain access.

– Ask employees to update paid time off balances and requests.

– Provide personal incentive to click the link.

Fake Web Address Example

Legitimate address: https://www.principal.com/

Look-alike address (the “i” in “principal” replaced with a lowercase “l”): https://www.princlpal.com/
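The two addresses differ by a single character that is easy to miss at a glance. As an added example (not code from the original presentation), the Python below is a defender-side check that flags such look-alike links against an allowlist of domains the organization actually uses. The trusted-domain list, the confusable-character tables and the sample URLs are constructed for the demo, and the rule that the last two host labels form the registrable domain is a simplifying assumption (a real deployment would consult the Public Suffix List).

```python
"""Flag look-alike web addresses against an allowlist of trusted domains.

Added example, not code from the original presentation.  The trusted-domain
list, the confusable-character tables and the sample URLs are constructed for
the demo.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Constructed allowlist of domains the organization actually uses.
TRUSTED_DOMAINS = {"principal.com", "examplecorp.com"}

# Constructed tables of strings that read like the canonical form at a glance.
# Multi-character sequences are collapsed before single characters.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}
CONFUSABLE_CHARS = {"l": "i", "1": "i", "|": "i", "!": "i", "0": "o", "5": "s", "3": "e"}


def registrable_domain(url: str) -> str:
    """Return the registrable part of a URL's host, e.g. 'principal.com'.

    Assumption: the last two labels form the registrable domain.  That is
    wrong for suffixes such as co.uk; a real deployment would consult the
    Public Suffix List instead.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Collapse visually confusable characters to one canonical spelling."""
    for sequence, canonical in CONFUSABLE_SEQUENCES.items():
        domain = domain.replace(sequence, canonical)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in domain)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches single-keystroke typosquats."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[str, str | None]:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown'.

    The second element is the trusted domain the URL matches or imitates.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain
    for good in trusted:
        # Trusted name buried inside a longer hostname, e.g.
        # principal.com.login-update.test, whose real owner is login-update.test.
        if good in host:
            return "lookalike", good
        # Same spelling once confusable characters are canonicalized
        # (princlpal and principal both become principai).
        if normalize(domain) == normalize(good):
            return "lookalike", good
        # One keystroke away: a dropped, added or swapped character.
        if levenshtein(domain, good) <= 1:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email might carry.
    for sample in ("https://www.principal.com/",
                   "https://www.princlpal.com/",
                   "https://principal.com.login-update.test/",
                   "https://examp1ecorp.com/pto",
                   "https://www.wikipedia.org/"):
        print(f"{sample:45} -> {classify(sample)}")
```

The three checks in `classify` correspond to the three ways a fake address is usually built: a trusted name placed in front of an unrelated registrable domain, a homoglyph swap such as the l-for-i above, and a one-keystroke typo. A mail gateway or proxy can run the same logic over every link before the user sees it.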

Social Engineering Threats To Organizations

[Pie chart: share of respondents naming each threat – Lack of Employee Awareness, Phishing, Criminals, Vishing, Other.]

Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading

Risk of Falling for Social Engineering Attack

• New employees – 60%

• Contractors – 44%

• Executive assistants – 38%

• Human resources – 33%

• Business leaders – 32%

• IT personnel – 23%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Mitigating A Social Engineering Attack

Social engineering attacks cannot be prevented—only mitigated and deterred.

• Policies

– Employees are not allowed to divulge information.

– Prevents employees from being socially pressured or tricked.

– Policies MUST be enforced to be effective.

• Training

– User awareness—user knows giving out information is bad.

Mitigating A Social Engineering Attack

• Password management

• Physical security

• Network defenses may only temporarily repel attacks.

– Virus protection

– Email attachment scanning

– Firewalls, etc.

– Intrusion detection system and intrusion protection system

– Encrypted data at rest

• Security must be tested and updated periodically.

Mitigating A Social Engineering Attack

• Third-party testing

– IMPORTANT! This is strictly intended to be a learning tool for the organization—not a punishment for individual employees.

– Have the third party attempt to acquire information from employees using social engineering techniques.

• Acquire information from external sources – website, marketing materials, trash and dumpsters in business parking lot.

• Attack strategically targeted areas of the organization.

– May include technical testing of malware and other abnormalities.

Mitigating A Social Engineering Attack

• What a third-party tester should not and cannot do.

– Illegal examples from a pretexting perspective:

• Law enforcement

• Fire

• Paramedics

• Public safety personnel in general

• Military personnel

• Government official

Third Party Social Engineering Testing

• Who should consider testing?

• Information security focused risk assessment

– Identify weaknesses and most valuable information and assets.

• Planning

– Scripts are fully documented and approved by management.

• Reporting

– Highly detailed, describing each step of testing and the results.

– Should not “name names”—not intended to implicate individuals.

• Follow-up training and consulting

– Assist in policy development and facilitate quarterly training.

Develop Internal Programs

Information Security Program: The written plan created and implemented by the organization to identify and control risks to information and information systems and to properly dispose of information.

Security Awareness Program: Security awareness reflects an organization’s attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets.

Weakest Link

• No matter how robust an organization’s . . .

– Firewalls,

– Intrusion detection systems,

– Anti-virus/malware software,

– Other technological and physical safeguards . . .

• The human is always the weakest link when dealing with security and protecting valuable information.

Conclusion

• Good habits drive security culture, and there are no technologies that will ever make up for poor security culture.

• Awareness programs, when properly executed, provide knowledge that instills behavior.

• Social engineering testing is an effective method commonly used to assess the condition of the overall security culture.

It is better to fail a test in a controlled environment than to be attacked without knowing how much information will be lost.

QUESTIONS?
