Page 1: Preventing Social Engineering Attacks

Kelly Corning, Julie Sharp

Page 2: What is Social Engineering?

- Human-based techniques: impersonation
- Computer-based techniques: malware and scams

Page 3: Why is Social Engineering Effective?

- Manipulates legitimate users into undermining their own security controls
- Abuses trusted relationships between employees
- Very cheap for the attacker: no specialized equipment or skills are needed

Page 4: Common Techniques (Impersonation)

- Help Desk
- Third-party Authorization
- Tech Support
- Roaming the Halls
- Repairman
- Trusted Authority Figure
- Snail Mail

Page 5: Common Techniques (Computer-Based)

- Pop-up windows
- Instant Messaging and IRC
- Email attachments
- Email scams
- Chain letters and hoaxes
- Websites

Page 6: Impersonation: Help Desk

- Attacker pretends to be an employee and asks for a "forgotten" password to be reset or read back
- Help desks often do not require adequate authentication of the caller before doing so
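The help-desk weakness above is that the "proof" a caller offers (name, employee ID) is information an impersonator can collect in advance. The example below, added here and not code from the original slides, puts a weak reset check beside a hardened one that never completes the reset on the inbound call: it sends a one-time code to the phone number HR already holds and only resets when the caller reads it back. The directory records, the ticket fields and the SMS channel are assumptions chosen for illustration, not a model of any real help-desk system.

```python
"""Help-desk password reset: a weak caller check beside a hardened one.

Added example; not code from the original slides. The directory records,
the ticket fields and the SMS channel are assumptions chosen to illustrate
the control, not a model of any real help-desk system.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Employee:
    emp_id: str
    name: str
    phone_on_file: str  # taken from HR records, never from the caller


# Constructed directory for the example.
DIRECTORY: Dict[str, Employee] = {
    "E1001": Employee("E1001", "Ada Lovelace", "+1-555-0100"),
    "E1000": Employee("E1000", "Grace Hopper", "+1-555-0101"),
}


@dataclass
class ResetRequest:
    claimed_emp_id: str
    claimed_name: str
    caller_phone: str  # number the caller rang in from; attacker-controlled


def weak_reset(req: ResetRequest) -> bool:
    """Weak: resets if the caller knows a name and an employee ID.

    Both are routinely visible on badges, org charts and out-of-office
    replies, so an impersonator passes this check."""
    emp = DIRECTORY.get(req.claimed_emp_id)
    return emp is not None and emp.name == req.claimed_name


@dataclass
class PendingReset:
    emp_id: str
    code: str
    attempts_left: int = 3


def start_hardened_reset(req: ResetRequest,
                         send_sms: Callable[[str, str], None]) -> Optional[PendingReset]:
    """Hardened, step 1: never complete a reset on the inbound call.

    Look the employee up, send a one-time code to the phone number HR holds
    (not the number the caller gave), and return a pending record."""
    emp = DIRECTORY.get(req.claimed_emp_id)
    if emp is None or emp.name != req.claimed_name:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    send_sms(emp.phone_on_file, f"Help desk reset code: {code}")
    return PendingReset(emp.emp_id, code)


def finish_hardened_reset(pending: PendingReset, presented_code: str) -> bool:
    """Hardened, step 2: the caller must read back the code that reached the
    phone on file. Constant-time compare and a small attempt budget so the
    code cannot be guessed over repeated calls."""
    if pending.attempts_left <= 0:
        return False
    pending.attempts_left -= 1
    return hmac.compare_digest(pending.code.encode(), presented_code.encode())
```

The point of the split into two functions is that the decision is moved off the channel the attacker controls: whoever rang in must also control the phone on file, and the help-desk agent has nothing to be talked into.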

Page 7: Impersonation: Third-party Authorization

- Targeted at someone who has information, access to assets, or verification codes
- Attacker claims that a third party has authorized the target to divulge sensitive information
- More effective if the third party is out of town and cannot be asked to confirm

Page 8: Impersonation: Tech Support

- Attacker pretends to be the company's own tech support
- Asks for user credentials "for troubleshooting purposes"
- Users must be trained never to hand over credentials: legitimate support staff do not need a user's password to do their job

Page 9: Impersonation: Roaming the Halls

- Attacker dresses to blend in with the environment: company uniform, business attire
- Looks for sensitive information that has been left unattended:
  - Passwords written down
  - Important papers
  - Confidential conversations

Page 10: Impersonation: Repairman

- Attacker wears the appropriate uniform
- Often allowed into sensitive environments
- May plant surveillance equipment
- Could find sensitive information

Page 11: Impersonation: Trusted Authority Figure

- Attacker pretends to be someone in charge of a company or department
- Similar to the "third-party authorization" attack
- Examples of authority figures: medical personnel, home inspector, school superintendent
- Impersonation in person or via telephone

Page 12: Impersonation: Snail Mail

- Attacker sends postal mail that asks for personal information
- People are more trusting of printed words than of web pages
- Examples: fake sweepstakes, free offers, rewards programs
- More effective on older generations

Page 13: Computer Attacks: Pop-up Windows

- A window prompts the user for login credentials
- Imitates the legitimate network login prompt
- Users can check for visual indicators to verify that the prompt is genuine (the browser's own address bar and lock icon, not graphics drawn inside the page)

Page 14: Computer Attacks: IM & IRC

- Attacker uses IM or IRC to imitate the technical support desk
- Redirects users to malicious sites
- Trojan-horse downloads install surveillance programs

Page 15: Computer Attacks: Email Attachments

- Attacker tricks the user into downloading malicious software
- Programs can be hidden in downloads that appear legitimate
- Examples:
  - Executable content embedded in documents (macros in Office files; JavaScript or embedded files in PDFs)
  - Camouflaged extension: "NormalFile.doc" vs. "NormalFile.doc.exe"; the final extension is often hidden by the email client, or by an OS setting that hides known file extensions
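The camouflaged-extension trick works because the name the user sees is not the name the operating system acts on. The following checker, added here and not part of the original slides, flags the double-extension case the slide describes and goes slightly beyond it with two related disguises: whitespace padding that pushes the real extension out of a truncated display column, and Unicode bidirectional control characters that reverse the visible order of the name. The extension lists and the truncating-client simulation are assumptions for illustration; a real mail gateway would use its own policy lists and inspect the file content as well as the name.

```python
"""Flag attachment names that disguise an executable as a document.

Added example, not part of the original slides. The extension lists and
the truncation model are assumptions; a real gateway would use its own
policy and also inspect content, not just the name.
"""
from typing import List

# Assumed lists for the example.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "ps1", "hta", "msi", "lnk", "jar"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
                 "txt", "rtf", "jpg", "jpeg", "png", "gif"}
# Unicode bidi embedding/override/isolate controls that reorder displayed text.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def visible_name(name: str, width: int) -> str:
    """Simulate a client that cuts long names to `width` columns.

    'NormalFile.doc.exe' shown at width 14 reads 'NormalFile.doc'."""
    return name if len(name) <= width else name[:width]


def attachment_findings(name: str) -> List[str]:
    """Return human-readable reasons the name looks disguised (empty = none)."""
    findings: List[str] = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi control character reorders the displayed name")
    # Judge extensions on the name as the OS sees it, controls stripped.
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = clean.split(".")
    exts = [p.strip().lower() for p in parts[1:]]
    if not exts:
        return findings
    if exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"final extension .{exts[-1]} is executable")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            findings.append("document-looking extension in front of the executable one")
        if parts[-2] != parts[-2].rstrip():
            findings.append("whitespace padding pushes the real extension out of view")
    return findings


def is_suspicious(name: str) -> bool:
    return bool(attachment_findings(name))
```

Blocking on the final extension alone is the important part; the double-extension and padding findings only explain why a user would have been fooled.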

Page 16: Computer Attacks: Email Scams

- Have become more prevalent over time
- Begin by requesting basic information
- Lead to financial scams

Page 17: Computer Attacks: Chain Emails

- More of a nuisance than a threat
- Spread using social engineering techniques
- Cost productivity and resources

Page 18: Computer Attacks: Websites

- Site offers prizes but requires the visitor to create a login
- Attacker capitalizes on users reusing login credentials across sites
- The harvested website credentials can then be used for illegitimate access to company assets

Page 19: Best Practices

- Never disclose passwords
- Limit IT information disclosed
- Limit information in auto-reply emails
- Escort guests in sensitive areas
- Question people you don't know
- Talk to employees about security
- Centralize reporting of suspicious behavior

Page 20: Never Disclose Passwords

- Remind employees to keep passwords secret
- Don't make exceptions: it's not a grey area

Page 21: Limit IT Information Disclosed

- Only IT staff should discuss details of the system configuration with others
- Don't answer survey calls
- Check that vendor calls are legitimate (call back on a number you already have, not one the caller gives you)

Page 22: Limit Information in Auto-Reply Emails

- Keep details in out-of-office messages to a minimum
- Don't give out contact information for someone else
- Route requests to a receptionist

Page 23: Escort Guests in Sensitive Areas

- Guard all areas with network access: empty offices, waiting rooms, conference rooms
- This protects against the "Repairman" and "Trusted Authority Figure" attacks

Page 24: Question People You Don't Know

- All employees should wear appropriate badges
- Talk to people you don't recognize
- Introduce yourself and ask why they are there

Page 25: Talk to Employees About Security

- Regularly brief employees on common social engineering techniques
- Always be on guard against attacks
- Everyone should watch what they say and do

Page 26: Centralize Reporting

- Designate an individual or group to receive all reports of suspicious contact
- Social engineers use many points of contact: survey calls, presentations, help desk calls
- Recognizing a pattern across those contacts can prevent an attack; no single recipient sees it otherwise
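Centralized reporting only pays off if someone actually correlates the reports. The example below, added here and not code from the original slides, shows the pattern-recognition step over constructed sample reports: each report carries an indicator that can tie contacts together (a callback number, a claimed vendor, an email domain), and an indicator is flagged when it appears on two or more distinct channels within a window. The report format, the seven-day window and the sample entries are all assumptions made for the example.

```python
"""Correlate suspicious-contact reports across channels.

Added example, not from the original slides. The report format, the
window and the sample reports are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Report:
    when: datetime
    channel: str    # "help_desk", "survey_call", "visitor", "email", ...
    reporter: str   # employee who filed the report
    indicator: str  # what ties contacts together: callback number, claimed org, domain
    summary: str


# Constructed sample: one actor probing through three channels in a week,
# plus an unrelated single email report.
SAMPLE_REPORTS = [
    Report(datetime(2013, 3, 18, 9, 5), "survey_call", "reception",
           "+1-555-0142", "asked which antivirus and VPN products we use"),
    Report(datetime(2013, 3, 19, 14, 30), "help_desk", "helpdesk-2",
           "+1-555-0142", "caller could not give employee ID, wanted a reset"),
    Report(datetime(2013, 3, 21, 11, 0), "visitor", "facilities",
           "+1-555-0142", "repairman with no work order, left a callback number"),
    Report(datetime(2013, 3, 20, 16, 0), "email", "finance-1",
           "acme-billing.example", "invoice from a domain we have never paid"),
]


def correlate(reports: List[Report],
              window: timedelta = timedelta(days=7),
              min_channels: int = 2) -> Dict[str, List[Report]]:
    """Group reports by indicator and flag any indicator seen on at least
    `min_channels` distinct channels within `window`.

    Returns indicator -> the reports inside the first qualifying window."""
    by_indicator: Dict[str, List[Report]] = defaultdict(list)
    for r in sorted(reports, key=lambda r: r.when):
        by_indicator[r.indicator].append(r)
    flagged: Dict[str, List[Report]] = {}
    for indicator, rs in by_indicator.items():
        # Slide a window anchored at each report; stop at the first hit.
        for i, first in enumerate(rs):
            inside = [r for r in rs[i:] if r.when - first.when <= window]
            if len({r.channel for r in inside}) >= min_channels:
                flagged[indicator] = inside
                break
    return flagged


if __name__ == "__main__":
    for indicator, hits in correlate(SAMPLE_REPORTS).items():
        channels = ", ".join(sorted({h.channel for h in hits}))
        print(f"{indicator}: {len(hits)} reports via {channels}")
```

Individually each of the three flagged reports is easy to dismiss (a survey, a confused caller, a contractor without paperwork); only the shared callback number, visible to the central recipient, turns them into one reconnaissance campaign.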

Page 27: Resources

- Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013. <http://community.spiceworks.com/how_to/show/666-best-practices-to-prevent-social-engineering-attacks>.
- SecureWorks. "Social Engineering." Information, Network & Managed IT Security Services. Dell, 2013. Web. 26 Mar. 2013. <http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/>.
- "Types of Social Engineering." NPDN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013. <http://www.npdn.org/social_engineering_types>.