Page 1: Social Engineering
By: Pete Guhl and Kurt Murrell

Page 2: Techniques

Page 3: Phases of Social Engineering

- Very similar to how intelligence agencies infiltrate their targets
- 3 phased approach:
  - Phase 1 - Intelligence Gathering
  - Phase 2 - "Victim" Selection
  - Phase 3 - The Attack
- Usually a very methodical approach

Page 4: Phase 1 - Intelligence Gathering

- Primarily open source information:
  - Dumpster diving
  - Web pages
  - Ex-employees
  - Contractors
  - Vendors
  - Strategic partners
- The foundation for the next phases

Page 5: Phase 2 - "Victim" Selection

- Looking for weaknesses in the organization's personnel:
  - Help desk
  - Tech support
  - Reception
  - Admin. support
  - Etc.

Page 6: Phase 3 - The Attack

- Commonly known as the "con"
- Primarily based on "peripheral" routes to persuasion:
  - Authority
  - Liking & similarity
  - Reciprocation
- Uses emotionality as a form of distraction

Page 7: 3 General Types of Attack

- Ego attacks
- Sympathy attacks
- Intimidation attacks

Page 8: Intimidation Attack

- Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
- Attempts to use their authority to coerce the victim into cooperation
- If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)
- If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed, etc.

Page 9: Sympathy Attacks

- Attacker pretends to be a fellow employee (new hire), contractor, vendor, etc.
- There is some urgency to complete some task or obtain some information
- Needs assistance or they will be in trouble or lose their job, etc.
- Plays on the empathy & sympathy of the victim
- Attackers "shop around" until they find someone who will help
- Very successful attack

Page 10: The Ego Attack

- Attacker appeals to the vanity or ego of the victim
- Usually targets someone they sense is frustrated with their current job position
- The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
- Attacker may pretend to be law enforcement; the victim feels honored to be helping
- Victim usually never realizes

Page 11: More Info on Attacks

- Attacks can come from anywhere/anytime
- Social engineering can circumvent current security practices - what good is a password if everyone has it?
- No one is immune - everyone has information about the company

Page 12: Preventing Social Engineering

Page 13: Training - Warn Users of Imminent Attack

- Users that are forewarned are less free with information

Pages 14-20: Training - Define Sensitive Information

- Passwords
- DOB
- Maiden names
- Social Security number
- Account numbers
- Billing amounts

Pages 21-22: Training

- Users: passwords, phone numbers, other data
- System admins: tougher authentication protocol for password resets

Pages 23-25: Testing

- Users - reveal seemingly innocuous data?
- System admins - divulge network information?
- Helpdesk personnel - reset passwords on faulty authentication?

Page 26: Removing the Weak Link - Remove the User's Ability to Divulge Information

- Remove all non-essential phones
- Restrict to internal communications
- Remove Internet access
- Disable removable drives
- Make false information accessible

Page 27: Removing the Weak Link - Forced Strong Authentication

- Use secure software requiring strong authentication for password resets
- Require callback to user's directory listed number
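One way to implement the callback rule above (and the "tougher authentication for password resets" point from the training slides), as an added example rather than anything from the deck: a helpdesk reset gate that sends a one-time code only to the directory-listed number, ignoring whatever number the caller supplies, and authorizes the reset only when that code is read back. The directory entries, the `dispatch` callback and the function names are hypothetical.

```python
"""Helpdesk password-reset gate (added example, hypothetical names).

Identity is proven by a callback to the directory-listed number, never to a
number the caller gives, so an impersonator who merely knows the victim's
personal details cannot complete the reset.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory sample: username -> listed phone (hypothetical data).
DIRECTORY = {
    "jdoe": {"listed_phone": "+1-555-0100"},
    "asmith": {"listed_phone": "+1-555-0101"},
}


@dataclass
class ResetRequest:
    username: str
    caller_phone: str                      # number the caller asks to be reached on
    audit: List[str] = field(default_factory=list)
    _code: Optional[str] = None            # pending one-time code, single use


def begin_reset(req: ResetRequest, dispatch) -> bool:
    """Step 1: look up the account and send a one-time code to the
    directory-listed number only. dispatch(number, code) is the hypothetical
    SMS/voice hook. Returns False when no trustworthy callback is possible."""
    entry = DIRECTORY.get(req.username)
    if entry is None:
        req.audit.append("deny: unknown account")
        return False
    if req.caller_phone != entry["listed_phone"]:
        # Caller-supplied numbers are recorded for review but never used.
        req.audit.append("note: caller phone differs from directory; ignored")
    req._code = f"{secrets.randbelow(10**6):06d}"
    dispatch(entry["listed_phone"], req._code)   # callback to the listed number
    req.audit.append(f"callback code sent to directory number for {req.username}")
    return True


def complete_reset(req: ResetRequest, code_from_callback: str) -> bool:
    """Step 2: only the code read back from the callback unlocks the reset."""
    if req._code is None or not secrets.compare_digest(req._code, code_from_callback):
        req.audit.append("deny: callback code mismatch")
        return False
    req._code = None                       # burn the code so it cannot be replayed
    req.audit.append("allow: reset authorized via directory callback")
    return True
```

The audit list doubles as the evidence trail the testing slides ask for: a reset granted without a "callback code sent" entry would indicate the helpdesk bypassed the gate.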

Page 28: Removing the Weak Link - Secure Protected Doors

- Employ guards
- Use revolving door
- Two door checkpoint
- Deploy CCTV to remote facility