Social Engineering
By: Pete Guhl and Kurt Murrell
Techniques
Phases of Social Engineering
- Very similar to how intelligence agencies infiltrate their targets
- 3 phased approach
  - Phase 1 - Intelligence Gathering
  - Phase 2 - "Victim" Selection
  - Phase 3 - The Attack
- Usually a very methodical approach
Phase 1 - Intelligence Gathering
- Primarily open source information
  - Dumpster diving
  - Web pages
  - Ex-employees
  - Contractors
  - Vendors
  - Strategic partners
- The foundation for the next phases
Phase 2 - "Victim" Selection
- Looking for weaknesses in the organization's personnel
  - Help Desk
  - Tech Support
  - Reception
  - Admin. Support
  - Etc.
Phase 3 - The Attack
- Commonly known as the "con"
- Primarily based on "peripheral" routes to persuasion
  - Authority
  - Liking & Similarity
  - Reciprocation
- Uses emotionality as a form of distraction
3 General Types of Attack
- Ego Attacks
- Sympathy Attacks
- Intimidation Attacks
Intimidation Attack
- Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
- Attempts to use their authority to coerce the victim into cooperation
- If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)
- If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed, etc.
Sympathy Attacks
- Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.
- There is some urgency to complete some task or obtain some information
- Needs assistance or they will be in trouble or lose their job, etc.
- Plays on the empathy & sympathy of the victim
- Attackers "shop around" until they find someone who will help
- Very successful attack
The Ego Attack
- Attacker appeals to the vanity or ego of the victim
- Usually targets someone they sense is frustrated with their current job position
- The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
- Attacker may pretend to be law enforcement; the victim feels honored to be helping
- Victim usually never realizes
More info on attacks
- Attacks can come from anywhere/anytime
- Social Engineering can circumvent current security practices - What good is a password if everyone has it?
- No one is immune - Everyone has information about the company
Preventing Social Engineering
Training
- Warn users of imminent attack - Users that are forewarned are less free with information
Training
- Define Sensitive Information
  - Passwords
  - DOB
  - Maiden Names
  - Social Security Number
  - Account Numbers
  - Billing Amounts
Training
- Users - Passwords, phone numbers, other data
- System Admins - Tougher authentication protocol for password resets
Testing
- Users - Reveal seemingly innocuous data?
- System Admins - Divulge network information?
- Helpdesk personnel - Reset passwords on faulty authentication?
Removing the Weak Link
- Remove the user's ability to divulge information
  - Remove all non-essential phones
  - Restrict to internal communications
  - Remove Internet access
  - Disable removable drives
  - Make false information accessible
Removing the Weak Link
- Forced strong authentication
  - Use secure software requiring strong authentication for password resets
  - Require callback to user's directory-listed number
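The reset procedure on this slide, as an added Python example that is not part of the original deck: the help desk looks up the callback number in the corporate directory, ignores any number the caller offers, logs urgency as a warning sign rather than a shortcut, and approves the reset only after out-of-band verification. The directory entries and the request fields are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample directory: username -> directory-listed phone number.
# In practice this comes from the corporate directory, never from the call.
DIRECTORY = {
    "jsmith": "+1-555-0100",
    "amartin": "+1-555-0101",
}


@dataclass
class ResetRequest:
    """A phoned-in password-reset request as the help desk records it."""
    username: str
    caller_supplied_number: Optional[str] = None  # number the caller asks to be called on
    claims_urgency: bool = False                   # "I'll be in trouble if this isn't done now"
    verified_out_of_band: bool = False             # strong auth completed on the callback
    audit: List[str] = field(default_factory=list)


def callback_number(username: str) -> Optional[str]:
    """The only number a callback may go to is the one listed in the directory."""
    return DIRECTORY.get(username)


def evaluate_reset(req: ResetRequest) -> str:
    """Return 'deny', 'callback' or 'reset'; reasons are appended to req.audit."""
    listed = callback_number(req.username)
    if listed is None:
        req.audit.append("deny: username not in directory")
        return "deny"
    if req.caller_supplied_number and req.caller_supplied_number != listed:
        # The sympathy and intimidation scripts on the earlier slides rely on
        # the caller steering the process; a caller-chosen number is never used.
        req.audit.append("ignored caller-supplied number; callback goes to directory number")
    if req.claims_urgency:
        # Urgency is recorded as a warning sign but never shortens the procedure.
        req.audit.append("warning: caller pressed urgency; procedure unchanged")
    if not req.verified_out_of_band:
        req.audit.append(f"callback: call {listed} and complete strong authentication first")
        return "callback"
    req.audit.append("reset: identity verified on directory-number callback")
    return "reset"
```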
Removing the Weak Link
- Secure protected doors
  - Employ guards
  - Use revolving door
  - Two door checkpoint
  - Deploy CCTV to remote facility