Social Engineering Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC Kansas City

Social Engineering - Social...risks –“Pretexting protection”, which includes safeguards against social engineering attacks –Oversight of service providers –Board of Directors


Page 1

Social Engineering

Hacking the Human

Kyle Konopasek, CIA

CBIZ MHM, LLC – Kansas City

Page 2

Presenters

Tony Coble, CPA
Managing Director – CBIZ MHM and Shareholder, MHM
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1031
Email: [email protected]

Kyle Konopasek, CIA, CICA
Manager – CBIZ MHM, LLC
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1020
Email: [email protected]

Page 3

About CBIZ and Mayer Hoffman McCann P.C.

With offices in major cities throughout the United States, CBIZ is one of the nation's leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.

Page 4

Learning Objectives

• Understand regulatory compliance issues.

• Learn exactly what social engineering is and the various types used.

• Understand how to identify a social engineering attack.

• Gain insight on methods to deter or mitigate social engineering risk.

Page 5

The Regulatory Scene

• Important security regulations and industry standards:

– Gramm-Leach-Bliley Act (GLBA)

– Fair and Accurate Credit Transactions Act (FACTA)

– Payment Card Industry Data Security Standard (PCI DSS)

Page 6

Gramm-Leach-Bliley Act (GLBA)

• Requirements

– Implementing and maintaining a comprehensive information security program

– Assessing and evaluating threats

– Implementing controls commensurate with associated risks

– “Pretexting protection”, which includes safeguards against social engineering attacks

– Oversight of service providers

– Board of Directors involvement and approval

Page 7

Fair and Accurate Credit Transactions Act (FACTA)

• FACTA targets the growing problem of identity theft. The Red Flags Rules require:

– Ongoing and comprehensive risk assessments to identify covered accounts and related threats

– Based on the risk assessment, a comprehensive identity theft program

– Formal change-of-address procedures

– Employee training

– Development of specific policies, procedures and practices to combat identity theft

– Oversight of third-party providers

Page 8

Payment Card Industry Data Security Standard (PCI DSS)

• PCI DSS is a standard, not a regulation. One of the requirements to be PCI compliant:

– Perform external and internal penetration tests at least once a year and after any significant infrastructure or application upgrades.

Page 9

Social Engineering as a tool

• Social engineering testing is highly encouraged under GLBA, as it offers steps against pretexting.

• Social engineering testing serves as an exceptional tool to counter identity theft.

Page 10

Page 11

What is Social Engineering?

• Manipulating people into doing something, rather than breaking in using technical means.

Page 12

What is social engineering?

• Attacker uses human interaction to obtain or compromise information.

• Attacker may appear unassuming or respectable.

– Pretend to be a new employee, repair man, utility provider, etc.

– May even offer credentials.

Page 13

What is social engineering?

• By asking questions, the attacker may piece enough information together to infiltrate an organization’s network.

– May attempt to get information from many sources.

Page 14

Types of social engineering

• Quid Pro Quo

– Something for something.

• Phishing

– Fraudulently obtaining private information.

• Baiting

– Real world Trojan horse.

• Pretexting

– Invented scenario.

• Diversion Theft

– Lying and convincing others of a false truth—a con.

Page 15

Quid Pro Quo

• Something for something

– Call random phone numbers at an organization claiming to be from technical support.

– Eventually you will reach someone with a legitimate problem.

– Grateful you called them, they will follow your instructions.

– The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware.

Page 16

Phishing

• Fraudulently obtaining private information

– Send an email that looks like it came from a legitimate business.

– Request verification of information and warn of some consequence if not provided.

– Usually contains a link to a fraudulent web page that looks legitimate.

• Example: Update login information to new HR portal.

– User gives information to the social engineer/attacker.

Page 17

Phishing - continued

• Spear phishing

– Targeted phishing that includes your name or demographic info.

• Vishing

– Phone phishing—may be a voice system asking for a call back.

Page 18

Phishing - continued

• Real example

– Obtain email addresses of many employees in the target organization, including key individual targets like Controller, Staff Accountant, Executive Assistant, etc.

– Develop website to “change password” or “setup new account” for a human resources vacation request system.

• Actual organization website is “Western States Credit Union”

• Link to attacker’s website is “Western States Credlt Union”

– Email website link to obtained email addresses.
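The “Credlt” lure above works because a lowercase L and a lowercase I look alike in many fonts. The following added example (not part of the presentation) shows how a defender can flag such lookalike link hosts in an inbound email against an allow-list of the organisation's real domains; the domain names and the sample message are constructed for the illustration, and a production version would use a real public-suffix list.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of the organisation's real domains (hypothetical .example names).
LEGITIMATE = ["westernstatescreditunion.example", "wscu-hr.example"]
# Visually confusable glyphs folded to one canonical form; folding is applied to both sides.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]  # two-letter sequences that read as one letter
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)

def fold(label: str) -> str:
    """Collapse confusable glyphs so 'credlt' and 'credit' compare equal."""
    label = label.lower()
    for seq, rep in MULTI_CHAR:
        label = label.replace(seq, rep)
    return label.translate(CONFUSABLE)

def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list handling)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(host: str, legitimate=LEGITIMATE, threshold: float = 0.85):
    """Return ('legitimate'|'lookalike'|'unrelated', matched legitimate domain or None)."""
    target = registrable(host)
    goods = [registrable(g) for g in legitimate]
    if target in goods:
        return "legitimate", target
    best = None
    for good in goods:
        if fold(good) == fold(target):  # pure glyph substitution, e.g. l for i
            return "lookalike", good
        ratio = SequenceMatcher(None, fold(target), fold(good)).ratio()
        if ratio >= threshold and (best is None or ratio > best[0]):
            best = (ratio, good)  # near match: characters added or dropped
    return ("lookalike", best[1]) if best else ("unrelated", None)

def scan_email(body: str):
    """Classify the host of every link in an email body: list of (host, verdict, match)."""
    return [(host,) + classify(host) for host in URL_HOST.findall(body)]

# Constructed sample message modelled on the vacation-request lure described in the slides.
SAMPLE_EMAIL = """Please update your login for the new HR vacation request system:
https://portal.westernstatescredltunion.example/reset
Our public site remains https://www.westernstatescreditunion.example/ as usual."""

if __name__ == "__main__":
    for host, verdict, match in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {host}  (matches: {match})")
```

The glyph folding catches substitutions such as l/i and 0/o, while the similarity ratio catches hosts that merely append or drop characters around the real name.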

Page 19

Baiting

• Real world Trojan horse

– Uses physical media.

– Relies on greed and/or the curiosity of the target/victim.

– Attacker leaves a malware-infected CD or USB thumb drive in an obvious location so that it is easily found.

– Attacker uses an intriguing or curious label to gain interest.

• Example: “Employee Salaries and Bonuses 2014”

– Curious employee uses the media and unknowingly installs malware.

Page 20

Pretexting

• Invented scenario

– Involves prior research and a setup used to establish legitimacy.

• Give information that a user would normally not divulge.

– This technique is used to impersonate and imitate authority.

• Uses prepared answers to a target’s questions.

• Other useful information is gathered for future attacks.

• Example: “VP of Facilities” visiting a branch.

Page 21

Pretexting - continued

– Impersonations that are illegal even from an inside testing perspective:

• Law enforcement

• Fire

• Military/government official

Page 22

Pretexting - continued

• Real example – Telecom provider

Page 23

Pretexting - continued

• Real example

– Pose as a major telecom provider.

– Props:

• rented white van with magnetic logo

• logo polo shirts and hats

• business cards

• work order

• ID badge

– Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled.

Page 24

Diversion Theft

• Con

– Persuade delivery person that the delivery has been requested elsewhere.

• When the delivery is redirected, attacker persuades the delivery driver to unload near a desired address.

• Example: Attacker parks a “security vehicle” in a bank parking lot. Target attempts to deposit money in the night drop or ATM but is told by the attacker that it is out of order. Target then gives money to the attacker for deposit and safekeeping.

Page 25

Dumpster diving

• Scavenging key bits of information from many documents put out in the trash.

– Literally involves getting in a dumpster during off-peak hours and looking for information.

– Janitorial crews could be involved. Are they bonded?

• Document shredders are not always the answer

– Vertical cut, cross cut, micro cut, and security cut.

Page 26

Weakest Link?

• No matter how robust an organization’s:

– Firewalls

– Intrusion detection systems

– Anti-virus/malware software

– Other technological and physical safeguards

• The human is always the weakest link when dealing with security and protecting valuable information.

• Knowledge is power.

– People sometimes want others to “know what they know” to demonstrate importance.

Page 27

How to prevent social engineering?

• Training

– User awareness

• User knows that giving out certain information is bad.

• Policies

– Employees are not allowed to divulge information.

– Prevents employees from being socially pressured or tricked.

– Policies MUST be enforced to be effective.

Page 28

How to prevent social engineering?

• Every organization must decide what information is sensitive and should not be shared.

• Password management

• Physical security

• Network defenses may only repel attacks

– Virus protection

– Email attachment scanning

– Firewalls, etc.

• Security must be tested periodically.

Page 29

How to prevent social engineering?

• Third-party testing

– Hire a third party to attempt to attack targeted areas of the organization.

– Have the third party attempt to acquire information from employees using social engineering techniques.

– Learning tool for the organization—not a punishment for employees.

Page 30

Questions?