28
© Agnel2012

Social engineering

Tags:

Embed Size (px)

DESCRIPTION

Ethical Hacking

Citation preview

Page 1: Social engineering

© Agnel2012

Page 2: Social engineering

“You could spend a fortune purchasing

technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

-Kevin Mitnick

@AgN

Page 3: Social engineering

Uses Psychological Methods Exploits human tendency to trust Goals are the Same as Hacking

@AgN

Page 4: Social engineering

Easier than technical hacking Hard to detect and track

@AgN

Page 5: Social engineering

More like actors than hackers Learn to know how people feel by observing

their actions can alter these feelings by changing what

they say and do make the victim want to give them the

information they need

@AgN

Page 6: Social engineering

Carelessness Comfort Zone Helpfulness Fear

@AgN

Page 7: Social engineering

Victim is Careless

Does not implement, use, or enforce proper countermeasures

Used for Reconnaissance Looking for what is laying around

@AgN

Page 8: Social engineering

Dumpster Diving/Trashing

Huge amount of information in the trash

Most of it does not seem to be a threat

The who, what and where of an organization

Knowledge of internal systems

Materials for greater authenticity

Intelligence Agencies have done this for years

@AgN

Page 9: Social engineering

Building/Password Theft

Requires physical access

Looking for passwords or other information left out in the open

Little more information than dumpster diving

@AgN

Page 10: Social engineering

Password Harvesting

Internet or mail-in sweepstakes

Based on the belief that people don’t change their passwords over different accounts

@AgN

Page 11: Social engineering

Victim organization members are in a comfortable environment

Lower threat perception

Usually requires the use of another approach

@AgN

Page 12: Social engineering

Impersonation Could be anyone

▪ Tech Support

▪ Co-Worker

▪ Boss

▪ CEO

▪ User

▪ Maintenance Staff

Generally Two Goals▪ Asking for a password

▪ Building access - Careless Approach

@AgN

Page 13: Social engineering

Shoulder Surfing Direct Theft Outside workplace

Wallet, id badge, or purse stolen Smoking Zone Attacker will sit out in the smoking area

Piggy back into the office when users go back to work

@AgN

Page 14: Social engineering

Insider Threats

Legitimate employee

Could sell or use data found by “accident”

Result of poor access control

Asking for favors from IT staff for information

▪ Usually spread out over a long period of time

@AgN

Page 15: Social engineering

People generally try to help even if they do not know who they are helping

Usually involves being in a position of obvious need

Attacker generally does not even ask for the help they receive

@AgN

Page 16: Social engineering

Piggybacking Attacker will trail an employee entering the

building

More Effective:▪ Carry something large so they hold the door open for

you

▪ Go in when a large group of employees are going in

Pretend to be unable to find door key

@AgN

Page 17: Social engineering

Troubled user

Calling organization numbers asking for help

Getting a username and asking to have a password reset

@AgN

Page 18: Social engineering

Usually draws from the other approaches Puts the user in a state of fear and anxiety Very aggressive

@AgN

Page 19: Social engineering

Conformity

The user is the only one who has not helped out the attacker with this request in the past

Personal responsibility is diffused

User gets justification for granting an attack.

@AgN

Page 20: Social engineering

Time Frame

Fictitious deadline

Impersonates payroll bookkeeper, proposal coordinator

Asks for password change

@AgN

Page 21: Social engineering

Importance

Classic boss or director needs routine password reset

Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc)

@AgN

Page 22: Social engineering

Offering a Service

Attacker contacts the user

Uses viruses, worms, or trojans

User could be approached at home or at work

Once infected, attacker collects needed information

@AgN

Page 23: Social engineering

Reverse Social Engineering

Attacks puts themselves in a position of authority

Users ask attacker for help and information

Attacker takes information and asks for what they need while fixing the problem for the user

@AgN

Page 24: Social engineering

User Education and Training Identifying Areas of Risk

Tactics correspond to Area

Strong, Enforced, and Tested Security Policy

@AgN

Page 25: Social engineering

Security Orientation for new employees Yearly security training for all employees Weekly newsletters, videos, brochures, games and

booklets detailing incidents and how they could have been prevented

Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc with security slogans (I.e. “Loose lips sink ships”).

@AgN

Page 26: Social engineering

Certain areas have certain risks What are the risks for these areas?

Help Desk, Building entrance, Office, Mail Room, Machine room/Phone Closet, Dumpsters, Intranet/Internet, Overall

@AgN

Page 27: Social engineering

Management should know the importance of protecting against social engineering attacks

Specific enough that employees should not have to make judgment calls

Include procedure for responding to an attack

@AgN

Page 28: Social engineering

Social Engineering is a very real threat Realistic prevention is hard Can be expensive Militant Vs. Helpful Helpdesk Staff Reasonable Balance

@AgN


Social Engineering Notes

Social Engineering Notes

Documents
Burnham Social Engineering

Burnham Social Engineering

Documents
Social Engineering Abuses

Social Engineering Abuses

Documents
Social Engineering Techniques

Social Engineering Techniques

Documents
Automating Social Engineering

Automating Social Engineering

Documents
Social Engineering. Survey Results What is Social Engineering? “Social engineering, in the context of information security, refers to psychological manipulation

Social Engineering. Survey Results What is Social Engineering? “Social engineering, in the context of information security, refers to psychological manipulation

Documents
social engineering toolkit

social engineering toolkit

Documents
SOCIAL ENGINEERING 1 - Dissertation Help & Writing … · SOCIAL ENGINEERING 1 Topic:Social Engineering Risk and Management in Organisations

SOCIAL ENGINEERING 1 - Dissertation Help & Writing … · SOCIAL ENGINEERING 1 Topic:Social Engineering Risk and Management in Organisations

Documents
Engineering Social Change

Engineering Social Change

Presentations & Public Speaking
Social Engineering Fundamentals

Social Engineering Fundamentals

Documents
Social Engineering Training

Social Engineering Training

Documents
Social Engineering - Bathnes

Social Engineering - Bathnes

Documents
Social engineering

Social engineering

Education
Social Engineering Training

Social Engineering Training

Documents
Presentation Social Engineering OWASP 2014 v2 · Social Engineering: Content • Content: – What is social engineering? – Types of social engineering & new age threats – How

Presentation Social Engineering OWASP 2014 v2 · Social Engineering: Content • Content: – What is social engineering? – Types of social engineering & new age threats – How

Documents
Social engineering - DC9723

Social engineering - DC9723

Technology
Social Engineering 2.0

Social Engineering 2.0

Technology
Vortrag social engineering

Vortrag social engineering

Documents
The Official Social Engineering Framework - Computer Based Social Engineering Tools_ Social Engineer Toolkit (SET

The Official Social Engineering Framework - Computer Based Social Engineering Tools_ Social Engineer Toolkit (SET

Documents
Social Engineering to Increase Social Capital

Social Engineering to Increase Social Capital

Documents