8/9/2019 hacking Module 09
1/16
NMCSP2008 Batch-I
Module IX
Social Engineering
Module Objectives
What is Social Engineering?
Common Types of Attacks
Social Engineering by Phone
Dumpster Diving
Online Social Engineering
Reverse Social Engineering
Policies and Procedures
Employee Education
Module Flow
Aspects of Social Engineering
Policies and Procedures
Reverse Social Engineering
Computer Based Social Engineering
Social Engineering Types
What is Social Engineering?
Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.
Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still wide open to attacks.
An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they don't know, or even by talking about a project with co-workers at a local pub after hours.
Art of Manipulation
Social Engineering includes acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with outsiders.
The goal of a social engineer is to trick someone into providing valuable information or access to that information.
It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people, and the fear of getting in trouble.
Human Weakness
People are usually the weakest link in the security chain.
A successful defense depends on having good policies in place and educating employees to follow the policies.
Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
Common Types of Social Engineering
Social Engineering can be broken into two types: human based and computer based.
1. Human-based Social Engineering refers to person to person interaction to retrieve the desired information.
2. Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
Human based social engineering techniques can be broadly categorized into:
Impersonation
Posing as Important User
Third-person Approach
Technical Support
In Person Dumpster Diving
Shoulder Surfing
Human based - Impersonation
Example (two example slides; the slide images were not extracted)
Computer Based Social Engineering
These can be divided into the following broad categories:
Mail/IM attachments
Pop-up Windows
Websites/Sweepstakes
Spam Mail
Reverse Social Engineering
A more advanced method of gaining illicit information is known as "reverse social engineering."
This is when the hacker creates a persona that appears to be in a position of authority, so that employees will ask him for information rather than the other way around.
The three parts of reverse social engineering attacks are sabotage, advertising, and assisting.
Security Policies - Checklist
Account Setup
Password Change Policy
Help Desk Procedures
Access Privileges Violations
Employee Identification
Privacy Policy
Paper Documents
Modems
Physical Access Restrictions
Virus Control
Summary
Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.
Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.
Human-based Social Engineering refers to person to person interaction to retrieve the desired information.
Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
A successful defense depends on having good policies in place and diligent implementation.