Good Guys vs. Bad Guys: Security Awareness & Social Engineering
Chris Blow, Director; Dustin Hutchison, Director
Agenda
• What is Social Engineering?
• The Social Engineering Cycle
• Types of Social Engineering
• Real World Examples and Countermeasures
• Q&A
What is Social Engineering?
"...the art and science of getting people to comply with your wishes."
- Harl, 'People Hacking'
What is Social Engineering?
• "Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme." -Wikipedia
• "[...] the process of deceiving people into giving away access or confidential information." -Social Engineering Framework
• "Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects of social engineering actually touch on many parts of daily life." -Social Engineering Framework
• Exploiting what you learned as a kid on Sesame Street: TRUST!
• Many consider Social Engineering to be the greatest risk to Information Security.
Is Social Engineering Really a Threat?
48% of large organizations have had more than 25 successful SE attacks, resulting in losses between $25K and $100K (Check Point study, 9/2011), and those numbers went up by 2012 (because it works)
Source: Verizon Data Breach Investigations Report 2013
Types of Social Engineers
• Hackers
• Penetration Testers
• Spies or Espionage
• Identity Thieves
• Disgruntled Employees
• Scam Artists
• Sales People (Sorry Mike, Brandy, & Chad)
• Everyday People
But what about hacking and stuff!?
• There's no patch for humans (but there is training and awareness)
• People are the largest vulnerability in any network
• The path of least resistance
• Spend hours/days/weeks trying to get into a company's network vs. making a few phone calls
Goals/Motivators of Social Engineering
Reinterpretation of the old FBI counter-intelligence term MICE:
• Money
• Ego
• Entertainment
• Cause
• Entry to Social Group
• Status
* Reference: Dr. Max Klinger -- "The Honeynet Project"
Maslow's Hierarchy of Needs
• Physiological: basic life needs (air, food, drink, shelter, etc.)
• Safety: protection, security, order, law, limits, etc.
• Belonging/Love: family, affection, love, relationships, work group, etc.
• Self-Esteem: achievement, responsibility, status, reputation
• Self-Actualization: personal growth/fulfillment
Social Engineering Cycle
Information Gathering → Developing Relationships → Exploitation → Execution
• Information examples:
  • Phone/Email lists
  • Company organizational charts
  • IP address schemas
• Open Source Intelligence (OSINT) Gathering Tools:
  • Social Engineering Toolkit (SET)
  • Maltego
  • Shodan
  • Metagoofil
  • Google Hacking Database (GHDB)
  • FOCA
  • EXIF Data Viewers
[Screenshots: Social Engineering Toolkit (SET), Maltego, Shodan]
Social Engineering Cycle: Developing Relationships
• BUILDING TRUST
• Use the information from the previous phase
• Elicitation
• Online: Spoofed emails, malicious websites, etc.
• In Person: Preloading, asking the proper types of questions (open-ended, close-ended, leading, assumptive, neutral), and other psychological methods
Social Engineering Cycle: Exploitation
• At this point, the 'trusted' party can have the target reveal information or perform actions that would not normally occur.
• Passwords
• Create accounts
• Click on a link
• Could be the end of the attack or the beginning of the next stage
Social Engineering Cycle: Execution
• The social engineer now has the information he/she needed and can put it to use
• Fraudulent charges on credit cards
• Use corporate credentials to log in to the user's email/VPN
• Grab confidential/sensitive documents
• Leave malware/command & control (C&C) software on useful systems
Types of Social Engineering
• Human-Based Methods
  • Impersonation
  • "Tech Support"
  • Calling the Help Desk
  • Third-Party Authorization
  • "Roaming the Halls"
  • Trusted Authority Figure
  • Repairman
  • Snail Mail
• Computer-Based Techniques
  • Instant Messaging
  • Pop-Up Windows
  • Email Attachments
  • Email Scams
  • Websites
Let the Fun Begin!
• The Exterminator
• The Tech Support Call
• "We're Improving Our VPN" Email
• Free USB Thumb Drive
The Exterminator
• SE has a custom embroidered work shirt made
• SE performs OSINT on the corporation
• SE creates a work order and paid invoice bearing the CFO's name
Countermeasures
• Who let this guy in?
• Who accompanied this guy around?
• Who asked this guy what he was doing?
• Why was all this stuff readily available and accessible?
The Tech Support Call
• "Hello, I'm from Microsoft and you appear to have a virus"
• "Hi, this is Chris from the Help Desk (security team, network team, etc.)"
Countermeasures
• Is this normal?
• Do your users have caller ID?
• Do you block remote control software (and explicitly allow your organization's selected tool)?
We're Improving Our VPN!
• Spear Phishing campaign
• Social Engineering Toolkit (SET)
• List of users to email
• Use a free emailing service to alter the headers so the message appears to be a legitimate email from the Help Desk
• Obfuscated link in the email leads to an SSL VPN login page cloned from the legitimate page with SET
• Users are instructed to log in to download the new software
• Credentials are harvested in real time as users log in
Countermeasures
• Do you have a specific email address or template that your organization uses (official letterhead, etc.)?
• Would your users question the validity of the message?
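As an added example (not from the presentation), a defender-side triage script for the kind of message used in this campaign: it flags a Reply-To domain that differs from the Help Desk's From domain, missing SPF/DKIM passes in the Authentication-Results header, and links whose visible text names the real VPN host while the href points elsewhere. Both sample messages and the organization domain example.com are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the organization's own mail/VPN domain
# Constructed sample: a "Help Desk" message steering users to a look-alike VPN page.
SPOOFED = """\
From: Help Desk <helpdesk@example.com>
Reply-To: helpdesk@example-vpn-upgrade.net
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-vpn-upgrade.net; dkim=none
Content-Type: text/html

Please login to download the new client:
<a href="https://vpn.example-vpn-upgrade.net/login">https://vpn.example.com</a>
"""

# Constructed sample: the same announcement from the real Help Desk, passing SPF and DKIM.
LEGIT = """\
From: Help Desk <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/html

<a href="https://vpn.example.com/">https://vpn.example.com/</a>
"""

def domain_of(addr):
    # Domain part of an RFC 5322 address, lower-cased ('' if absent)
    return parseaddr(addr)[1].rpartition("@")[2].lower()
def triage(raw):
    # Return the reasons a message looks like a spoofed Help Desk email (empty list if clean)
    msg = message_from_string(raw)
    findings = []
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the sending domain")
    if "dkim=pass" not in auth:
        findings.append("no valid DKIM signature")
    # Obfuscated links: visible text names one host while href goes elsewhere or outside the org
    for href, text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.S | re.I):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and href_host != ORG_DOMAIN and not href_host.endswith("." + ORG_DOMAIN):
            findings.append(f"link leads to external host {href_host}")
    return findings
```

Running triage(SPOOFED) yields five findings, while triage(LEGIT) yields none; in practice the Authentication-Results header should come from your own gateway, since a sender can forge one.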
The Free USB Thumb Drive
• No physical access to the building is needed: drives can be left in parking lots, in cars, etc.
• Autorun is a good friend of the Social Engineer
• January 2013: two US power plants were infected (the SCADA systems did not have anti-virus)
Countermeasures
• Tools exist to allow specific devices and deny all others
• Disable autorun (or USB if possible)
• Would your users plug in a non-standard device?
• Is your AV up to date?
Wrap-Up
• Social Engineering attacks are on the rise
• Physical access often defeats any other safeguard you have implemented
• People are not comfortable confronting strangers: make it part of your culture, and make sure your first line of defense (receptionists, initial access points) is strong
• Layer your physical access controls (clean desk policy, locked data center / network closets, locked workstations)
• Educate your employees on how IT will engage them: phone calls, emails
• Educate your employees about devices (complement this with technical controls)
Questions?