Social Engineering – Posing Challenges To The Thinking Security Professional
Paul Devassy, CPP, Chairman ASIS Mumbai – India Chapter
December 12, 2013
Points to be covered
1. What does Social Engineering mean?
2. Practitioners through the ages
3. What are “Social engineers” looking for?
4. Human frailties
5. Who is at risk?
6. Cycle and Types of attack
7. What can we do?
8. Protection for us?
Disclaimer
All views expressed in this lecture are personal and are gathered from experiential information.
Examples quoted are just a means to emphasize a point and are in no way being judgemental of the person, actions or even events.
Definition of Social engineering
Merriam Webster's dictionary: “Management of human beings in accordance with their place and function in society; applied social science”
• "People inherently want to be helpful and therefore are easily duped"
• "They assume a level of trust in order to avoid conflict"
• "It's all about gaining access to information that people think is innocuous when it isn't"
Practitioners through the ages
What are they looking for?
Exploitation of Human frailties
Lack of training and awareness
Who is at risk?
Do the social engineers only target these types of people?
Or is everybody a potential target?
Cycle of an attack
Types of attacks
So what do we do?
Protection for us?
Protection 1
Protection 2
Training and awareness at all levels is a must
Questions?
Resources / Bibliography
• Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics." December 18, 2001. URL: http://www.securityfocus.com/infocus/1527
• searchSecurity.com Definitions, whatis.com, 2004. URL: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html
• "Types of Social Engineering." NDPN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013. <http://www.npdn.org/social_engineering_types>
• Mitnick, Kevin and Simon, William L. The Art of Deception. Wiley Publishing, 2002.
• Information Security Policy and Disaster Recovery Associates, UK. URL: http://www.yourwindow.to/information-security/gl_dataclassification.htm
• Wilson, Sam. "Combating the Lazy User: An Examination of Various Password Policies and Guidelines." Sept. 16, 2002. URL: http://www.sans.org/rr/papers/6/142.pdf
• Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013. <http://community.spiceworks.com/how_to/show/666-best-practices-to-prevent-social-engineering-attacks>
• Information, Network & Managed IT Security Services. "Social Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013. <http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/>
• Mandia, Kevin & Prosise, Chris. Incident Response. McGraw-Hill, 2001.
• Background Check International, LLC. URL: http://www.bcint.com/services.html
• Harley, David. "Refloating the Titanic: Dealing with Social Engineering Attacks."
Thank you!