Masoud Khademi Amirkabir University of Technology - Tehran Polytechnic

Social engineering for security attacks


Page 1: Social engineering for security attacks

Masoud Khademi, Amirkabir University of Technology - Tehran Polytechnic

Page 2: Social engineering for security attacks

Human-based techniques: impersonation

Computer-based techniques: malware and scams

Page 3: Social engineering for security attacks

Manipulates legitimate users into undermining their own security system

Abuses trusted relationships between employees

Very cheap for the attacker

Attacker does not need specialized equipment or skills

Page 4: Social engineering for security attacks

Impersonation (human-based techniques): Help Desk, Third-party Authorization, Tech Support, Roaming the Halls, Repairman, Trusted Authority Figure, Snail Mail

Page 5: Social engineering for security attacks

Computer-based techniques: Pop-up windows, Instant Messaging and IRC, Email attachments, Email scams, Chain letters and hoaxes, Websites

Page 6: Social engineering for security attacks

Hacker pretends to be an employee

Recovers a "forgotten" password

Help desks often do not require adequate authentication

Page 7: Social engineering for security attacks

Targeted attack on someone who has information, access to assets, or verification codes

Claim that a third party has authorized the target to divulge sensitive information

More effective if the third party is out of town

Page 8: Social engineering for security attacks

Hacker pretends to be tech support for the company

Obtains user credentials for troubleshooting purposes.

Users must be trained to guard credentials.

Page 9: Social engineering for security attacks

Hacker dresses to blend in with the environment: company uniform, business attire

Looks for sensitive information that has been left unattended: passwords written down, important papers, confidential conversations

Page 10: Social engineering for security attacks

Hacker wears the appropriate uniform

Often allowed into sensitive environments

May plant surveillance equipment

Could find sensitive information

Page 11: Social engineering for security attacks

Hacker pretends to be someone in charge of a company or department

Similar to “third-party authorization” attack

Examples of authority figures: medical personnel, home inspector, school superintendent

Impersonation in person or via telephone

Page 12: Social engineering for security attacks

Hacker sends mail that asks for personal information

People are more trusting of printed words than webpages

Examples: fake sweepstakes, free offers, rewards programs

More effective on older generations

Page 13: Social engineering for security attacks

Window prompts user for login credentials

Imitates the secure network login

Users can check for visual indicators to verify security

Page 14: Social engineering for security attacks

Hacker uses IM, IRC to imitate technical support desk

Redirects users to malicious sites

Trojan horse downloads install surveillance programs.

Page 15: Social engineering for security attacks

Hacker tricks user into downloading malicious software

Programs can be hidden in downloads that appear legitimate

Examples: executable macros embedded in PDF files; camouflaged extension: "NormalFile.doc" vs. "NormalFile.doc.exe"

Often the final extension is hidden by the email client.
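The camouflaged-extension trick works because the user sees "NormalFile.doc" while the system runs ".exe". The check below is an added example (not part of the original slides) of the attachment-name screening a mail gateway or awareness tool can apply: it reports the name as the client would display it with the final extension hidden, then flags a decoy document extension followed by an executable one. It goes slightly beyond the slide by also flagging whitespace padding used to push the real extension out of view. The extension lists are constructed assumptions and should be tuned to local policy.

```python
import re
from dataclasses import dataclass

# Constructed lists for this example; adjust to the receiving environment.
# Extensions that execute directly when double-clicked on a typical desktop.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi"}
# Extensions a user expects to see on a harmless file (the "decoy").
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return every dot-separated suffix, lower-cased and whitespace-trimmed.

    "NormalFile.doc.exe" -> ["doc", "exe"]; a bare name yields [].
    """
    parts = filename.strip().split(".")
    return [p.strip().lower() for p in parts[1:]]


def as_displayed(filename: str) -> str:
    """Simulate a mail client that hides the final extension (the slide's point)."""
    name = filename.strip()
    return name.rsplit(".", 1)[0] if "." in name else name


def check_attachment_name(filename: str) -> Verdict:
    """Flag attachment names whose real (final) extension is executable."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    final = exts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, False, f"final extension .{final} is not executable")
    # Decoy: what the user sees ("Invoice.pdf") is not what runs (".scr").
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return Verdict(filename, True, f"decoy .{exts[-2]} followed by executable .{final}")
    # Padding: runs of spaces push the real extension beyond the visible column.
    if re.search(r"\s{2,}", filename.strip()):
        return Verdict(filename, True, f"whitespace padding hides executable .{final}")
    return Verdict(filename, True, f"executable attachment .{final}")


if __name__ == "__main__":
    for name in ("NormalFile.doc", "NormalFile.doc.exe", "Invoice.PDF.scr", "Report    .exe"):
        v = check_attachment_name(name)
        print(f"{name!r:22} shown as {as_displayed(name)!r:18} suspicious={v.suspicious} ({v.reason})")
```

Running the block shows the mismatch directly: "NormalFile.doc.exe" is displayed as "NormalFile.doc" yet is flagged as a decoy followed by an executable, while the genuine "NormalFile.doc" passes.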

Page 16: Social engineering for security attacks

More prevalent over time

Begins by requesting basic information

Leads to financial scams

Page 17: Social engineering for security attacks

More of a nuisance than a threat

Spread using social engineering techniques

Productivity and resource cost

Page 18: Social engineering for security attacks

Offer prizes but require a created login

Hacker capitalizes on users reusing login credentials

Website credentials can then be used for illegitimate access to assets

Page 19: Social engineering for security attacks

Never disclose passwords

Limit IT information disclosed

Limit information in auto-reply emails

Escort guests in sensitive areas

Question people you don't know

Talk to employees about security

Centralize reporting of suspicious behavior

Page 20: Social engineering for security attacks

Remind employees to keep passwords secret

Don't make exceptions: it's not a grey area!

Page 21: Social engineering for security attacks

Only IT staff should discuss details about the system configuration with others

Don't answer survey calls

Check that vendor calls are legitimate

Page 22: Social engineering for security attacks

Keep details in out-of-office messages to a minimum

Don’t give out contact information for someone else.

Route requests to a receptionist

Page 23: Social engineering for security attacks

Guard all areas with network access: empty offices, waiting rooms, conference rooms

This protects against the "Repairman" and "Trusted Authority Figure" attacks

Page 24: Social engineering for security attacks

All employees should have appropriate badges

Talk to people who you don’t recognize

Introduce yourself and ask why they are there

Page 25: Social engineering for security attacks

Regularly talk to employees about common social engineering techniques

Always be on guard against attacks

Everyone should watch what they say and do.

Page 26: Social engineering for security attacks

Designate an individual or group

Social engineers use many points of contact: survey calls, presentations, help desk calls

Recognizing a pattern can prevent an attack
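A central reporting point only prevents an attack if someone actually connects the reports. The following is an added example (not from the slides) of the simplest useful correlation: group reports by caller and pretext, and alert when the same pair reaches several different departments within a short window, which is exactly the multi-point-of-contact pattern the slide describes. The report records and their field names are constructed for this example; a real deployment would read them from a ticket system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports as employees might file them with the designated
# group. Field names (time, channel, department, pretext, caller) are assumptions.
REPORTS = [
    {"time": "2013-03-26T09:05", "channel": "phone", "department": "finance",
     "pretext": "vendor audit", "caller": "+1-555-0100"},
    {"time": "2013-03-26T09:40", "channel": "phone", "department": "hr",
     "pretext": "vendor audit", "caller": "+1-555-0100"},
    {"time": "2013-03-26T10:15", "channel": "helpdesk", "department": "engineering",
     "pretext": "vendor audit", "caller": "+1-555-0100"},
    # Unrelated single report; should not alert on its own.
    {"time": "2013-03-26T14:00", "channel": "phone", "department": "sales",
     "pretext": "survey", "caller": "+1-555-0199"},
]


def correlate(reports, window=timedelta(hours=4), threshold=3):
    """Return one alert per (caller, pretext) that touched >= threshold
    distinct departments inside any sliding window of the given length."""
    groups = defaultdict(list)
    for r in reports:
        groups[(r["caller"], r["pretext"])].append(r)

    alerts = []
    for (caller, pretext), rs in groups.items():
        rs.sort(key=lambda r: r["time"])
        times = [datetime.fromisoformat(r["time"]) for r in rs]
        start = 0
        for end in range(len(rs)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            in_window = rs[start:end + 1]
            departments = {r["department"] for r in in_window}
            if len(departments) >= threshold:
                alerts.append({
                    "caller": caller,
                    "pretext": pretext,
                    "departments": sorted(departments),
                    "channels": sorted({r["channel"] for r in in_window}),
                    "first_seen": in_window[0]["time"],
                    "last_seen": in_window[-1]["time"],
                })
                break  # one alert per group is enough to trigger follow-up
    return alerts


if __name__ == "__main__":
    for alert in correlate(REPORTS):
        print(f"ALERT: {alert['caller']!r} using pretext {alert['pretext']!r} "
              f"contacted {', '.join(alert['departments'])} via {', '.join(alert['channels'])} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

On the constructed data the three "vendor audit" calls from one number produce a single alert covering finance, HR and engineering across phone and help desk channels, while the lone survey call stays below the threshold. Each report in isolation looked like an ordinary vendor enquiry; only the central view exposes the campaign.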
