Page 1: Good Guys vs. Bad Guys: Security Awareness & Social Engineering

Chris Blow, Director
Dustin Hutchison, Director

Page 2: Agenda

•  What is Social Engineering?

•  The Social Engineering Cycle

•  Types of Social Engineering

•  Real World Examples and Countermeasures

•  Q&A

Page 3: What is Social Engineering?

"...the art and science of getting people to comply with your wishes."

- Harl, 'People Hacking'

Page 4: What is Social Engineering?

•  "Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme." -Wikipedia

•  "[...] the process of deceiving people into giving away access or confidential information." -Social Engineering Framework

•  "Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects of social engineering actually touch on many parts of daily life." -Social Engineering Framework

•  Exploiting what you learned as a kid on Sesame Street: TRUST!

•  Many consider Social Engineering to be the greatest risk to Information Security.

Page 5: Is Social Engineering Really a Threat?

48% of large organizations have had more than 25 successful social engineering attacks, with losses between $25K and $100K (Check Point study, September 2011), and those numbers went up again in 2012 (because it works)

Source: Verizon Data Breach Investigations Report 2013

Page 6: Types of Social Engineers

•  Hackers

•  Penetration Testers

•  Spies or Espionage

•  Identity Thieves

•  Disgruntled Employees

•  Scam Artists

•  Sales People (Sorry Mike, Brandy, & Chad)

•  Everyday People

Page 7: But what about hacking and stuff!?

•  There's no patch for humans (but there is training and awareness)

•  People are the largest vulnerability in any network

•  The path of least resistance

•  Spend hours/days/weeks trying to get into a company's network vs. making a few phone calls

Page 8: Goals/Motivators of Social Engineering

Reinterpretation of the old FBI counter-intelligence term MICE (Money, Ideology, Coercion/Compromise, Ego) as MEECES:

•  Money

•  Ego

•  Entertainment

•  Cause

•  Entry to Social Group

•  Status

Reference: Dr. Max Kilger, "The Honeynet Project"

Page 9: Maslow's Hierarchy of Needs

From the top of the pyramid to its base:

•  Self-Actualization: personal growth/fulfillment

•  Self-Esteem: achievement, responsibility, status, reputation

•  Belonging/Love: family, affection, love, relationships, work group, etc.

•  Safety: protection, security, order, law, limits, etc.

•  Physiological: basic life needs: air, food, drink, shelter, etc.

Page 10: Social Engineering Cycle

Information Gathering -> Developing Relationships -> Exploitation -> Execution

Page 11: Social Engineering Cycle: Information Gathering

•  Information examples:
   •  Phone/Email lists
   •  Company organizational charts
   •  IP address schemas

•  Open Source Intelligence (OSINT) Gathering Tools:
   •  Social Engineering Toolkit (SET)
   •  Maltego
   •  Shodan
   •  Metagoofil
   •  Google Hacking Database (GHDB)
   •  FOCA
   •  EXIF Data Viewers
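What Metagoofil, FOCA and the EXIF viewers listed above actually harvest is document metadata: author fields give user names (and the naming convention behind them), Creator/Producer fields give the desktop software and versions in use. The following is an added example, not the presenters' code or any of those tools, that pulls those fields out of PDF Info dictionaries and aggregates them the way an attacker would. The two PDFs are constructed inline for the demo; the names, products and dates in them are placeholders.

```python
import re

# Constructed sample documents: minimal PDFs whose Info dictionaries carry the
# kind of metadata Metagoofil and FOCA harvest from files an organization
# publishes. Neither is a real file from any organization.
BUDGET_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Budget) /Author (jsmith) /Creator (Microsoft Word 2010)
/Producer (Acrobat Distiller 9.0) /CreationDate (D:20130412091500) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

PRESS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Press Release) /Author (mjones) /Creator (LibreOffice 3.6)
/Producer (LibreOffice 3.6) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")


def pdf_info(data: bytes) -> dict:
    """Extract literal-string entries (/Key (value)) from a PDF's Info dictionary.

    Only parenthesised literal strings are handled; hex strings (<...>) and
    UTF-16 values are skipped, which is enough for the sample documents here.
    """
    found = {}
    for key in INFO_KEYS:
        # value runs up to the first ')' that is not escaped with a backslash
        pattern = rb"/" + key.encode() + rb"\s*\((.*?)(?<!\\)\)"
        m = re.search(pattern, data, re.S)
        if m:
            found[key] = m.group(1).decode("latin-1")
    return found


def osint_findings(docs: dict) -> dict:
    """Aggregate what an attacker learns across documents.

    docs maps a file name to the metadata returned by pdf_info(). Author
    fields yield user names (and the naming convention behind them); Creator
    and Producer yield the software, with versions, in use on the desktops.
    """
    users, software = set(), set()
    for meta in docs.values():
        if meta.get("Author"):
            users.add(meta["Author"])
        for key in ("Creator", "Producer"):
            if meta.get(key):
                software.add(meta[key])
    return {"usernames": sorted(users), "software": sorted(software)}


if __name__ == "__main__":
    docs = {"budget.pdf": pdf_info(BUDGET_PDF), "press.pdf": pdf_info(PRESS_PDF)}
    print(osint_findings(docs))
```

Two documents are enough to see the naming convention (first initial plus surname) that turns a harvested author into a guessable login, which is why stripping metadata from anything published, and checking what is already indexed, belongs with the countermeasures later in the deck.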

Pages 12-14: Social Engineering Toolkit (SET), Maltego, Shodan (one slide per tool)

Page 15: Social Engineering Cycle: Developing Relationships

•  Building trust

•  Use the information from the previous phase

•  Elicitation

•  Online: Spoofed emails, malicious websites, etc.

•  In Person: Preloading, asking the proper types of questions (open-ended, close-ended, leading, assumptive, neutral), and other psychological methods


Page 16: Social Engineering Cycle: Exploitation

•  At this point, the 'trusted' party can have the target reveal information or perform actions that would not normally occur:

•  Passwords

•  Create accounts

•  Click on a link

•  Could be the end of the attack or the beginning of the next stage


Page 17: Social Engineering Cycle: Execution

•  The social engineer now has the information he/she needed and can use it:

•  Fraudulent charges on credit cards

•  Use corporate credentials to log in to the user's email/VPN

•  Grab confidential/sensitive documents

•  Leave malware/command & control (C&C) software on useful systems


Page 18: Types of Social Engineering

•  Human-Based Methods
   •  Impersonation
   •  "Tech Support"
   •  Calling the Help Desk
   •  Third-Party Authorization
   •  "Roaming the Halls"
   •  Trusted Authority Figure
   •  Repairman
   •  Snail Mail

•  Computer-Based Techniques
   •  Instant Messaging
   •  Pop-Up Windows
   •  Email Attachments
   •  Email Scams
   •  Websites

Page 19: Let the Fun Begin!

•  The Exterminator

•  The Tech Support Call

•  "We're Improving Our VPN" Email

•  Free USB Thumb Drive

Page 20: The Exterminator

•  The social engineer (SE) has a custom work shirt with embroidery made

•  The SE performs OSINT on the corporation

•  The SE creates a work order and a paid invoice bearing the CFO's name

Pages 21-22: The Exterminator (continued)

Page 23: Countermeasures

•  Who let this guy in?

•  Who accompanied this guy around?

•  Who asked this guy what he was doing?

•  Why was all this stuff readily available and accessible?

Page 24: The Tech Support Call

•  "Hello, I'm from Microsoft and you appear to have a virus"

•  "Hi, this is Chris from the Help Desk (security team, network team, etc.)"

Page 25: Countermeasures

•  Is this normal?

•  Do your users have caller ID (and do they know that caller ID can be spoofed)?

•  Do you block remote control software (and explicitly allow your organization's selected tool)?

Page 26: We're Improving Our VPN!

•  Spear phishing campaign

•  Social Engineering Toolkit (SET)

•  List of users to email

•  Use a free emailing service to set the headers so the message appears to be a legitimate email from the Help Desk

•  Obfuscated link in the email leads to a copy of the SSL VPN login page, cloned from the legitimate page with SET

•  Users are instructed to log in to download the new software

•  Credentials are harvested in real time as users log in

Pages 27-28: We're Improving Our VPN! (continued)

Page 29: Countermeasures

•  Do you have a specific email address or template that your organization uses (official letterhead, etc.)?

•  Would your users question the validity of the message?
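The lure on Page 26 works because the visible From header is dressed up to look like the Help Desk. The checks below are an added example (mine, not the presenters' material and not SET's) of what a mail gateway or an analyst can verify that the user cannot see: the envelope sender, the Reply-To, and the SPF/DKIM results stamped by the organization's own inbound MX. It assumes the organization's domain is example.com and that helpdesk@example.com is the one address IT mails from; both are placeholders, as are the two constructed messages.

```python
import email
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                   # assumed: the organization's own domain
HELPDESK_SENDERS = {"helpdesk@example.com"}  # assumed: the only address IT mails from

# Constructed sample messages (not real mail). PHISH is the "We're improving our
# VPN" lure: the From header is dressed up as the Help Desk, but the envelope
# sender, the Reply-To and the authentication result all point elsewhere.
PHISH = """\
Return-Path: <bounce@mailer-free.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-free.example.net; dkim=none
From: "Example Help Desk" <helpdesk@example.com>
Reply-To: helpdesk-support@mailer-free.example.net
To: jsmith@example.com
Subject: We're improving our VPN - action required

Please log in at http://vpn-upgrade.example.net/ to download the new client.
"""

# LEGIT is a genuine notice from IT, sent through the organization's own mail system.
LEGIT = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Example Help Desk" <helpdesk@example.com>
To: jsmith@example.com
Subject: Scheduled VPN maintenance Saturday

The VPN will be unavailable 02:00-04:00. No action is required from you.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def header_findings(raw: str) -> list:
    """Return the reasons a message claiming to come from inside is suspect.

    Assumes Authentication-Results was stamped by our own inbound MX (and that
    the MX strips any copy of that header arriving from outside); otherwise an
    attacker can simply write "spf=pass" into the message themselves.
    """
    msg = email.message_from_string(raw)
    findings = []
    from_hdr = msg.get("From", "")
    from_dom = domain_of(from_hdr)
    sender = parseaddr(from_hdr)[1].lower()

    # 1. Envelope sender (Return-Path) from a different domain than the From header.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if from_dom == ORG_DOMAIN and rp_dom and rp_dom != ORG_DOMAIN:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 2. Replies are silently redirected to an outside mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_dom}")

    # 3./4. A message claiming our domain should pass SPF and carry a DKIM pass.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == ORG_DOMAIN:
        if "spf=pass" not in auth:
            findings.append("SPF did not pass for a message claiming our domain")
        if "dkim=pass" not in auth:
            findings.append("No DKIM pass for a message claiming our domain")

    # 5. "Help Desk" in the display name, but not sent from the one address IT uses.
    if "help desk" in from_hdr.lower() and sender not in HELPDESK_SENDERS:
        findings.append(f"Claims to be the Help Desk but {sender} is not the official address")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, header_findings(raw) or ["no findings"])
```

The point of the exercise is the one on the slide: if IT always mails from one known address, over one signed path, then a message that merely looks like IT fails on headers the attacker does not control, and users can be taught the simpler rule of never logging in through a link in email at all.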

Page 30: The Free USB Thumb Drive

•  No physical access to the building is needed: drives can be left in parking lots, in cars, etc.

•  Autorun is a good friend of the social engineer

•  January 2013: two US power plants were reported infected via USB drives (the SCADA systems did not have anti-virus)

Page 31: Countermeasures

•  Device control tools exist that allow only specific devices and deny everything else

•  Disable autorun (or USB mass storage, if possible)

•  Would your users plug in a non-standard device?

•  Is your AV up to date?
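The first countermeasure above, allow specific devices and deny the rest, is a policy most device-control products express as a vendor/product/serial allowlist. As an added example (not the presenters' material and not any particular product), the block below reassembles USB insertion records from kernel log lines and applies such an allowlist, deny by default. The allowlist entry and the log lines are constructed for the demo; the vendor and product IDs are placeholders, not real devices.

```python
import re

# Assumed allowlist of corporate-issued drives, keyed on USB vendor ID, product ID
# and serial number. Placeholder values; a real deployment pulls this from inventory.
ALLOWED_DEVICES = {
    ("1234", "5678", "CORP00017"),   # constructed entry for an issued drive
}

# Constructed kernel log lines in the shape Linux logs on USB insertion; not
# captured from a real system. Port 1-1 is the issued drive, port 1-2 is a
# stranger's "free" drive.
SAMPLE_LOG = """\
Mar 12 09:14:02 ws17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 12 09:14:02 ws17 kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Mar 12 09:14:02 ws17 kernel: usb 1-1: Product: Corp Secure Drive
Mar 12 09:14:02 ws17 kernel: usb 1-1: SerialNumber: CORP00017
Mar 12 11:41:55 ws17 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar 12 11:41:55 ws17 kernel: usb 1-2: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
Mar 12 11:41:55 ws17 kernel: usb 1-2: Product: USB DISK 2.0
Mar 12 11:41:55 ws17 kernel: usb 1-2: SerialNumber: 0123456789
"""

FOUND_RE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<product>.+)$")
SERIAL_RE = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")


def parse_insertions(log: str) -> list:
    """Reassemble one record per inserted device from the multi-line kernel output."""
    pending, devices = {}, []
    for line in log.splitlines():
        m = FOUND_RE.search(line)
        if m:
            pending[m["port"]] = {"port": m["port"], "vid": m["vid"], "pid": m["pid"],
                                  "product": None, "serial": None}
            continue
        m = PRODUCT_RE.search(line)
        if m and m["port"] in pending:
            pending[m["port"]]["product"] = m["product"]
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in pending:
            dev = pending.pop(m["port"])
            dev["serial"] = m["serial"]
            devices.append(dev)
    # Devices that never reported a serial are still insertions; with serial None
    # they can never match the allowlist, so they fall through to deny.
    devices.extend(pending.values())
    return devices


def evaluate(devices: list, allowed=ALLOWED_DEVICES) -> list:
    """Deny by default: only an exact (vid, pid, serial) match is allowed."""
    verdicts = []
    for dev in devices:
        key = (dev["vid"], dev["pid"], dev["serial"])
        verdicts.append((dev["port"], "allow" if key in allowed else "deny", dev["product"]))
    return verdicts


if __name__ == "__main__":
    for port, verdict, product in evaluate(parse_insertions(SAMPLE_LOG)):
        print(f"{port}: {verdict} ({product})")
```

Matching on the serial number matters because vendor and product IDs are shared by every unit of a model and trivially cloned; a reprogrammed controller can still present a chosen serial, which is why this complements, rather than replaces, the other bullets on the slide (autorun off, current AV, and users who do not plug in what they find).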

Page 32: Wrap-Up

•  Social engineering attacks are on the rise

•  Physical access often defeats any other safeguard you have implemented

•  People are not comfortable confronting strangers: make it part of your culture, and make sure your first line of defense (receptionists, initial access) is strong

•  Layer your physical access controls (clean desk policy, locked data center / network closets, locked workstations)

•  Educate your employees on how IT will engage them (phone calls, emails)

•  Educate your employees about devices (complement this with technical controls)

Page 33: Questions?