Preventing Social Engineering Attacks: The Critical Elements
Can I Have All Your Passwords Today?
Presenter: Nipun Jaswal


About Me
Director of Cyber Security, Lucrypt Limited
Chair Member, National Cyber Defense and Research Center
7 Years of Infosec Experience
Worked with Several Elite LEAs in the World
Author of Mastering Metasploit
15+ Security Hall of Fames
Expertise:
- Exploit Research
- VAPT
- OSINT and Social Engineering
- Surveillance Products and Monitoring
- Malware and Trojan Development
- Physical Security Assessment Products

Introduction to Social Engineering
Any act where you try to manipulate a person to accomplish a goal, and that goal may or may not be in the target's interests, e.g. disclosure of information.
Social engineering often goes hand-in-hand with OSINT reconnaissance.

Why Is Social Engineering on a High?
- Easiest of the ways in
- Beneficial in closed networks
- Reverse connections are less likely to be filtered
- Accessing the workplace is far easier than accessing an unknown network
- Vulnerabilities get patched, but backdoors don't (unless found)

Diagram labels: Target Organization, Server, Firewall

6 Laws Threatening Human Elements of Security

Reciprocity

I Must Help Those Who Helped Me
Real World Scenario: Having to give away an email address and personal details for a free webcast or white paper

Exploitation Example: A scam which offers a refund for poor tech support, but requires your bank information to deposit the money

Consistency

I am Consistent, Everywhere! Past, Present and Future
Real World Scenario: Installers and adware use this to attack users
Exploitation Example: Installation of browser plugins along with any free tool, because people generally press Next without even reading the screen. File binders are one common example.

Social Proof

When I am Unsure, I will act like Others, who I may or may not know
Real World Scenario: An attacker might show receipts and documents from other people who complied with their request
Exploitation Example: "We have been selected as #1 Infrastructure Company by ABC", "Trusted by XYZ, ABC"

Liking

I Will Follow What I Like
Real World Scenario: People accept offers from those things, places or persons which they like

Exploitation Example: In the case of tailgating, women intruders have 500% more impact than men

Authority

I will do all that Authorities tell me to do
Real World Scenario: People generally revert to their bosses no matter what, even if it's 3 am in the morning
Exploitation Example: A mail from someone in higher authority with configuration files for the new server deployment is 80 times more likely to get opened than any other mail
Example: Forbes Hack

Scarcity

I will buy the last piece before someone else does
Real World Scenario: Bank account seizure emails generally contain a deadline in order to retain the holder's account
Exploitation Example: Banking frauds that cause ATM and credit card PIN change requests via emails

New Add-ons to SE

- Android Mobiles
- Polymorphic USB Drives
- Phison Chip (BadUSB)
- Raspberry Pi
- BeagleBones
- We still aren't counting laptops, tablets, phishy emails, etc.

Demos


SE using Android (Request for Charging)

Did anyone ever ask you to charge their mobile phone from your laptop?
An attacker can pull off an attack in which the connected system is forced to open a particular malicious link, which may contain exploits etc.
Preventions:
- Don't plug in unknown devices
- Implement a USB descriptor security policy to prevent such attacks (it can be broken as well, but will limit 80% of the attempts)

Real Websites, High Infection Rate!


SE using Polymorphic Drives


Preventions at the Technological End

- Strong USB descriptor based security
- Disable unnecessary ports
- Close all open network ends
- Monitor not only the Ethernet ends but the wireless ends as well
- Enforce a strong password policy and 2-factor auth.
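As an added example (not from the talk), here is what a "USB descriptor based security" policy of the kind recommended above and on the "Request for Charging" slide looks like in code: an allow-list keyed by vendor/product ID that also checks which interface classes the device presents, so a known storage device or phone that suddenly offers a keyboard interface (the BadUSB pattern) is blocked. The device records, VID/PID values and allow-list are constructed samples; on a real host they would come from the OS.

```python
from dataclasses import dataclass
from typing import List, Tuple

# USB interface class codes (bInterfaceClass) from the USB spec
HID = 0x03            # keyboards and mice: can inject keystrokes
MASS_STORAGE = 0x08   # thumb drives
CDC = 0x02            # network/serial adapters: can reroute traffic

@dataclass
class UsbDevice:
    vid: int
    pid: int
    interface_classes: List[int]   # one entry per interface the device exposes
    serial: str = ""

# Allow-list: (VID, PID) -> the only interface classes that device may expose.
# Constructed placeholder values, not a real inventory.
ALLOWED = {
    (0x0781, 0x5567): {MASS_STORAGE},   # hypothetical approved thumb drive
    (0x046D, 0xC31C): {HID},            # hypothetical approved keyboard
}

def evaluate(dev: UsbDevice) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'block'. Default is deny."""
    key = (dev.vid, dev.pid)
    classes = set(dev.interface_classes)
    if key in ALLOWED:
        # Approved hardware, but compare the descriptor against what we expect:
        # reflashed firmware keeps the VID/PID and adds an interface.
        extra = classes - ALLOWED[key]
        if extra:
            return "block", "approved device exposes unexpected class(es) %s" % sorted(extra)
        return "allow", "on allow-list with expected interfaces"
    if HID in classes and len(classes) > 1:
        return "block", "composite device with a HID interface (BadUSB pattern)"
    if HID in classes:
        return "block", "unknown HID device"
    if CDC in classes:
        return "block", "unknown network/serial interface"
    return "block", "device not on allow-list"

def apply_policy(devices: List[UsbDevice]) -> List[Tuple[str, str, str]]:
    """Evaluate every attached device; returns (serial, decision, reason) for logging."""
    return [(d.serial,) + evaluate(d) for d in devices]
```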

Preventions on the In person/Direct Communication End


When meeting someone unknown:
- Figure out the baseline
- See where the person becomes uncomfortable
- Watch for the soft spots
- Analyze and conclude

7 Ways to Prevent SE Attacks

NEVER provide confidential information or, for that matter, even non-confidential data and credentials via email, chat messenger, phone or in person to unknown or suspicious sources.

If you receive an email with a link to an unknown site, AVOID the instinct to click it immediately, even if it seems to have been sent from one of your contacts. Take a look at the URL to see if it looks suspicious. Often the email might seem to have arrived from one of your contacts, but if you check the email address you will see that it is not legitimate. REMEMBER: if it looks fishy, it probably is!

BEFORE clicking on links, both in emails and on websites, keep an eye out for misspellings, @ signs and suspicious sub-domains.

When clicking on links sent via email or on websites, always watch out for uninitiated or automatic downloads. It could be malware piggybacking onto your system. All such activity should be reported IMMEDIATELY to your security manager.

Website administrators should CHECK their website regularly to look for private and confidential information that could have been uploaded mistakenly.

BLOCK USB devices in order to reduce the risk of Baiting

Follow the ATE (AWARENESS, TRAINING and EDUCATION) security concept for all employees, no matter what level and what position they hold in the organization. While C-level employees are great targets, their admins can be even more powerful vectors for attack!
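The link checks from point 2 above (an '@' in the URL, misspelled look-alike domains, and a trusted name hidden in a sub-domain of some other domain), written out as an added example that is not part of the talk. The trusted domain list and the sample URLs are constructed; the registered-domain helper simply takes the last two labels, which is enough for .com-style names but is not a public-suffix list.

```python
from urllib.parse import urlsplit
from typing import List

# Domains the user actually trusts; constructed sample values.
TRUSTED = ("example.com", "examplebank.com")

def registered_domain(host: str) -> str:
    """Last two labels of the host (a simplification, not a public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str) -> List[str]:
    """Return human-readable warnings for a link; an empty list means nothing obviously wrong."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to the host after it.
        warnings.append("'@' in URL: browser goes to the part after '@', not before it")
    host = parts.hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: may imitate a trusted name with look-alike characters")
    reg = registered_domain(host)
    sub_labels = host.split(".")[:-2]          # labels in front of the registered domain
    if reg not in TRUSTED:
        for trusted in TRUSTED:
            if trusted.split(".")[0] in sub_labels:
                warnings.append("trusted name '%s' is only a sub-domain of '%s'" % (trusted, reg))
            elif 0 < edit_distance(reg, trusted) <= 2:
                warnings.append("'%s' looks like a misspelling of '%s'" % (reg, trusted))
    if parts.scheme == "http":
        warnings.append("plain http: link is not encrypted")
    return warnings
```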

Thanks!
Nipun Jaswal (@nipunjaswal)
[email protected]