Social Engineering - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Social Engineering

Description:

Social engineering is the use of influence and persuasion to ... with the person in an attempt to 'befriend' them, or at least establish a sense of familiarity. ... – PowerPoint PPT presentation

Number of Views:3711
Avg rating:3.0/5.0
Slides: 16
Provided by: cseOhi
Category:

less

Transcript and Presenter's Notes

Title: Social Engineering


1
Social Engineering
  • Presentation by
  • Brandon Betteridge
  • Michael Petersheim

2
Overview of Presentation
  • What Is Social Engineering?
  • Attack Vectors
  • Attack Tools
  • Examples of Attack Methods
  • Protecting Yourself From Attacks
  • Case Study of an Attack

3
What is Social Engineering?
  • Social engineering is the use of influence and
    persuasion to coerce people into divulging
    sensitive information.
  • Social engineering does not have to involve the
    use of technology.

4
Common Vectors of Social Engineering Attacks
  • Over the Phone
  • Via E-Mail (Phishing)
  • In Person

5
Tools of the Trade
  • Social engineers use the following techniques in
    their attacks
  • Development of credibility
  • Getting their target use emotions to make
    decisions
  • Exploiting a person's desire to help
  • Momentum of compliance
  • Getting a person to like them
  • Exploiting a person's fear (of upsetting a boss,
    etc.)
  • Use of reactance
  • Using an organization's size against them

6
Some Typical Attacks
  • The Direct Attack
  • Using Innocuous Information
  • Building Trust
  • Offering Help
  • Phishing

7
The Direct Attack
  • The most simple form of social engineering, in
    which the engineer simply asks for the
    information that they are looking for.
  • For example, to find an unlisted phone number,
    the engineer could call the phone company and act
    like a terminal repairman, saying that he needs
    to know what number should be working for the
    address.

8
Using Innocuous Information
  • In this attack, the engineer first asks for a
    piece of harmless information. Then, using that
    info, they ask another person for more important
    information. This process continues until the
    engineer gets the information that they want.
  • The engineer uses the harmless information to
    make their subsequent request appear valid.

9
Building Trust
  • In this attack, the engineer spends some time
    (days, weeks) interacting with the person in an
    attempt to befriend them, or at least establish
    a sense of familiarity. Then, when the engineer
    asks for the information, the person feels that
    they are helping a friend / coworker.

10
Offering Help
  • This attack has a few variations. The engineer
    can either intentionally cause a problem, then
    act as someone who is in charge of fixing the
    problem, or they can simply offer assistance or
    direction to someone new in the company.
  • While the engineer is offering their assistance,
    they ask for the information that they want by
    claiming that it is necessary to fix the problem
    or help out.

11
Phishing
  • This method involves the use of electronic
    communication (usually e-mail) designed to appear
    legitimate, but which attempts to gather
    sensitive information from the user.
  • Examples include
  • Asking for account validation
  • Warning the user of suspicious activity on their
    account
  • Nigerian 419 Scam

12
Protecting Your Information from Social Engineers
  • Unlike other threats to a company's information,
    social engineering cannot be combatted by
    technical means.
  • The only way to defend against social engineering
    is through training and the establishment of
    security policies

13
Protecting Your Information from Social Engineers
(cont'd)
  • Policies to establish
  • How an employee should act when an attack is
    recognized
  • Exactly what information is considered sensitive
  • How to verify / authenticate someone's identity
  • Saying No is OK
  • Never break security policies, even if asked to
    by the CEO.
  • A guarantee that nobody will be punished for
    following policy.
  • A guarantee that someone WILL be punished if they
    violate policy
  • Ensure that policies are clear, concise, and
    consistently enforced.

14
Protecting Your Information from Social Engineers
(cont'd)
  • Employee training should do the following
  • Raise awareness of social engineering
  • Demonstrate the techniques of social engineering,
    and explain how to resist them
  • Explain the damage that a successful attack could
    do to a company
  • Try to motivate employees to resist social
    engineers, by playing on their desire to not be
    tricked and made a fool of by the engineer.
  • Employees should be tested on their
    susceptibility to social engineering attacks in
    real-life scenarios (live internal security
    audits)

15
Social Engineering A Case Study
  • First call Bookkeeping Department (the victim)
  • Poses as Help Desk staff, warns of network
    problem, gives number to call in case of trouble
  • Gets port number for network connection
  • Second Call Network Ops, 2 days later
  • Posing as member of victims office, asks to have
    the given port number disabled to troubleshoot
    cabling problem
  • Third Call Bookkeeping calls attacker
  • Network connection down, asks Eddie for immediate
    help
  • Fourth Call Network Ops
  • Problem fixed re-enable port
  • Fifth Call Bookkeeping Department
  • Tells him to verify network connection
  • Asks him to download/install program online to
    prevent similar future incidents
  • Program actually Trojan Horse, giving attacker
    back door into company network
Write a Comment
User Comments (0)
About PowerShow.com