A Multi-Level Defense Against Social Engineering - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

A Multi-Level Defense Against Social Engineering

Description:

A Multi-Level Defense Against Social Engineering Allen Stone 9/14/2005 Social Engineering Social Engineering is the process of deceiving people into giving away ... – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 28
Provided by: alle1164
Category:

less

Transcript and Presenter's Notes

Title: A Multi-Level Defense Against Social Engineering


1
A Multi-Level Defense Against Social Engineering
  • Allen Stone
  • 9/14/2005

2
Social Engineering
  • Social Engineering is the process of deceiving
    people into giving away access or confidential
    information.
  • This paper explores the psychological means of
    the enemy and victims and outlines an effective
    defense against it. It is really the first paper
    to recognize all of the levels necessary for
    proper defense and suggest a defense to not only
    deter such attacks but to also identify or
    isolate the attacker.

3
Constructing an Effective Defense
  • Understand the Enemys tactics
  • Find our psychological vulnerabilities
  • Identify the various levels of defense
  • Devise defense strategies at all levels

4
The Enemy Methods
  • Develop Trust
  • Reverse Social Engineering
  • Avenues and Media
  • Avoid pigeonholing the enemy He/she will
    call/approach/email you under the pretenses of
    authority/customer/coworker/author/etc.

5
Why these attacks work
  • Psychological Triggers in all of us
  • Strong Affect
  • Overloading
  • Reciprocation
  • Deceptive Relationships
  • Diffusion of Responsibility and Moral Duty
  • Authority
  • Integrity and Consistency

6
Strong Effect
  • A heightened emotional state tends to impair
    logical thinking
  • Fear
  • Panic
  • Joy
  • Youve just won!
  • Trip to San Francisco - AoD
  • Surprise
  • Call at 430am

7
Overloading
  • Sensory Overload
  • 30 true statements with 5 untrue, suspect
    statements in between.
  • The 1-cent Cell Phone - AoD
  • Arguing from an unexpected perspective
  • We need time to process
  • How can we defend against this?

8
Reciprocation
  • If someone gives us something, whether or not we
    asked for it, we feel inclined to help them.
  • Reverse Social Engineering
  • mental shortcut Mitnick
  • Yielding points in an argument

9
Deceptive Relationships
  • Developing a relationship with the intent of
    exploiting the other person.
  • AOL attack
  • Hacker and mark are alike

10
Diffusion of Responsibility and Moral Duty
  • Diffusion of Responsibility the mark feels that
    he/she will not be held solely responsible
  • Moral Duty avoid feeling guilt
  • Save the company, Save someones job

11
Authority
  • Impersonation attacks

12
Integrity and Consistency
  • People generally follow through on their
    promises, whether or not it is wise to do so.

13
Levels of Defense
  • Foundational Level
  • Parameter Level
  • Fortress Level
  • Persistence Level
  • Gotcha Level
  • Offensive Level

14
Foundational Level
  • End users are targeted to respond to questionable
    requests
  • They should not decide what information can and
    cannot be divulged
  • Confidence
  • Metacognition and Persuasion Theory

15
Defense (Foundational)
  • General Policy
  • Explicitly state what information can be divulged
    and by whom
  • Train early and often, post policy clearly in
    public view, encourage and enforce compliance
  • Combats Authority, Diffusion of Responsibility,
    Moral Duty

16
Parameter Level And Its Defense
  • Employees need to know when to say no and that
    mgmt backs them
  • Warning signs
  • No contact info, rushing, name-dropping,
    intimidation, misspellings, odd questions,
    requesting suspect info
  • Security Awareness
  • Know what has value
  • Friends are not always friends
  • Passwords are personal
  • Uniforms are cheap

17
Fortress Level
  • Attackers Target Key Personnel
  • Help Desk Personnel
  • Customer Service
  • Business Assistants
  • Secretaries and Receptionists
  • System Administrators
  • How are they prepared?

18
Defense (Fortress)
  • Resistance training for key personnel
  • Inoculation weakened examples
  • Forewarning Not just the intent, but the
    methods
  • Reality Check Defeat their image of personal
    invulnerability. Deceive them to show how easy
    it is.

19
Persistence Level And Its Defense
  • Forgetfulness and Wrongful Prioritization of
    Policy
  • Pervasive and persistent reminders
  • Police Station example

20
Gotcha Level Defense
  • Social Engineering Land Mines (SELM) traps set
    up to expose and stop an attack
  • Active Defense Ideas
  • The Justified Know-It-All
  • Centralized Security Log
  • Call Backs by Policy
  • Key Questions
  • Three Questions Rule
  • Bogus Question
  • Please Hold by Policy

21
Offensive Level Defense
  • Incident Response
  • There needs to be a clearly written and
    well-understood policy surrounding the manner in
    which to respond to a security incident
  • If the first mark is wise to the con but does not
    alert security, it is only a matter of time
    before another mark is selected.

22
How well have we defended?
  • Strong Affect
  • Overloading
  • Reciprocation
  • Deceptive Relationships
  • Diffusion of Responsibility and Moral Duty
  • Authority
  • Integrity and Consistency

23
Other vulnerabilities
  • New employees
  • Poor administration policies

24
Policy from a Social EngineerThe Art of
Deception K. Mitnick
  • Kevin Mitnick outlines an excellent security
    policy at the end of the book with detailed
    reasoning at every level to defend against Social
    Engineering Attacks.

25
Conclusion
  • Social Engineering will always exist, and it is
    extremely difficult to defend against, but the
    success of such attacks can be decreased
    substantially with proper policy and personnel
    training

26
Questions and Comments?
27
References
  • A Multi-Level Defense Against Social
    Engineering by David Gragg, GSEC Option 1
    version 1.4b, Dec. 2002
  • The Art of Deception, Kevin Mitnick
Write a Comment
User Comments (0)
About PowerShow.com