IN THIS PRESENTATION
What is Social Engineering
Identifying Social Engineering Exploits
Counteracting Social Engineering Exploits
Evolving Social Engineering Organization Policies
INTRODUCTION
During the last 15 years, software makers have improved
their security practices.
Enterprises have deployed better security defenses.
These improvements have pushed cybercriminals to target
vulnerable humans rather than vulnerable code.
SOCIAL ENGINEERING
The art of gaining access to buildings, systems or data by
exploiting or manipulating human psychology, rather than
by breaking in or using technical hacking techniques.
For example, instead of trying to find a software vulnerability, a social
engineer might call an employee, pose as an IT support person, and try to
trick the employee into divulging a password.
ORIGINS OF SOCIAL ENGINEERING
Social engineering attacks usually originate from one of three zones:
Trusted
Internal
External
Internal threats come from employees who manipulate other employees to
gather sensitive information and gain access to IT systems. These may
include disgruntled employees, temporary employees, employees with criminal
tendencies, and ancillary workers such as housekeeping and maintenance staff.
ORIGINS OF SOCIAL ENGINEERING
Trusted threats come from other individuals who are formally
associated with your organization on a regular basis but are not on
your payroll. These can include contractors and consultants, as well
as partner organizations.
External threats come from people who are not associated with
your organization. This category can include recreational hackers,
competitors wanting to uncover confidential information, or
criminals wanting to steal something.
This document focuses on the external attacker.
HOW SOCIAL ENGINEERS WORK
Criminals will often spend weeks or months getting to know a place before
ever walking in the door or making a phone call. Their preparation might
include finding a company phone list or org chart and researching employees
on social networking sites such as LinkedIn or Facebook.
Once a social engineer is ready to strike, knowing the right thing to say,
knowing whom to ask for, and having confidence are often all it takes to gain
access to a facility or sensitive data.
SOCIAL ENGINEERING TACTICS
Tactic 1: Ten degrees of separation
The number one goal of a social engineer who works by telephone is to
convince the target that the caller is either
1) a fellow employee, or
2) a trusted outside authority (such as law enforcement or an auditor).
According to Sal Lifrieri, a 20-year veteran of the New York City Police Department,
there might be ten steps between a criminal's ultimate target and the person he or she
can start with in the organization.
"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to
know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting
information you wouldn't have volunteered a few weeks earlier."
SOCIAL ENGINEERING TACTICS
Tactic 2: Learning your corporate language
Every organization has its own acronyms and jargon. A social engineering
criminal will study that language and be able to rattle it off with the
best of them.
"It's all about surrounding cues. If I'm speaking a language you
recognize, you trust me. You are more willing to give me that
information I'm looking to get out of you if I can use the acronyms and
terms you are used to hearing."
SOCIAL ENGINEERING TACTICS
Tactic 3: Borrowing your 'hold' music
Another successful technique involves recording the "hold" music a
company uses when callers are left waiting on the phone.
"The criminal gets put on hold, records the music and then uses it to
their advantage. When he or she calls the intended victim, they talk
for a minute and then say, 'Oh, my other line is ringing, hold on,' and
put them on hold. The person being scammed hears that familiar
company music and thinks: 'Oh, he must work here at the company.
That is our music.' It is just another psychological cue."
SOCIAL ENGINEERING TACTICS
Tactic 4: Phone-number spoofing
Criminals often use caller-ID spoofing to make a different number show
up on the target's phone.
The criminal could be sitting in an apartment calling you, but the
number on the caller ID appears to come from within the company.
Unsuspecting victims are far more likely to give out private information,
such as passwords, over the phone when the caller ID seems to legitimize
the call. The deception is also hard to unpick afterwards: if you dial the
displayed number back, it rings an internal company extension, not the
attacker. The practical rule is that caller ID is data the caller controls,
so it must never be treated as authentication; hang up and call the person
back on a number taken from the directory, not from the display.
SOCIAL ENGINEERING TACTICS
Tactic 5: Using the news against you
"Whatever is going on in the headlines, the bad guys are using that
information as social engineering lures for spam, phishing and other
scams."
Marcus said Avert has seen a rise in the number of presidential
campaign-related and economic-crunch-based spam emails lately.
"The email will say, 'Your bank is being bought by this bank. Click here
to make sure you update your information before the sale closes.'"
SOCIAL ENGINEERING TACTICS
Tactic 6: Abusing faith in social networking sites
People have a lot of faith in social networking sites such as Facebook and
LinkedIn. A recent spear-phishing campaign targeted LinkedIn users, and
the attack surprised many.
The emails are usually worded like this: "The site is doing maintenance;
click here to update your information." Of course, when you click the
link, you land on the bad guys' site.
One defense is to type web addresses in manually rather than following
links in email. Keep in mind, too, that it is very rare for a site to send
out an unsolicited request for a password change or an account update.
SOCIAL ENGINEERING TACTICS
Tactic 7: Typo Squatting
On the Web, scammers also bank on the common mistakes people make when
they type. Enter a URL that is just one letter off (a dropped, doubled or
transposed character) and you can land on a completely different site that
looks just like the one you intended.
Instead of going where they wanted, users who mistype end up on a fake
site that intends to sell something, steal something, or push out malware.
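The two web-side lures above, the "click here to update your information" link of Tactic 6 and the one-letter-off host of Tactic 7, can be caught mechanically before anyone types an address. The Python script below is an added example written for this page; it is not code from the original slides or from any vendor product. The protected-domain list, the look-alike table, the sample message and the evil.example host are all constructed assumptions. It pulls every link out of an HTML message and flags four signs: visible text that names one domain while the href goes to another, a host that is a one-character neighbour of a protected brand (omission, doubled letter, transposition, homoglyph), a brand name buried as a label inside someone else's domain, and credential-update wording on the link itself. Real tooling uses a public-suffix list and a far larger variant set; the shape of the checks is the point.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand domains this hypothetical organization wants to protect (assumed list).
PROTECTED_DOMAINS = ["examplebank.com", "linkedin.com", "facebook.com"]
# Single-character look-alikes often used in typosquats (assumed, not exhaustive).
HOMOGLYPHS = {"i": "l", "l": "i", "o": "0", "m": "rn"}
LURE_WORDING = re.compile(r"update your (account|information)|verify your account")
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def registrable(host):
    """Last two labels, e.g. www.linkedin.com -> linkedin.com (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def typo_variants(domain):
    """One-letter-off neighbours of a domain: omission, doubled letter,
    transposition and homoglyph substitution in the name part."""
    name, dot, tld = domain.rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:] + dot + tld)            # omission
        variants.add(name[:i] + ch + name[i:] + dot + tld)           # doubled letter
        if i + 1 < len(name):                                        # transposition
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:] + dot + tld)
        if ch in HOMOGLYPHS:                                         # look-alike char
            variants.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:] + dot + tld)
    variants.discard(domain)
    return variants


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyze_links(html, protected=PROTECTED_DOMAINS):
    """Return [(href, [reasons])] for every link that shows a phishing sign."""
    parser = LinkExtractor()
    parser.feed(html)
    lookalikes = {v: d for d in protected for v in typo_variants(d)}
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        reg = registrable(host)
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text.lower())      # 1. text names another domain
        if shown and registrable(shown.group(0)) != reg:
            reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
        if reg in lookalikes:                             # 2. one-letter-off host
            reasons.append(f"{reg} is a typosquat of {lookalikes[reg]}")
        for domain in protected:                          # 3. brand inside another domain
            brand = domain.split(".")[0]
            if brand in host and reg != domain:
                reasons.append(f"'{brand}' appears in {host} but the domain is {reg}")
        if LURE_WORDING.search(text.lower()):             # 4. credential-update lure
            reasons.append("credential-update lure wording")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message in the style of Tactics 5 and 6 (not a real email).
SAMPLE_EMAIL = """
<p>Your bank is being bought by Example Bank. Click
<a href="http://examplebank-secure.evil.example/login">https://www.examplebank.com/login</a>
to make sure you update your information before the sale closes.</p>
<p>LinkedIn is doing maintenance:
<a href="http://www.linkedln.com/verify">update your information</a></p>
<p>Manage preferences: <a href="https://www.examplebank.com/prefs">click here</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run as-is it reports the first two links and stays silent on the genuine examplebank.com link. The same typo_variants() output is what a defender would feed into a domain-registration or DNS watch list for the brands they own.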
IDENTIFY SOCIAL ENGINEERING EXPLOITS
On the phone:
A social engineer might call and pretend to be a fellow employee or a
trusted outside authority (such as law enforcement or an auditor).
In the office:
"Can you hold the door for me? I don't have my key/access card on me."
How often have you heard that in your building? While the person asking
may not seem suspicious, this is a very common tactic used by social
engineers.
IDENTIFY SOCIAL ENGINEERING EXPLOITS
Online:
Social networking sites have opened a whole new door for social
engineering scams. A common scam is to pose as a Facebook "friend."
Criminals are stealing passwords, hacking accounts and posing as friends
for financial gain.
One popular tactic involved scammers hacking into Facebook accounts and
messaging the victim's friends, claiming to be stuck in a foreign city and
in need of money.
Social engineers also take advantage of current events and holidays to
lure victims.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS
Awareness is the number one defensive measure.
Employees should be aware that social engineering exists
and also aware of the tactics most commonly used.
Fortunately, social engineering awareness lends itself to
storytelling. And stories are much easier to understand and
much more interesting than explanations of technical flaws.
Quizzes and attention-grabbing or humorous posters are
also effective reminders about not assuming everyone is
always who they say they are.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS
Design an in-house social engineering penetration test
Although it's a tactic to use with great caution, fear of
embarrassment is a strong motivator. Nobody likes to look
foolish.
Consider this factor if you choose to design an in-house social
engineering penetration test. A little embarrassment will put
everyone on their toes; crossing the line to humiliation will only
make employees angry.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS
A number of vendors offer tools or services to help conduct
social engineering exercises, and/or to build employee
awareness via means such as posters and newsletters.
Also worth checking out is the Social-Engineer Toolkit (SET), a free
download hosted by social-engineer.org.
The toolkit automates penetration testing via social engineering,
including spear-phishing campaigns, cloning of legitimate-looking
websites, USB drive-based attacks, and so on.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES
1. Appeal to personal lives: Get people interested in security by
arming them with techniques to secure their personal information;
if they securely tend to their own business, they're more likely to
tend to their employers.
2. Make the message visible: Put posters up at copy machines, bulletin
boards, and lunchrooms. Make them eye-catching but simple; something
anyone walking by can read and interpret without breaking stride. They're
more likely to remember the content.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES
3. Provide treats: Have an occasional celebration where Security
thanks the staff for doing their part.
4. Use their desk: Implement a clean desk policy and perform random desk
checks after hours.
Reward those who have no sensitive material out by leaving a small treat
like a piece of candy or pack of gum and a "Thanks for Doing your Part"
note, or enter them in a monthly drawing for a prize.
For those who aren’t meeting the criteria, leave a gentle reminder with
specifics about what needs to be corrected. Repeat offenders should be
discussed with management.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES
5. Bring it to their computer screen: If you have a company newsletter,
be certain to include a security article in each edition and provide
information on the latest incidents that have occurred, particularly in
your industry.
6. Require training: Training programs will be more effective if you
include interactive exercises, contests, games, or give-aways.
7. Walk the walk: Perhaps the most impactful technique is for senior
leadership members to display their own penchant for security. If it
looks to be important at the top, you can bet it'll be important at the
bottom.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES
Do background checks when hiring employees.
Screen temporary and ancillary workers.
Set up a clear reporting process for security problems.
Open the lines of communication between physical
security and the IT department.
Monitor employee behavior patterns for abnormal
activities and access violations.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES
Lock out terminated employees immediately.
Create a positive work environment, which will cut down on
disgruntled employees.
Publish a formal written company policy stating that the IT
department will never ask for a user's password.
Require ID badges for employees and mandate that an
employee with a badge accompany visitors.
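Two of the policy items above can be checked mechanically rather than trusted: that terminated employees are locked out immediately, and that abnormal access activity is noticed. The Python below is an added illustration written for this page, not code from the slides or from any product. The HR termination feed, the directory export, the authentication log lines, the working-hours window and the internal address range are all constructed assumptions. It reports terminated accounts that are still enabled or that still authenticate successfully, and successful logins outside the assumed working hours from outside the assumed internal network.

```python
from datetime import datetime, time

# Constructed HR feed: account -> termination time (hypothetical people and dates).
TERMINATIONS = {"jdoe": datetime(2024, 3, 1, 17, 0)}

# Constructed directory export: account -> still enabled?
ACCOUNTS = {"jdoe": True, "asmith": True, "bwong": False}

# Constructed authentication log, one event per line: "date time user source result".
AUTH_LOG = """\
2024-03-01 09:02:11 asmith 10.0.4.21 success
2024-03-01 18:40:03 jdoe 203.0.113.5 success
2024-03-02 02:15:44 asmith 198.51.100.77 success
2024-03-02 08:55:10 bwong 10.0.4.30 failure
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal working window
INTERNAL_PREFIX = "10."                      # assumed corporate address range


def parse_auth_log(text):
    """Turn log lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, src, result = line.split()
        events.append((datetime.fromisoformat(f"{date} {clock}"), user, src, result))
    return events


def review_access(events, terminations=TERMINATIONS, accounts=ACCOUNTS):
    """Return (user, reason) findings for the two policy checks."""
    findings = []
    # Policy: lock out terminated employees immediately.
    for user, left in terminations.items():
        if accounts.get(user):
            findings.append((user, f"account still enabled after termination on {left:%Y-%m-%d %H:%M}"))
    for ts, user, src, result in events:
        if result != "success":
            continue
        if user in terminations and ts > terminations[user]:
            findings.append((user, f"successful login at {ts} after termination"))
        # Policy: monitor for abnormal activity. Here: off-hours and off-network together.
        after_hours = not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1])
        if after_hours and not src.startswith(INTERNAL_PREFIX):
            findings.append((user, f"after-hours login at {ts} from {src}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_access(parse_auth_log(AUTH_LOG)):
        print(f"{user}: {reason}")
```

The first check needs no log at all, only the HR feed joined against the directory, which is why it belongs in the offboarding process rather than in a monitoring queue; the other two are the kind of rule a detection team would run over the real authentication log with its own definition of "normal" per user.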
SUMMARY
Social engineers increasingly use elusive attack tactics that exploit
natural human predispositions in order to bypass technical defenses.
These attacks can have very damaging consequences for an organization,
but you can take a number of steps to mitigate them.
Remember that your employees can make or break your security
program—keep them engaged in the process by soliciting
feedback and suggestions.
A security-aware culture is possible in any organization as long as it is
the standard by which everyone operates, and concepts are
consistently reinforced.