Data Security Concepts
COUNTERACTING SOCIAL ENGINEERING EXPLOITS
BY NICKKISHA FARRELL BSc IT, DIP Ed
January 2014
IN THIS PRESENTATION

What is Social Engineering
Identifying Social Engineering Exploits
Counteracting Social Engineering Exploits
Evolving Social Engineering Organization Policies
INTRODUCTION

During the last 15 years, software makers have improved their security practices.

Enterprises have deployed better security defenses.

These improvements have pushed cybercriminals to target vulnerable humans rather than vulnerable code.
SOCIAL ENGINEERING

The art of gaining access to buildings, systems or data by exploiting or manipulating human psychology, rather than by breaking in or using technical hacking techniques.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
ORIGINS OF SOCIAL ENGINEERING

Social engineering attacks usually originate from one of three zones:

Internal
Trusted
External

Internal threats come from employees who manipulate other employees to gather sensitive information and access to IT systems. They may include disgruntled employees, temporary employees, employees with criminal tendencies, and ancillary workers such as housekeeping and maintenance staff.
Trusted threats come from other individuals who are formally associated with your organization on a regular basis but are not on your payroll. These can include contractors and consultants, as well as partner organizations.

External threats come from people who are not associated with your organization. This category can include recreational hackers, competitors wanting to uncover confidential information, or criminals wanting to steal something.

This document focuses on the external attacker.
HOW SOCIAL ENGINEERS WORK

Criminals will often take weeks or months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.

Once a social engineer is ready to strike, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes to gain access to a facility or sensitive data.
SOCIAL ENGINEERING TACTICS

Tactic 1: Ten degrees of separation
The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either

1) a fellow employee, or
2) a trusted outside authority (such as law enforcement or an auditor).

According to Sal Lifrieri, a 20-year veteran of the New York City Police Department, there might be ten steps between a criminal's target and the person he or she can start with in the organization.

"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."
Tactic 2: Learning your corporate language
A social engineering criminal will study your organization's jargon and acronyms and be able to rattle them off with the best of them.

"It's all about surrounding cues. If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."
Tactic 3: Borrowing your 'hold' music
Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone.

"The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."
Tactic 4: Phone-number spoofing
Criminals often use phone-number spoofing to make a different number show up on the target's caller ID.

The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company.

Unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And the crime is often undetectable afterwards, because if you dial the number back, it goes to an internal company number.
Tactic 5: Using the news against you
Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams.

Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately.

"The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.'"
Tactic 6: Abusing faith in social networking sites
People have a lot of faith in social networking sites like Facebook and LinkedIn. A recent spear-phishing incident targeted LinkedIn users, and the attack was surprising to many.

Emails are usually worded like this: "The site is doing maintenance, click here to update your information." Of course, when you click on the link, you go to the bad guys' site.

One solution is to type in web addresses manually to avoid malicious links. Also keep in mind that it is very rare for a site to send out a request for a password change or an account update.
Tactic 7: Typo squatting
On the Web, scammers also bank on the common mistakes people make when they type. When you type in a URL that's just one letter off, suddenly you can end up on a completely different site looking just like the one you intended.

Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.
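As an added illustration (not part of the original presentation), a small Python checker that flags links whose domain is a one-letter, swapped-letter or look-alike variant of a domain the organization legitimately uses, the kind of near-miss address Tactic 7 describes and the "click here" links in Tactic 6 rely on. The allowlisted domains and the sample links are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains staff are expected to visit (not real infrastructure).
KNOWN_DOMAINS = {"example.com", "examplebank.com", "intranet.example.com"}

# Characters and digraphs that look alike in many fonts; folded before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def normalize(label: str) -> str:
    """Fold visually confusable characters so 'examp1e' compares equal to 'example'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by one pair of adjacent characters swapped
    ('exmaple' vs 'example'), which plain edit distance would count as 2."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Adequate for .com-style names; a real
    deployment would consult the Public Suffix List for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str, known=KNOWN_DOMAINS, max_distance: int = 1) -> dict:
    """Return a verdict for one URL:
       known           host belongs to an allowlisted domain
       lookalike       registrable domain is a one-edit, swap or homoglyph variant
       brand-embedded  a known domain appears inside some other host
                       (example.com.login-verify.net, example-com.net)
       unrelated       nothing resembling a known domain"""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    dom = registrable_domain(host)
    known_regs = {registrable_domain(k) for k in known}
    result = {"url": url, "host": host, "closest": None, "distance": None}

    if dom in known_regs:
        return {**result, "verdict": "known", "closest": dom, "distance": 0}

    norm = normalize(dom)
    closest = min(known_regs, key=lambda k: levenshtein(norm, normalize(k)))
    dist = levenshtein(norm, normalize(closest))
    if dist <= max_distance or is_transposition(norm, normalize(closest)):
        return {**result, "verdict": "lookalike", "closest": closest, "distance": dist}

    # Brand name used as a subdomain or hyphenated label of an unrelated domain.
    host_flat = host.replace("-", ".")
    for k in known_regs:
        if k in host_flat:
            return {**result, "verdict": "brand-embedded", "closest": k, "distance": dist}

    return {**result, "verdict": "unrelated"}


def triage(urls) -> dict:
    """Group a batch of URLs (e.g. links extracted from an inbound email) by verdict."""
    groups = {"known": [], "lookalike": [], "brand-embedded": [], "unrelated": []}
    for u in urls:
        groups[classify_url(u)["verdict"]].append(u)
    return groups


if __name__ == "__main__":
    # Constructed sample links of the kind an email link checker would see.
    sample = [
        "https://intranet.example.com/login",
        "http://examp1e.com/login",              # digit 1 in place of letter l
        "http://exmaple.com/reset",              # adjacent letters swapped
        "https://examplebank.co/update",         # one letter dropped
        "http://example.com.login-verify.net/",  # brand used as a subdomain
        "https://www.python.org/",
    ]
    for u in sample:
        print(f"{classify_url(u)['verdict']:15} {u}")
```

Anything other than "known" is a prompt to type the address manually, as the slide advises, rather than follow the link.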
IDENTIFY SOCIAL ENGINEERING EXPLOITS

On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).

In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
Online:
Social networking sites have opened a whole new door for social engineering scams. A common scam is to pose as a Facebook "friend."

Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.

One popular tactic used recently involved scammers hacking into Facebook accounts and sending a message on Facebook claiming to be stuck in a foreign city and in need of money.

Social engineers also take advantage of current events and holidays to lure victims.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS

Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.

Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws.

Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.
Design an in-house social engineering penetration test

Although it's a tactic to use with great caution, fear of embarrassment is a strong motivator. Nobody likes to look foolish.

Consider this factor if you choose to design an in-house social engineering penetration test. A little embarrassment will put everyone on their toes; crossing the line to humiliation will only make employees angry.
A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download.

The toolkit helps automate penetration testing via social engineering, including "spear-phishing attacks", creation of legitimate-looking websites, USB drive-based attacks, etc.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they're more likely to tend to their employer's.

2. Make the message visible: Put posters up at copy machines, bulletin boards, and lunchrooms. Make them eye-catching but simple; something anyone walking by can read and interpret without breaking stride, so they're more likely to remember the content.
3. Provide treats: Have an occasional celebration where Security thanks the staff for doing their part.

4. Use their desk: Implement a clean desk policy and perform random desk checks after hours.

Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a "Thanks for Doing Your Part" note, or enter them in a monthly drawing for a prize.

For those who aren't meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.
5. Bring it to their computer screen: If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry.

6. Require training: Training programs will be more effective if you include interactive exercises, contests, games, or give-aways.

7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security. If it looks to be important at the top, you can bet it'll be important at the bottom.
• Do background checks when hiring employees.
• Screen temporary and ancillary workers.
• Set up a clear reporting process for security problems.
• Open the lines of communication between physical security and the IT department.
• Monitor employee behavior patterns for abnormal activities and access violations.
• Lock out terminated employees immediately.
• Create a positive work environment, which will cut down on disgruntled employees.
• Publish a formal written company policy stating that the IT department will never ask for a user's password.
• Require ID badges for employees and mandate that an employee with a badge accompany visitors.
SUMMARY

Social engineers increasingly employ elusive social engineering attack tactics to exploit natural human predispositions with the goal of bypassing defenses. These attacks can have very damaging consequences for an organization, but you can take a number of steps to mitigate such attacks.

Remember that your employees can make or break your security program; keep them engaged in the process by soliciting feedback and suggestions.

A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced.
REFERENCES

http://www.csoonline.com/article/514063/socialengineering-the-basics#1
http://www.csoonline.com/article/460135/socialengineering-eight-common-tactics
http://www.techrepublic.com/article/change-yourcompanys-culture-to-combat-social-engineering-attacks/

Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Counteracting Social Engineering with Awareness

8

HOW SOCIAL ENGINEERS WORK

Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.

Once a social engineer is ready to strike, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes to gain access to a facility or sensitive data.

9

SOCIAL ENGINEERING TACTICS

Tactic 1: Ten degrees of separation

The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either
1) a fellow employee, or
2) a trusted outside authority (such as law enforcement or an auditor).

According to Sal Lifrieri, a 20-year veteran of the New York City Police Department, there might be ten steps between a criminal's target and the person he or she can start with in the organization. "The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."

10

SOCIAL ENGINEERING TACTICS

Tactic 2: Learning your corporate language

A social engineering criminal will study your corporate language and be able to rattle it off with the best of them.

"It's all about surrounding cues. If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."

11

SOCIAL ENGINEERING TACTICS

Tactic 3: Borrowing your 'hold' music

Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone.

"The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."

12

SOCIAL ENGINEERING TACTICS

Tactic 4: Phone-number spoofing

Criminals often use phone-number spoofing to make a different number show up on the target's caller ID.

The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company.

Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And, of course, the crime is often undetectable afterwards, because if you dial the number back, it goes to an internal company number.

13

SOCIAL ENGINEERING TACTICS

Tactic 5: Using the news against you

"Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams."

Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately.

"The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.'"

14

SOCIAL ENGINEERING TACTICS

Tactic 6: Abusing faith in social networking sites

People have a lot of faith in social networking sites like Facebook and LinkedIn. A recent spear-phishing incident targeted LinkedIn users, and the attack was surprising to many.

Emails are usually worded like this: "Site is doing maintenance, click here to update your information." Of course, when you click on the link, you go to the bad guys' site.

One solution is to type in web addresses manually to avoid malicious links, and to keep in mind that it is very rare for a site to send out a request for a password change or an account update.

15

SOCIAL ENGINEERING TACTICS

Tactic 7: Typo squatting

On the Web, scammers also bank on the common mistakes people make when they type. When you type in a URL that's just one letter off, suddenly you can end up on a completely different site looking just like the one you intended.

Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.
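The "one letter off" addresses of Tactic 7 and the "click here to update your information" links of Tactic 6 share a defensive check: before anyone acts on a link, compare its hostname against the domains the organization actually uses. The following is an added example, not code from the presentation or its author. The allowlist, the sample links, and the two lookalike rules (a single typing slip measured by Damerau-Levenshtein distance, and a trusted brand name embedded as a label in some other domain) are assumptions made for illustration; the naive "last two labels" domain split is likewise a simplification.

```python
"""Flag lookalike hostnames in links before a user acts on them.

Added example (not from the presentation). The allowlist, the sample links and
the two lookalike rules are constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the organisation's staff legitimately use.
LEGITIMATE_DOMAINS = {"example.com", "linkedin.com", "facebook.com"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1, so a single typing slip is distance 1."""
    prev2 = None                       # row i-2 of the DP table
    prev = list(range(len(b) + 1))     # row i-1 (row 0: distance from "" to b[:j])
    for i, ca in enumerate(a, 1):
        cur = [i]                      # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1,            # delete ca
                       cur[j - 1] + 1,         # insert cb
                       prev[j - 1] + cost)     # substitute (or match)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # swap two adjacent characters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1 (last two labels). Production tooling should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, legitimate=LEGITIMATE_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike:<reason>' or 'unknown' for a link."""
    if "://" not in url:               # bare "site.com/path" as a user would type it
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in legitimate:
        return "legitimate"
    # Rule 1: a trusted brand name used as a label inside some other domain,
    # e.g. linkedin.com.account-verify.example (constructed)
    brands = {d.split(".")[0] for d in legitimate}
    if any(label in brands for label in host.split(".")):
        return "lookalike:brand-embedded"
    # Rule 2: one typing slip away from a trusted domain (the Tactic 7 case)
    for legit in sorted(legitimate):
        if edit_distance(domain, legit) <= 1:
            return "lookalike:" + legit
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links such as might appear in a "please update" e-mail.
    for link in ["https://www.linkedin.com/in/someone",
                 "http://linkedln.com/update",
                 "http://facebok.com/login",
                 "http://linkedin.com.account-verify.example/",
                 "https://intranet.corp.invalid/"]:
        print(f"{classify_link(link):28} {link}")
```

A verdict of "unknown" is not "safe": the check only recognizes domains on the allowlist and the two lookalike patterns, so hyphenated variants (brand-security.example) and homoglyph substitutions pass through it untouched and still need the "type the address yourself" habit the slide recommends.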
16

IDENTIFY SOCIAL ENGINEERING EXPLOITS

On the phone: A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).

In the office: "Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.

17

IDENTIFY SOCIAL ENGINEERING EXPLOITS

Online: Social networking sites have opened a whole new door for social engineering scams. A common scam is to pose as a Facebook "friend."

Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.

One popular tactic used recently involved scammers hacking into Facebook accounts and sending a message on Facebook claiming to be stuck in a foreign city and in need of money.

Social engineers also take advantage of current events and holidays to lure victims.

18

COUNTERACTING SOCIAL ENGINEERING EXPLOITS

Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.

Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws.

Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.

20

COUNTERACTING SOCIAL ENGINEERING EXPLOITS

Design an in-house social engineering penetration test

Although it's a tactic to use with great caution, fear of embarrassment is a strong motivator. Nobody likes to look foolish.

Consider this factor if you choose to design an in-house social engineering penetration test. A little embarrassment will put everyone on their toes; crossing the line to humiliation will only make employees angry.

21

COUNTERACTING SOCIAL ENGINEERING EXPLOITS

A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download.

The toolkit helps automate penetration testing via social engineering, including "spear-phishing attacks", creation of legitimate-looking websites, USB drive-based attacks, etc.

22

EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they're more likely to tend to their employer's.

2. Make the message visible: Put posters up at copy machines, bulletin boards, and lunchrooms. Make them eye-catching but simple; something anyone walking by can read and interpret without breaking stride— they're more likely to remember the content.

23

EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

3. Provide treats: Have an occasional celebration where Security thanks the staff for doing their part.

4. Use their desk: Implement a clean desk policy and perform random desk checks after hours.

Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a "Thanks for Doing Your Part" note, or enter them in a monthly drawing for a prize.

For those who aren't meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.

24

EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

5. Bring it to their computer screen: If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry.

6. Require training: Training programs will be more effective if you include interactive exercises, contests, games, or give-aways.

7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security. If it looks to be important at the top, you can bet it'll be important at the bottom.

25

EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

Do background checks when hiring employees.

Screen temporary and ancillary workers.

Set up a clear reporting process for security problems.

Open the lines of communication between physical security and the IT department.

Monitor employee behavior patterns for abnormal activities and access violations.

26

EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

Lock out terminated employees immediately.

Create a positive work environment, which will cut down on disgruntled employees.

Publish a formal written company policy stating that the IT department will never ask for a user's password.

Require ID badges for employees and mandate that an employee with a badge accompany visitors.
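Two of the policy items above, "monitor employee behavior patterns for abnormal activities and access violations" and "lock out terminated employees immediately", can be checked against each other: run the HR termination feed over the authentication log, and any login by an account that should already be disabled is a lockout that did not happen. The following is an added example, not part of the presentation or its author's material. The key=value log format, the account names, the dates and the 07:00 to 19:00 working-hours window used by the after-hours rule are constructed for illustration.

```python
"""Check authentication logs against the HR termination list and working hours.

Added example (not from the presentation). The key=value log format, the
account names, the dates and the 07:00-19:00 working-hours window are
constructed for illustration.
"""
from datetime import datetime, time

# Constructed HR feed: account -> moment at which it should have been disabled.
TERMINATED = {"jdoe": datetime(2014, 1, 10, 17, 0)}

# Constructed working-hours window used by the after-hours rule.
WORKDAY_START, WORKDAY_END = time(7, 0), time(19, 0)

# Constructed sample log, one authentication event per line.
SAMPLE_LOG = """\
2014-01-09T10:02:11 user=jdoe event=login host=fileserver01 result=success
2014-01-13T08:45:30 user=jdoe event=login host=vpn-gw result=success
2014-01-13T23:10:05 user=asmith event=login host=hr-db result=success
2014-01-14T12:00:00 user=asmith event=login host=hr-db result=success
2014-01-15T03:22:47 user=jdoe event=login host=vpn-gw result=failure
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_violations(log_text: str, terminated=TERMINATED) -> list:
    """Return findings, in log order, for two rules:
    - terminated-account: any attempt by an account past its termination time
      (critical if it succeeded, i.e. the lockout never happened; warning if it failed)
    - after-hours: a successful login outside the working-hours window"""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ts, user = rec["ts"], rec["user"]
        base = {"user": user, "ts": ts.isoformat(), "host": rec["host"]}
        if user in terminated and ts > terminated[user]:
            severity = "critical" if rec["result"] == "success" else "warning"
            findings.append({**base, "rule": "terminated-account", "severity": severity})
            continue
        in_hours = WORKDAY_START <= ts.time() < WORKDAY_END
        if rec["result"] == "success" and not in_hours:
            findings.append({**base, "rule": "after-hours", "severity": "info"})
    return findings


if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['rule']:19} {f['ts']} {f['user']}@{f['host']}")
```

The after-hours rule is deliberately low severity: night-shift and on-call staff log in at odd hours legitimately, so it is a prompt for review rather than an alarm, whereas a successful login by a terminated account is a process failure that should go straight to the reporting channel the previous slide asks for.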
27

SUMMARY

Social engineers increasingly employ elusive social engineering attack tactics to exploit natural human predispositions with the goal of bypassing defenses. These attacks can have very damaging consequences for an organization, but you can take a number of steps to mitigate such attacks. Remember that your employees can make or break your security program—keep them engaged in the process by soliciting feedback and suggestions. A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced.