My presentation that was given at North Texas ISSA Second Annual Cyber Security Conference on 4/25/2015. This presentation covers the basics of Social Engineering and provides a good base of knowledge for anyone looking to understand more about this skill, along with where to learn more.
Social Engineering 101 or The Art of How You Got Owned by That Random Stranger
1. @NTXISSA
Social Engineering 101 or The Art of
How You Got Owned by That Random
Stranger
Steven Hatfield
Security Systems Senior Advisor
Dell
4/25/2015
2. @NTXISSA
About Me
• 8 year Army veteran
• Currently studying for a Bachelor of Science in Cybersecurity at UMUC
• 4 year Security Goon at DEF CON
• 3 year Social Engineer Village volunteer at DEF CON
• 1 year Security staff at Derbycon
NTX ISSA Cyber Security Conference – April 24-25, 2015 2
4. @NTXISSA
Social Engineering 101
• Definitions
• History
• Social Engineering Framework
• SET – Social Engineering Toolkit
• Categories
• Examples
• Protection
• Resources
• Questions
5. @NTXISSA
Definition
• Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple.
• We define it as, “Any act that influences a person to take an action that may or may not be in their best interest.” We have defined it in very broad and general terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others.
http://www.social-engineer.org/
6. @NTXISSA
Definition
• Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as giving them control over your computer.
http://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
8. @NTXISSA
History
• The term sociale ingenieurs was introduced in an essay by the Dutch industrialist J.C. Van Marken in 1894. The idea was that modern employers needed the assistance of specialists—"social engineers"—in handling the human problems of the planet, just as they needed technical expertise (ordinary engineers) to deal with the problems of dead matter (materials, machines, processes). …
9. @NTXISSA
Social Engineering Framework
• Social Engineering Defined
• Categories of Social Engineers
  • Hackers
  • Penetration Testers
  • Spies or Espionage
  • Identity Thieves
  • Disgruntled Employees
  • Information Brokers
  • Scam Artists
  • Executive Recruiters
  • Sales People
  • Governments
  • Everyday People
• Why Attackers Might Use Social Engineering
• Typical Goals
• The Attack Cycle
• Common Attacks
  • Customer Service
  • Delivery Person
  • Phone
  • Tech Support
• Real World Examples
  • Con Men
  • Crime Victims
  • Phishing
  • Politicians
10. @NTXISSA
SET – Social Engineer Toolkit
• The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
• The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetration Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.
13. @NTXISSA
Examples - Common
• Customer Service
• Delivery Person
• Phone
• Tech Support
• Con Men
• Crime Victims
• Phishing
• Politicians
14. @NTXISSA
Examples - Real World
• The Overconfident CEO
In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the servers of a printing company which had some proprietary processes and vendors that competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life."
"He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone would probably call and ask for his password and he was ready for an approach like that." …
http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
15. @NTXISSA
Examples - Real World
• The theme-park scandal
The target in this next case study was a theme park client that was concerned about potential compromise of its ticketing system. The computers used to check-in patrons also contained links to servers, client information and financial records. The client was concerned that if a check-in computer was compromised, a serious data breach might occur.
Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two. …
http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
16. @NTXISSA
Examples - Real World
• The hacker is hacked
Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. He ran a scan using Metasploit, which revealed an open VNC (virtual network computing) server, a server that allows control of other machines on the network.
He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John knew it was a red flag because at the time of day this was happening, no user would be connected to the network for a legitimate reason. He suspected an intruder was on the network. …
http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
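The red flag in this case study is timing: a remote-control session at an hour when no legitimate user should be connected. As an added example (not code from the presentation or from the CSO Online article it quotes), the script below reads remote-access log lines and flags sessions that start outside working hours or on a weekend. The log format, the 08:00–18:00 window, and the sample entries are all constructed for this example and do not correspond to any real VNC server's output.

```python
"""Flag remote-access (VNC-style) sessions that start outside expected hours.

Added example for this transcript, not code from the presentation or the
article it quotes. The log line format below is constructed for the example
and is not the format of any real VNC server.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample lines: "<ISO timestamp> <event> src=<ip> user=<name>".
# 2015-04-21 is a Tuesday and 2015-04-22 a Wednesday.
SAMPLE_LOG = """\
2015-04-21T09:12:03 session_start src=10.0.5.21 user=jsmith
2015-04-21T12:44:10 session_start src=10.0.5.33 user=agarcia
2015-04-21T23:51:47 session_start src=203.0.113.7 user=admin
2015-04-22T03:08:19 session_start src=198.51.100.9 user=jsmith
2015-04-22T08:59:59 session_start src=10.0.5.21 user=jsmith
"""

# Assumed working-hours window; tune to the environment being monitored.
WORK_START = time(8, 0)
WORK_END = time(18, 0)


@dataclass(frozen=True)
class Session:
    started: datetime
    src: str
    user: str


def parse_log(text: str) -> list[Session]:
    """Parse the constructed log format into Session records.

    Lines that are not session_start events, or that are malformed, are skipped
    rather than raising, so one odd line does not stop the whole review.
    """
    sessions: list[Session] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "session_start":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "src" not in fields or "user" not in fields:
            continue
        sessions.append(Session(datetime.fromisoformat(parts[0]), fields["src"], fields["user"]))
    return sessions


def is_off_hours(when: datetime, start: time = WORK_START, end: time = WORK_END) -> bool:
    """True when the timestamp is on a weekend or outside [start, end) on a weekday."""
    if when.weekday() >= 5:  # Saturday == 5, Sunday == 6
        return True
    return not (start <= when.time() < end)


def is_off_hours_iso(timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return is_off_hours(datetime.fromisoformat(timestamp))


def off_hours_sessions(text: str) -> list[Session]:
    """Return every session in the log that started outside working hours."""
    return [s for s in parse_log(text) if is_off_hours(s.started)]


if __name__ == "__main__":
    for s in off_hours_sessions(SAMPLE_LOG):
        print(f"ALERT off-hours remote session: {s.started} user={s.user} src={s.src}")
```

Run against the constructed sample, the two sessions starting at 23:51 and 03:08 are reported and the three daytime ones are not. In practice the working-hours window would come from the organisation's own schedule, and a flagged session is a prompt to verify with the named user, exactly the check John made before concluding an intruder was present.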
17. @NTXISSA
Examples - Real World
• Price-Matching Scam
18. @NTXISSA
Examples - Real World
• Evil Maid attacks
19. @NTXISSA
Examples - Real World
• Stuxnet
…
Stuxnet – delivered via USB sticks left around the Iranian site in a classic "social engineering" attack – used unpatched Windows vulnerabilities to get inside the SCADA at Iran's Natanz enrichment plant. It then injected code to make a PLC speed up and slow down centrifuge motors – wrecking more than 400 machines. Siemens made both the SCADA (WinCC) and the PLC (S7-300) attacked by Stuxnet.
…
http://www.newscientist.com/article/dn20298-stuxnet-analysis-finds-more-holes-in-critical-software.html
20. @NTXISSA
Examples - Real World
• Sing-o-gram - Michelle from SE crew
…
Next, Chris and I packed our dark glasses and super-spy cameras and headed to the client’s locations. Four buildings, three days, two states, no sleep. This particular client faces some big challenges when it comes to physical plant security, not the least of which is sharing buildings with other companies and retailers open to the general public. Despite having a great physical security team and RFID badging, we were able to gain access to most of their secured locations pretexting as inspectors and yes, a singing telegram (I’ll let you guess who got to do that one). We didn’t really need to do a lot of sneaky stuff; we took advantage of high traffic times and locations, acted like we belonged there, and exploited people’s general helpfulness. Using these principles, we accessed areas such as their corporate mailroom, NOC, and executive offices and roamed freely without ever being stopped.
…
http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-57/
21. @NTXISSA
Examples - Real World
• News Reporter - “Bob”
“I've gotten myself into a building by claiming to be interviewing them for a blog and then spending all day taking pictures and plugging flash drives in to ‘print stuff’”
22. @NTXISSA
Protection
• Obviously, never give out confidential information.
• Safeguard even inconsequential information about yourself.
• Lie to security questions, and remember your lies.
• View every password reset email with skepticism.
• Watch your accounts and account activity.
• Diversify passwords, critical services, and security questions.
25. @NTXISSA
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you