Social Engineering... or «Hacking People»
Tudor Damian, CEH, IT solutions specialist
www.tudy.tel
DefCamp #5 - Bucharest, November 28th, 2014
https://www.youtube.com/watch?v=_G3NT91AWUE
87% of small businesses and 93% of larger organizations experienced a cyber security breach in the last year
Source: UK Government, Department for Business, Innovation and Skills (BIS) http://bit.ly/tudydefcamp
Most malicious attacks come from within an organization
Did you see this: http://bit.ly/tudydefcamp ?
Timeline of discovery for cyber espionage attacks worldwide (2013)
• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%
Source: Verizon
http://bit.ly/tudydefcamp
Cyber crime attacks experienced by US companies (June 2014)
• Viruses, worms, trojans: 100%
• Malware: 97%
• Botnets: 76%
• Web-based attacks: 61%
• Malicious code: 46%
• Phishing and social engineering: 44%
• Malicious insiders: 41%
• Stolen devices: 37%
• Denial of service: 34%
Source: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)
Go to http://bit.ly/tudydefcamp now
So, what is Social Engineering? http://bit.ly/tudydefcamp
OSI Model – anything missing?
7 – Application layer
6 – Presentation layer
5 – Session layer
4 – Transport layer
3 – Network layer
2 – Link layer
1 – Physical layer
Go to http://bit.ly/tudydefcamp now, ...please?
OSI Model – revised
8 – Human layer
7 – Application layer
6 – Presentation layer
5 – Session layer
4 – Transport layer
3 – Network layer
2 – Link layer
1 – Physical layer
http://bit.ly/tudydefcamp
Social Engineering, or “Hacking People” 
• The science of making people do what you want
• Attacks the most vulnerable layer in the OSI model
Really now, did you check out http://bit.ly/tudydefcamp ?
Why are people vulnerable?
• False assumptions
  • If X is true, then Y is true; Y is true, therefore X must be true
• Logical fallacies
  • Incorrect arguments in logic and rhetoric, resulting in a lack of validity
• Cognitive biases
  • Patterns of deviation in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion
• Heuristics & mental shortcuts
  • Used to speed up the process of finding a satisfactory solution via mental shortcuts
  • e.g. using a rule of thumb, an educated guess, an intuitive judgment, stereotyping, profiling, common sense, etc.
  • Eases the cognitive load of making a decision
http://bit.ly/tudydefcamp
Behaviors vulnerable to attacks 
• The human nature of trust is the basis of most SE attacks
• Ignorance about SE and its effects
• SE attackers might threaten with losses or consequences in case of non-compliance with their request
• SE attackers lure the targets to divulge information by promising something for nothing
• Targets are asked for help and they comply out of a sense of moral obligation
Can't believe you haven't noticed this yet: http://bit.ly/tudydefcamp
Technology doesn’t fix ignorance 
http://bit.ly/tudydefcamp
Types of Social Engineering 
• Human-based Social Engineering
  • Gathers sensitive information by interaction
  • Attacks of this category exploit trust, fear and the helping nature of humans
• Computer-based or mobile-based Social Engineering
  • SE carried out with the help of computers and/or mobile apps
Go. There. Now. http://bit.ly/tudydefcamp
Human-based Social Engineering
• Posing as a legitimate end user
  • Give identity and ask for sensitive information
• Posing as an important user
  • Posing as a VIP of a target company, valuable customer, etc.
• Posing as technical support
  • Call as technical support staff and request credentials to retrieve data
• Authority support
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Tailgating & Piggybacking
• Reverse SE
  • Marketing
  • Sabotage
  • Tech Support
http://bit.ly/tudydefcamp
Computer-based Social Engineering 
• Spam Email 
• Hoax/Chain Letters 
• Instant Chat Messenger 
• Pop-up Windows 
• Phishing & Spear Phishing 
• Publishing Malicious Apps 
• Repackaging Legitimate Apps 
• Fake Security Applications 
Seriously now. http://bit.ly/tudydefcamp
Common Social Engineering attacks
• Email from a friend
  • May contain links/attachments with malicious software embedded
  • Messages may create a compelling story or pretext
• Phishing attempts
  • Email, IM, comment, or text message appearing to come from a legitimate, popular company, bank, school, or institution
  • These messages usually have a scenario or story
  • Explain there is a problem, notify you that you’re a “winner”, ask for help
• Baiting scenarios
• Persuasion
• Impersonation
• Response to a question you never had
http://bit.ly/tudydefcamp
Why are companies vulnerable to SE?
• Insufficient security training
• Easy access to information
• Several organizational units
• Lack of security policies
• Detecting SE attacks is very difficult
• There’s no method to ensure complete security against every form of SE attack
• There’s no specific software or hardware for defending against SE attacks
Such wow, much link: http://bit.ly/tudydefcamp
SE attack against an organization - Phases
• Research on target company
  • Dumpster diving, websites, employees, company tours, etc.
• Select victim
  • Identify the frustrated/gullible employees of the target company
• Develop relationship
  • Develop relationships with the selected employees
• Exploit the relationship
  • Collect sensitive account information, financial information and current technologies
http://bit.ly/tudydefcamp
Potential impact on the organization
• Economic losses
• Loss of privacy
• Damage to goodwill
• Temporary or permanent closure
• Lawsuits and arbitrations
• etc.
You've got a smartphone, right? http://bit.ly/tudydefcamp
Common targets of SE attacks
• Receptionists and help desk personnel
• Vendors of the target organization
• Users and clients
• Low-profile employees and staff
• Office workers
• Technical support executives
• System administrators
http://bit.ly/tudydefcamp
Insider attacks
• Spying
  • If a competitor wants to damage your organization, steal critical secrets or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization
• Corporate espionage
  • Information theft & sabotage
• Revenge
  • It takes only one disgruntled person to take revenge and your company may be compromised
• Insider attack
  • Most attacks occur “behind the firewall”
  • An inside attack is easy to launch
  • Prevention is difficult, thus the attack can easily succeed
  • Financial gain is a potential reason
…or a laptop? You can pull out your laptop and go to http://bit.ly/tudydefcamp
Protecting yourself from SE attacks
• Slow down
• Research the facts
• Delete any requests for financial information or passwords
• Reject requests for help or offers of help
• Lie to security questions and remember your lies
• Beware of any downloads
• Secure your devices
• Follow security policies
• Don’t let a link control where you land
http://bit.ly/tudydefcamp
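The last tip on that slide, not letting a link control where you land, can be turned into a mechanical check. The script below is an added example, not part of the original slides or the speaker's material: it parses the HTML body of a message and flags two things the slides warn about, anchors whose visible text is written as one address while the href points at a different host, and links behind URL shorteners (the deck's own bit.ly link is exactly the kind whose destination you cannot see). The sample message, its hosts, and the shortener list are all constructed for this example; the list is an assumption, not an authoritative source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, non-authoritative list of URL-shortener hosts (an assumption
# for this example): a shortened link hides its real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Visible anchor text that reads as a web address: optional scheme or "www.",
# a dotted host name, an optional path, and no whitespace.
URL_TEXT_RE = re.compile(
    r"^(https?://|www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.IGNORECASE
)


def host_of(url):
    """Lowercase host of a URL or bare address, with a leading "www." dropped;
    "" when there is no host (mailto:, javascript:, empty href)."""
    url = url.strip()
    parsed = urlparse(url)
    if not parsed.scheme and not url.startswith("//"):
        parsed = urlparse("http://" + url)   # bare "mybank.example/login"
    host = parsed.hostname or ""
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """True when the anchor's visible text is itself written as an address."""
    return bool(URL_TEXT_RE.match(text.strip()))


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return (href, text, reason) for each anchor whose destination is hidden
    or differs from the address the reader is shown."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        real_host = host_of(href)
        shown_host = host_of(text) if looks_like_url(text) else None
        if real_host in SHORTENER_HOSTS:
            findings.append((href, text, "shortened URL hides destination"))
        elif shown_host is not None and shown_host != real_host:
            findings.append((href, text, "text shows %s but link goes to %s"
                             % (shown_host, real_host or href)))
    return findings


# Constructed sample message body, modelled on the "there is a problem with
# your account" pretext described in the slides; every host here is made up.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked. Confirm your details within 24 hours.</p>
<p><a href="https://mybank.example/login">https://mybank.example/login</a></p>
<p><a href="http://mybank-secure.example.net/verify">www.mybank.example/login</a></p>
<p><a href="http://bit.ly/EXAMPLE">Click here to unlock</a></p>
<p><a href="https://mybank.example/help">Contact support</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS: %-45s %s" % (href, reason))
```

Run against the constructed sample, the first link passes (the text and the href agree), the second is reported because the reader sees mybank.example while the href goes to mybank-secure.example.net, the shortened link is reported because its destination is not visible at all, and a plain "Contact support" link is left alone since the text makes no claim about where it leads. The same routine can sit in a mail gateway or a user-reported-phish triage script; it checks the one property a reader can verify by hovering, and nothing more.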
http://bit.ly/tudydefcamp
Tudor Damian, CEH, IT solutions specialist
www.tudy.tel

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Social Engineering, or hacking people

1. Social Engineering... or «Hacking People»
Tudor Damian, CEH, IT solutions specialist, www.tudy.tel
DefCamp #5 - Bucharest, November 28th, 2014
6. 87% of small businesses and 93% of larger organizations experienced a cyber security breach in the last year.
Source: UK Government, Department for Business, Innovation and Skills (BIS)
http://bit.ly/tudydefcamp

7. Most malicious attacks come from within an organization.
Did you see this: http://bit.ly/tudydefcamp ?

8. Timeline of discovery for cyber espionage attacks worldwide (2013)
• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%
Source: Verizon
http://bit.ly/tudydefcamp

9. Cyber crime attacks experienced by US companies (June 2014)
• Viruses, worms, trojans: 100%
• Malware: 97%
• Botnets: 76%
• Web-based attacks: 61%
• Malicious code: 46%
• Phishing and social engineering: 44%
• Malicious insiders: 41%
• Stolen devices: 37%
• Denial of service: 34%
Source: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)
Go to http://bit.ly/tudydefcamp now

10. So, what is Social Engineering?
http://bit.ly/tudydefcamp

11. OSI Model – anything missing?
• 7 – Application layer
• 6 – Presentation layer
• 5 – Session layer
• 4 – Transport layer
• 3 – Network layer
• 2 – Link layer
• 1 – Physical layer
Go to http://bit.ly/tudydefcamp now, ...please?

12. OSI Model – revised
• 8 – Human layer
• 7 – Application layer
• 6 – Presentation layer
• 5 – Session layer
• 4 – Transport layer
• 3 – Network layer
• 2 – Link layer
• 1 – Physical layer
http://bit.ly/tudydefcamp

13. Social Engineering, or “Hacking People”
• The science of making people do what you want
• Attacks the most vulnerable layer in the OSI model
Really now, did you check out http://bit.ly/tudydefcamp ?

14. Why are people vulnerable?
• False assumptions
  • If X is true, then Y is true; Y is true, therefore X must be true
• Logical fallacies
  • Incorrect arguments in logic and rhetoric, resulting in a lack of validity
• Cognitive biases
  • Patterns of deviation in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion
• Heuristics & mental shortcuts
  • Used to speed up the process of finding a satisfactory solution via mental shortcuts
  • e.g. using a rule of thumb, an educated guess, an intuitive judgment, stereotyping, profiling, common sense, etc.
  • Eases the cognitive load of making a decision
http://bit.ly/tudydefcamp
16. Behaviors vulnerable to attacks
• The human nature of trust is the basis of most SE attacks
• Ignorance about SE and its effects
• SE attackers might threaten with losses or consequences in case of non-compliance with their request
• SE attackers lure the targets into divulging information by promising something for nothing
• Targets are asked for help and they comply out of a sense of moral obligation
Can't believe you haven't noticed this yet: http://bit.ly/tudydefcamp

17. Technology doesn’t fix ignorance
http://bit.ly/tudydefcamp

18. Types of Social Engineering
• Human-based Social Engineering
  • Gathers sensitive information by interaction
  • Attacks of this category exploit trust, fear and the helping nature of humans
• Computer-based or mobile-based Social Engineering
  • SE carried out with the help of computers and/or mobile apps
Go. There. Now. http://bit.ly/tudydefcamp

19. Human-based Social Engineering
• Posing as a legitimate end user
  • Give an identity and ask for sensitive information
• Posing as an important user
  • Posing as a VIP of a target company, a valuable customer, etc.
• Posing as technical support
  • Call as technical support staff and request credentials to retrieve data
• Authority support
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Tailgating & piggybacking
• Reverse SE
  • Marketing
  • Sabotage
  • Tech support
http://bit.ly/tudydefcamp

20. Computer-based Social Engineering
• Spam email
• Hoax/chain letters
• Instant chat messengers
• Pop-up windows
• Phishing & spear phishing
• Publishing malicious apps
• Repackaging legitimate apps
• Fake security applications
Seriously now. http://bit.ly/tudydefcamp

21. Common Social Engineering attacks
• Email from a friend
  • May contain links/attachments with malicious software embedded
  • Messages may create a compelling story or pretext
• Phishing attempts
  • Email, IM, comment or text message appearing to come from a legitimate, popular company, bank, school or institution
  • These messages usually have a scenario or story
  • They explain there is a problem, notify you that you’re a “winner”, or ask for help
• Baiting scenarios
• Persuasion
• Impersonation
• Response to a question you never had
http://bit.ly/tudydefcamp

22. Why are companies vulnerable to SE?
• Insufficient security training
• Easy access to information
• Several organizational units
• Lack of security policies
• Detecting SE attacks is very difficult
• There’s no method to ensure complete security against any form of SE attack
• There’s no specific software or hardware for defending against SE attacks
Such wow, much link: http://bit.ly/tudydefcamp

23. SE attack against an organization - phases
• Research on the target company
  • Dumpster diving, websites, employees, company tour, etc.
• Select the victim
  • Identify the frustrated/gullible employees of the target company
• Develop a relationship
  • Develop relationships with the selected employees
• Exploit the relationship
  • Collect sensitive account information, financial information and current technologies
http://bit.ly/tudydefcamp

24. Potential impact on the organization
• Economic losses
• Loss of privacy
• Damage to goodwill
• Temporary or permanent closure
• Lawsuits and arbitrations
• etc.
You've got a smartphone, right? http://bit.ly/tudydefcamp

25. Common targets of SE attacks
• Receptionists and help desk personnel
• Vendors of the target organization
• Users and clients
• Low-profile employees and staff
• Office workers
• Technical support executives
• System administrators
http://bit.ly/tudydefcamp

26. Insider attacks
• Spying
  • If a competitor wants to damage your organization, steal critical secrets or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization
• Corporate espionage
  • Information theft & sabotage
• Revenge
  • It takes only one disgruntled person to take revenge and your company may be compromised
• Insider attack
  • Most attacks occur “behind the firewall”
  • An inside attack is easy to launch
  • Prevention is difficult, thus the attack can easily succeed
  • Financial gain is a potential reason
…or a laptop? You can pull out your laptop and go to http://bit.ly/tudydefcamp

27. Protecting yourself from SE attacks
• Slow down
• Research the facts
• Delete any requests for financial information or passwords
• Reject requests for help or offers of help
• Lie to security questions and remember your lies
• Beware of any downloads
• Secure your devices
• Follow security policies
• Don’t let a link control where you land
http://bit.ly/tudydefcamp
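The last point on slide 27, not letting a link decide where you land, can be checked mechanically. The following is an added example, not code from the talk: it parses a constructed HTML e-mail and flags anchors whose visible text names one host while the href points somewhere else; every domain in it is a constructed, reserved .example name.

```python
# Added example (not from the talk): flag anchors in an HTML e-mail whose
# visible text names one host while the href points somewhere else.
# All domains below are constructed, reserved .example names.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that looks like a URL or bare host ("www.examplebank.com/login");
# plain words such as "Click here" carry no host and are skipped.
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # remember the real target, start collecting shown text
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-case hostname of a URL or bare host, with a leading 'www.' dropped."""
    host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return host[4:] if host.startswith("www.") else host

def deceptive_links(html):
    """Links whose shown host is neither the real host nor a parent domain of it."""
    parser = _LinkCollector(); parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not URLISH.match(text):
            continue  # nothing host-like is shown, so nothing to compare against
        shown, actual = host_of(text), host_of(href)
        if actual != shown and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual})
    return findings

# Constructed sample: an honest link, a look-alike host, and a generic "Click here".
SAMPLE_EMAIL = """<a href="http://www.examplebank.com/login">www.examplebank.com/login</a>
<a href="http://examplebank.com.account-check.example/x">https://examplebank.com/secure</a>
<a href="http://update-now.example/">Click here</a>"""
```

Running deceptive_links(SAMPLE_EMAIL) reports only the second link, whose shown host examplebank.com actually lands on examplebank.com.account-check.example; a generic "Click here" cannot be judged this way and still needs the slow-down-and-check habit the slide recommends.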
28. http://bit.ly/tudydefcamp
Tudor Damian, CEH, IT solutions specialist, www.tudy.tel