The Art of Human Hacking : Social Engineering
1. The Art of Human Hacking : Social Engineering
A new modern threat for the IT industry?
By:
2. Introduction
Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks. By using what’s known as ‘Social Engineering’, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers.
Social engineering, or SE, is the art of manipulating people into performing actions or giving up confidential information. Social Engineering can mean different things to different people.
3. Modern threat modeling is a defensive reaction to understanding a threat in order to prepare yourself, your network, and your assets. This presentation shows how threat modeling can be used as an offensive weapon. While traditional threat modeling looks at the attacker, the asset and the system – offensive threat modeling looks back at the defender to understand his tactics and expose weaknesses.
By adopting the P4S's - People, Points, Posture, Pwnage, Survey – an attacker can understand where best to strike to achieve the best result.
4. P4S’s
Build a HPTL (High Payoff Target List)
– assets that give the greatest value for the effort when compromised
– example: security personnel, senior executives
• secondary targets
– targets which can be used as an indirect attack vector
– sales personnel, support staff, and vendors
• make a list of targets of opportunity
– the "low hanging fruit" of the enterprise
First “P” Stands For “PinPoint”
5. decompose target assets into points of attack
• break each asset into its base components
– identify which components can be readily compromised
• Physical versus Human Assets
– family affiliations, hobbies
– behavioral analysis, psych profiling
– sentiment analysis
– target fingerprinting, mapping
– port scans, vulnerability inventories
– network maps, application analysis
Second “P” Stands For “Points Of Attack”
6. identify the asset's defensive posture
• assess the state or posture of each component
– is it ready to be compromised?
• many critical time-based components
– technical schedules – are firewalls rebooted, patches applied at fixed intervals?
– change management windows and release schedules
– when are employees least likely to be engaged (off-hours, traveling, meetings, and so on)
• does the enterprise understand security?
– is there a proactive security posture, or simply a reactive one?
– is incident response implemented, tested?
Third “P” Stands For “Posture”
7. execute the attack (Hax0r those assets)
– compromise multiple assets using varied attacks
– logical attacks – attack the logic of processes or applications
– social engineering – attack the human element
– physical attacks – engage on site (high risk)
– leverage known weaknesses to compromise assets
– concentrate on assets whose posture leaves them exposed
• human weaknesses are often the easiest to exploit
– bribery, extortion, simple incentives
Fourth “P” Stands For “Pwnage”
8. “S” Stands For “Survey”
continually monitor, maintain compromised assets
• the attacker should continually monitor and update the asset list
– identify whether a target response has been initiated
– analyze attack and defensive effectiveness
– perform a cost-benefit analysis on underperforming assets
• perform damage assessment on lost assets
– ensure no attack leakage has occurred
– identify possible replacements.
9. Social Engineering has proven to be the fastest and most successful way to hack into an organization. The SE technique works every time and more often than not it works the first time. Social Engineering remains one of the largest cyber security threats to IT infrastructures.
10. Methods of Social Engineering
The methods are different and hard to count. I studied a bit and found that I can categorize these methods into different headings as written below.
• Quid Pro Quo - Something for something
• Phishing - Fraudulently obtaining private information
• Baiting - Real world Trojan Horse
• Pretexting - Invented Scenario
• Diversion Theft - A con
• Employment For Social Engineering
• Honey Trapping
11. Quid Pro Quo • Something for Something
o Call random numbers at a company, claiming to be from technical support. Eventually, you will reach someone with a legitimate problem.
o Grateful you called them back, they will follow your instructions.
o The attacker will "help" the user, but will really have the victim type commands that will allow the attacker to install malware.
12. Phishing • Fraudulently obtaining private information
o Send an email that looks like it came from a legitimate business
o Request verification of information and warn of some consequence if it is not provided
o Usually contains a link to a fraudulent web page that looks legitimate
o User gives information to the social engineer
Ex: eBay scam, bank scam, etc.
13. Phishing Continued...
• Spear Phishing
o Targeted phishing
Ex: an email that makes claims using your name
• Vishing
o Phone phishing
o Rogue interactive voice system
Ex: "call the bank to verify your information"
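The phishing slides above describe three signals a recipient can look for: a sender that is not who it claims to be, pressure to act under threat of a consequence, and a link that looks legitimate but leads elsewhere. The following is an added example (not part of the original deck) that checks a raw email for those three indicators: a Reply-To domain that differs from the From domain, urgency wording, and an anchor whose visible text names one site while its href points to another. The sample message, the urgency word list, and the last-two-labels domain approximation are constructed for this example.

```python
"""Added example: score an email for common phishing indicators.
The sample message below is constructed for the demo, not a real message."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: Reply-To differs from From, the body pressures the reader,
# and the visible link text names a different site than the href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: verify@mail-verify.example.net
To: jane@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://example-bank.com.verify-login.example.net/auth">
https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed list; a production filter would use a larger, tuned vocabulary.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive 'last two labels' approximation of the registered domain
    (assumption: a real tool would consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw_email):
    """Return a list of human-readable indicator strings found in the message."""
    msg = message_from_string(raw_email)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]
    # Indicator 1: replies are steered to a domain other than the sender's.
    if reply_dom and registered_domain(reply_dom) != registered_domain(from_dom):
        findings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # Indicator 2: urgency or threat language in the subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Indicator 3: the link text shows one host but the href goes to another.
    parser = LinkCollector()
    parser.feed(body)
    for href, shown in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the constructed sample it reports all three indicators; a plain message with no Reply-To, no urgency wording and no mismatched links yields an empty list. The point for training is that each indicator is something a user can verify by hovering over a link or comparing header fields, which is exactly what the slides ask employees to do.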
14. Baiting • Real world Trojan horse
o Uses physical media
o Relies on the greed/curiosity of the victim
o Attacker leaves a malware-infected CD or USB drive in a location sure to be found
o Attacker puts a legitimate-looking or curious label on it to gain interest
o Ex: "Company Earnings 2009" left at the company elevator
o A curious employee or Good Samaritan inserts the media and unknowingly installs malware
15. Pretexting • Invented Scenario
o Prior research/setup is used to establish legitimacy
Gets the victim to give information that they would normally not divulge
o This technique is used to impersonate authority
Acting with prepared answers to the victim's questions
Using other gathered information
o Ex: Law Enforcement
Threat of an alleged infraction to detain the suspect and hold them for questioning
16. Pretexting Real Example:
• Signed up for Free Credit Report
• Saw Unauthorized charge from another credit company
o Called to dispute the charge and was asked for Credit Card Number
They insisted it was useless without the security code
o Asked for Social Security number
• Talked to Fraud Department at my bank
17. Diversion Theft
• A Con
o Persuade the delivery person that the delivery is requested elsewhere - "Round the Corner"
o When the delivery is redirected, the attacker persuades the delivery driver to unload the delivery near the address
o Ex: Attacker parks a security van outside a bank. Victims going to deposit money into a night safe are told that the night safe is out of order. Victims then give money to the attacker to put in the fake security van
o Most companies do not prepare employees for this type of attack
18. Weakest Link?
• No matter how strong your:
o Firewalls
o Intrusion Detection Systems
o Cryptography
o Anti-virus software
• You are the weakest link in computer security!
o People are more vulnerable than computers
• "The weakest link in the security chain is the human element" - Kevin Mitnick
19. Honey Trapping: Techniques For Social Engineering
This is among the popular methods of social engineering when the stakes are high. Usually, men are more prone to honey traps compared to women. This dangerous method can be described in the following steps:
• Identify the person in the target company who has good insider information
• Have a high class hooker seduce the person
• Film it when they’re in the act
• Use the film to blackmail the trapped person
20. The same method was used in the recent Pathankot Air Base (2016) terrorist attack in India. As the film/video is with the social engineer, the person can get whatever he or she wants. They can even make the trapped person do things he or she would never think of doing. In some cases, the stress and guilt is so high that the trapped person may commit suicide.
There is not much you can do in cases of honey traps except to educate the people who work for you. But that is not a guaranteed solution as it plays on basic human tendencies. Likewise, there is no 100% firewall against any of the above methods of social engineering. People err and that’s where the social engineers make their profits. All you can do is educate, and if the employees understand, good; otherwise not only they, but their companies are also at risk of social engineering.
21. To Understand How a Typical Honey Trap Assignment Works
Read Below:
Prior to the Assignment:
• A Honey Trap Case Manager will get in touch with you. They will help you with planning and executing your Honey Trap assignment.
• Pick your agent from a selection of male or female operatives of various ethnicities, backgrounds, and/or lifestyles.
• You will have a consultation with the agent and the case manager to plan the details of your Honey Trap.
22. What a Typical Assignment Consists of:
• The Agent will attempt to chat with the subject.
• The Agent will ask the subject any predetermined questions agreed upon in the case meeting.
• Exchange telephone numbers under the guise of a future meeting.
• Contact and communication will be maintained for a pre-agreed period of time. Examples: Phone, Email, Text or Social Networking
• An optional second meeting can be arranged for lunch, dinner, or at a hotel.
23. After the Honey Trap:
• The Agent will submit reports and photos
• The SIM card used by the honey trap operative during the assignment
• Copies of all avenues of communication, for example email, text or voice messages.
24. Ways to Prevent Social Engineering
Training
• User Awareness
o User knows that giving out certain information is bad
• Military requires Cyber Transportation to hold
o Top Secret Security Clearance
o Security Plus Certification
• Policies
o Employees are not allowed to divulge private information
o Prevents employees from being socially pressured or tricked
25. Ways to Prevent Social Engineering Cont.
• 3rd Party test - Ethical Hacker
Have a third party come to your company and attempt to hack into your network
The 3rd party will attempt to glean information from employees using social engineering
Helps detect problems people have with security
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information
• Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified
26. General Safety
Before transmitting personal data over the web, check that the connection is secure and check that the URL is right
If unsure whether an email message is legitimate, contact the individual or company by another method to verify
Be paranoid and aware when interacting with anything that needs protecting
The smallest piece of data could compromise what you're protecting
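"Check that the connection is secure and check that the URL is right" is easier said than done, because lookalike domains are built to survive a quick glance. The following is an added example (not from the original deck) that turns that advice into concrete checks a browser extension or mail gateway could apply before a form is submitted: the scheme must be HTTPS, punycode labels are flagged, a known brand buried as a subdomain of another site is caught, digit-for-letter substitutions are normalized away, and short edit distances to known-good names are reported as typosquats. The allowlist, the confusable-character table and the last-two-labels domain approximation are assumptions constructed for this example.

```python
"""Added example: check a URL against an allowlist of known-good domains
before the user submits personal data. Allowlist and rules are constructed."""
from urllib.parse import urlparse

# Constructed allowlist of sites the user legitimately does business with.
KNOWN_GOOD = {"example-bank.com", "example-shop.com"}

# Characters commonly swapped for letters in lookalike domains (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registered_domain(host):
    """Naive last-two-labels approximation (assumption: a real tool would
    consult the Public Suffix List to handle names like example.co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label):
    """Undo the usual visual tricks so 'examp1e-bank' compares equal to 'example-bank'."""
    return label.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, known_good=KNOWN_GOOD):
    """Return a list of warnings; an empty list means the URL passed every check."""
    warnings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("connection is not HTTPS")
    if not host:
        warnings.append("no host in URL")
        return warnings
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) label; may use lookalike characters")

    reg = registered_domain(host)
    if reg in known_good:
        return warnings  # exact match with a known site; only the scheme check applies

    reg_name = normalize(reg.split(".")[0])
    matched = False
    for good in known_good:
        good_name = good.split(".")[0]
        if good in host:
            # e.g. example-bank.com.login.example.net really belongs to example.net
            warnings.append(f"{good} appears inside {host} but the site is actually {reg}")
            matched = True
        elif reg_name == good_name:
            # same name after normalization: substituted characters or a different TLD
            warnings.append(f"{reg} imitates {good} via character substitution or a different TLD")
            matched = True
        elif 0 < edit_distance(reg_name, good_name) <= 2:
            warnings.append(f"{reg} is within two edits of {good} (possible typosquat)")
            matched = True
    if not matched:
        warnings.append(f"{reg} is not in the known-good list; verify before entering data")
    return warnings


if __name__ == "__main__":
    for candidate in ("https://www.example-bank.com/login",
                      "http://www.example-bank.com/login",
                      "https://example-bank.com.login.example.net/auth",
                      "https://examp1e-bank.com/",
                      "https://exampel-bank.com/"):
        print(candidate, "->", check_url(candidate) or "OK")
```

The allowlist approach is deliberately conservative: anything that is neither a known site nor a close imitation of one still gets a "verify before entering data" warning, which matches the slide's advice to treat unfamiliar destinations with suspicion rather than silently trusting them.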