Social Engineering: A Test of Your Common Sense - PowerPoint PPT Presentation



Slides: 37
Provided by: fgall

Transcript and Presenter's Notes

1
Social Engineering A Test of Your Common Sense
  • By Frederick Gallegos, CISA, CGFM, CDE
  • Computer Info Systems Dept

2
Social Engineering
  • Monday morning, 6am: the electric rooster is
    telling you it's time to start a new work week. A
    shower, some coffee, and you're in the car and
    off. On the way to work you're thinking of all
    you need to accomplish this week.
  • Then, on top of that, there's the recent merger
    between your company and a competitor. One of
    your associates told you you'd better be on your
    toes because rumors of layoffs are floating
    around.

3
Social Engineering
  • You arrive at the office and stop by the restroom
    to make sure you look your best. You straighten
    your tie and turn to head to your cube when you
    notice, sitting on the back of the sink, a
    CD-ROM. Someone must have left this behind by
    accident. You pick it up and notice there is a
    label on it. The label reads "2005 Financials
    Layoffs". You get a sinking feeling in your
    stomach and hurry to your desk. It looks like
    your associate has good reason for concern, and
    you're about to find out for yourself.

4
And so
  • The Game Is In Play: People Are The Easiest
    Target
  • You make it to your desk and insert the CD-ROM.
    You find several files on the CD, including a
    spreadsheet which you quickly open. The
    spreadsheet contains a list of employee names,
    start dates, salaries, and a note field that
    says "Release" or "Retain". You quickly search
    for your name but cannot find it. In fact, many
    of the names don't seem familiar. Why would
    they? This is a pretty large company; you don't
    know everyone.
  • Since your name is not on the list you feel a
    bit of relief. It's time to turn this over to
    your boss. Your boss thanks you and you head
    back to your desk.

5
Let's Take A Step Back In Time
  • The CD you found in the restroom was not left
    there by accident. It was strategically placed
    there by me, or one of the security consulting
    firm's employees.
  • You see, a firm has been hired to perform a
    Network Security Assessment on your company.
  • In reality, they have been contracted to hack
    into your company from the Internet and have been
    authorized to utilize social engineering
    techniques.

6
Bingo - Gotcha
  • The spreadsheet you opened was not the only thing
    executing on your computer.
  • The moment you opened that file you caused a
    script to execute which installed a few files on
    your computer.
  • Those files were designed to call home and make
    a connection to one of our servers on the
    Internet. Once the connection was made, the
    software on the security firm's servers responded
    by pushing (or downloading) several software
    tools to your computer.
  • Tools designed to give the team complete control
    of your computer. Now they have a platform,
    inside your company's network, from which they can
    continue to hack the network. And they can do
    it from inside without even being there.

7
This is what we call a 180 degree attack.
  • Meaning, the security consulting team did not
    have to defeat the security measures of your
    company's firewall from the Internet.
  • You took care of that for us.
  • Many organizations give their employees
    unfettered access (or impose limited control) to
    the Internet.
  • Given this fact, the security firm devised a
    method for attacking the network from within, with
    the explicit purpose of gaining control of a
    computer on the private network.
  • All we had to do was get someone inside to do it
    for us.

8
Welcome to Social Engineering
  • What would you have done if you found a CD with
    this type of information on it?
  • Yes, it is people who are the weakest link in any
    security system, and Social Engineering exploits
    that ---

9
(No Transcript)
10
Phisher Site Basics
  • Thief sends e-mail to customer claiming to be a
    legitimate company which has lost the customer's
    personal information
  • Customer reads e-mail and goes to the fake website
  • Customer enters credit card or other personal
    information on the website
  • Thief steals personal information

11
Phisher Site E-mail Example (part 1)
From: EarthLink
To:
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department

Dear EarthLink User,

We regret to inform you, but due to a recent
system flush, the billing/personal information for
your account is temporally unavailable, and we
need to verify your identity.
12
Phisher Site E-mail Example (part 2)
In order to continue using your EarthLink account
and keeping it active, you must provide us with
your full information within 24 hours of
receiving this message.

To re-enter your account information and keep
your account active visit
www.billingdepartment-el.net

Sincerely,
Sean Wright
EarthLink Billing Department
13
Phisher Site Example
14
The Real EarthLink Web Site
15
How to Spot Phisher Sites
TIP-OFFS / TRICKS
  • Claims of lost information
  • Unfamiliar URL
  • Asks for credit card or other personal info
  • No log in or not secure
  • Most companies will not do this
  • E-mail looks legit (at first)
  • Prompts you to act quickly to keep service
  • Website, html or fax form looks legit

16
Tips for Avoiding Phisher Sites
  • Be suspicious of email asking for credit card or
    other personal info
  • URL should be familiar
  • Should require log-in
  • Should be a SECURE SITE
  • Call the company when in doubt
  • Always report spam/fraud to your ISP
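The tip-offs and tips on the two slides above can be turned into a simple scoring filter. The Python below is an added example, not part of the presentation: the known-domain list, the phrase patterns and the benign control message are assumptions constructed for it, while the phishing text is the EarthLink message quoted on slides 11 and 12.

```python
import re
from urllib.parse import urlparse

# Domains the brand really uses: an assumed list for this example; a mail
# filter would load it from the provider's own records.
KNOWN_DOMAINS = {"earthlink": {"earthlink.net"}}

# Each tip-off from the slide, mapped to phrases that commonly express it.
TIPOFFS = {
    "claims of lost information": [r"system flush", r"information .{0,40}unavailable"],
    "asks for personal info": [r"verify your identity", r"full information", r"credit card"],
    "prompts you to act quickly": [r"within \d+ hours", r"keep your account active"],
}

# Only scheme- or www-prefixed links count as URLs, so sentence punctuation
# such as "message.To" is never mistaken for a host name.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)

def host_of(url):
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare www. links carry no scheme
    return (urlparse(url).hostname or "").lower()

def score_message(brand, body):
    """Return (score, reasons): one point per slide tip-off the message shows."""
    reasons, text = [], body.lower()
    for tipoff, patterns in TIPOFFS.items():
        if any(re.search(p, text) for p in patterns):
            reasons.append(tipoff)
    known = KNOWN_DOMAINS.get(brand.lower(), set())
    for url in (u.rstrip(".,;:)") for u in URL_RE.findall(body)):
        host = host_of(url)
        if not any(host == d or host.endswith("." + d) for d in known):
            reasons.append(f"unfamiliar URL: {host}")   # the slide's "Unfamiliar URL"
        if not url.lower().startswith("https://"):
            reasons.append(f"not a secure site: {host}")  # "No log in or not secure"
    return len(reasons), reasons

# Sample input: the phishing text quoted on the slides, reflowed, and a
# constructed benign notice from the real domain for comparison.
PHISH = ("Dear EarthLink User, We regret to inform you, but due to a recent system flush, "
         "the billing/personal information for your account is temporally unavailable, and "
         "we need to verify your identity. In order to continue using your EarthLink account "
         "and keeping it active, you must provide us with your full information within 24 "
         "hours of receiving this message. To re-enter your account information and keep your "
         "account active visit www.billingdepartment-el.net Sincerely, Sean Wright "
         "EarthLink Billing Department")
BENIGN = ("Your EarthLink statement for July is ready. Sign in at "
          "https://www.earthlink.net/myaccount to view it. No action is required.")
```

Running `score_message("EarthLink", PHISH)` flags all five tip-offs, while the benign notice scores zero because its only link points at the brand's own domain over HTTPS.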

17
Federal Trade Commission Identity Theft Data
Clearinghouse Complaints (1)

  Calendar year              Complaints
  CY-1999                         1,380
  CY-2000                        31,117
  CY-2001                        86,197
  CY-2002                       161,886
  CY-2003 (projected) (2)       210,000
  Projected cumulative complaint count
    1999-2003                   490,000

(1) Since February 2001, complaint data have also
been provided to the Clearinghouse by the Social
Security Administration-Office of Inspector
General.
(2) Projections for calendar year 2003 are based on
complaints received from January through June
2003.
18
Federal Trade Commission Consumer Sentinel
Complaints (1)

  Calendar year   Identity theft      Fraud      Total
  CY-2000                 31,117    107,890    139,007
  CY-2001                 86,197    133,891    220,088
  CY-2002                161,886    218,284    380,170

(1) Percentages are based on the total number of
Consumer Sentinel complaints by calendar year.
19
Federal Trade Commission
1-877-FTC-HELP
www.consumer.gov/sentinel
1-877-IDTHEFT
www.consumer.gov/idtheft
20
(No Transcript)
21
(No Transcript)
22
And Another
  • The easiest way to break into any computer system
    is to use a valid username and password and the
    easiest way to get that information is to ask
    someone for it.

23
The Beginning
  • Like many hacking techniques, social engineering
    got its start in attacks against the telephone
    company. The hackers (or phone phreaks, as they
    used to be called) would dial up an operator and,
    by using the right jargon, convince him or her to
    make a connection or share some information that
    should not have been shared.

24
In Reality
  • Social engineering is probably as old as speech,
    and goes back to the first lie.
  • It is still successful today because people are
    generally helpful, especially to someone who is
    nice, knowledgeable, and / or insistent.
  • No amount of technology can protect you against a
    social engineering attack.

25
So How Do You Protect Yourself from Yourself?
  • Recognizing an Attack
  • You can prepare your organization by teaching
    people how to recognize a possible social
    engineering attack. Do we have a Cyber Security
    Ethics 101 Class?
  • Prevent a successful attack
  • You can prepare a defense against this form of
    social engineering by including instructions in
    your security policy for handling it.

26
So How Do You Protect Yourself from Yourself?
  • Create a response plan
  • Your response plan should include instructions on
    how to deal with inquiries relating to passwords
    or other classified information.
  • Implement and Monitor the response plan and
    continue to reinforce with Training

27
Target And Attack
  • The basic goals of social engineering are the
    same as hacking in general: to gain unauthorized
    access to systems or information in order to
    commit fraud, network intrusion, industrial
    espionage, identity theft, or simply to disrupt
    the system or network.
  • Typical targets include telephone companies and
    answering services, big-name corporations and
    financial institutions, military and government
    agencies, and hospitals.
  • The Internet boom had its share of industrial
    engineering attacks in start-ups as well, but
    attacks generally focus on larger entities.

28
And Another
  • One morning a few years back, a group of
    strangers walked into a large shipping firm and
    walked out with access to the firm's entire
    corporate network.
  • How did they do it? By obtaining small amounts of
    access, bit by bit, from a number of different
    employees in that firm. First, they did research
    about the company for two days before even
    attempting to set foot on the premises.

29
And so on
  • For example, they learned key employees names by
    calling HR. Next, they pretended to lose their
    key to the front door, and a man let them in.
    Then they "lost" their identity badges when
    entering the third floor secured area, smiled,
    and a friendly employee opened the door for them.

30
And so on
  • The strangers knew the CFO was out of town, so
    they were able to enter his office and obtain
    financial data off his unlocked computer.
  • They dug through the corporate trash, finding all
    kinds of useful documents.
  • They asked a janitor for a garbage pail in which
    to place their contents and carried all of this
    data out of the building in their hands.
  • The strangers had studied the CFO's voice, so
    they were able to phone, pretending to be the
    CFO, in a rush, desperately in need of his
    network password. From there, they used regular
    technical hacking tools to gain super-user access
    into the system.

31
Common Techniques
  • Social Engineering by Phone
  • Dumpster Diving
  • On-line Social Engineering
  • Persuasion
  • Reverse Social Engineering
  • And many more.

32
Defining The Term "Social Engineering"
  • In the world of computers and technology, social
    engineering is a technique used to obtain or
    attempt to obtain secure information by tricking
    an individual into revealing the information.
  • Social engineering is normally quite successful
    because most targets (or victims) want to trust
    people and provide as much help as possible.
  • Victims of social engineering typically have no
    idea they have been conned out of useful
    information or have been tricked into performing
    a particular task.
  • The prey is not just you but your children and
    elders as well

33
A Challenge to the CSU
  • This is the 21st Century, the time of cyberspace
  • Why is there no formal GE requirement for
    CyberSecurity and Ethics, which can be taught not
    only at the CSU level but at the CC level as well?
  • Why don't we extend this education to K-12 and
    Senior Centers as well?

34
Mt. SAC and Cal Poly Efforts
  • NSF Grant Project: Establishment of a Regional
    Information Systems Security Center (RISSC, see
    http://rissc.mtsac.edu/RISSC_NEW/default.asp )
  • Cal Poly's participation in the Title V Grant and
    development of Network Security curriculum
  • Cal Poly Pomona's establishment of a Center for
    Information Assurance (see
    http://www.bus.csupomona.edu/cfia.asp )

35
Please join US for
  • Information Assurance Symposium: Building
    Information Assurance Capacity and Improving
    Infrastructure at Minority Serving Institutions
    December 8 - 10, 2005
    Cal Poly Pomona
    8:30 a.m. - 5:00 p.m.

36
Contribute to
  • Information Sharing
  • Curriculum Development
  • Awareness, Knowledge and Development of
    initiatives to help others around us be better at
    practicing good security techniques
  • Our thanks to Educause, ISACA, ISSA, IIA and
    HTCIA for their support