Combating Social Engineering - PowerPoint PPT Presentation

Slides: 13
Provided by: netw161

Transcript and Presenter's Notes

1
Combating Social Engineering
Jason Collins presents
  • 2-24-08

2
Article
  • Worm Disguised as Virus Update
  • Adapted from "Social Engineering Low-Tech Tools
    for Virus Writers" [48]
  • By Andrew Conry-Murray, Network Magazine, July
    2001.
  • Here's a new spin on an old trick: an e-mail
    virus, posing as an antivirus update. In May
    2001, users began receiving unsolicited updates
    from Symantec, an antivirus software manufacturer.
    The e-mail contained a link, purportedly to route
    the recipient to an antivirus Web site to download
    a patch for the utility, or even an updated virus
    signature. In fact the link activated a worm. This
    type of virus hoax involves social engineering,
    which is preferred for two reasons: "First, it's
    easier than writing exploits that launch without
    user participation," says Roger Thompson,
    technical director of malicious code research at
    TruSecure (www.trusecure.com). Second, "People
    will just click on anything," Thompson adds.
    "Virus writers exploit that, and their targets
    unwittingly spread the virus," says Vincent
    Weafer, director of Symantec's AntiVirus Research
    Center (www.symantec.com). [49]
  • With the widespread sharing of computer art,
    games, and a host of other e-mail attachments, we
    have developed a culture of e-mail users who are
    overly trusting, clicking on any attachment almost
    without thinking. This reaction is a security
    nightmare. Some think that users can be educated
    not to open unsolicited e-mail. However, Thompson
    disagrees: "Even if you convince users not to
    click attachments with the common virus
    extensions, such as a file named clickme.exe,
    Windows may get in

3
Questions to Answer
  • What non-technical controls or safeguards can
    combat social engineering? Is end user education
    truly hopeless?
  • Can prohibiting attachments, as a solution to the
    problem of users clicking on attachments, conflict
    with the business mission of an organization? What
    is the fundamental flaw of using this technical
    solution to a business problem?

4
Combating Social Engineering
  • Non-Technical Controls and Safeguards
  • Communication Mediums
  • Awareness Communication
  • Formal Training
  • Physical Security
  • Building Security
  • Documentation Disposal

5
Combating Social Engineering
  • Awareness Communication
  • Security Awareness Posters
  • Mouse Pads
  • Pens
  • Screen Savers
  • Newsletters
  • Email Reminders

6
Combating Social Engineering
  • Training Mediums
  • Instructor-led Training Sessions
  • Web Based / Computer Based Training
  • Training Orientation Videos

7
Combating Social Engineering
  • Training Topics
  • Social Engineering Awareness and Prevention
  • Password Usage and Protection
  • Dealing with Email Attachments
  • SPAM
  • Spyware / Viruses
  • Documentation Disposal
  • Facility Access
  • Incident Reporting

8
Combating Social Engineering
  • Building Security
  • Secure All Entry Points
  • Camera Surveillance System
  • Swipe Access / Cipher Locks
  • ID Badges
  • Security Guards
  • Alarm System
  • Restrict Access to Data Center / Server Room

9
Combating Social Engineering
  • Documentation Disposal
  • Shred Paper Documents
  • Provide Ample Shredders / Secure Bins
  • Securely Wipe All Disk Storage Before Disposal

10
Dealing with Attachments
  • Prohibiting All Attachments
    • Pros
      • Protects against viruses that come in the form
        of an attachment.
      • Reduces the amount of network traffic.
      • Reduces the amount of sensitive information
        that is sent over the internet.

11
Dealing with Attachments
  • Prohibiting All Attachments
    • Cons
      • Reduces Productivity
      • Impairs Communication
      • Limits File Distribution Options
      • Frustrates Employees, Vendors and Customers
      • Does not prevent links to infected websites.

12
Conclusion
  • End user education is not hopeless!
  • Combat Social Engineering Through
    • Awareness Communication
    • Formal Training
    • Building Security
    • Documentation Disposal
  • Prohibiting all e-mail attachments hurts business
    productivity and relations.