NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Post on 16-Apr-2017


The Rise of Social Engineering - Anatomy of a Full Scale Attack

Presenter: Dave Nelson, CISSP | President at Integrity

Dave Nelson, CISSP

• Certified Information Security Professional (CISSP)

• Over 20 years' experience as an information security professional

• Fellow with the Information Systems Security Association

• President Emeritus of ISSA Des Moines Iowa Chapter

Overview

What is "Social Engineering"?

Types of Attacks & Real World Examples

Best Defense

What is "Social Engineering"?

Social Engineering

• Using knowledge of human behavior to elicit a defined response.

• Put simply… getting you to willingly do something for me which is likely not in your best interest.

Sociology and Psychology

• Study of human behavior, interaction and societal norms.

• Actions can be predicted quite accurately.

• Actions can also be influenced quite easily.

Simple Human Behavior

• Two Types of Responses
– Natural
– Learned

Hackers will craft a scenario for you to enter, in order to elicit a response which they believe will give them the result they are looking for.

Types of Attacks & Real World Examples

Why talk about social engineering?

Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it's on the rise.

Source: 2016 Verizon Data Breach Investigation Report

5 Common Attack Methods

Dumpster Diving

Pretexting

Phishing

Physical Entry

Enticement

Dumpster Diving

• Scouring through discarded items
– Calendars & Day planners
– Handwritten notes
– Phone & Email lists
– Operation manuals or procedures
– System diagrams & IP addresses
– Source code

Pretexting

• Fraudulent phone calls
• Used to extract information
• Also used to set up other attacks such as facility entry or phishing

Phishing

Attempts to get users to provide information or perform an action

Tips For Identifying Phishing Attempts
– Asks to update account information via email
– No verification image or varying layout designs
– Provides unfamiliar hyperlinks

Common Bait

• Sweet Deals
– Free Stuff
– Limited Time Offers
– Package Delivery

• Help Me, Help You!
– Tech Support

• You Gotta' See This!

Spear Phishing Example

Good Morning Mike,

You may or may not know, but Mary (CFO) and I are in Atlanta working to close a deal with our partners XYZ Company and ABC Limited on a $70 million dollar contract with Our Big Payday, Inc. In order to get the contracts signed, I need you to wire $85,620 to XYZ Company and $67,980 to ABC Limited. Mary says this should come from our Bank Name Here account number 123456789. The routing and account number for XYZ is 12345678 – 7788994455 and for ABC is 98765432 – 336699774411.

Because Our Big Payday, Inc. is a publicly traded company, the terms of this agreement cannot be disclosed until they file their SEC reports for the quarter, so your absolute discretion is expected. Under no circumstances are you to discuss this transaction with anyone in the department. A leak could result in SEC fines or prison for both of us for insider trading. If you have any questions about this, please respond to this email with your direct line and I'll call you when I'm out of the negotiation meetings. I appreciate all you do for us, which is why I'm trusting you with this key project.

Keep up the good work!
Sandy (CEO)
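As an added example that is not part of the presentation: a small Python heuristic that scores an inbound message against the warning signs this deck lists (wire request, secrecy demand, executive pretext, moving the conversation out of band, account-update requests, unfamiliar links, and a look-alike sender domain), run over a constructed paraphrase of the spear-phishing email above. The sender address, the domains and the quarantine threshold are assumptions.

```python
import re

# Constructed sample paraphrasing the slide's spear-phishing email; the sender
# address and domains are assumptions, not taken from the slide.
SAMPLE_EMAIL = {
    "from": "Sandy (CEO) <sandy@ourcompany-ceo.example>",
    "body": (
        "Good Morning Mike, Mary (CFO) and I are in Atlanta closing a deal. "
        "In order to get the contracts signed, I need you to wire $85,620 to XYZ Company "
        "and $67,980 to ABC Limited. Under no circumstances are you to discuss this "
        "transaction with anyone in the department. If you have any questions, please "
        "respond to this email with your direct line and I'll call you."
    ),
}

# Each indicator corresponds to one warning sign from the deck.
INDICATORS = {
    "wire_transfer_request": re.compile(r"\bwire\b[^.]*\$\s?\d[\d,]*", re.I),
    "secrecy_demand": re.compile(r"under no circumstances|absolute discretion", re.I),
    "executive_pretext": re.compile(r"\((?:CEO|CFO|CIO)\)", re.I),
    "out_of_band_callback": re.compile(r"respond to this email with your direct line", re.I),
    "account_update_request": re.compile(r"update (?:your )?account information", re.I),
}
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)


def sender_domain(from_header):
    """Return the lowercase domain from a From: header like 'Name <user@host>'."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def score_email(msg, internal_domain, known_link_domains=()):
    """Return (triggered indicators, verdict) for one message."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(msg["body"])]
    # A message claiming an executive author but sent from outside the company's
    # own mail domain is the classic look-alike-domain BEC pattern.
    if "executive_pretext" in hits and sender_domain(msg["from"]) != internal_domain:
        hits.append("external_domain_claims_executive")
    # The "unfamiliar hyperlinks" tip: any link domain not on the allowlist.
    if any(d.lower() not in known_link_domains for d in URL_RE.findall(msg["body"])):
        hits.append("unfamiliar_hyperlink")
    # Threshold is an assumption; tune it to the mail flow being screened.
    verdict = "quarantine" if len(hits) >= 3 else "flag" if hits else "deliver"
    return hits, verdict


if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL, "ourcompany.example"))
```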

Physical Presence

• Gaining physical access can be easier than virtual access

• May provide additional information

• Comes at a higher risk but with a potentially greater reward

Physical Presence Examples
• Delivery Drivers
• Employee Tailgating
• Maintenance or Emergency Crews

• The key is to act like you belong. If you believe it, so will everyone else.

Enticement Examples

A folder with an enticing title/label left on the ground outside an employee entrance with a USB thumb drive taped inside.

• USB, CD or DVDs left in conspicuous spaces.

• May be accompanied by fake paper files

• Curiosity beats caution

Year-End Bonuses

Putting It All Together

• Targeted attacks will always use some form of social engineering.

• Just like in military operations, intel makes or breaks a mission

• Hackers may never even need to use sophisticated technical attacks if you provide the information willingly

Stealth Mode

• Limited social engineering attacks can be hard to detect.

• Relevant information allows attackers to pinpoint their attack, which makes their footprint hard to discover.

Don’t Fall for The Long Con

• Social engineering is nothing more than a con game.

• The old "Long Con" has been ported to the digital world.

• Good cons are hard to spot.

Best Defenses

• Strong paper destruction process
• Limiting facility ingress/egress points
• Challenge unknown people in secure areas
• Implement technology to screen email and websites for attacks

Employee Training

• Traditional CBT methods don't work
• Engage the employee, make a personal plea
• Use gamification to enhance learning
• Prepare for different learning styles (audio, visual, hands-on)

• Awareness is not training and training is not awareness

Program Validation

• Social engineering testing engagements provide assessments of how well your people, process and technology are functioning.

Summary

• Social engineering is here to stay and it's growing
• Your organization will suffer a data breach due to social engineering

• The study of human behavior has been used by criminals for centuries; cybercriminals are no different

• Employees must be trained to spot social engineering and how to react

Question & Answer

dave.nelson@integritysrc.com

www.integritysrc.com/blog

Dave Nelson, CISSP

@IntegrityCEO - @IntegritySRC

515-965-3756