Preventing Social Engineering Attacks
Transcript of Preventing Social Engineering Attacks
Page 1: Preventing Social Engineering Attacks
Kelly Corning, Julie Sharp
Page 2
Human-based techniques: impersonation
Computer-based techniques: malware and scams
Page 3
Manipulates legitimate users into undermining their own security system
Abuses trusted relationships between employees
Very cheap for the attacker
Attacker does not need specialized equipment or skills
Page 4: Impersonation
Help Desk
Third-party Authorization
Tech Support
Roaming the Halls
Repairman
Trusted Authority Figure
Snail Mail
Page 5: Computer-Based Techniques
Pop-up Windows
Instant Messaging and IRC
Email Attachments
Email Scams
Chain Letters and Hoaxes
Websites
Page 6: Help Desk
Hacker pretends to be an employee
Recovers a “forgotten” password
Help desks often do not require adequate authentication
Page 7: Third-party Authorization
Targeted attack on someone who has information, access to assets, or verification codes
Claim that a third party has authorized the target to divulge sensitive information
More effective if the third party is out of town
Page 8: Tech Support
Hacker pretends to be tech support for the company
Obtains user credentials for troubleshooting purposes.
Users must be trained to guard credentials.
Page 9: Roaming the Halls
Hacker dresses to blend in with the environment: company uniform, business attire
Looks for sensitive information that has been left unattended: passwords written down, important papers, confidential conversations
Page 10: Repairman
Hacker wears the appropriate uniform
Often allowed into sensitive environments
May plant surveillance equipment
Could find sensitive information
Page 11: Trusted Authority Figure
Hacker pretends to be someone in charge of a company or department
Similar to “third-party authorization” attack
Examples of authority figures: medical personnel, home inspector, school superintendent
Impersonation in person or via telephone
Page 12: Snail Mail
Hacker sends mail that asks for personal information
People are more trusting of printed words than webpages
Examples: fake sweepstakes, free offers, rewards programs
More effective on older generations
Page 13: Pop-up Windows
Window prompts the user for login credentials
Imitates the secure network login
Users can check for visual indicators to verify security
Page 14: Instant Messaging and IRC
Hacker uses IM or IRC to imitate the technical support desk
Redirects users to malicious sites
Trojan horse downloads install surveillance programs
Page 15: Email Attachments
Hacker tricks the user into downloading malicious software
Programs can be hidden in downloads that appear legitimate
Examples: executable macros embedded in PDF files; camouflaged extension, “NormalFile.doc” vs. “NormalFile.doc.exe” (often the final extension is hidden by the email client)
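As an added example (not part of the original deck), a small Python checker for the camouflaged-extension trick described above: it reconstructs the name a user would see when the mail client hides the final extension and flags attachments whose true extension is executable. The extension sets and the sample attachment names are constructed assumptions.

```python
import os

# Constructed for this example: final extensions that make an attachment executable.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}
# Constructed for this example: extensions a user expects to be harmless documents.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}

# Constructed sample attachment names, as they might arrive in one message.
SAMPLE_ATTACHMENTS = [
    "NormalFile.doc",
    "NormalFile.doc.exe",
    "Invoice.pdf.scr",
    "report.xlsx",
    "setup.exe",
]


def apparent_and_true_extension(filename):
    """Return (name shown when the final extension is hidden, true extension).

    A mail client that hides known extensions displays "NormalFile.doc.exe"
    as "NormalFile.doc": the visible name ends in a document extension while
    the real extension is executable.
    """
    name = os.path.basename(filename.strip())
    base, dot, true_ext = name.rpartition(".")
    if not dot:
        return name, ""  # no extension at all
    return base, true_ext.lower()


def is_camouflaged_attachment(filename):
    """True when the visible name looks like a document but the real extension is executable."""
    shown, true_ext = apparent_and_true_extension(filename)
    if true_ext not in EXECUTABLE_EXTENSIONS:
        return False
    _, _, shown_ext = shown.rpartition(".")
    return shown_ext.lower() in DOCUMENT_EXTENSIONS


def triage_attachments(names):
    """Return the attachment names that should be held for review before delivery."""
    return [n for n in names if is_camouflaged_attachment(n)]


if __name__ == "__main__":
    print(triage_attachments(SAMPLE_ATTACHMENTS))
```

A plain "setup.exe" is not flagged by this rule because nothing about it is disguised; a separate policy that blocks all executable attachments would catch it.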
Page 16: Email Scams
More prevalent over time
Begins by requesting basic information
Leads to financial scams
Page 17: Chain Letters and Hoaxes
More of a nuisance than a threat
Spread using social engineering techniques
Productivity and resource cost
Page 18: Websites
Offer prizes but require a created login
Hacker capitalizes on users reusing login credentials
Website credentials can then be used for illegitimate access to assets
Page 19
Never disclose passwords
Limit IT information disclosed
Limit information in auto-reply emails
Escort guests in sensitive areas
Question people you don't know
Talk to employees about security
Centralize reporting of suspicious behavior
Page 20: Never Disclose Passwords
Remind employees to keep passwords secret
Don’t make exceptions. It’s not a grey area!
Page 21: Limit IT Information Disclosed
Only IT staff should discuss details of the system configuration with others
Don’t answer survey calls
Check that vendor calls are legitimate
Page 22: Limit Information in Auto-reply Emails
Keep details in out-of-office messages to a minimum
Don’t give out contact information for someone else.
Route requests to a receptionist
Page 23: Escort Guests in Sensitive Areas
Guard all areas with network access: empty offices, waiting rooms, conference rooms
This protects against the “Repairman” and “Trusted Authority Figure” attacks
Page 24: Question People You Don’t Know
All employees should have appropriate badges
Talk to people who you don’t recognize
Introduce yourself and ask why they are there
Page 25: Talk to Employees About Security
Regularly talk to employees about common social engineering techniques
Always be on guard against attacks
Everyone should watch what they say and do
Page 26: Centralize Reporting of Suspicious Behavior
Designate an individual or group
Social engineers use many points of contact: survey calls, presentations, help desk calls
Recognizing a pattern can prevent an attack