Social engineering-Attack of the Human Behavior
-
Upload
james-krusic -
Category
Education
-
view
1.013 -
download
3
description
Transcript of Social engineering-Attack of the Human Behavior
Social Engineering:Exploiting the Human Behavior
Author: James KrusicIASC 1100
“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
-Kevin Mitnick
What is Social Engineering?• Is the technique used by attackers to gain the trust of
employee’s, in efforts to get information.• A companies greatest threat are themselves.• Two categories of attacks• Technical• Non-Technical
Technical Attacks• Are those that deceive the user into believing that the
application in use is truly providing them with security.• Example would be logging into Facebook and a random pop-up
window is wanting your credentials. Once you supply the pop-up window with your username/password, the attack has access to your Facebook account.• Once the attacker has your password, most of the time that same
password is used for bank accounts, network access and more.
Technical Attacks cont.• Examples of technical attacks:• Phishing
• Usually sent via e-mail, indicating to the victim that something has happened. Once the victim opens the payload the attacker has access to the network.
• Pop-up Window• Spam-Emails
• This is a mass e-mail system. Which hundreds and thousands of e-mails are sent out to individuals. Tightly related with phishing attempts.
Non-Technical Attacks• Are attacks that are purely perpetrated through the art of
deception. (Peer-to-Peer interaction)• Examples:• Dumpster Diving• Support Staff• Hoaxing• Authoritative Voice
Human Behavior Manipulations
• Curiosity
• Fear
• Thoughtlessness
Curiosity
Why would exploiting curiosity be such an effective method?- It is like saying, “Why do people go into the woods
when its dark?”- People always want to know what’s behind the door.- So when people receive an e-mail saying they won
$5,000 and all they need to do is follow the link, they more than likely will.
Fear• Fear is such a strong behavior, because once a person
experiences it, they do not want that feeling again.• Example: Hoax’s are used to falsify information in-order to scare
the victim.
Thoughtlessness• Is a human behavior that is done without thought. To not think
when doing.• Example: Dumpster Diving• When a person throws old credit cards away without first cutting
them up, or when they throw away bank account statements that have your social security number on them, or credit card information.• An attackers gold mine, is to find personal information such as; SSN,
Account Number, Addresses and more.
How to help mitigate against promising attacks of Social Engineering
- Educate the users/employee’s- Well-rounded policy- Audit and ensure compliance- Proper hardware mitigation
- E-mail filters- Firewalls
User Education/Awareness• User education is an important role to mitigate against social
engineering tasks.• Simple education such as:• Ensure employee’s check the person/s ID• Ensure employee’s verify they have appointment with
management• Ensure employee’s do not divulge company secrets, personal
information, and network information over the phone
Motivate the Users• Self Interest- Most people tend to retain facts better when
they can personally identify with or use that information personally
• Memory Persistence- Current news stories, or recent situations that effect the organization.
• Perceived Importance- Effectively communicate the need for stated security policies.
• Understanding- People are more inclined to follow procedures that they fully understand.
Well Rounded Security Policy• Why do we need a good security policy?• It provides a framework for best practice• Helps turn employee’s into participants in the company’s efforts
to secure its information assets.• Shows internally and externally that assets are important
Audits & Compliance• Why does a company need to audit and ensure compliance of
a security policy?• Companies need to audit the security policy to ensure that
employee’s at all levels are following the policy• Top-Down approach is good when auditing
• Most of the time upper management want more access to network resources than standard employee’s• This is a good place to start because if an attacker decides to do a spear
phishing attack they usually start high, because they do not believe that they need to follow policy.
Hardware/Software Mitigation• Employ multiple firewalls using different platforms• This is security by obscurity, meaning that multiple platforms or
multiple setups ensures that by getting by one firewall doesn’t mean an attacker can get by the second, or third.
• Deploy E-mail Filters• Types of E-mail Filters:
• Bayesian Spam Filters: Work by scanning the e-mail for tokens (usually words), and then calculating the probability that the e-mail is spam.• Very powerful, low false positives
• Spam Assassin: Uses rule sets to scan body and header of e-mail messages. Can be very granular (extensive rules).• Can be ran for all e-mail or can be ran by individual users.
Additional Resources• www.mattslifebytes.com• Can find a video about social engineering.• Can find a experiment on dumpster diving
• Also can find images of servers that can help you understanding hardening Linux. From IT-Adventures.
• End User Security Awareness Presentation• http://www.slideshare.net/frostinel/end-user-security-
awareness-presentation-presentation• Policy Enforcement• http://www.sans.org/reading_room/whitepapers/policyissues/
information-security-policy-development-guide-large-small-companies_1331