Social engineering - Ingeniería social


Transcript of Social engineering - Ingeniería social

Page 1: Social engineering - Ingeniería social

Social Engineering Training

Jan-Willem Bullee

Page 2: Social engineering - Ingeniería social

Cyber-crime Science

Background

Effectiveness of authority on compliance

We can get some of the answers from:
» Literature (Meta-analysis)
» Attacker stories/interviews

But the answers are inconclusive:
» Different context
» Hard to measure human nature
» Difficult to standardize behaviour.


Page 3: Social engineering - Ingeniería social


Persuasion Principles

» Authority
» Conformity
» Commitment
» Liking
» Reciprocity
» Scarcity


Page 4: Social engineering - Ingeniería social


Authority

» Titles: Professionals vs Lay people
» Clothing: Formal vs Casual
» Trappings: Status vs Insignificance


[Cia01] R. B. Cialdini. The science of persuasion. Scientific American Mind, 284:76-81, Feb 2001. http://dx.doi.org/10.1038/scientificamerican0201-76

Page 5: Social engineering - Ingeniería social


Literature on Authority

Classical Milgram Shock Experiment
» 66% full compliance

Nurse-Physician relationship
» 95% compliance

Login credentials
» 47% compliance


[Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4), 371–378.

Page 6: Social engineering - Ingeniería social


Success factors of Authority

» Sense of duty
» Obedience to authority


Page 7: Social engineering - Ingeniería social


Attacker Stories

Books about Social Engineering, coded against the Six Principles of Persuasion.

Provisional results:
» 4 books
» 100 cases.


[Mit02] K. Mitnick, W. L. Simon, and S. Wozniak. The Art of Deception: Controlling the Human Element of Security. Wiley, Oct 2002. http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html

Page 8: Social engineering - Ingeniería social


Mitnick Analysis


Page 9: Social engineering - Ingeniería social


Nurse Study: Design

Attacker: Doctor
Target: Nurse
Goal: Violating policy
» Maximum dose of medicine
Interface: Phone
Persuasion Principle: Authority


[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in Nurse-Physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.

Page 10: Social engineering - Ingeniería social


Stealing a key

What is the influence on compliance with a request of:
» Social Engineering (e.g. Authority)

You are the researchers!


Page 11: Social engineering - Ingeniería social


Our Design

Attacker: You (Student)
Target: Employee
Goal: Violating policy
» Sharing office key with 3rd party
Interface: Face 2 Face
Persuasion Principle: Authority


Page 12: Social engineering - Ingeniería social


Method: Our design

Dependent and Independent variables

4 experimental conditions (independent variables):
» Intervention / No Intervention
» Authority / No Authority

Dependent variable:
» Compliance / No Compliance to request.


[Diagram: Request → Comply]

[Fie09] A. Field. Discovering statistics using SPSS. Sage, London, 3rd edition, Jan 2009. http://www.uk.sagepub.com/field3e/main.htm

Page 13: Social engineering - Ingeniería social


Method: Our procedure

Subjects from the Carré building
» 14 research groups
» 4 conditions

Intervention vs No intervention
Authority: Suit vs Casual

Randomized sample
Attack in 1 day


Page 14: Social engineering - Ingeniería social


Method: Our procedure

Attack targets
» Impersonate facility manager, and ask for the key of the employee
» Short Questionnaire
» Note date, time, location, condition, compliance, difficulty, etc.

More details on the course-site
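The records noted per attack (condition, compliance) feed a 2x2 factorial analysis: Intervention x Authority as independent variables, compliance as the dependent variable. As an added example that is not part of the original slides, the block below tallies compliance per condition and tests each factor against compliance with a Pearson chi-square test on a collapsed 2x2 table, computed by hand rather than in SPSS. The records are constructed, made-up values with 10 subjects per condition, not data from the study; the critical value 3.841 is the standard chi-square cut-off for 1 degree of freedom at alpha = 0.05.

```python
"""Added example (not part of the original slides): tally compliance in the
2x2 design (Intervention x Authority) and test each factor against compliance
with a chi-square test of independence on a 2x2 table, computed by hand."""
from collections import defaultdict

# Critical value of chi-square with 1 degree of freedom at alpha = 0.05.
CHI2_CRIT_DF1_005 = 3.841

# Constructed sample records (intervention, authority, complied); made-up
# numbers for illustration, not data from the study: 10 subjects per condition.
RECORDS = (
    [(False, False, c < 4) for c in range(10)]   # no intervention, casual dress
    + [(False, True, c < 8) for c in range(10)]  # no intervention, suit
    + [(True, False, c < 2) for c in range(10)]  # intervention, casual dress
    + [(True, True, c < 6) for c in range(10)]   # intervention, suit
)


def compliance_by_condition(records):
    """Return {(intervention, authority): (complied, total)} for the 4 conditions."""
    counts = defaultdict(lambda: [0, 0])
    for intervention, authority, complied in records:
        cell = counts[(intervention, authority)]
        cell[0] += int(complied)
        cell[1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def two_by_two(records, factor):
    """Collapse the records into a 2x2 table for one factor.

    factor is 0 (intervention) or 1 (authority). Rows: factor absent, factor
    present. Columns: did not comply, complied.
    """
    table = [[0, 0], [0, 0]]
    for record in records:
        level = int(record[factor])
        complied = int(record[2])
        table[level][complied] += 1
    return table


def chi_square(table):
    """Pearson chi-square statistic for a 2x2 table (no continuity correction)."""
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    n = sum(row_totals)
    stat = 0.0
    for i in range(2):
        for j in range(2):
            expected = row_totals[i] * col_totals[j] / n
            stat += (table[i][j] - expected) ** 2 / expected
    return stat


def factor_effect(records, factor):
    """Chi-square statistic for the factor and whether it exceeds the 0.05 cut-off (df = 1)."""
    stat = chi_square(two_by_two(records, factor))
    return stat, stat > CHI2_CRIT_DF1_005


if __name__ == "__main__":
    for (intervention, authority), (complied, total) in sorted(
        compliance_by_condition(RECORDS).items()
    ):
        print(f"intervention={intervention!s:5} authority={authority!s:5} "
              f"compliance={complied}/{total}")
    for name, factor in (("intervention", 0), ("authority", 1)):
        stat, sig = factor_effect(RECORDS, factor)
        print(f"{name}: chi2={stat:.2f} significant={sig}")
```

With the constructed records the authority factor gives chi2 = 6.4 (above the cut-off) and the intervention factor chi2 = 1.6 (below it); with real data the per-condition tallies are what goes into SPSS, and the collapsed tables ignore any interaction between the two factors, which a full 2x2 analysis would also examine.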


Page 15: Social engineering - Ingeniería social


What to do on Wed 11 Sep

Attacker training in the morning, CR2022
Execute experiment individually (or in duos)
» One or two attackers per area
» Condition and area allocation: Jan-Willem Bullee

On the course-site soon
» Debrief directly after attack


Page 16: Social engineering - Ingeniería social


What to do on Wed 11 Sep

We have permission to do this only at
» UT: Carré

Enter your data in SPSS
» Directly after the attack
» Come to me, ZI4047

Earn 0.5 (out of 10) bonus points


Page 17: Social engineering - Ingeniería social


Ethical issues

» Informed consent not possible
» Zero risk for the subjects
» Approved by facility management
» Consistent with data protection (PII form)
» Approved by ethical committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/


Page 18: Social engineering - Ingeniería social


Conclusion

Designing research involves:
» Decide what data are needed
» Decide how to collect the data
» Use validated techniques where possible
» Experimental Design, pilot, evaluate and improve
» Training, data gathering
» Start again...


Page 19: Social engineering - Ingeniería social


Further Reading


[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895

[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295