Social Engineering Techniques & practices

Jose Chacko FCA,CIA,CFE,CFAP [email protected]


Social engineering techniques bypass technology-based security.

The best firewall is useless if the person behind it gives away either the access codes or the information it is installed to protect.

Kevin Mitnick, Mitnick Security Consulting

"The weakest link in the security chain is the human element"

Notorious Hacks

1. Getting free bus rides in Los Angeles, California
2. Hacking into private DEC systems to view unreleased source code
3. Evading the FBI by using fake identities
4. Hacking into IBM, Motorola, Nokia and Sun computer systems

Kevin Mitnick

Kevin Mitnick is a convicted computer hacker who spent five years in prison for computer crimes. Mitnick currently runs Mitnick Security Consulting.

Fast Facts

1. Born: October 6, 1963
2. Birthplace: Los Angeles, California
3. Released from prison on January 21, 2000
4. His official website has been the victim of many hackers wanting to prove themselves
5. Has had two movies based around the events: Takedown and Freedom Downtime

History

Kevin Mitnick began his long history with hacking by bypassing the ticketing system for the Los Angeles bus system. From there, he branched out into various other forms of hacking, including social engineering. Mitnick first gained unauthorized access to a computer system in 1979 after he hacked into the Digital Equipment Corporation's computer network and caused a reported $160,000 in damages. This act brought the first of his many run-ins with law enforcement. For his actions, he was later convicted of computer crimes and given a five-year jail sentence. He was released on January 21, 2000, and was not allowed to use any communication technology for three years as part of the terms of his probation. He fought this ruling and was eventually allowed access to the internet. Mitnick now runs Mitnick Security Consulting, a company that provides security services for corporations.


Social engineering techniques cannot be avoided in any hacking instance.

[Diagram: Fraud, Information, Victim, Social engineering techniques]

What is "FRAUD"?

• The art of manipulating and deceiving people
• Intentional misrepresentation or concealment of information in order to deceive or mislead
• Intentional deception made for personal gain or to damage another entity.


TYPES OF FRAUD

WHITE COLLAR CRIMES - FRAUD INCLUDES

• Fraudulent financial statements
• Misappropriation of assets
• Expenditure and liability incurred for illegal purposes
• Manipulation of revenues and expenditures

Fraudulent financial reporting – Cooking the books

• Earnings management
• Improper revenue recognition
• Overstatement of assets
• Understatement of liabilities
• Fraudulent journal entries
• Round-trip or "wash" trades

Misappropriation of assets

• Billing schemes
• Collusion
• Concealment
• Embezzlement
• Forgery
• Ghost employees
• Kiting
• Lapping
• Larceny
• Misapplication
• Payroll fraud
• Theft

Illegal expenditures and liabilities

• Bribes
• Conflicts of interest
• Kickbacks
• Concealment
• Money laundering

Manipulation of expenditure and revenues

• Concealment
• Scams
• Tax fraud

Impact of Fraud

• Actual loss of money
• Loss of consumer confidence
• Loss of trust
• Loss of market share / business
• Loss of employee benefits

Not only measured in monetary terms...

Information

"Information is the highest value commodity for the new millennium" – Futurist Alvin Toffler

Information hacking

• Individual level
• Corporate level
• Country level – Espionage: industrial, economic

SOCIAL ENGINEERING

Definition

• "Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information" – Wikipedia

SOCIAL ENGINEERING

Definition

• Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders
• Psychologically manipulating people into giving the attacker access, or the information necessary to get access, using a variety of schemes

SOCIAL ENGINEERING

Features

• Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task
• Social engineering is normally quite successful because most victims want to trust people and provide as much help as possible
• Social engineering itself is not a technological problem, but it does have a technological solution.

Social engineering attacks don't have to involve the use of technology.

Social engineering attacks typically originate from one of three zones:

• Internal – Employees
• Trusted – Consultants
• External – Hackers

Social Engineering Techniques generally used in IT environment

• Impersonating IT staff
• Playing on users' sympathy
• Making close relations with targets
• Intimidation tactics
• The greed factor
• Creating confusion
• Shoulder surfing
• Dumpster diving
• Gone phishing
• Reverse (social) engineering

Impersonating IT staff

• The social engineer pretends to be someone from inside the company, often a member of the IT department.
• Good social engineers will do their homework and find out the names of real members of the IT department.
• They'll even find a way to place the call from inside the company or have a plausible excuse for why it's coming from outside (for example, saying that they're troubleshooting the problem from the company's headquarters or its special "central IT center").

Is it true?

In fact, there's rarely any reason a real IT administrator would need to know a user's password. If administrators need to get into a user's account, they can simply use their administrative privileges to change the password to whatever they want and access the account that way. Asking users for their passwords usually indicates either an administrator who doesn't know the job or a social engineering attempt.

Playing on users' sympathy

Another favorite tactic of social engineers is to elicit sympathy from a user to get him or her to reveal password information or allow physical access to sensitive servers. For example, the social engineer may pretend to be a worker from outside, perhaps from the phone company or the company's Internet service provider. He tells the secretary who has the key to the server room that he's new on the job and supposed to be back to the office in an hour, and he just needs to check out some wiring very quickly. Or he pretends to be with the ISP and tells the user he calls that he has messed up her account and if he doesn't get it fixed right away, he'll lose his job—and of course, he needs her password to do it. Whatever the story, the social engineer appears to be upset, worried, and afraid of some dire consequence that will befall him if the target victim doesn't help.

Naturally most people want to help a person who's in trouble.

Making close relations with targets

Some social engineers will go to great lengths to pry information out of a user, especially if the stakes are high (e.g., in cases of corporate espionage where the social engineer stands to gain a big financial reward for getting into the network). They'll engage in elaborate, long-term schemes that include slowly becoming close friends with their target victims or even initiating and developing a romantic relationship to get to the point where the victim trusts the social engineer enough to reveal confidential information, including network passwords and other information needed to break in. This may also make it possible for the social engineer to gain access to keys, smart cards, etc., that can be used to defeat security mechanisms.

Intimidation tactics

Some victims don't respond well to the sympathy tactic or romantic overtures. In that case, social engineers may need to turn to stronger stuff: intimidation. In this case, the social engineer pretends to be someone important—a big boss from headquarters, a top client of the company, an inspector from the government, or someone else who can strike fear into the heart of regular employees. He or she comes storming in, or calls the victim up, already yelling and angry. They may threaten to fire the employee if they don't get the information they want—even if the employee protests that company policy says not to divulge that information to anyone. It takes a very strong person to say "no" to the (supposed) boss or risk losing the company a big contract or getting the company in trouble with the government.

The greed factor

Regardless of the approach, the bottom line is that the social engineer promises the employee some benefit, financial or otherwise (for example, a better paying job with a competing company), if he or she divulges the requested information.

Creating confusion

Another ploy involves first creating a problem and then taking advantage of it. It can be as simple as setting off a fire alarm so that everyone will vacate the area quickly, without locking down their computers. Social engineers can then use a logged-on session to do their dirty work by implanting Trojans and so on.

Shoulder surfing

Shoulder surfing is a form of "passive" social engineering in which social engineers put themselves in a position to observe when the victim is typing in passwords or other confidential information. They may do this without the victim's knowledge that they're there, or they may use their people skills to win the victim's trust so they don't mind their being there.

Dumpster diving

• Remember to SHRED before you TOSS…

Dumpster diving is a form of social engineering that predates computers. The social engineer goes through the victim's trash can or the company's dumpster, in this case looking for hard copies of information that can be used to break into the network. The social engineer may pose as a janitor to get access to discarded papers, diskettes, discs, etc., that are supposed to be taken to a central shredding or incineration facility.

Gone phishing

The well-publicized Internet scam called "phishing" is a type of social engineering, often done via e-mail rather than in person. (However, phishing scams can also be conducted by snail mail or telephone.) Traditional phishers pretend to represent a company with which the victim does business, often requesting that the victim go to a Web site that looks like the site of the company they claim to represent. (In reality, the site belongs to the phisher.) The victim enters password and other information on the site, and it goes directly to the phisher, who then uses it for nefarious purposes. A clever social engineer who wants to break into your network might create a site that purports to be set up by the IT department for the purpose of confirming or changing the user's network password. The information is redirected to the phisher, providing a "free pass" to log onto your network.

Reverse (social) engineering

An even sneakier method of social engineering occurs when a social engineer gets others to ask him or her questions instead of questioning them. These social engineers usually have to do a lot of planning to pull it off, placing themselves in a position of seeming authority or expertise. This often involves creating a problem with the network hardware or software (or the appearance of a problem) and then showing up as the expert who can fix it (and who gets full access to the systems to make the repairs).

Fight against Social Engineers

Unlike other threats, social engineering cannot be combated by technical means

• Education and trainings – Users will recognize attacks and prevent them
• Establishing good security policies – Detect when someone is accessing information they shouldn't be.
• Use of technology – Firewalls, anti-virus programs, spam filters
• Keeping up to date with the news
• Testing and monitoring – Test e-mail spam filters, monitor employees in a business.
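The phishing slide above describes a lure site built to collect passwords, and the countermeasure list ends with testing e-mail spam filters. The following Python script is an added example, not part of the original deck, of the kind of check such a filter can make on an incoming message: it flags a sender or link domain that imitates a trusted one (look-alike characters, one- or two-character typosquats, or the trusted name used as a subdomain of another host), a link whose visible text shows a different host than it points to, a Reply-To that diverts replies elsewhere, pressure language, and a request for credentials. The trusted domain list, the phrase lists and the two sample messages are constructed for the example and are assumptions, not data from the slides.

```python
"""Phishing-indicator scan for one e-mail message (added example; all data constructed)."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation really uses: an assumption made for this example.
TRUSTED_DOMAINS = {"example-corp.com", "mail.example-corp.com"}
# Pressure phrases and credential words typical of the lure described in the slides.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your password", "confirm your password")
CREDENTIAL_WORDS = ("password", "passcode", "security code")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or any subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def normalise(domain: str) -> str:
    """Collapse look-alike characters: 'examp1e-c0rp.com' -> 'example-corp.com'."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        if (normalise(domain) == normalise(trusted)
                or edit_distance(domain, trusted) <= 2
                or domain.startswith(trusted + ".")):  # trusted name used as a subdomain
            return trusted
    return None


def scan_message(raw: str) -> dict:
    """Return {'indicators': [...], 'verdict': ...} for one single-part HTML message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    indicators = []

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain) if sender_domain else None
    if imitated:
        indicators.append(f"sender domain {sender_domain} imitates {imitated}")

    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        indicators.append(f"replies go to {reply_domain}, not to the sender")

    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()  # what the reader sees
        target = host_of(href)                         # where the click really goes
        if URL_LIKE_RE.fullmatch(shown) and host_of(shown) != target:
            indicators.append(f"link text shows {host_of(shown)} but points to {target}")
        imitated = lookalike_of(target) if target else None
        if imitated:
            indicators.append(f"link host {target} imitates {imitated}")

    plain = re.sub(r"<[^>]+>", " ", body).lower()
    pressure = [p for p in URGENCY_PHRASES if p in plain]
    if pressure:
        indicators.append("pressure language: " + ", ".join(pressure))
    if any(w in plain for w in CREDENTIAL_WORDS):
        indicators.append("asks the reader to supply credentials")

    return {"indicators": indicators, "verdict": "suspicious" if len(indicators) >= 2 else "clean"}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: support@mailbox-reset.net
To: alice@example-corp.com
Subject: Password expiry - action required
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Verify your password immediately or your
account will be suspended.</p>
<p><a href="http://example-corp.com.reset-portal.net/login">https://portal.example-corp.com/login</a></p>
"""
SAMPLE_CLEAN = """\
From: Bob <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch
Content-Type: text/html; charset=utf-8

<p>Menu is at <a href="https://intranet.example-corp.com/lunch">https://intranet.example-corp.com/lunch</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, scan_message(sample))
```

Run as-is, the script reports six indicators for the constructed lure and none for the ordinary message. In practice the trusted list would come from the organisation's own domain inventory, messages would be fed in from the mail gateway, and the two-indicator threshold would be replaced by weighted scoring; the point of the example is which signals a filter can test mechanically, so that the "verify your password" request the slides describe is stopped before it reaches a helpful user.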

Education and trainings:

• Raise awareness of social engineering
• Demonstrate the techniques of social engineering, and explain how to resist them
• Explain the damage that a successful attack could do to a company
• Try to motivate employees to resist social engineers, by playing on their desire to not be tricked and made a fool of by the engineer.
• Employees should be tested on their susceptibility to social engineering attacks in real-life scenarios (live internal security audits)

Good Security Policies to establish:

• How an employee should act when an attack is recognized
• Exactly what information is considered sensitive
• How to verify / authenticate someone's identity
• Saying "No" is OK
• Never break security policies, even if asked to by the CEO.
• A guarantee that nobody will be punished for following policy.
• A guarantee that someone WILL be punished if they violate policy