Social Engineering Security Session

by Maher Abu-Lail
on 1 September 2016


Transcript of Social Engineering Security Session

Information Security Management

What is Social Engineering?
The Art of Social Hacking

"Manipulate people into doing something, rather than by breaking in using technical means"
-Kevin Mitnick
DOs and DON'Ts
Practice
Social Engineering
Types of Social Engineering
Kevin Mitnick, "Art of Deception":

"People inherently want to be helpful and therefore are easily duped"

"They assume a level of trust in order to avoid conflict"

"It's all about gaining access to information that people think is innocuous when it isn't"

"Hear a nice voice on the phone, we want to be helpful"

"Social engineering cannot be blocked by technology alone"
Live Example
Convinced a friend that I would help fix their computer.

People inherently want to trust and will believe someone when they want to be helpful.

Fixed minor problems on the computer and secretly installed remote control software.

Now I have total access to their computer through UltraVNC viewer.
Types of Social Engineering
DON'Ts
DO NOT disclose company, personal or private information until you have confirmed the caller's identity and established that they have a legitimate reason to be given the information.

DO NOT supply any information to the caller by confirming or denying someone's presence, current / future location or job title.

DO NOT volunteer corrections to incorrect statements made by the caller on someone's presence, current / future location or job title.
DOs
Ensure the caller's identity by taking their full details, mobile number and company switchboard number and setting a time for a call back.
For doubtful callers claiming to be MSPharma Group employees, managers or executives, during the call verify their name and contact details using MSPharma Active Directory, and inform them that you will contact them.
Should you not be able to verify a caller's identity, take notes of the following details:
Male or female
Accent, enunciation, distinguishing features
Was the caller confident, nervous, rude or impolite
Information they volunteer, e.g. name, phone number
What information the caller was trying to gain, e.g. names of NG personnel, organizational structures, telephone numbers, product details, activities
Pretext used for the request of the information, e.g. they are at the airport, BlackBerry not working, cannot get hold of phone numbers, the number I have seems not to be working, it is very urgent
Background noise (traffic, aircraft, trains, machinery, music, children, animals)

Agenda
IVR or phone phishing
Phishing
Baiting
Pre-texting
What is Social Engineering?

An attacker uses human interaction to obtain or compromise information.

The attacker may appear unassuming or respectable, pretending to be a new employee, repair man, etc. They may even offer credentials.

By asking questions, the attacker may piece enough information together to infiltrate a company's network. They may attempt to get information from many sources.

Most social engineering scams are conducted over the phone in order to avoid direct contact with the victim.
Famous Social Engineering Hacker

Went to prison for hacking
Became an ethical hacker
"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."

IVR (Phone Phishing)
This technique uses an Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.
The victim is requested (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll-free) number provided in order to "verify" information, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords.
Some systems transfer the victim to the attacker posing as a customer service agent for further questioning.
It could also be done through a regular phone call to gain access to information.

Phishing
Send an email that looks like it came from a legitimate business.

Request verification of information and warn of some consequence if not provided.

Usually contains a link to a fraudulent web page that looks legitimate.

The user gives information to the social engineer.

Ex: eBay scam

Spear Phishing
Specific phishing
Ex: email that makes claims using your name
Baiting
(Real world Trojan horse)

Uses physical media.

Relies on the greed/curiosity of the victim.

The attacker leaves a malware-infected CD or USB drive in a location sure to be found.

The attacker puts a legitimate or curious label on it to gain interest.

Ex: "Company Earnings 2009" left at the company elevator. A curious employee/Good Samaritan picks it up; the user inserts the media and unknowingly installs malware.
Pretexting
(Invented Scenario)

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action. It is done over the telephone.
It is more than a simple lie, as it most often involves some prior research or set up and the use of pieces of known information (e.g. date of birth, address, last bill amount) to establish legitimacy in the mind of the target.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators, or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim.
The pretexter must simply prepare answers to questions that might be asked by the victim and sound authoritative.
Pretexting Example (Where is the mistake?)

Mr. Smith: Hello?

Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we’re going to be moving some users’ home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.

Mr. Smith: Uh, okay. I’ll be home by then, anyway.

Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?

Mr. Smith: Yes. It’s smith. None of my files will be lost in the move, will they?

Caller: No sir. But I’ll check your account just to make sure. What was the password on that account, so I can get in to check your files?

Mr. Smith: My password is “Tuesday”, in lower case letters.

Caller: Okay, Mr. Smith, thank you for your help. I’ll make sure to check your account and verify all the files are there.

Mr. Smith: Thank you. Bye.
How is it done?
Social engineers attack certain human weaknesses in order to gain access:

Tendency to get impressed by appearance
Story telling ability of the brain
Sexuality
Fear
Empathy
Desire to be helpful

Password Harvesting
A very simple way of gaining access to passwords is making the victim give out or write down a password, for example to register on an interesting website (the advertisement being sent to him by a phishing e-mail).
The primary weakness is that many users often repeat the use of one simple password on every account: Yahoo, Hotmail, Gmail, AOL... So once the hacker has one password, he or she can probably get into multiple accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of information and ask the user to put in a name (including e-mail address) and a password, and sometimes even get that person’s corporate account and password as well.

Survey
A caller pretending to be conducting an anonymous commercial survey will, together with questions that could sound legitimate (for example about food products, consumer goods, politics or economy, etc.), ask questions which will help him gain privileged information:
Do you live in an apartment or family house?
Do you live alone or with family?
Do you work in shifts, regular working hours or irregular hours?
Is your monthly income lower than $1000, between $1000 and $2000, between $2000 and $5000, above $5000...? etc.

Weakest Link?
No matter how strong your:
Firewalls
Intrusion Detection Systems
Cryptography
Anti-virus software

YOU are the WEAKEST LINK in computer security!
People are more vulnerable than computers.

"The weakest link in the security chain is the human element"
-Kevin Mitnick

Practice & Quiz
Social Engineering:
http://isq-connect-library.s3.amazonaws.com/mission-data-protection-1-3/story.html
http://isq-connect-library.s3.amazonaws.com/Workspace-Security-Practices-1-0/story.html
"Hello, can I speak with Tom Smith from R&D please?"

"I'm sorry, he'll be on vacation until next Monday."

"OK, who's in charge until he gets back?"

"Robert Jones."

A hacker, however, can leverage this information when contacting R&D later. After some small talk with an R&D employee, the hacker claims: "By the way Michael, just before Tom Smith went on vacation, he asked me to review the new design. I talked with Robert Jones and he said you should just fax/mail/send it to me. My number is 123-1234. Could you do it as soon as possible??!!"
Dumpster Diving
The practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver.
Quiz
Question 2
Question 4
Password Harvesting:

How many weaknesses?
What are they?
A video that has been posted on Facebook around Feb 2014 and was spreading malware. This video is related to a famous accident!!

What was it?
How many types of Social Engineering?

What are they? Name them.
Question 1
Question 3
What is the type of this social engineering hacking?
Question 5
What is the type of this social engineering hacking?
Final Question
Hold your pens and papers and answer the 20 questions:

Q & A
The End
Presidents

Franklin D. Roosevelt

Some have argued that United States President Franklin D. Roosevelt used the attack on Pearl Harbor by Japanese forces on December 7, 1941 as a pretext to enter World War II. American soldiers and supplies had been assisting British and Soviet operations for almost a year by this point, and the United States had thus "chosen a side", but due to the political climate in the States at the time and some campaign promises made by Roosevelt that he would not send American boys to fight in foreign wars, Roosevelt could not declare war for fear of public backlash. The attack on Pearl Harbor united the American people's resolve against the Axis powers and created the bellicose atmosphere in which to declare war. Some believe it was even orchestrated by Roosevelt and his advisers.

George W. Bush

Critics have accused United States President George W. Bush of using the September 11th, 2001 attacks and faulty intelligence about the existence of weapons of mass destruction as a pretext for the war in Iraq.[4] Some of these accusations, like A Pretext for War by James Bamford, were arguably "distorted by his own preconceptions."


Question 6
What is the Rule of Security dependency?

1- 10/90 --> 10% Technology, 90% People & Process
2- 50/50 --> 50% Technology, 50% People & Process
3- 90/10 --> 90% Technology, 10% People & Process
4- 40/60 --> 40% Technology, 60% People & Process

Meeting Rules
Mobiles are silent.

1- Use WEAK/SIMPLE password
2- REPEAT password
3- Use CORPORATE account and password

1- Pre-texting 2- Phishing 3- Baiting 4- Survey 5- IVR or phone Phishing 6- Password Harvest 7- Dumpster Diving

The Winner is .....

<1/3 of UK businesses provide training on Social Engineering

42% of UK businesses are being hit by Social Engineering attacks

Avg cost per incident = 15,000 Pound