What Is Social Engineering?

Social Engineering Because there is no “patch” for human stupidity. “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” -Kevin Mitnick

What is Social Engineering Uses Psychological Methods Exploits human tendency to trust Goals are the Same as Hacking

Social Engineering Approaches Carelessness Comfort Zone Helpfulness Fear

Careless Approach Victim is Careless Used for Reconnaissance Does not implement, use, or enforce proper countermeasures Used for Reconnaissance Looking for what is laying around Dumpster Diving/Trashing Building/Password Theft Shoulder Surfing Password Harvesting Impersonation Direct Theft Smoking Zone

Dumpster Diving/Trashing Huge amount of information in the trash Most of it does not seem to be a threat The who, what and where of an organization Knowledge of internal systems Materials for greater authenticity Intelligence Agencies have done this for years

Building/Password Theft Requires physical access Looking for passwords or other information left out in the open Little more information than dumpster diving

Password Harvesting Internet or mail-in sweepstakes Based on the belief that people don’t change their password over different accounts . Sadly, this is, for the most part true.

Impersonation Could be anyone Generally Two Goals Tech Support Co-Worker Boss CEO User Maintenance Staff Delivery Driver Generally Two Goals Asking for a password Building access - Careless Approach

Other Methods Shoulder Surfing Direct Theft Smoking Zone Outside workplace Wallet, id badge, or purse stolen Smoking Zone Attacker will sit out in the smoking area Piggy back into the office when users go back to work

Helpful Approach People generally try to help even if they do not know who they are helping Usually involves being in a position of obvious need Attacker generally does not even ask for the help they receive Piggybacking/Tailgating Troubled user

Piggybacking Attacker will trail an employee entering the building More Effective: Carry something large so they hold the door open for you Go in when a large group of employees are going in Crutches Pretend to be unable to find door key

Troubled user Calling organization numbers asking for help I’m new in IT and the boss is going to kill me. I don’t need your password, but can you provide your username/log in name so I can verify you have the right IP? Getting a username and asking to have a password reset Calls up IT and says, I am kind of new and did something really stupid, I lost my password. Can you reset it for me, my username is xxxx.

Fear Approach Usually draws from the other approaches Puts the user in a state of fear and anxiety Very aggressive Conformity Importance Time Frame

Conformity The user is the only one who has not helped out the attacker with this request in the past I talked to Jan last week and she had no problem providing the information, why do you have to be so difficult? Personal responsibility is diffused User gets justification for granting an attack.

Importance Classic boss or director needs routine password reset So would *you* like to explain to the vice president why *you* don’t think it would be a good idea to reset his password? I am absolutely sure he would be *thrilled* to hear just how important your job is. Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc.) A semi-official looking “uniform” right after a small scale disaster can get you admittance anywhere. Check the back of the building for the phone carrier. Hi, I am from Verizon, we are still having some line difficulties after the hurricane and think we have traced the issue to a loop in your circuit. I need access to your telecom rack.

Time Frame Fictitious deadline Impersonates payroll bookkeeper, proposal coordinator Look, I have 15 minutes to get this taken care of or there will be no paychecks this week. Asks for password change

Advanced Attacks Offering a Service Reverse Social Engineering Attacker contacts the user Uses viruses, worms, or Trojans User could be approached at home or at work Once infected, attacker collects needed information Reverse Social Engineering Attacks puts themselves in a position of authority Users ask attacker for help and information Attacker takes information and asks for what they need while fixing the problem for the user