CS 465 Social Engineering Last Updated: Dec 14, 2017.

Slides:



Advertisements
Similar presentations
Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
Advertisements

Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.
Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.
7 Effective Habits when using the Internet Philip O’Kane 1.
The Art of Social Hacking
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
Aleksandra Kurbatova IVCM.  What is social engineering?  Types  Pretexting  …  Summary  Conclusion.
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Social Engineering Networks Reid Chapman Ciaran Hannigan.
 ICT Security › If the firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, should they maintain a low.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
© Oklahoma State Department of Education. All rights reserved. 1 Beware! Consumer Fraud Standard 9. 1 Fraud and Identity Theft.
1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
TRACs Security Awareness FY2009 Office of Information Technology Security 1.
1 Introduction to Security Chapter 11 Information Technology (IT) Security.
Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments.
Tutorial Chapter 5. 2 Question 1: What are some information technology tools that can affect privacy? How are these tools used to commit computer crimes?
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
CIS Computer Security Kasturi Pore Ravi Vyas.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Social Engineering Euphemism for cons –Confidence schemes - note the word confidence Why technologically based security protection that ignores the human.
Information Systems Security Operations Security Domain #9.
SOCIAL ENGINEERING PART IA: HOW SCAMMERS MANIPULATE EMPLOYEES TO GAIN INFORMATION.
1 Computer Crime Often defies detection Amount stolen or diverted can be substantial Crime is “clean” and nonviolent Number of IT-related security incidents.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Phishing Internet scams. Phishing phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and.
Topic 5: Basic Security.
What are they? What do they have to with me?. Introduction  You may not know exactly what it is, but chances are you have encountered one at some point.
INTRODUCTION & QUESTIONS.
Social Engineering By: Pete Guhl and Kurt Murrell.
Social Engineering Grifting in the 21 st century U of I Experiment Power Grid Security Spring 2003.
December 10, 2002 Bob Cowles, Computer Security Officer
Unit Five Your Money – Keeping It Safe and Secure Identity Theft Part II Resource: NEFE High School Financial Planning Program.
Sources of Network Intrusion Security threats from network intruders can come from both internal and external sources.  External Threats - External threats.
Designed By: Jennifer Gohn.  “Getting people to do things they wouldn’t ordinarily do for a stranger” –Kevin Mitnick  There are several different.
JANELL LAYSER Training Manual. AWARENESS! Social Engineers are out there, and everyone should be prepared to deal with them! They can contact you by phone,
Cyber security. Malicious Code Social Engineering Detect and prevent.
Social Engineering: The Human Element of Computer Security
Social Engineering Dr. X.
Add video notes to lecture
PHISHING Hi, The comms team asked if I could refresh everyone about Phishing after a fairly successful phishing circulated last week that led to.
Social Engineering Brock’s Cyber Security Awareness Committee
IT Security  .
Social Engineering Charniece Craven COSC 316.
I S P S loss Prevention.
Social Engineering: The Art of Manipulation
INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.
Phishing is a form of social engineering that attempts to steal sensitive information.
Computer Security Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Protect Your Computer Against Harmful Attacks!
Social Engineering Brock’s Cyber Security Awareness Committee
Cybersecurity Awareness
Robert Leonard Information Security Manager Hamilton
Social Engineering No class today! Dr. X.
Malware, Phishing and Network Policies
Malware March 26, 2018.
Cybersecurity Am I concerned?
Security Hardening through Awareness August 2018
How to keep the bad guys out and your data safe
Introduction and Techniques
What is Phishing? Pronounced “Fishing”
Unit 1.6 Systems security Lesson 1
Week 7 - Wednesday CS363.
social Engineering and its importance during Security Audits
Presentation transcript:

CS 465 Social Engineering Last Updated: Dec 14, 2017

Social Engineering Source: The Art of Deception Controlling the Human Element of Security By Kevin Mitnick and William Simon

Information Security Awareness and Training No technology in the world can prevent social engineering attacks Some authorities recommend 40% of an overall security budget be targeted to awareness training

Train Your Employees A company can spend hundreds of thousands of dollars on firewalls, encryption and other security technologies, but it an attacker can call one trusted person within the company and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted. Kevin Mitnick

Six Tendencies of Human Nature Authority Comply with a request from someone of authority Liking Comply with a request from someone we like Reciprocation Comply with a request when we are promised or given something of value Consistency Comply after we have committed to a specific action Social Validation Comply when doing something in line with what others are doing Scarcity Comply when we believe the object sought is in short supply and others are competing for it, or it is available for a short period of time

Common Social Engineering Methods Posing as a fellow employee Posing as an employee of a vendor, partner company, or law enforcement Posing as someone in authority Posing as a new employee requesting help Posing as a vendor or systems manufacturer calling to offer a system patch or update Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call the attacker for help

Common Social Engineering Methods Sending free software or patch for a victim to install Sending a virus or Trojan Horse as an email attachment Using a false pop-up window asking the user to log in again or sign on with password Capturing victim keystrokes with expendable computer system or program Leaving a USB drive around the workplace with malicious software on it

Common Social Engineering Methods Using insider lingo and terminology to gain trust Offering a prize for registering at a Web site with username and password

Top 5 Soc Eng Techniques Familiarity exploit Act like you belong there Create a hostile situation Gathering useful information Social media Cars Dumpster diving Get a job there Body language Source: http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html

5 Attacks to Watch Out For Phishing Pre-texting Lie to obtain sensitive information https://www.washingtonpost.com/news/the-intersect/wp/2014/10/07/forget-celebgate-hackers-are-gunning-for-the-nude-photos-of-ordinary-women-and-underage-girls/?utm_term=.c3fd0fd1a3c5 Baiting http://www.darkreading.com/attacks-breaches/social-engineering-the-usb-way/d/d-id/1128081? Quid pro quo Office workers gave away pw for pen or chocolate Tailgaiting http://www.computerworlduk.com/security/how-a-man-used-social-engineering-to-trick-a-ftse-listed-financial-firm-14706/ Source: https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/

Warning Signs of an Attack Refusal to give a callback number Out-of-ordinary request Claim of authority Stresses urgency Threatens negative consequences of noncompliance Shows discomfort when questioned Name dropping Compliments or flattery Flirting

Common Targets of Attacks Unaware of value of information Receptionists, telephone operators, admin assistants, security guards Special privileges Help desk or technical support, system admins, computer operators, telephone sys admins Manufacturer/Vendor Computer hardware, software manufacturers, voice mail systems vendors Specific departments Accounting, human resources

Factors that Make Companies More Vulnerable to Attacks Large number of employees Multiple facilities Information on employee whereabouts left in voice mail messages Phone extension information made available Lack of security training Lack of data classification system No incident reporting/response plan in place

Foiling Attacks Most attacks could be foiled if the victim simply follows two steps Verify the identity of the person making the request Verify whether the person is authorized

Social Engineering at BYU http://universe.byu.edu/2002/02/28/women-charged-with-theft-of-students-credit-card-numbers/

Advanced Persistent Threat Usually targets organizations for business or political motives Advanced: sophisticated techniques to exploit vulnerable systems Persistent: External command and control that monitors over an extended period of time Threat: Human involvement in orchestrating the attack Claim: most US corporations have had their sensitive data stolen Financial, Oil, Security, Defense

Advanced Persistent Threat Social engineering is the catalyst for many Advanced Persistent Threat (APT) attacks Stuxnet was assisted through USB drives https://www.youtube.com/watch?v=6WmaZYJwJng Penetration testers gain a foothold using social engineering Research VPs and send targeted emails with infected pdf files Pose as cleaning crew inspector and plant infected USB drives

Resources http://en.wikipedia.org/wiki/The_Art_of_Deception http://en.wikipedia.org/wiki/Social_engineering_(security) http://www.social-engineer.org/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.