Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Social Engineering Training

Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering attempts. Spot sophisticated phishing attempts. Avoid phone-based information elicitation. Detect “baiting” attacks via USB keys, CDs, and other physical media.

Why Social Engineering Training? DOE Red Team Tests: The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring. They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office. Increased use and sophistication of Social Engineering tactics.

Overview: Definition; Attacker Motivation; Techniques; Tests; Summary.

Definition. What is social engineering? The art of manipulating people into performing actions or divulging confidential information; using trickery to gather information or computer system access. In most cases the attacker never comes face-to-face with the victim.

What motivates social engineers? Obtaining personal information. Gaining unauthorized access. Circumventing established procedures. Because they can.

Pretexting: an invented scenario. It can use any communication medium: phone calls, email, physical media. General prevention: Think about motivation, that is, how could this be used maliciously? Be polite (it could be legitimate). Record available contact information. Ask a question for which the answer is not publicly available.

Tools Used in Pretexting: Any publicly available information: postings on public web pages, phone book information, professional information. Personal and professional relationships: association with ISU, association with DOE, conferences and collaborations in the field of expertise.

Specific Techniques. Phone: Cold Calls / Scams. Email: Phishing (1), Trojan Horse (1). Physical Media: Baiting (1,2). (1) The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office. (2) The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.

Phone Scams: Unexpected / unsolicited phone calls that attempt to elicit personal or organizational information. Example pretexts: Offer to perform a service. Ask for information about the organization (e.g. reporters, prospective students). Claim to be calling for a friend or family member who needs access to something. Prevention: Be polite. Ask for a number to call *them* back; this may allow tracing later. Ask a question for which the answer is not publicly available.

Email - Phishing: Unsolicited / unexpected email that entices the user to: click on a link to a fraudulent web page; view or execute an attachment; reply to the message. Example pretexts: Standard Viagra, off-shore lottery, etc. spam. Notice from DOE, ISU or another organization requiring a quick response and personal information. Unsolicited CVs, proposals, professional requests.

Email - Trojan Horse: Malicious software delivered via an email attachment or web link. Pretexts: Cool screen saver. Important anti-virus or system upgrade. Latest gossip about a celebrity.

Email - Prevention: Verify web links: known site; URL and link text match; copy and paste rather than click. Verify the sender prior to opening attachments or clicking on web links: contact them through a different medium (e.g. call the sender); verify via an associate of the sender, if known. Examine headers. Forward suspect email to the IS office.

Example - Links (screenshot in the original slides)

Example - Headers (screenshot in the original slides)

Example - Attachments (screenshot in the original slides)

What you see: the displayed link or attachment. What you don’t see: the attacker’s server behind it.
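The link, header and attachment examples above are images in the original deck. As an added example that is not part of the training material, the following Python script applies two of the prevention checks mechanically to an email: does the visible link text name the same host as the real link target, and does the From domain agree with the Return-Path domain? It also flags the “quick response” pressure the phishing pretexts rely on. The two messages, every domain, address and IP address in them, and the urgency word list are constructed placeholders for this example.

```python
"""Check an email for the mismatches the training tells staff to look for:
link text that disagrees with the link target, and a From address whose
domain disagrees with the Return-Path. Standard library only."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages. Domains, addresses and the IP address are
# placeholders invented for this example, not values from the training.
PHISH_EMAIL = """\
From: "DOE Security Office" <notices@doe-security-update.example>
Return-Path: <bounce@mailer-farm.example>
To: staff@lab.example
Subject: Action required: confirm your badge credentials within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your credentials or your access will be suspended.</p>
<p><a href="http://198.51.100.23/login">https://www.energy.gov/portal</a></p>
<p><a href="https://www.energy.gov/about">About DOE</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "Lab Newsletter" <news@lab.example>
Return-Path: <news@lab.example>
To: staff@lab.example
Subject: March newsletter
Content-Type: text/html; charset="utf-8"

<html><body>
<p>This month's issue is online at
<a href="https://www.lab.example/news">https://www.lab.example/news</a>.</p>
</body></html>
"""

# Phrases that pressure the reader into acting before verifying (constructed list).
URGENCY_WORDS = ("action required", "urgent", "immediately", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Hostname of a URL; bare hostnames without a scheme are accepted too."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def looks_like_url(text):
    """True when the anchor text itself reads as a URL or hostname."""
    return re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", text) is not None


def link_mismatches(html):
    """Anchors whose visible URL names a different host than the real href."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if looks_like_url(text) and host_of(text) != host_of(href)]


def sender_mismatch(msg):
    """(From domain, Return-Path domain) when they disagree, else None."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        return (from_domain, rp_domain)
    return None


def suspicious_clues(raw_message):
    """Human-readable clues that should make the reader stop and verify."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8")
    clues = [f"link text {text!r} actually points to {host_of(href)}"
             for text, href in link_mismatches(body)]
    pair = sender_mismatch(msg)
    if pair:
        clues.append(f"From domain {pair[0]} differs from Return-Path domain {pair[1]}")
    hits = [w for w in URGENCY_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        clues.append(f"subject pressures a quick response: {', '.join(hits)}")
    return clues


if __name__ == "__main__":
    for clue in suspicious_clues(PHISH_EMAIL):
        print("-", clue)
```

The checks deliberately mirror the slide's advice rather than replace it: a link whose text and target agree, and a sender whose domains agree, can still be malicious, so the output is a list of reasons to verify through another medium, not a verdict.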

Physical Media - Baiting: Deliver malware via an infected CD-ROM or USB flash drive. Pretexts: “Lost” in a location sure to be found (bathroom, elevator, sidewalk, parking lot). Delivered with a legitimate-looking, curiosity-piquing label; the attacker simply waits for the victim to use the device.

Physical Media - Prevention Verify unexpected mailings with sender. Never put anything into your computer if you don’t know where it’s been. Bring found USB keys, CD-ROMs, or other digital media to IS for examination.

Quick Tests: Name 3 clues in this email that should make you suspicious.

Quick Tests – Solution

Quick Tests: Which of these emails is legitimate? Which is fake?

Quick Tests: The email on the left is a Red Team attack. The one on the right is from DOE.

Quick Tests: Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack? Can you think of an unsolicited email, phone call, or physical mail attack which would be impossible to verify or handle safely?

When to report Social Engineering. What to report: Spam emails with local information. Unusual DOE/Ames Laboratory emails. Unsolicited phone calls digging for information/contacts. What not to report: General spam.

How to report Social Engineering: If Social Engineering techniques are attempted while at work, or if you believe you might have revealed sensitive information about the Ames Laboratory, report it to the IS office by email or phone. This will alert us to any suspicious or unusual activity.

Summary: Be suspicious. Think about motivation when revealing information. Verify identity. Be careful what you click on. No one will catch everything; be willing to ask for help.

Thanks for Attending