The Art of Social Hacking

Slides:



Advertisements
Similar presentations
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Advertisements

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.
Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Aleksandra Kurbatova IVCM.  What is social engineering?  Types  Pretexting  …  Summary  Conclusion.
What is identity theft, and how can you protect yourself from it?
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.
Internet Phishing Not the kind of Fishing you are used to.
Social Engineering Networks Reid Chapman Ciaran Hannigan.
The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
How It Applies In A Virtual World
Social Engineering UTHSC Information Security Team.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments.
PHISHING AND SPAM INTRODUCTION There’s a good chance that in the past week you have received at least one that pretends to be from your bank,
Safe Computing. Computer Maintenance  Back up, Back up, Back up  External Hard Drive  CDs or DVDs  Disk Defragmenter  Reallocates files so they use.
What is Social Engineering. Pretexting Pretexting is the act of creating and using an invented scenario called the Pretext to persuade a target to release.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
IT security By Tilly Gerlack.
Viruses & Destructive Programs
People use the internet more and more these days so it is very important that we make sure everyone is safe and knows what can happen and how to prevent.
CIS Computer Security Kasturi Pore Ravi Vyas.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
 A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. It is deliberately.
Phishing scams Phishing is the fraudulent practice of sending s purporting to be from reputable companies in order to induce individuals to reveal.
BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)
1 Computer Crime Often defies detection Amount stolen or diverted can be substantial Crime is “clean” and nonviolent Number of IT-related security incidents.
Phishing Internet scams. Phishing phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and.
Copyright ©2005 CNET Networks, Inc. All rights reserved. Practice safety Learn how to protect yourself against common attacks.
James McQuillen. Data protection Act 1998 The main aim of it is to protect people's fundamental rights and freedom to a particular right to privacy of.
Topic 5: Basic Security.
Inappropriate Content Hackers Phishers Scammers Child Abusers Bullies.
INTRODUCTION & QUESTIONS.
Cybersecurity Test Review Introduction to Digital Technology.
Sources of Network Intrusion Security threats from network intruders can come from both internal and external sources.  External Threats - External threats.
Designed By: Jennifer Gohn.  “Getting people to do things they wouldn’t ordinarily do for a stranger” –Kevin Mitnick  There are several different.
1 Outline of this module By the end of this module, you will be able to: – Understand what is meant by “identity crime”; – Name the different types of.
FLTCYBERCOM / C10F    U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET    1 Overall Classification of this Briefing is UNCLASSIFIED//FOUO Phishing.
Phishing and Internet Scams. Definitions and recent statistics Why is it dangerous? Phishing techniques and identifiers Examples of phishing and scam.
JANELL LAYSER Training Manual. AWARENESS! Social Engineers are out there, and everyone should be prepared to deal with them! They can contact you by phone,
Cyber security. Malicious Code Social Engineering Detect and prevent.
Social Engineering: The Human Element of Computer Security
An Introduction to Phishing and Viruses
Learn how to protect yourself against common attacks
Social Engineering Brock’s Cyber Security Awareness Committee
The Art of Social Engineering
Social Engineering Charniece Craven COSC 316.
Overview 1. Phishing Scams
I S P S loss Prevention.
Information Security 101 Richard Davis, Rob Laltrello.
Phishing is a form of social engineering that attempts to steal sensitive information.
Social Engineering Brock’s Cyber Security Awareness Committee
Cybersecurity Awareness
Robert Leonard Information Security Manager Hamilton
The Art of Deception.
CS 465 Social Engineering Last Updated: Dec 14, 2017.
Business Compromise and Cyber Threat
Computer Security By: Muhammed Anwar.
Introduction and Techniques
What is Phishing? Pronounced “Fishing”
Founded in 2002, Credit Abuse Resistance Education (CARE) educates high school and college students on the responsible use of credit and other fundamentals.
Presentation transcript:

The Art of Social Hacking Social Engineering The Art of Social Hacking Christopher Stowe

Introduction What is Social Engineering? Types of Social Engineering Manipulate people into doing something, rather than by breaking in using technical means  Types of Social Engineering Quid Pro Quo Phishing Baiting Pretexting Diversion Theft Ways to prevent Social Engineering

What is Social Engineering? Attacker uses human interaction to obtain or compromise information Attacker my appear unassuming or respectable Pretend to be a new employee, repair man, ect May even offer credentials By asking questions, the attacker may piece enough information together to infiltrate a companies network May attempt to get information from many sources

Kevin Mitnick Famous Social Engineer Hacker Went to prison for hacking Became ethical hacker "People are generally helpful, especially to someone who is nice, knowledgeable or insistent."

Kevin Mitnick - Art of Deception: "People inherently want to be helpful and therefore are easily duped" "They assume a level of trust in order to avoid conflict" "It's all about gaining access to information that people think is innocuous when it isn't" Here a nice voice on the phone, we want to be helpful Social engineering cannot be blocked by technology alone

Examples of Social Engineering Kevin Mitnick talks his way into central Telco office Tells guard he will get a new badge Pretend to work there, give manager name from another branch Fakes a phone conversation when caught Free food at McDonalds

Live Example Convinced friend that I would help fix their computer People inherently want to trust and will believe someone when they want to be helpful Fixed minor problems on the computer and secretly installed remote control software  Now I  have total access to their computer through ultravnc viewer

Types of Social Engineering Quid Pro Quo Something for something Phishing Fraudulently obtaining private information Baiting Real world trojan horse Pretexting Invented Scenario Diversion Theft  A con

Quid Pro Quo Something for Something Call random numbers at a company, claiming to be from technical support. Eventually, you will reach someone with a legitamite problem Grateful you called them back, they will follow your instructions The attacker will "help" the user, but will really have the victim type commands that will allow the attacker to install malware

Phishing Fraudulently obtaining private information Send an email that looks like it came from a legitimate business Request verification of information and warn of some consequence if not provided Usually contains link to a fraudulent web page that looks legitimate User gives information to the social engineer  Ex: Ebay Scam

Phishing continued Spear Fishing Specific phishing Ex: email that makes claims using your name Vishing  Phone phishing  Rogue interactive voice system Ex:call bank to verify information

Baiting Real world Trojan horse Uses physical media Relies on greed/curiosity of victim Attacker leaves a malware infected cd or usb drive in a location sure to be found Attacker puts a legitimate or curious lable to gain interest Ex: "Company Earnings 2009" left at company elevator Curious employee/Good samaritan uses User inserts media and unknowingly installs malware

Pretexting Invented Scenario  Prior Research/Setup used to establish legitimacy  Give information that a user would normally not divulge This technique is used to impersonate Authority ect Using prepared answers to victims questions Other gathered information  Ex: Law Enforcement  Threat of alleged infraction to detain suspect and hold for questioning

Pretexting Real Example: Signed up for Free Credit Report Saw Unauthorized charge from another credit company Called to dispute charged and was asked for Credit Card Number They insisted it was useless without the security code Asked for Social Security number Talked to Fraud Department at my bank 

Diversion Theft A Con  Persuade deliver person that delivery is requested elsewhere - "Round the Corner"  When deliver is redirected, attacker pursuades delivery driver to unload delivery near address Ex: Attacker parks security van outside a bank. Victims going to deposit money into a night safe are told that the night safe is out of order. Victims then give money to attacker to put in the fake security van Most companies do not prepare employees for this type of attack

Weakest Link? You are the weakest link in computer security! No matter how strong your: Firewalls Intrusion Detection Systems Cryptography Anti-virus software You are the weakest link in computer security!  People are more vulnerable than computers   "The weakest link in the security chain is the human element" -Kevin Mitnick

Ways to Prevent Social Engineering Training User Awareness User knows that giving out certain information is bad Military requires Cyber Transportation to hold  Top Secret Security Clearance  Security Plus Certification   Policies Employees are not allowed to divulge private information Prevents employees from being socially pressured or tricked

Ways to Prevent Social Engineering Cont.. 3rd Party test - Ethical Hacker Have a third party come to your company and attempted to hack into your network 3rd party will attempt to glean information from employees using social engineering Helps detect problems people have with security Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information Do not provide personal information, information about the company(such as internal network) unless authority of person is verified

General Saftey Before transmitting personal information over the internet, check the connection is secure and check the url is correct If unsure if an email message is legitimate, contact the person or company by another means to verify Be paranoid and aware when interacting with anything that needs protected The smallest information could compromise what you're protecting

Conclusion What is Social Engineering? Types of Social Engineering Manipulate people into doing something, rather than by breaking in using technical means  Types of Social Engineering Quid Pro Quo Phishing Baiting Pretexting Diversion Theft Ways to prevent Social Engineering

Questions?

Social Engineering Clips Animation: http://www.youtube.com/watch?v=Y6tbUNjL0No Live Action: http://www.youtube.com/watch?v=8TJ4XOvY7II&feature=related