The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009
Topic: Infromation Security Technologies Encryption, wirewall, anti-virus software, password Focus: human... Outline: Social engineering? A couple of examples of how attackers get access to information
The book... Title: The Art of Deception Year: 2002 Authors: Kevin Mitnick, William Simon Kevin Mitnick: ex-world-famous hacker, consultant First crime: free bus ride when 12 years old William Simon: writer/editor
What is Social Engineering? ”uses influence and persuasion to deceive people by convincing them that the social engineer is someone he [or she] is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.”(from the book) Pretend, deceive/manipulate, get information
Human Factor of Security Human Factor → the weakest link Emotion, mistakes, misjudgement, tiredness ”Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.” Albert Einstein
6 Basic Tendencies of Human Nature Suggested by Robert B. Cialdini 1. Authority 2. Liking 3. Reciprocation 4. Consistency 5. Social Validation 6. Scarcity
Other Factors National Characters Love thy neighbors Organizational Innocence Sharing information, trust, little/no security → this is changing...
When Innocent Information Isn't... Information that is valuable Credit card number, PIN number, Password, etc We won't give them away because we know they are valuable What about Date of Birth, Pet's name, Student ID, Unit#
Continued... Seemingly useless information can be used to impersonate Step to next more valuable information
An example Banks and CheCredit First Call to Bank: ”I am writing a book. What do you give CheCredit to get credit record?” Second Call to Bank: ”I am calling from Checredit. I am doing a survey to improve service.” ”hours of operation, how many employees, how often call, what is Merchant ID, how long with the bank, suggestions?”
Another example Video shop First call to a shop: ”I had a great experience with the shop and want to send a letter to the manager. And also, I want to send a letter to the company headquarter. What is your brunch number?” Now you have manager's name and brunch number. Continue...
How to prevent 1. Classify information → what is and is not okay to be shared 2. Verify. Don't rely lingo and feelings. Get caller's name and phone number.
Building Trust Appearance, voice, talking, personality Frequent contacts (ex) Video Shop Call to another shop: pretend to be the manager of shop Small requests, chats Continue...
Can you help me? People like helping others
Example of video shop Another call to shop: ”system is down. Can you check a customer for me? Credit card number?”
How to prevent Verify verify verify! Call listed number But you want employees to be helpful to each other at workplace.
Dumpster Diving Low risk and high return Password, receipt, list, etc Shredder may not work... Puzzle → whole list of company systems and passwords
How to Prevent Dumpster Diving Lock the dumpster Cross shredd Mutilevel approach to information of different sensitivity Background check on custodian
Attack on Entry Level Employee An easy target They don't know value of information They don't know the structure of company Likely to obey authority
What is the best countermeasure? Anti-virus? Firewall? Encryption? Code Names? no. Have trained, aware, concsioutious employees
Train Employees Not web page or panphlet Not a one-day seminar → ongoing Raise awareness!!! Procedures are not enough. There are threats Part of job to protect information against threats Reward, encouragement Awareness → specific techniques
Question... Questions?