Social Engineering Training
Why Social Engineering Training?
The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments of DOE laboratories. The Red Team used social engineering tactics to attempt to infiltrate the laboratories in the spring. They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office. This training class was developed to provide the tools required to identify, detect and deter advanced social engineering attempts.
Definition
What is social engineering?
- The art of manipulating people into performing actions or divulging confidential information.
- Using trickery to gather information or computer system access.
- In most cases the attacker never comes face-to-face with the victim.
What motivates social engineering?
- Obtaining personal information for profit.
- Gaining unauthorized access to an organization.
- Circumventing established procedures.
- Just because they can.
Techniques
- Pretexting
- Phishing [1]
- Trojan Horse [1]
- Baiting [1][2]
[1] The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office.
[2] The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.
Pretexting
Description
Create and use an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, typically over the telephone.
Phone Calls
- Claim a need to perform a service.
- Ask for information about the organization (e.g., posing as reporters or prospective students).
- Claim to be calling on behalf of a friend or family member who needs access to something.
Prevention
- Be polite.
- Ask for a number to call *them* back; this may allow tracing later.
- Ask a question for which the answer is not publicly available.
Phishing
Description
The attacker sends an email that appears to come from a legitimate business (bank, credit card company) requesting “verification” of information and warning of some dire consequence if it is not provided. The email usually contains a link to a fraudulent web page that seems legitimate and may include company logos and content.
Types of email
- Standard spam (Viagra, off-shore lottery, etc.). Easy to spot and avoid.
- Email claiming to be from DOE, ISU or a bank, requiring a quick response and personal information.
- Unsolicited CVs, requests for feedback on proposals, requests *for* proposals.
Phishing Prevention
- Examine email headers: analysis.html
- Verify the sender prior to opening attachments or clicking on web links. Call the sender. Contact an associate or representative of the sender, if known.
- Instead of clicking on web links, copy and paste them into a browser.
- Forward suspicious email to for verification.
Phishing – Links
Phishing – Headers
Trojan Horse
Description
The “ virus” arrives as an attachment promising anything from a “cool” screen saver, an important anti-virus or system upgrade, or the latest gossip about a celebrity.
Baiting
Description
- The attacker leaves a malware-infected CD-ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
- The attacker sends the infected device via “snail” mail.
Baiting
Types of mail
- Unsolicited CDs/DVDs. Claim to provide training or information, but really install malware.
- Unsolicited thumb drives.
- “Lost” CDs, thumb drives, other media.
Prevention
- Verify unexpected mailings with the sender.
- Never put anything into your computer if you don’t know where it’s been.
- Bring “lost” items to IS for examination.
- If unsure, ask the IS office.
Tools used by Social Engineers
Any publicly available information
- Postings on public web pages.
- Phone book information.
- Professional information.
Personal and professional relationships
- Association with ISU.
- Association with DOE.
- Conferences and collaborations in field of expertise.
Quick Tests
Which of these emails is legitimate? Which is fake?
Quick Tests
- Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack?
- Can you think of an unsolicited email, phone call, or snail-mail attack which would be impossible to verify or handle safely?
How to avoid Social Engineering tactics
- Be suspicious of unsolicited phone calls, visits or messages from individuals asking about employees or other internal information.
- If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Be certain of a person’s authority to have the information before providing personal information or information about your organization, including its structure or networks.
How to avoid Social Engineering Tactics (Cont)
- Never reveal personal or financial information in email or respond to solicitations for this information. This includes following links sent in an email.
- Check a website’s security before sending sensitive information over the internet.
- Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
How to avoid Social Engineering Tactics (Cont)
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company or person directly. Check previous statements for contact information rather than using contact information provided on a web site connected to the request or in an email sent to you.
- Install and maintain anti-virus software, firewalls, and filters to reduce unwanted traffic.
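To make the header-examination advice on the Phishing Prevention slide and the lookalike-domain warning above concrete, here is an added Python example (not part of the original training material) that parses a constructed phishing message with the standard library `email` module and reports the warning signs a reader is told to look for: Reply-To and Return-Path on a different domain than From, a first mail hop outside the claimed sender's domain, link text that shows one address while the href goes elsewhere, lookalike domains (same name under another TLD, or one character changed) and plain-HTTP links. The message, addresses, hosts and the `TRUSTED_DOMAINS` list are all made-up assumptions for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for this example (not from the training deck); the
# sender, hosts, addresses and links are made up. It shows the classic signs:
# Reply-To and Return-Path on a different domain than From, a first mail hop that
# does not belong to the claimed sender, and a link whose visible text shows the
# real bank's address while the href points at a lookalike domain over plain HTTP.
SAMPLE_RAW = """\
Return-Path: <alerts@example-bank.net>
Received: from mail.example-bank.net (mail.example-bank.net [198.51.100.7])
    by mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: "Example Bank" <security@example-bank.com>
Reply-To: verify@example-bank.net
To: employee@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Please verify now:</p>
<a href="http://example-bank.net/login">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
</body></html>
"""

# Assumed: domains the organisation actually does business with (constructed).
TRUSTED_DOMAINS = {"example-bank.com"}


def header_domain(value):
    """Lowercase domain of the first address in a header value, or None if absent."""
    if value is None:
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)", str(value))
    return m.group(1).lower().rstrip(".") if m else None


def registered_domain(host):
    """Crude registrable domain: the last two labels (enough for .com/.net/.org)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_lookalike(domain, trusted):
    """True when domain is not trusted but resembles a trusted one: same name under a
    different TLD (example-bank.net vs example-bank.com) or one character changed."""
    for t in trusted:
        if domain == t:
            return False
        if domain.split(".")[0] == t.split(".")[0]:
            return True
        if len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1:
            return True
    return False


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = header_domain(msg["From"])
    for name, code in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        dom = header_domain(msg[name])
        if dom and dom != from_dom:
            findings.append((code, f"{name} uses {dom}, From uses {from_dom}"))
    # Each hop prepends its own Received header, so the last one is the first hop:
    # the server closest to whoever really sent the message.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+([A-Za-z0-9.-]+)", str(received[-1]))
        if m and from_dom and registered_domain(m.group(1)) != from_dom:
            findings.append(("first-hop-mismatch", f"first hop {m.group(1)} is not under {from_dom}"))
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        parsed = urlparse(href)
        href_dom = registered_domain(parsed.hostname or "")
        shown = text.strip()
        # Visible link text that is itself a URL must agree with where the href goes.
        if shown.lower().startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registered_domain(shown_host) != href_dom:
                findings.append(("link-text-mismatch", f"text shows {shown_host}, href goes to {href_dom}"))
        if is_lookalike(href_dom, trusted):
            findings.append(("lookalike-domain", f"{href_dom} resembles a trusted domain"))
        if parsed.scheme == "http":
            findings.append(("unencrypted-link", f"{href} uses plain HTTP"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_RAW):
        print(f"{code:22} {detail}")
```

Run as a script it prints six findings for the constructed message; a plain-text message with consistent headers and no links produces none. The two-label `registered_domain` shortcut is deliberately simple and would need a public-suffix list for domains such as `.co.uk`.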
How to report Social Engineering
- If social engineering techniques are attempted while at work…
- If you believe you might have revealed sensitive information about the Ames Laboratory…
Report it to the IS office at:
Phone:
This will alert us to any suspicious or unusual activity.
Certificate of Completion
This certifies the individual listed below has successfully completed the course entitled Social Engineering Training, prepared by the Ames Laboratory Information Systems Office.
Employee Name:
Employee #:
Date: