Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.

Slides:



Advertisements
Similar presentations
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Advertisements

Wichita Public Library Rex Cornelius Electronic Resources Webliography online at:
Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.
The Art of Social Hacking
Breaking Trust On The Internet
Information Security Awareness Training
1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Social Engineering Networks Reid Chapman Ciaran Hannigan.
Trojan Horse Program Presented by : Lori Agrawal.
 ICT Security › If the firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, should they maintain a low.
Security, Privacy, and Ethics Online Computer Crimes.
1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.
The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.
Computer Viruses. Where the name came from This is a phrase coined from biology to describe a piece of software that behaves very much like a real virus.
TRACs Security Awareness FY2009 Office of Information Technology Security 1.
1 Introduction to Security Chapter 11 Information Technology (IT) Security.
Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments.
PHISHING AND SPAM INTRODUCTION There’s a good chance that in the past week you have received at least one that pretends to be from your bank,
Viruses.
Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Tutorial Chapter 5. 2 Question 1: What are some information technology tools that can affect privacy? How are these tools used to commit computer crimes?
IT security By Tilly Gerlack.
People use the internet more and more these days so it is very important that we make sure everyone is safe and knows what can happen and how to prevent.
CIS Computer Security Kasturi Pore Ravi Vyas.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Social Engineering Euphemism for cons –Confidence schemes - note the word confidence Why technologically based security protection that ignores the human.
Types of Electronic Infection
Company LOGO Malicious Attacks Brian Duff Nidhi Doshi Timmy Choi Dustin Hellstern.
Emily Ansell 8K viruseshackingbackups next. Viruses A virus is harmful software that can be passed to different computers. A virus can delete and damage.
Viruses Hackers Backups Stuxnet Portfolio Computer viruses are small programs or scripts that can negatively affect the health of your computer. A.
1 Computer Crime Often defies detection Amount stolen or diverted can be substantial Crime is “clean” and nonviolent Number of IT-related security incidents.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
CIS 450 – Network Security Chapter 4 - Spoofing. Definition - To fool. In networking, the term is used to describe a variety of ways in which hardware.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
Topic 5: Basic Security.
A Computer Virus is a software program that is designed to copy itself over and over again and to attach itself to other programs. They don’t affect hardware,
IT Computer Security JEOPARDY RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.
Social Engineering By: Pete Guhl and Kurt Murrell.
INTRODUCTION TO COMPUTER & NETWORK SECURITY INSTRUCTOR: DANIA ALOMAR.
Social Engineering Grifting in the 21 st century U of I Experiment Power Grid Security Spring 2003.
Computer threats, Attacks and Assets upasana pandit T.E comp.
December 10, 2002 Bob Cowles, Computer Security Officer
Unit Five Your Money – Keeping It Safe and Secure Identity Theft Part II Resource: NEFE High School Financial Planning Program.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Computers Are Your Future Eleventh Edition Chapter 9: Privacy, Crime, and Security Copyright © 2011 Pearson Education, Inc. Publishing as Prentice Hall1.
Sources of Network Intrusion Security threats from network intruders can come from both internal and external sources.  External Threats - External threats.
Information Systems Design and Development Security Risks Computing Science.
Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.
JANELL LAYSER Training Manual. AWARENESS! Social Engineers are out there, and everyone should be prepared to deal with them! They can contact you by phone,
Social Engineering Dr. X.
Social Engineering Brock’s Cyber Security Awareness Committee
IT Security  .
Social Engineering Charniece Craven COSC 316.
Phishing is a form of social engineering that attempts to steal sensitive information.
Computer Security Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Cybersecurity Awareness
Robert Leonard Information Security Manager Hamilton
Social Engineering No class today! Dr. X.
9 ways to avoid viruses and spyware
Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein
CS 465 Social Engineering Last Updated: Dec 14, 2017.
Introduction and Techniques
What is Phishing? Pronounced “Fishing”
Unit 1.6 Systems security Lesson 1
Presentation transcript:

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011

Source: The Art of Deception Controlling the Human Element of Security By Kevin Mitnick and William Simon

 No technology in the world can prevent social engineering attacks  Some authorities recommend 40% of an overall security budget be targeted to awareness training

 Authority › Comply with a request from someone of authority  Liking › Comply with a request from someone we like  Reciprocation › Comply with a request when we are promised or given something of value  Consistency › Comply after we have committed to a specific action  Social Validation › Comply when doing something in line with what others are doing  Scarcity › Comply when we believe the object sought is in short supply and others are competing for it, or it is available for a short period of time

 Most attacks could be foiled if the victim simply follows two steps › Verify the identity of the person making the request › Verify whether the person is authorized

 Social engineering is the catalyst for many Advanced Persistent Threat (APT) attacks › Stuxnet was assisted through USB drives › Penetration testers gain a foothold using social engineering  Research VPs and send targeted s with infected pdf files  Pose as cleaning crew inspector and plant infected USB drives

 Posing as a fellow employee  Posing as an employee of a vendor, partner company, or law enforcement  Posing as someone in authority  Posing as a new employee requesting help  Posing as a vendor or systems manufacturer calling to offer a system patch or update  Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call the attacker for help

 Sending free software or patch for a victim to install  Sending a virus or Trojan Horse as an attachment  Using a false pop-up window asking the user to log in again or sign on with password  Capturing victim keystrokes with expendable computer system or program  Leaving a floppy disk or CD around the workplace with malicious software on it

 Using insider lingo and terminology to gain trust  Offering a prize for registering at a Web site with username and password  Dropping a document or file at company mail room for intra-office delivery  Modifying fax machine heading to appear to come from an internal organization  Asking receptionist to receive and forward a fax

 Asking for a file to be transferred to an apparently internal location  Getting a voice mailbox set up so callbacks perceive attacker as internal  Pretending to be from a remote office and asking for access locally

 Refusal to give a callback number  Out-of-ordinary request  Claim of authority  Stresses urgency  Threatens negative consequences of noncompliance  Shows discomfort when questioned  Name dropping  Compliments or flattery  Flirting

 Unaware of value of information › Receptionists, telephone operators, admin assistants, security guards  Special privileges › Help desk or technical support, system admins, computer operators, telephone sys admins  Manufacturer/Vendor › Computer hardware, software manufacturers, voice mail systems vendors  Specific departments › Accounting, human resources

 Large number of employees  Multiple facilities  Information on employee whereabouts left in voice mail messages  Phone extension information made available  Lack of security training  Lack of data classification system  No incident reporting/response plan in place