Social Engineering Euphemism for cons –Confidence schemes - note the word confidence Why technologically based security protection that ignores the human factor won’t work
Some examples Some dinosaur cons – Count Lustig The OTB wire Identity theft Industrial espionage A disgruntled employee
Relationship to Industrial Espionage Fortune 1000 firms reported trade secret losses in 1999 of $45B, estimates for 2003 are $100B Insiders commit 85% of industrial espionage crimes Kites – expendable contractors that provide access and plausible deniability
The Problem of False Credentials Minimal cost to purchase university degrees and transcripts – They may be back dated Extent of resume fraud – recent research found that 11% of resumes that were checked misrepresented their qualifications
The Social Engineering Attack Cycle Research Developing rapport and trust Exploiting trust Utilizing information Covering tracks
How Attackers Take Advantage Use of authority Being likable Creating a situation where reciprocation is expected Eliciting a public commitment then requesting an action that seems to be consistent with the commitment Creating the belief that others have validated the action Creating the illusion of scarcity
Common Social Engineering Methods Posing as a fellow employee, vendor employee, law enforcement Posing as someone in authority Posing as a new employee requesting help Offering help if a problem occurs then making the problem occur Sending software or a patch for a victim to install Using insider lingo to gain trust Capturing victim keystrokes through different ruses Modifying a fax machine to make appear internal Getting a receptionist to receive and the forward faxes Asking for a file to be transferred to what appears to be an internal location Pretending to be from a remote office and asking for local access Getting a voice mailbox set up so callbacks perceive attacker as internal
Common Targets of Attacks Target Type 1)Unaware of value of information 2)Special privileges 3)Manufacturer/vendor 4)Specific departments Examples 1)Receptionists, telephone operators, administrative assistants, security guards 2)Help desk, technical support, system administrators, computer operators, telephone system administrators 3)Computer hardware, software manufacturers, voice mail sellers 4)Accounting, HR
Seven Deadly Sins Gullibility Curiosity Courtesy Greed Diffidence Thoughtlessness Apathy
Factors that Heighten Companies’ Vulnerability Large number of employees Multiple facilities Information on employee whereabouts left on voice mail Phone extension information made available Lack of security training and awareness No data classification system No incident reporting/response plan in place
Verification and Data Classification in Response to Requests Verification of identity Verification of employee status Procedure to determine need to know Criteria for verifying non-employees Data classification