Social Engineering By: Pete Guhl and Kurt Murrell

Techniques

Phases of Social Engineering - Very similar to how Intelligence Agencies infiltrate their targets - 3 Phased Approach Phase 1- Intelligence Gathering Phase 2- “Victim” Selection Phase 3 -The Attack - Usually a very methodical approach

Phase 1 -Intelligence Gathering - Phase 1 -Intelligence Gathering - Primarily Open Source Information Dumpster Diving Web Pages Ex-employees Contractors Vendors Strategic Partners - The foundation for the next phases

Phase 2 -”Victim” Selection Looking for weaknesses in the organization’s personnel Help Desk Tech Support Reception Admin. Support Etc.

- Phase 3 - The Attack - Commonly known as the “con” - Primarily based on “peripheral” routes to persuasion Authority Liking & Similarity Reciprocation - Uses emotionality as a form of distraction

3 General Types of Attack Ego Attacks Sympathy Attacks Intimidation Attacks

Intimidation Attack Attacker pretends to be someone influential (e.g., authority figure, law enforcement) Attempt to use their authority to coerce the victim into cooperation If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.) If they pretend to be Law Enforcement they will claim the investigation is hush hush and not to be discussed etc.

Sympathy Attacks Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc. There is some urgency to complete some task or obtain some information Needs assistance or they will be in trouble or lose their job etc. Plays on the empathy & sympathy of the victim Attackers “shop around” until they find someone who will help Very successful attack

The Ego Attack Attacker appeals to the vanity, or ego of the victim Usually targets someone they sense is frustrated with their current job position The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data Attacker may pretend to be law enforcement, the victim feels honored to be helping Victim usually never realizes

More info on attacks Attacks can come from anywhere/anytime Social Engineering can circumvent current security practices - What good is a password if everyone has it? No one is immune - Everyone has information about the company

Preventing Social Engineering

Training Warn Users of Imminent Attack - Users that are forewarned are less free with information

Training Define Sensitive Information

Training Define Sensitive Information Passwords

Training Define Sensitive Information Passwords DOB

Training Define Sensitive Information Passwords DOB Maiden Names

Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number

Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Account Numbers

Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Account Numbers Billing Amounts

Training Users Passwords, phone numbers, other data

Training Users Passwords, phone numbers, other data System Admins Tougher authentication protocol for password resets

Testing Users - Reveal seemingly innocuous data?

Testing Users - Reveal seemingly innocuous data? System Admins – Divulge network information?

Testing Users - Reveal seemingly innocuous data? System Admins – Divulge network information? Helpdesk personnel – Reset passwords on faulty authentication?

Removing the Weak Link Remove the user’s ability to divulge information - Remove all non essential phones - Restrict to internal communications - Remove Internet access - Disable removable drives - Make false information accessible

Removing the Weak Link Forced strong authentication - Use secure software requiring strong authentication for password resets - Require callback to user’s directory listed number

Removing the Weak Link Secure Protected Doors - Employ Guards - Use Revolving Door - Two Door Checkpoint - Deploy CCTV to remote facility