Social Engineering Grifting in the 21 st century U of I Experiment Power Grid Security Spring 2003.

Definitions
- Webster: management of human beings in accordance with their place and function in society; applied social science.
- Wetware: the human beings (programmers, operators, administrators) attached to a computer system, as opposed to the system's hardware or software (also called liveware and meatware).
- Social engineering: cracking techniques that rely on weaknesses in wetware rather than in software.

Social Engineering--UW
- Our definition: manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems, with malicious intent.

Social Engineering Cycle
- Research (dumpster diving, et al.)
- Developing rapport and trust
- Exploiting trust
- Using the information
Source: Mitnick, 2002

Social Engineering Major Tools
- Appeal to vanity
- Appeal to authority
- Eavesdropping
- Prey on natural helpfulness
- Manipulate lack of awareness of the value of information

Social Engineering Methods
- Posing as a fellow employee
- Posing as an employee of a vendor
- Posing as an authority figure
- Posing as a new employee requesting help
- Posing as a vendor offering a patch, etc.
- Offering help if a problem occurs
- Sending free software or a patch to install
- Sending a virus/Trojan horse
- Using a false pop-up window asking for log-in
- Capturing the victim's keystrokes
- Leaving a floppy sitting around with malicious code
- Using insider lingo to gain trust
- Offering a prize for registering on a web site with username and password
- Dropping a document or file at the company mail room for in-house delivery
- Modifying the fax machine heading to appear to come from a normal location
- Asking the receptionist to receive and then forward a fax
- Asking for a file to be transferred to an apparently internal location
- Getting a voice mailbox set up for callbacks, making the attacker seem internal
- Pretending to be from a remote office and asking for access locally
Source: Mitnick, 2002

Warning Signs of an Attack
- Refusal to give a callback number
- Out-of-the-ordinary request
- Claim of authority
- Stresses urgency
- Threatens negative consequences of noncompliance
- Shows discomfort when questioned
- Name dropping
- Compliments or flattery
- Flirting
Source: Mitnick, 2002

Common Targets of Attacks
- Unaware of the value of information: receptionists
- Special privileges: help desk and technical support
- Manufacturer/vendor relationships: vendors
- Specific departments: accounting, HR
Source: Mitnick, 2002

Factors Making Companies Vulnerable
- Large number of employees
- Multiple facilities
- Information on employee whereabouts left in voice mail messages
- Phone extension information made available
- Lack of security training
- Lack of a data classification system
- No incident reporting/response plan
Source: Mitnick, 2002

Examples:
- Passwords displayed on hardware
- Internal company information/memos
- Users' passwords/account information
- Theft of service (Mitnick)
- Theft of intellectual property
- Footprinting/casing prior to an electronic attack

Why do we care?
- Humans are potentially the least secure link in any secure system.
- "You are the weakest link... Goodbye!"

Experiment U of I
- War-driving revealed many wireless networks in use in industry, manufacturing, commerce and education (not to mention residential).
  - Most did not take minimal security measures.
- Why are industries relying on wireless?
  - They don't know the risk.
  - Incompetent, apathetic, irresponsible.

Experiment U of I (cont'd.)
- Sent 10 letters to industry/commerce:
  - Identified the wireless-enabled network
  - Warned about the risks
  - Sent the information obtained about their network: MAC addresses, access point brand and name, WEP status
  - Offered to help evaluate the risks
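The three facts the letters reported (MAC address, access point brand and name, WEP status) can be pulled straight out of a war-driving tool's export and turned into per-network findings. The script below is an added example and is not code from the U of I experiment; the scan records are constructed, and the OUI-to-vendor table and the list of factory-default SSIDs are small illustrative subsets (assumptions for this example), not the IEEE registry or any vendor's documentation.

```python
"""Added example (not from the original U of I slides): classify the
networks a war-driving pass turned up, using the same three facts the
notification letters reported (MAC address, AP brand/name, WEP status).

The scan export, the OUI table and the default-SSID list below are
constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed subset of OUI prefixes (first three octets of the BSSID).
# Assumption for this example, not an authoritative registry.
OUI_VENDORS = {
    "00:0C:41": "Linksys",
    "00:40:96": "Cisco Aironet",
    "00:02:2D": "Agere/Orinoco",
}

# Factory SSIDs that suggest nobody ever configured the access point
# (assumption: illustrative, not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}

# Constructed scan export: BSSID,SSID,privacy,channel (one network per line).
SCAN_EXPORT = """\
00:0C:41:12:34:56,linksys,OPEN,6
00:40:96:AB:CD:EF,PLANT-FLOOR,WEP,11
00:02:2D:77:88:99,default,OPEN,1
00:11:22:33:44:55,corp-wifi,WPA,1
"""


@dataclass
class Network:
    bssid: str
    ssid: str
    privacy: str  # OPEN, WEP or WPA as the scanner exported it
    channel: int

    @property
    def vendor(self) -> str:
        """Access point brand, derived from the OUI part of the MAC."""
        return OUI_VENDORS.get(self.bssid[:8], "unknown")

    @property
    def factory_default(self) -> bool:
        return self.ssid.lower() in DEFAULT_SSIDS

    def finding(self) -> str:
        """Why the network is (or is not) a problem, phrased for the letter."""
        if self.privacy == "OPEN":
            return "no link-layer encryption; anyone in range can associate"
        if self.privacy == "WEP":
            return "WEP only; the key is recoverable from captured traffic"
        return "WPA family in use"

    def unprotected(self) -> bool:
        return self.privacy in ("OPEN", "WEP")


def parse_scan(text: str):
    """Parse the flat comma-separated export into Network records."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, privacy, channel = line.split(",")
        nets.append(Network(bssid.upper(), ssid, privacy.upper(), int(channel)))
    return nets


def letter_lines(nets):
    """One line per network, in the shape of what the letters reported."""
    lines = []
    for n in nets:
        flags = [n.finding()]
        if n.factory_default:
            flags.append("SSID still at factory default")
        lines.append(f"{n.bssid} ({n.vendor}) '{n.ssid}' ch{n.channel}: "
                     + "; ".join(flags))
    return lines


def tally(nets):
    """Count networks per posture: the 'most did not take minimal
    security measures' figure from the survey."""
    counts = {"OPEN": 0, "WEP": 0, "WPA": 0}
    for n in nets:
        counts[n.privacy] = counts.get(n.privacy, 0) + 1
    return counts


if __name__ == "__main__":
    networks = parse_scan(SCAN_EXPORT)
    for line in letter_lines(networks):
        print(line)
    c = tally(networks)
    print(f"{c['OPEN'] + c['WEP']} of {len(networks)} networks unprotected")
```

Treating WEP as unprotected alongside open networks is deliberate: by 2003 the WEP key could be recovered from captured traffic, so the "WEP status" the letters reported distinguishes only "no encryption" from "broken encryption", not from a secure configuration.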

Results 1
- FSI (First Step Internet) provided:
  - Authentication scheme
  - Access point names and locations
  - Security practices
  - IDS/mitigation
  - Wireless backbone locations/type/frequency
  - Future security plans
  - Client security
  - End user agreements

Results 2
- St. Joseph's Regional Medical Center:
  - Well informed
  - Cautious/paranoid/untrusting
  - Unwilling to divulge any information about their network
  - Educated about social engineering and would not answer direct questions
  - A thorough risk assessment determined the liability was smaller than the risk

Recent Survey--UK
- InfoSecurity Europe 2003 survey of office workers at London's Waterloo Station:
  - 75% gave their password immediately
  - A further 15% revealed their password after some simple social engineering tricks
  - 2/3 have given their password to colleagues
  - 2/3 use the same password for everything

Lessons Learned
- People can be trained to avoid/prevent social engineering (St. Joe's).
- It only takes one person to divulge insider information (knowingly or unknowingly) for a security breach.
- Social engineering is still the easiest method of obtaining insider information.