Gone Phishing: Understanding Social Engineering Attacks

Presentation on theme: "Gone Phishing: Understanding Social Engineering Attacks"— Presentation transcript:

1 Gone Phishing: Understanding Social Engineering Attacks

2

3 Presenter
Petar Besalev, Director of Security Services at A-LIGN
Areas of concentration include:
- Penetration Testing
- PCI DSS
- ISO 27001
- FedRAMP
- FISMA
- HIPAA/HITECH
Professional designations:
- CISA
- CIPT

4 Agenda
- Understanding Social Engineering
- Recent Social Engineering Attacks
- Case Study of Successful Social Engineering Attacks
- Preventing Social Engineering Attacks
- Summary

5 Understanding Social Engineering

6 What is a Breach?
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.
Data breaches may involve:
- PCI – Payment card information
- PHI – Protected health information
- PII – Personally identifiable information
- Trade secrets
- Intellectual property

7 What is Social Engineering?
Any type of communication that exploits the human factor in order to gather sensitive information.
Could include:
- Phishing
- Pretexting
- Baiting
- Other

8 The Cybersecurity Landscape
“No locale, industry or organization is bulletproof when it comes to the compromise of data.” – Verizon’s 2016 Data Breach Investigations Report
Source: Verizon’s 2016 Data Breach Investigations Report

9 Recent Social Engineering Attacks

10 Gmail Attack
- The current attack compromises an account, then looks for people you have recently sent emails to and sends each of them an email with an attachment
- Once the attachment is clicked, the Gmail previewer doesn’t load the email – it opens a Gmail login box
- Utilizes a convincing URL – starts with

11 Snapchat Attack
- Snapchat was the victim of a phishing attack
- Snapchat’s payroll department was targeted by an email scam in which an individual impersonated the CEO of Snapchat and asked for employee payroll information
- Breach could include:
  - Social security numbers
  - Bank details
  - Addresses
  - Emails

12 Dropbox Attack
- Users received an email emulating Dropbox

13 Dropbox Attack
- Once the link is clicked, the following page pops up prompting users to log in to their account

14 Dropbox Attack
- Once the information is entered, the user’s account and password are compromised
- Savvy users would be tipped off by the URL being inconsistent with Dropbox’s URL
- Attacks are becoming more sophisticated

15 Identifying Social Engineering Attacks

16 Phishing
- Phishing is a series of communications sent in order to deceive individuals into providing sensitive information
- Phishing employs both technical wherewithal and social engineering in order to steal consumer information
- The most common type of social engineering attack:
  - 9,576 total incidents
  - 916 with confirmed data disclosure
  - 13% of people tested click on a phishing attachment

17 Phishing (cont’d)
- Phishing can take the form of messages, website forms, or phone calls and can be designed to reveal different information. This information can take the form of:
  - Credit card or other financial information
  - Social security information
  - Account logins and passwords
  - Personal Identification Numbers (PINs)
- Examples of phishing:
  - An email from an account that you own requesting that you “reverify” the information in your account.

18 Pretexting
- Pretexting consists of creating a made-up scenario in order to engage with the target
- Typically, the attacker will do research to set up the scenario and use uncommon information in order to impersonate someone else and establish legitimacy
- Can be used over the phone or to gain physical entry to a location

19 Pretexting (cont’d)
Examples of pretexting:
- The attacker could wear a cable company shirt and come to your organization for an “inspection”
- The pretext of the shirt lends credibility, suggesting they are worthy of trust
- Once they are in, they can obtain access to networks, or search for confidential information on site

20 Baiting
- The modern Trojan horse
- In these attacks, attackers leave malware-infected items (USB, CD) in locations where people will find them, labelled with intriguing names such as “CONFIDENTIAL”
- Once the item is inserted into a computer, the malware is installed and provides access to computers and networks

21 Other Types of Social Engineering
- Tailgating: as a manner of gaining physical entry to a location, an attacker follows someone with legitimate access into the location
- Elicitation: extracting information from a subject via conversation
- Whaling: a type of CEO fraud where, after gaining access to an executive’s email, the hacker requests finances or other information from lower-level employees. The Snapchat attack is an example of whaling

22 Case Study of a Social Engineering Attack

23 Case Study
- A-LIGN ran an extensive social engineering campaign against Company A in the form of a false Security Awareness Training Program
- Results: 3 high-level vulnerabilities that, if exploited, would allow the attacker privileged-level access to the system

24 Case Study
The email phishing campaign was “sent” by the CISO of the company to all employees except C-level positions, and was broken into three sections:
- An embedded link that took users to a spoofed login page
- The login page itself, where credentials are captured
- A training video page that included a survey asking users for their first name and last name to verify information

25 Case Study
- A-LIGN sent emails to 72 inboxes
- 9 username and password combinations were obtained from users who clicked the embedded link and entered their credentials

26 Case Study - Vulnerabilities
Submission of usernames and passwords (High – CVSS 9.0)
- Many employees indicated that they log in to company accounts while on public WiFi. Use of public WiFi coupled with clear-text password submission can allow eavesdropping attackers to capture their credentials

27 Case Study - Vulnerabilities
Responding to phishing emails (High – CVSS 8.0)
- During the social engineering testing, an employee responded to the phishing email stating “Nice try” – however, in doing so, gave A-LIGN an internal IP address and more information about the internal network.

28 Case Study - Vulnerabilities
Compromised systems via social engineering (High – CVSS 9.0)
- A-LIGN was able to gain access to multiple machines following the social engineering engagement. A-LIGN used the usernames and passwords that were entered into the fake login page to log in to employee machines.

29 Case Study - Vulnerabilities
Compromised systems via social engineering (continued)
- After logging into employee machines, A-LIGN was able to exploit passwords that were saved in the web browsers on these machines, and on any other secured sites that were left open. Using these credentials, A-LIGN was able to log in to an external administrator page, a vault server, and Office 365 systems.

30 Preventing Social Engineering Attacks

31 Report Attacks
- Create a procedure that makes it easy for employees to report social engineering attacks
- Create a culture of awareness to prevent sensitive information from being compromised
- If one employee is subject to a phishing attack, identifies it and notifies the IT department, it can stop the attack in its tracks before the organization or individual is compromised

32 Employee Education
- Teach employees how to handle social engineering attacks so that they are prepared in the event of an attack
- Show examples of recent attacks so that they know what to look for
- Train employees to report attacks

33 Check the Details
Common tells:
- Poor spelling
- Poor grammar
- Abnormal sender
- Unfamiliar URLs
- Inconsistent URLs or information provided

34 Be Aware of Abnormal Requests
- Are you expecting to receive a request from someone?
- RED FLAG: someone is requesting information that they should already have
- Unexpected account reverifications should be treated cautiously
- Activating two-factor authentication on all accounts can help identify when an email is authentic or a phishing attack

35 Implement Policies
Implement security policies such as:
- Only entering information on HTTPS-protected sites
- Utilizing anti-virus software to detect attacks
- Regularly updating and patching systems that could be corrupted or outdated
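Slides 33 to 35 list the tells a reader should check (abnormal sender, unfamiliar or inconsistent URLs) and the policy of only entering information on HTTPS-protected sites; the Dropbox example on slide 14, where the URL did not match Dropbox's, is one instance. As an added example, not part of the presentation and not A-LIGN's tooling, the Python script below applies those same checks mechanically to a raw email message. The two sample messages are constructed (the lookalike domain uses the reserved `.example` TLD), and `check_message`, `registered_domain` and `_LinkCollector` are names chosen here.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name and the visible link text claim to be
# Dropbox, but neither the sender address nor the real link target is. Not a
# real phishing message; the lookalike domain uses the reserved .example TLD.
PHISH_EMAIL = """\
From: Dropbox Support <no-reply@dropbox-share-files.example>
To: employee@company.example
Subject: You have a new shared document
Content-Type: text/html; charset=utf-8

<html><body>
<p>A document has been shared with you. Sign in to view it:</p>
<p><a href="http://dropbox-share-files.example/login">https://www.dropbox.com/s/view</a></p>
<p><a href="https://www.dropbox.com/help">Help center</a></p>
</body></html>
"""

# Constructed sample of a message that passes every check.
CLEAN_EMAIL = """\
From: Dropbox <no-reply@dropbox.com>
To: employee@company.example
Subject: Your weekly summary
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.dropbox.com/home">Open Dropbox</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce a hostname to its last two labels (www.dropbox.com -> dropbox.com).
    A crude stand-in for a Public Suffix List lookup; enough for this demo."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_message(raw, expected_domain):
    """Return (category, detail) findings for the 'common tells' on the slides:
    abnormal sender, inconsistent or unfamiliar URLs, and links that are not HTTPS."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Abnormal sender: the address domain does not belong to the claimed brand.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(address.rpartition("@")[2])
    if sender_domain != expected_domain:
        findings.append(("sender", f"'{display_name}' sends from {sender_domain}, not {expected_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    for href, text in collector.links:
        target = urlparse(href)
        target_domain = registered_domain(target.hostname)

        # Clear-text link: anything typed into the landing page can be eavesdropped.
        if target.scheme != "https":
            findings.append(("cleartext-link", href))

        # Inconsistent URL: the visible text shows one domain, the link goes elsewhere.
        if re.match(r"^(https?://|www\.)\S+$", text):
            shown = text if "://" in text else "http://" + text
            shown_domain = registered_domain(urlparse(shown).hostname)
            if shown_domain != target_domain:
                findings.append(("link-mismatch", f"shows {shown_domain}, goes to {target_domain}"))
                continue

        # Unfamiliar URL: the link leaves the brand's domain entirely.
        if target_domain != expected_domain:
            findings.append(("unfamiliar-link", href))

    return findings


if __name__ == "__main__":
    for category, detail in check_message(PHISH_EMAIL, "dropbox.com"):
        print(f"{category:15} {detail}")
    print("clean message findings:", check_message(CLEAN_EMAIL, "dropbox.com"))
```

Run against the constructed phishing sample, the script reports three findings (the sender domain, the clear-text link, and the link whose visible text and target disagree) and none for the clean sample. The same checks are what a mail gateway's link-rewriting or a user's hover-over-the-link habit performs; the `registered_domain` helper is deliberately simple and would need a Public Suffix List lookup before use on real mail.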

36 Test Your Organization with a Penetration Test
- Conducting a penetration test with social engineering is a way to analyze areas of security weakness within your organization
- Three comprehensive testing services:
  - Social engineering
  - Network layer testing
  - Web application testing

37 Social Engineering Testing
- Emulates an authentic social engineering attack
- May include:
  - Targeted phone calls
  - Targeted emails
  - Attempts to bypass physical controls

38 Network Layer Testing
- Tests network devices such as:
  - Servers
  - Firewalls
  - Routers
  - Switches
- Used to identify security weaknesses such as:
  - Unpatched systems
  - Default passwords
  - Misconfigured devices

39 Web Application Testing
- Testing of a web application’s:
  - Authentication mechanisms
  - Input screens
  - Functionality
  - User roles
- Identifies weaknesses in the application
- Screens for common vulnerabilities such as the OWASP and SANS Top 20
- Tests vulnerabilities unique to your web application

40 Summary

41 Summary
- Stay updated on the types of social engineering attacks that are occurring in order to prevent them
- Understand the different types of attacks that your organization could face
- Test your system regularly in order to understand where remediation is necessary

42 Questions?

43 Please send additional social engineering questions to

44 Sources
