Slide 1: What Is Social Engineering?
Slide 2: Social Engineering
Because there is no "patch" for human stupidity.
"You could spend a fortune purchasing technology and services... and your network infrastructure could still remain vulnerable to old-fashioned manipulation." - Kevin Mitnick
Slide 3: What Is Social Engineering
Uses psychological methods
Exploits the human tendency to trust
Goals are the same as hacking
Slide 4: Social Engineering Approaches
Carelessness
Comfort Zone
Helpfulness
Fear
Slide 5: Careless Approach
Victim is careless: does not implement, use, or enforce proper countermeasures
Used for reconnaissance: looking for what is lying around
Methods: Dumpster Diving/Trashing, Building/Password Theft, Shoulder Surfing, Password Harvesting, Impersonation, Direct Theft, Smoking Zone
Slide 6: Dumpster Diving/Trashing
Huge amount of information in the trash
Most of it does not seem to be a threat
The who, what and where of an organization
Knowledge of internal systems
Materials for greater authenticity
Intelligence agencies have done this for years
Slide 7: Building/Password Theft
Requires physical access
Looking for passwords or other information left out in the open
Little more information than dumpster diving
Slide 8: Password Harvesting
Internet or mail-in sweepstakes
Based on the belief that people do not change their password across different accounts. Sadly, this is, for the most part, true.
Slide 9: Impersonation
Could be anyone: Tech Support, Co-Worker, Boss, CEO, User, Maintenance Staff, Delivery Driver
Generally two goals: asking for a password; building access (Careless Approach)
Slide 10: Other Methods
Shoulder Surfing
Direct Theft: outside the workplace; wallet, ID badge, or purse stolen
Smoking Zone: attacker will sit out in the smoking area and piggyback into the office when users go back to work
Slide 11: Helpful Approach
People generally try to help even if they do not know who they are helping
Usually involves being in a position of obvious need
Attacker generally does not even ask for the help they receive
Piggybacking/Tailgating
Troubled user
Slide 12: Piggybacking
Attacker will trail an employee entering the building
More effective: carry something large so they hold the door open for you; go in when a large group of employees is going in; crutches; pretend to be unable to find the door key
Slide 13: Troubled User
Calling organization numbers asking for help: "I'm new in IT and the boss is going to kill me. I don't need your password, but can you provide your username/login name so I can verify you have the right IP?"
Getting a username and asking to have a password reset: calls up IT and says, "I am kind of new and did something really stupid, I lost my password. Can you reset it for me, my username is xxxx."
Slide 14: Fear Approach
Usually draws from the other approaches
Puts the user in a state of fear and anxiety
Very aggressive
Conformity
Importance
Time Frame
Slide 15: Conformity
The user is the only one who has not helped out the attacker with this request in the past: "I talked to Jan last week and she had no problem providing the information, why do you have to be so difficult?"
Personal responsibility is diffused
User gets justification for granting the attacker's request
Slide 16: Importance
Classic boss or director needs routine password reset: "So would *you* like to explain to the vice president why *you* don't think it would be a good idea to reset his password? I am absolutely sure he would be *thrilled* to hear just how important your job is."
Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc.)
A semi-official-looking "uniform" right after a small-scale disaster can get you admittance anywhere. Check the back of the building for the phone carrier. "Hi, I am from Verizon, we are still having some line difficulties after the hurricane and think we have traced the issue to a loop in your circuit. I need access to your telecom rack."
Slide 17: Time Frame
Fictitious deadline
Impersonates payroll bookkeeper, proposal coordinator: "Look, I have 15 minutes to get this taken care of or there will be no paychecks this week."
Asks for password change
Slide 18: Advanced Attacks
Offering a Service: attacker contacts the user; uses viruses, worms, or Trojans; user could be approached at home or at work; once infected, attacker collects the needed information
Reverse Social Engineering: attacker puts themselves in a position of authority; users ask the attacker for help and information; attacker takes the information and asks for what they need while fixing the problem for the user
© 2024 SlidePlayer.com. Inc.
All rights reserved.