Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social Engineering No class today! Dr. X.

Published byPeregrine Stewart Modified over 5 years ago

Similar presentations

Presentation on theme: "Social Engineering No class today! Dr. X."— Presentation transcript:

1 Social Engineering No class today! Dr. X

2 Outline Sigfree by Louis! Q&A buffer overflow homework SE framework
SANS Securing the human, by William

3 What is Social Engineering?

4 A Quote from Kevin Mitnick
“You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

5 Types of “hackers” according to Kevin Mitnick
Crackers (or vandals) Script kiddies Phone phreaks Social engineers

6 A Classic (and real) Example
Stanley Mark Rifkin defrauded the Security Pacific National bank in LA in 1978 Managed to steal $10,200,000 in a single social engineering attack

7 Types of Attacks Phishing Impersonation on help desk calls
Physical access (such as tailgating) Shoulder surfing Dumpster diving Stealing important documents Fake software Trojans

8 Phishing Use of deceptive mass mailing
Can target specific entities (“spear phishing”) Prevention: Honeypot addresses Education Awareness of network and website changes

9 Impersonation on help desk calls
Calling the help desk pretending to be someone else Usually an employee or someone with authority Prevention: Assign pins for calling the help desk Don’t do anything on someone’s order Stick to the scope of the help desk

10 Physical access Tailgating
Ultimately obtains unauthorize building access Prevention Require badges Employee training Security officers No exceptions!

11 Shoulder surfing Someone can watch the keys you press when entering your password Probably less common Prevention: Be aware of who’s around when entering your password

12 Dumpster diving Looking through the trash for sensitive information
Doesn’t have to be dumpsters: any trashcan will do Prevention: Easy secure document destruction Lock dumpsters Erase magnetic media

13 Stealing important documents
Can take documents off someone’s desk Prevention: Lock your office If you don’t have an office: lock your files securely Don’t leave important information in the open

14 Fake Software Fake login screens
The user is aware of the software but thinks it’s trustworthy Prevention: Have a system for making real login screens obvious (personalized key, image, or phrase) Education Antivirus (probably won’t catch custom tailored attacks)

15 Trojans Appears to be useful and legitimate software before running
Performs malicious actions in the background Does not require interaction after being run Prevention: Don‘t run programs on someone else’s computer Only open attachments you’re expecting Use an antivirus

16 Trust Model

17 Attack Model

18 Responding You’ve been attacked: now what?
Have a place to report incidents People need to take responsibility Conduct audits

19 Other Thoughts What damage has been done? What damage can still be done? Has a crime actually taken place?

20 Sources Adopted slides by Caleb Leak and Smiti Bhatt
Ch. 5: The basics of Hacking and Penetration Testing SE Framework: discussion/

21 Comprehension questions
What is social engineering and why should organizations be concerned about it? Why is social engineering so widely used amongst hackers? Why do so many people fall victim to social engineering attacks? When performing onsite social engineering engagements, what are some of the tactics you use that are most likely to result in a compromise? When performing remote social engineering engagements, what are some of the tactics you use that are most likely to result in a compromise?

22 Comprehension questions
What are the top five things you suggest an organization do or implement to protect themselves from social engineering threats?  What is the most effective strategy an organization can use to educate employees on social engineering threats and are there any tools available to help?

23 Discussion Questions Can we prepare for zero day SE attacks? What would be the process? Think of SE attacks that are were not included in today’s lecture. Think of SE defenses that were not discussed. Can there be insider SE attacks?

Download ppt "Social Engineering No class today! Dr. X."

Similar presentations

Social Engineering Rick Carback 9/12/2005

Social Engineering Rick Carback 9/12/2005
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.

SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
Social Engineering: The Human Element How Does Social Engineering Work and to What Purpose? Chuck McGann.

Social Engineering: The Human Element How Does Social Engineering Work and to What Purpose? Chuck McGann.
Computer Threats I can understand computer threats and how to protect myself from these threats.

Computer Threats I can understand computer threats and how to protect myself from these threats.
CIT 1100. In this chapter you will learn how to:  Explain the threats to your computers and data  Describe key security concepts and technologies.

CIT In this chapter you will learn how to:  Explain the threats to your computers and data  Describe key security concepts and technologies.
UT Wing Civil Air Patrol. Objective Identify network and cyber vulnerabilities and mitigations Social Media/Metadata/Exfil data MITM Attacks Malware Social.

UT Wing Civil Air Patrol. Objective Identify network and cyber vulnerabilities and mitigations Social Media/Metadata/Exfil data MITM Attacks Malware Social.
Social Engineering – Threats & Concerns Avisek Ghosh, CISA CISSP Sr. Manager – Corporate Security Cognizant Technology Solutions.

Social Engineering – Threats & Concerns Avisek Ghosh, CISA CISSP Sr. Manager – Corporate Security Cognizant Technology Solutions.
Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.

Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.
Social Engineering Networks Reid Chapman Ciaran Hannigan.

Social Engineering Networks Reid Chapman Ciaran Hannigan.
Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.

Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.
The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.

The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”

Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
Program Objective Security Basics

Program Objective Security Basics
Social Engineering UTHSC Information Security Team.

Social Engineering UTHSC Information Security Team.
Cory Bowers Harold Gray Brian Schneider Data Security.

Cory Bowers Harold Gray Brian Schneider Data Security.

Similar presentations

Ads by Google