Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 465 Social Engineering Last Updated: Dec 14, 2017.

Published byจันทร์สิริ สมิท Modified over 5 years ago

Similar presentations

Presentation on theme: "CS 465 Social Engineering Last Updated: Dec 14, 2017."— Presentation transcript:

1 CS 465 Social Engineering Last Updated: Dec 14, 2017

2 Social Engineering Source: The Art of Deception
Controlling the Human Element of Security By Kevin Mitnick and William Simon

3 Information Security Awareness and Training
No technology in the world can prevent social engineering attacks Some authorities recommend 40% of an overall security budget be targeted to awareness training

4 Train Your Employees A company can spend hundreds of thousands of dollars on firewalls, encryption and other security technologies, but it an attacker can call one trusted person within the company and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted. Kevin Mitnick

5 Six Tendencies of Human Nature
Authority Comply with a request from someone of authority Liking Comply with a request from someone we like Reciprocation Comply with a request when we are promised or given something of value Consistency Comply after we have committed to a specific action Social Validation Comply when doing something in line with what others are doing Scarcity Comply when we believe the object sought is in short supply and others are competing for it, or it is available for a short period of time

6 Common Social Engineering Methods
Posing as a fellow employee Posing as an employee of a vendor, partner company, or law enforcement Posing as someone in authority Posing as a new employee requesting help Posing as a vendor or systems manufacturer calling to offer a system patch or update Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call the attacker for help

7 Common Social Engineering Methods
Sending free software or patch for a victim to install Sending a virus or Trojan Horse as an attachment Using a false pop-up window asking the user to log in again or sign on with password Capturing victim keystrokes with expendable computer system or program Leaving a USB drive around the workplace with malicious software on it

8 Common Social Engineering Methods
Using insider lingo and terminology to gain trust Offering a prize for registering at a Web site with username and password

9 Top 5 Soc Eng Techniques Familiarity exploit
Act like you belong there Create a hostile situation Gathering useful information Social media Cars Dumpster diving Get a job there Body language Source:

10 5 Attacks to Watch Out For
Phishing Pre-texting Lie to obtain sensitive information Baiting Quid pro quo Office workers gave away pw for pen or chocolate Tailgaiting Source:

11 Warning Signs of an Attack
Refusal to give a callback number Out-of-ordinary request Claim of authority Stresses urgency Threatens negative consequences of noncompliance Shows discomfort when questioned Name dropping Compliments or flattery Flirting

12 Common Targets of Attacks
Unaware of value of information Receptionists, telephone operators, admin assistants, security guards Special privileges Help desk or technical support, system admins, computer operators, telephone sys admins Manufacturer/Vendor Computer hardware, software manufacturers, voice mail systems vendors Specific departments Accounting, human resources

13 Factors that Make Companies More Vulnerable to Attacks
Large number of employees Multiple facilities Information on employee whereabouts left in voice mail messages Phone extension information made available Lack of security training Lack of data classification system No incident reporting/response plan in place

14 Foiling Attacks Most attacks could be foiled if the victim simply follows two steps Verify the identity of the person making the request Verify whether the person is authorized

15 Social Engineering at BYU

16 Advanced Persistent Threat
Usually targets organizations for business or political motives Advanced: sophisticated techniques to exploit vulnerable systems Persistent: External command and control that monitors over an extended period of time Threat: Human involvement in orchestrating the attack Claim: most US corporations have had their sensitive data stolen Financial, Oil, Security, Defense

17 Advanced Persistent Threat
Social engineering is the catalyst for many Advanced Persistent Threat (APT) attacks Stuxnet was assisted through USB drives Penetration testers gain a foothold using social engineering Research VPs and send targeted s with infected pdf files Pose as cleaning crew inspector and plant infected USB drives

18 Resources http://en.wikipedia.org/wiki/The_Art_of_Deception

Download ppt "CS 465 Social Engineering Last Updated: Dec 14, 2017."

Similar presentations

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.

Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.
Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.

Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
The Art of Social Hacking

The Art of Social Hacking
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
Aleksandra Kurbatova 111611 IVCM.  What is social engineering?  Types  Pretexting  …  Summary  Conclusion.

Aleksandra Kurbatova IVCM.  What is social engineering?  Types  Pretexting  …  Summary  Conclusion.
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.

SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.

1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Social Engineering Networks Reid Chapman Ciaran Hannigan.

Social Engineering Networks Reid Chapman Ciaran Hannigan.
 ICT Security › If the firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, should they maintain a low.

 ICT Security › If the firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, should they maintain a low.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.

The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
© 2008. Oklahoma State Department of Education. All rights reserved. 1 Beware! Consumer Fraud Standard 9. 1 Fraud and Identity Theft.

© Oklahoma State Department of Education. All rights reserved. 1 Beware! Consumer Fraud Standard 9. 1 Fraud and Identity Theft.
1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.

1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”

Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
TRACs Security Awareness FY2009 Office of Information Technology Security 1.

TRACs Security Awareness FY2009 Office of Information Technology Security 1.

Similar presentations

Ads by Google