Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social Engineering: The Human Element How Does Social Engineering Work and to What Purpose? Chuck McGann.

Published byClinton Fowler Modified over 9 years ago

Similar presentations

Presentation on theme: "Social Engineering: The Human Element How Does Social Engineering Work and to What Purpose? Chuck McGann."— Presentation transcript:

1 Social Engineering: The Human Element How Does Social Engineering Work and to What Purpose? Chuck McGann

2 Objective: A discussion on types of “social engineering” and how it can be both damaging to your business and to home environments. [We may touch on the dangers of Social Media if there is time.]

3 Defining "Social Engineering"  Social Engineering is defined as the process of deceiving people into giving away access or confidential information by establishing a contrived relationship of trust.  Wikipedia defines it as: "is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim." [1] [1]

4 Defining "Social Media"  Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social mediaforums,microbloggingsocial networkingsocial bookmarkingsocial curationwiki

5 Quick Video  Placeholder for the below video  http://www.youtube.com/watch?v=tkgLHoaFeFk&__hssc=&__hstc& hsCtaTracking=70edc2a8-64cf-47f8-9f30- 6581d17e4660%7Cd07bcdc2-0e2c-4028-8505-343bc3d1e11d http://www.youtube.com/watch?v=tkgLHoaFeFk&__hssc=&__hstc& hsCtaTracking=70edc2a8-64cf-47f8-9f30- 6581d17e4660%7Cd07bcdc2-0e2c-4028-8505-343bc3d1e11d

6 The Human Element of Trust  Trust is integral to the idea of social influence: it is easier to influence or persuade someone who is trusting. The notion of trust is increasingly adopted to predict acceptance of behaviors by others, institutions (e.g. government agencies) and objects such as machines…

7 Audience/Targets/Victims  Employees  Customers  Competitors  Hackers  Family  Friends

8

9 Targeted Organizations 9

10 By Industry 10

11 Real World Example  Fall of 2012, USPS was targeted by an external social engineering attack  Over 150 USPS users opened the phishing eMail  80 recipients provided their User ID and Passwords  CIRT issued a requirement to reset all WebVPN user account passwords  Lost work hours

12 Research by Check Point Software Technologies  850 IT and Security professionals in North America, Australia, and New Zealand were surveyed  48% of large businesses have suffered from socially engineered attacks at least 25 times  Resulting in losses of between $25,000 and $100,00 per incident

13 Social Engineering  Types of Attacks  Phishing – Spear/Whale  Impersonation of Help Desk Agent  Fake software  Trojans  Watering Hole  Drive by download

14 Phishing  Use of deceptive mass emailing  Can target specific entities (“Spear phishing and Whale phishing”)  Prevention:  Honeypot email addresses  Education  Awareness of network and website changes  Awareness of links and format of actual address  Note - http://www.usps.com http://www.usps.com

15 Phishing Example  ----- Forwarded message -----  From: Express Mail Service [mailto:support@universalpost.com] Sent: Friday, April 26, 2013 10:13 AM Subject: Shipping Info   Delivery information, Your parcel can not be delivered by courier service. Status:Postal code is not specified. LOCATION OF YOUR ITEM:St.Louis STATUS OF YOUR ITEM: not delivered SERVICE: Local Pickup NUMBER OF YOUR PARCEL:U588850982NU INSURANCE: No Print a label and show it at your post office. An additional information If the parcel is not received within 30 working days our company will have the right to claim compensation from you for it is keeping in the amount of $6.10 for each day of keeping of it. You can find the information about the procedure and conditions of parcels keeping in the nearest office. Thank you for attention. DHL Customer.

16 Impersonation on Help Desk Calls  Calling the Help Desk pretending to be someone else  Usually an employee or someone with authority with a need-to-know  Prevention:  Assign pins for calling the Help Desk  Don’t do anything on someone’s order  Stick to the scope of the Help Desk

17 Fake Software  Fake login screens  The user is aware of the software but thinks it’s trustworthy  Prevention:  Have a system for making real login screens obvious (personalized key, image, or phrase)  Education  Antivirus (will not be able to detect zero day exploits – new virus signatures)

18 Trojans  Appears to be useful and legitimate software before running  Performs malicious actions in the background  Does not require interaction after being run  Prevention:  Don‘t run programs on someone else’s computer  Only open attachments you’re expecting  Use an up-to-date antivirus program

19 Security Awareness Testing  Method, Tools, and Approach  Email  Email will contain an URL which would be redirected to a data collection and metrics web site  Data Collection and Metrics Web Site  Redirect user to a webpage which will contain information for security awareness

20 What Can You Do?  Keep software and antivirus current  Strong security awareness program  Use “least privilege” for users  Periodic technology assessments  Assign the responsibility to someone

21 Places for Help  SANS – Securing the Human  http://www.sans.org/security-awareness/  Multi-State Information Sharing and Analysis Center (MSISAC)  http://msisac.cisecurity.org/resources/videos/free-training.cfm http://msisac.cisecurity.org/resources/videos/free-training.cfm  Dept. of Health and Human Services (HHS.Gov)  http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstrai ning.html http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstrai ning.html  Stop Think Connect  http://www.stopthinkconnect.org/

22 Weakest Link? No matter how strong your:  Firewalls  Intrusion Detection Systems  Cryptography  Anti-virus software "At the end of the day, people are a critical part of the security process as they can be misled by criminals and make mistakes that lead to malware infections or unintentional data loss“ – Oded Gonda (VP of Check Point) "The weakest link in the security chain is the human element" -Kevin Mitnick

23 Questions

24 Reference  (2013, September 11). Trust (Social Sciences). Retrieved: September 13, 2013, from http://en.wikipedia.org/wiki/Trust_(social_sciences) http://en.wikipedia.org/wiki/Trust_(social_sciences)  http://whatis.techtarget.com/definition/social-media  Schwartz, Mathew J. (2011, September 21). Social Engineering Attacks Cost Companies. Retrieved: September 13, 2013, from http://www.informationweek.com/security/vulnerabilities/social-engineering-attacks-cost- companie/231601868 http://www.informationweek.com/security/vulnerabilities/social-engineering-attacks-cost- companie/231601868

Download ppt "Social Engineering: The Human Element How Does Social Engineering Work and to What Purpose? Chuck McGann."

Similar presentations

How to protect yourself, your computer, and others on the internet

How to protect yourself, your computer, and others on the internet
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.

Kelly Corning Julie Sharp.  Human-based techniques: impersonation  Computer-based techniques: malware and scams.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
The Art of Social Hacking

The Art of Social Hacking
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.

Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.
UT Wing Civil Air Patrol. Objective Identify network and cyber vulnerabilities and mitigations Social Media/Metadata/Exfil data MITM Attacks Malware Social.

UT Wing Civil Air Patrol. Objective Identify network and cyber vulnerabilities and mitigations Social Media/Metadata/Exfil data MITM Attacks Malware Social.
AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.

AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.
Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.

Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.

Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.
Internet Security Awareness Presenter: Royce Wilkerson.

Internet Security Awareness Presenter: Royce Wilkerson.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.

1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.

Similar presentations

Ads by Google