1
The Art of Deception - Controlling the Human Element of Security
Shohei Hagiwara, November 17th, 2009
2
Topic: Information Security
- Technologies: encryption, firewall, anti-virus software, password
- Focus: the human...
Outline:
- What is social engineering?
- A couple of examples of how attackers get access to information
3
The book...
- Title: The Art of Deception
- Year: 2002
- Authors: Kevin Mitnick, William Simon
- Kevin Mitnick: ex-world-famous hacker, consultant; first crime: free bus ride when 12 years old
- William Simon: writer/editor
4
What is Social Engineering?
"uses influence and persuasion to deceive people by convincing them that the social engineer is someone he [or she] is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." (from the book)
- Pretend, deceive/manipulate, get information
5
Human Factor of Security
- Human factor → the weakest link
- Emotion, mistakes, misjudgement, tiredness
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - Albert Einstein
6
6 Basic Tendencies of Human Nature (suggested by Robert B. Cialdini)
1. Authority
2. Liking
3. Reciprocation
4. Consistency
5. Social Validation
6. Scarcity
7
Other Factors
- National characters: love thy neighbors
- Organizational innocence: sharing information, trust, little/no security → this is changing...
8
When Innocent Information Isn't...
- Information that is valuable: credit card number, PIN number, password, etc.
- We won't give them away because we know they are valuable
- What about date of birth, pet's name, student ID, unit #?
9
Continued...
- Seemingly useless information can be used to impersonate someone
- It is a stepping stone to the next, more valuable piece of information
10
An example: Banks and CheCredit
- First call to bank: "I am writing a book. What do you give CheCredit to get a credit record?"
- Second call to bank: "I am calling from CheCredit. I am doing a survey to improve service." "Hours of operation? How many employees? How often do you call? What is your Merchant ID? How long have you been with the bank? Suggestions?"
11
Another example: Video shop
- First call to a shop: "I had a great experience with the shop and want to send a letter to the manager. And also, I want to send a letter to the company headquarters. What is your branch number?"
- Now you have the manager's name and branch number. Continue...
12
How to prevent
1. Classify information → what is and is not okay to be shared
2. Verify. Don't rely on lingo or feelings. Get the caller's name and phone number.
13
Building Trust
- Appearance, voice, talking, personality
- Frequent contacts
- (ex) Video shop: call to another shop, pretend to be the manager of the first shop; small requests, chats. Continue...
14
Can you help me? People like helping others
15
Example of video shop
- Another call to the shop: "The system is down. Can you check a customer for me? Credit card number?"
16
How to prevent
- Verify, verify, verify! Call back on a listed number.
- But you also want employees to be helpful to each other at the workplace.
17
Dumpster Diving
- Low risk and high return: passwords, receipts, lists, etc.
- A shredder may not work... shredded pieces can be reassembled like a puzzle → a whole list of company systems and passwords
18
How to Prevent Dumpster Diving
- Lock the dumpster
- Cross-shred
- Multilevel approach to information of different sensitivity
- Background check on custodians
19
Attack on Entry-Level Employee
- An easy target
- They don't know the value of information
- They don't know the structure of the company
- Likely to obey authority
20
What is the best countermeasure?
- Anti-virus? Firewall? Encryption? Code names? No.
- Have trained, aware, conscientious employees
21
Train Employees
- Not a web page or pamphlet
- Not a one-day seminar → ongoing
- Raise awareness!!! Procedures are not enough.
- There are threats; it is part of the job to protect information against them
- Reward, encouragement
- Awareness → specific techniques
22
Question... Questions?