Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.

Published byOpal Lewis Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 5370 - Computer Security Kasturi Pore Ravi Vyas."— Presentation transcript:

1 CIS 5370 - Computer Security Kasturi Pore Ravi Vyas

2 Public Definition from wikipedia.org “Social engineering is the art of manipulating people into performing actions or divulging confidential information” Gartner Research Group : “the manipulation of people, rather than machines, to successfully breach the security systems.”

3 Kevin Mitinic was incarcerated in February1995 with more 25 charges. In his book “Art of deception” he stated he did not use any hacking tools or software programs but used social engineering to obtain the passwords and secrets.

4 Three Israli brothers: Ramy, Muzher, and Shadde Badir had 44 charges against them. ◦ Telecommunications fraud ◦ Theft of computer data ◦ Impersonation of a police officer Damages around $2 million

5 On September 16, 2008 an internet activist group 'anonymous‘gained access to governor Palin's email account gov.palin@yahoo.com.gov.palin@yahoo.com gov.palin@yahoo.com DOB 2/11/64 ZIP 99687

6  Its easier to ask the user instead of hacking the system  With the exponential increase in technology it is becoming harder to hack in to systems

7 VS

8  Humans ◦ We are emotionally weak and like to help ◦ We easily succumb to pressure ◦ We cant correctly judge if someone is lying – bias towards truth and stereotypical thinking  Current defense mechanisms ◦ Security policies – single loop ◦ Employee training  Security policies ◦ Has humans involved in creation ◦ Are not updated ◦ Are not followed

9  Information is readily and easily available

10  First attain easily available data  Use it to fake authority  Attain more confidential information  Feedback loop - result of each action is fed back to get a better result in the next action  Final deadly attack on obtaining enough information  Devise attacks to minimize reaction and weaken security

11  Pretexting ◦ Creating a scenario that does not exist in an attempt to pressure a victim in leaking information ◦ Generate cues to build the victim’s trust

12  Phishing: The attacker typically sends an email that appears to come from a legitimate source like a bank or credit card company, asking to verify some information and warns of dire consequences if action is not taken

13  IVR or phone phishing: The attacker created a very legitimate sounding copy of an organization’s IVR(Interactive voice response) system. The attacker will send an email urging people to call on the toll free number to verify information. On calling, they will readily give their information

14  Trojan horse: They take advantage of the greed and curiosity of people to propagate malware. They come as email attachments with attractive subject lines which, when opened introduce a virus in the system

15

16

17

18  Baiting: These are like physical Trojan horses. The attacker leaves malware infected physical media like CD ROM with legitimate but curious labels around the workplace which when inserted by any attacker will cause the system to be infected.

19  Online Social Engineering ◦ Users repeat a single password for all their accounts ◦ attacker sends an email to sign up for some interesting site or some important update asking for a username and a password

20  Reverse social engineering ◦ Make people come to you instead of you ◦ Attacker sabotages a network, causing a problem ◦ Advertise that he is the appropriate person to fix the problem ◦ When he comes to fix the network problem, he requests of information from the employees

21  Physical protection  Security policies that separate documents into different levels or compartments, separation of duty, double loop  Employee training  Lie detectors

22  Goodchild, J. (2008, Nov). Social Engineering: 8 Common Tactics. Retrieved Nov 2008, from NetworkWorld: http://www.networkworld.com/news/2008/110608-social- engineering-eight-common.html http://www.networkworld.com/news/2008/110608-social- engineering-eight-common.html  Granger, S. (2001, Dec). Social Engineering Fundamentals, Part I: Hacker Tactics. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1527 http://www.securityfocus.com/infocus/1527  Granger, S. (2002, Jan). Social Engineering Fundamentals, Part II: Combat Strategies. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1533 http://www.securityfocus.com/infocus/1533  Jose J. Gonzalez, J. M. (2006). A Framework for Conceptualizing Social Engineering. CRITIS 2006, LNCS 4347, 79-90.  Wikipedia. (n.d.). Social engineering (security). Retrieved Nov 2008, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Social_engineering_(security)

23  VP contender Sarah Palin hacked http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked  Three Blind Phreaks http://www.wired.com/wired/archive/12.02/phreaks_pr.html http://www.wired.com/wired/archive/12.02/phreaks_pr.html  U.S. vs. Mitnick and DePayne http://www.cnn.com/SPECIALS/1999/mitnick.background/indictme nt/page01.html http://www.cnn.com/SPECIALS/1999/mitnick.background/indictme nt/page01.html  New Trojan Bait: CNN Videos http://blog.trendmicro.com/new-trojan-bait-cnn-videos/ http://blog.trendmicro.com/new-trojan-bait-cnn-videos/

24

Download ppt "CIS 5370 - Computer Security Kasturi Pore Ravi Vyas."

Similar presentations

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.

SOCIAL ENGINEERING ATTACKS GOWTHAM RAM RAJARAM VIGNESH SELVAKUMAR SELLAMUTHU.
Good morning - Matthias Vermeiren - Joachim Seminck Good morning.

Good morning - Matthias Vermeiren - Joachim Seminck Good morning.
Protecting Your Identity: What to Know, What to Do.

Protecting Your Identity: What to Know, What to Do.
The Art of Social Hacking

The Art of Social Hacking
Aleksandra Kurbatova 111611 IVCM.  What is social engineering?  Types  Pretexting  …  Summary  Conclusion.

Aleksandra Kurbatova IVCM.  What is social engineering?  Types  Pretexting  …  Summary  Conclusion.
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.

SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Social Engineering Networks Reid Chapman Ciaran Hannigan.

Social Engineering Networks Reid Chapman Ciaran Hannigan.
Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.

Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.

1 Social Engineering Dr.Talal Alkharobi. 2 Social Engineering - Definition Webster — management of human beings in accordance with their place and function.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”

Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.

INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 

BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.

Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments.

Social Engineering Training. Why Social Engineering Training? The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments.
Social Engineering Provide brief background about ourselves i.e. what were are going to school for Ask students what they think social engineering is before.

Social Engineering Provide brief background about ourselves i.e. what were are going to school for Ask students what they think social engineering is before.
Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.

Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.
Security of systems Security risks come from two areas: employees (who introduce accidental and intentional risks) and external computer crime. Unfortunately.

Security of systems Security risks come from two areas: employees (who introduce accidental and intentional risks) and external computer crime. Unfortunately.

Similar presentations

Ads by Google