Hacking the Human Social Engineering Attacks April 14, 2015 CBIZ MHM, LLC – Kansas City


Page 1

Hacking the Human – Social Engineering Attacks

April 14, 2015

CBIZ MHM, LLC – Kansas City

Page 2

Presenters

Kyle Konopasek, CIA, CICA
Manager – CBIZ MHM, LLC
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1020
Email: [email protected]

Cory Kaiser, CPA
Manager – CBIZ MHM, LLC
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1238
Email: [email protected]

Effective May 1, 2015 our new office address will be:

700 West 47th Street, Suite 1100
Kansas City, Missouri 64112.

After May 1st, please direct all calls to our new numbers:

Kyle Konopasek: (816) 945-5512
Cory Kaiser: (816) 945-5628

Page 3

Learning Objectives

1) Understand what social engineering is and the various types of attacks.

2) Learn how to identify a social engineering attack.

3) Understand the impact to an organization as a result of a social engineering attack.

4) Learn who is most susceptible to a social engineering attack.

5) Gain insight on how social engineering attacks can be mitigated.

Page 4

What Is Social Engineering?

1) The clever manipulation of the natural human tendency to trust.

2) Manipulating people into willingly doing something rather than by breaking in using technical or brute force means.

3) The act of manipulating a person to take an action that may or may not be in the target’s best interest. ~ Chris Hadnagy

4) The art of intentionally manipulating behavior using specially crafted communication techniques. ~ Gavin Watson

Page 5

Motivations for Social Engineering Attacks

• Financial gain – 51%

• Access to proprietary information – 46%

• Competitive advantage – 40%

• Revenge or personal vendetta – 14%

• Other – 4%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 6

Social Engineering Targets

• Sensitive Personally Identifiable Information

• System usernames and passwords

• High-value assets

• Trade secrets and proprietary information

Page 7

Typical Cost Per Social Engineering Incident

• All companies
– Less than $10,000: 38%
– $10,000 - $25,000: 14%
– $25,000 - $50,000: 16%
– $50,000 - $100,000: 13%
– More than $100,000: 19%

• More than 5,000 employees
– Less than $10,000: 32%
– $10,000 - $25,000: 12%
– $25,000 - $50,000: 13%
– $50,000 - $100,000: 13%
– More than $100,000: 30%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 8

Frequency of Social Engineering Attacks Over 2-year Period

• All companies
– Less than 5 times: 32%
– 5 - 24: 36%
– 25 - 50: 20%
– More than 50 times: 12%

• More than 5,000 employees
– Less than 5 times: 20%
– 5 - 24: 32%
– 25 - 50: 15%
– More than 50 times: 33%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 9

An Attack In Action – Stories and Examples

• Dumpster diving

– Company directory and phone list with email addresses.

– Client sensitive personally identifiable information.

– Employee usernames and passwords to company systems.

– Company policies, procedures, systems, vendors.

– Vertical cut shred in trash bag in dumpster.

– Hand torn documents in trash in dumpster.

Page 10

An Attack In Action – Stories and Examples

• Pretexting, Baiting, and Piggy-backing

– Impersonate telecom, janitorial, security personnel, employees.

– Drop a CD or USB thumb drive with a creative label.

– Follow employees through secured doors.

– Develop rapport and level of comfort.

Page 11

An Attack In Action – Stories and Examples

• Email phishing

– New paid time off policy and tracking system.

– Obtain false website address – Create a mirror image false website.

– Use employee directory from dumpster to email false link to website.

– Require Windows login to gain access.

– Ask employees to update paid time off balances and requests.

• Provide personal incentive to click the link.

Page 12

Fake Web Address Example

https://www.principal.com/

https://www.princlpal.com/
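The fake address above differs from the real one by a single swapped glyph (a lowercase L in place of an i). As an added example, not part of the presentation, the Python check below flags such lookalike domains against a constructed allow list (TRUSTED is an assumption for illustration), both by collapsing confusable characters and by edit distance:

```python
from __future__ import annotations
from urllib.parse import urlparse

# Glyph pairs that are hard to tell apart on screen, each mapped to one
# representative so that 'principal' and 'princlpal' collapse to the same
# string (a simplified version of the Unicode TR39 "skeleton" idea).
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o", "5": "s"}

# Constructed allow list for this example; a real deployment would load the
# organisation's own vendor and partner domains here.
TRUSTED = ["principal.com"]

def skeleton(name: str) -> str:
    """Canonical form in which confusable characters are identical."""
    name = name.lower()
    for src, dst in CONFUSABLES.items():
        name = name.replace(src, dst)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (one substitution, insertion or deletion per step)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(url: str) -> str:
    """Last two host labels, e.g. 'www.principal.com' -> 'principal.com'.
    Assumes a one-label public suffix; 'co.uk'-style suffixes need a suffix list."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify_url(url: str, trusted: list[str] = TRUSTED) -> tuple[str, str | None]:
    """Return ('trusted', d), ('lookalike', d) or ('unknown', None)."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        # Either the glyphs look the same, or the name is one keystroke away.
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 1:
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    for u in ("https://www.principal.com/", "https://www.princlpal.com/"):
        print(u, "->", classify_url(u))
```

The same check can run over the links in an inbound email before the message reaches a user's inbox.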

Page 13

Social Engineering Threats To Organizations

• Lack of Employee Awareness – 56%

• Phishing – 21%

• Criminals – 12%

• Other – 6%

• Vishing – 5%

Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading

Page 14

Risk of Falling for Social Engineering Attack

• New employees – 60%

• Contractors – 44%

• Executive assistants – 38%

• Human resources – 33%

• Business leaders – 32%

• IT personnel – 23%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 15

Mitigating A Social Engineering Attack

Social engineering attacks cannot be prevented—only mitigated and deterred.

• Policies

– Employees are not allowed to divulge information.

– Prevents employees from being socially pressured or tricked.

– Policies MUST be enforced to be effective.

• Training

– User awareness—user knows giving out information is bad.

Page 16

Mitigating A Social Engineering Attack

• Password management

• Physical security

• Network defenses may only temporarily repel attacks.

– Virus protection

– Email attachment scanning

– Firewalls, etc.

– Intrusion detection system and intrusion protection system

– Encrypted data at rest

• Security must be tested and updated periodically.

Page 17

Mitigating A Social Engineering Attack

• Third-party testing

– IMPORTANT! This is strictly intended to be a learning tool for the organization—not a punishment for individual employees.

– Have the third party attempt to acquire information from employees using social engineering techniques.

• Acquire information from external sources – website, marketing materials, trash and dumpsters in business parking lot.

• Attack strategically targeted areas of the organization.

– May include technical testing of malware and other abnormalities.

Page 18

Mitigating A Social Engineering Attack

• What a third-party tester should not and cannot do.

– Illegal examples from a pretexting perspective:

• Law enforcement

• Fire

• Paramedics

• Public safety personnel in general

• Military personnel

• Government official

Page 19

Third Party Social Engineering Testing

• Who should consider testing?

• Information security focused risk assessment

– Identify weaknesses and most valuable information and assets.

• Planning

– Scripts are fully documented and approved by management.

• Reporting

– Highly detailed, describing each step of testing and the results.

– Should not “name names”—not intended to implicate individuals.

• Follow-up training and consulting

– Assist in policy development and facilitate quarterly training.

Page 20

Develop Internal Programs

Information Security Program

The written plan created and implemented by the organization to identify and control risks to information and information systems and to properly dispose of information.

Security Awareness Program

Security awareness reflects an organization’s attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets.

Page 21

Weakest Link

• No matter how robust an organization’s . . .

– Firewalls,

– Intrusion detection systems,

– Anti-virus/malware software,

– Other technological and physical safeguards . . .

• The human is always the weakest link when dealing with security and protecting valuable information.

Page 22

Conclusion

• Good habits drive security culture, and there are no technologies that will ever make up for poor security culture.

• Awareness programs, when properly executed, provide knowledge that instills behavior.

• Social engineering testing is an effective method commonly used to assess the condition of the overall security culture.

It is better to fail a test in a controlled environment than to be attacked without knowing how much information will be lost.

Page 23

QUESTIONS?