Preventing Social Engineering Attacks
Kelly Corning, Julie Sharp

What is Social Engineering?
Human-based techniques: impersonation
Computer-based techniques: malware and scams

Why is Social Engineering Effective?
Manipulates legitimate users into undermining their own security system
Abuses trusted relationships between employees
Very cheap for the attacker
Attacker does not need specialized equipment or skills

Human-based techniques (impersonation): Help Desk, Third-Party Authorization, Tech Support, Roaming the Halls, Repairman, Trusted Authority Figure, Snail Mail
Computer-based techniques: Pop-up Windows, Instant Messaging and IRC, Email Attachments, Email Scams, Chain Letters and Hoaxes, Websites

Help Desk
Hacker pretends to be an employee
Recovers a “forgotten” password
Help desks often do not require adequate authentication
Targeted attack at someone who has information: access to assets, verification codes

Third-Party Authorization
Claim that a third party has authorized the target to divulge sensitive information
More effective if the third party is out of town

Tech Support
Hacker pretends to be tech support for the company
Obtains user credentials “for troubleshooting purposes”
Users must be trained to guard credentials

Roaming the Halls
Hacker dresses to blend in with the environment: company uniform, business attire
Looks for sensitive information that has been left unattended: passwords written down, important papers, confidential conversations

Repairman
Hacker wears the appropriate uniform
Often allowed into sensitive environments
May plant surveillance equipment
Could find sensitive information

Trusted Authority Figure
Hacker pretends to be someone in charge of a company or department
Similar to the “third-party authorization” attack
Examples of authority figures: medical personnel, home inspector, school superintendent
Impersonation in person or via telephone

Snail Mail
Hacker sends mail that asks for personal information
People are more trusting of printed words than of webpages
Examples: fake sweepstakes, free offers, rewards programs
More effective on older generations

Pop-up Windows
Window prompts user for login credentials
Imitates the secure network login
Users can check for visual indicators to verify security

Instant Messaging and IRC
Hacker uses IM or IRC to imitate the technical support desk
Redirects users to malicious sites
Trojan horse downloads install surveillance programs

Email Attachments
Hacker tricks user into downloading malicious software
Programs can be hidden in downloads that appear legitimate
Examples: executable macros embedded in PDF files; camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
Often the final extension is hidden by the email client
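As an added illustration of the camouflaged-extension point (this is example code written for this page, not material from the presentation or its sources), the following Python screens attachment filenames the way a mail gateway or a training exercise might: it determines the extension the operating system will actually act on, flags names whose real extension is executable while a document extension sits directly in front of it, and shows what a client that hides known extensions would display. The extension lists and sample filenames are constructed assumptions; the function names are this example's own.

```python
import os

# Constructed lists for this example; extend them to match your environment.
# Extensions that execute code when the user opens the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi", ".pif"}
# Extensions users associate with harmless documents.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".txt", ".jpg", ".png"}


def true_extension(filename):
    """The final extension, lower-cased: the one the operating system acts on."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename):
    """Approximate what a client that hides known extensions shows the user.

    'NormalFile.doc.exe' is displayed as 'NormalFile.doc', which is exactly why
    the camouflage works.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return stem
    return filename


def classify_attachment(filename):
    """Return 'ok', 'executable', or 'camouflaged' for an attachment name.

    'camouflaged': the real extension is executable, but a document extension
    sits directly in front of it, so a client that hides the final extension
    shows the user a document name.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return "ok"
    inner = os.path.splitext(stem)[1].lower()
    if inner in DOCUMENT_EXTENSIONS:
        return "camouflaged"
    return "executable"


def screen_attachments(filenames):
    """Map each name to (verdict, name as the user would see it)."""
    return {name: (classify_attachment(name), displayed_name(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["NormalFile.doc", "NormalFile.doc.exe", "Invoice.PDF.scr", "setup.exe", "notes.txt"]
    for name, (verdict, shown) in screen_attachments(sample).items():
        print(f"{name:22} shown as {shown:18} -> {verdict}")
```

The check deliberately ignores case, since `.SCR` opens exactly like `.scr`, and it judges only the final extension, because that is the only one the operating system uses. A name-based screen like this cannot see a macro inside a PDF; that needs content inspection, which the presentation's first example alludes to but this snippet does not attempt.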

Email Scams
More prevalent over time
Begins by requesting basic information
Leads to financial scams

Chain Letters and Hoaxes
More of a nuisance than a threat
Spread using social engineering techniques
Productivity and resource cost

Websites
Offer prizes but require a created login
Hacker capitalizes on users reusing login credentials
Website credentials can then be used for illegitimate access to assets

Preventing Social Engineering Attacks
Never disclose passwords
Limit IT information disclosed
Limit information in auto-reply emails
Escort guests in sensitive areas
Question people you don’t know
Talk to employees about security
Centralize reporting of suspicious behavior

Never Disclose Passwords
Remind employees to keep passwords secret
Don’t make exceptions. It’s not a grey area!

Limit IT Information Disclosed
Only IT staff should discuss details about the system configuration with others
Don’t answer survey calls
Check that vendor calls are legitimate

Limit Information in Auto-Reply Emails
Keep details in out-of-office messages to a minimum
Don’t give out contact information for someone else
Route requests to a receptionist

Escort Guests in Sensitive Areas
Guard all areas with network access: empty offices, waiting rooms, conference rooms
This protects against the “Repairman” and “Trusted Authority Figure” attacks
All employees should have appropriate badges

Question People You Don’t Know
Talk to people who you don’t recognize
Introduce yourself and ask why they are there

Talk to Employees About Security
Regularly talk to employees about common social engineering techniques
Always be on guard against attacks
Everyone should watch what they say and do

Centralize Reporting of Suspicious Behavior
Designate an individual or group
Social engineers use many points of contact: survey calls, presentations, help desk calls
Recognizing a pattern can prevent an attack
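To make the last point concrete, here is an added Python example (written for this page, not taken from the presentation or its sources) of the kind of correlation a central reporting point can do and individual employees cannot: each reported contact is logged with its channel and the department it approached, and a department that hears from two or more different channels within a short window is escalated. The report records, the 48-hour window and the department names are constructed assumptions; the function names are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports, as a central contact point might log them.
# Each one is a single contact that an employee thought odd enough to report.
SAMPLE_REPORTS = [
    {"time": "2013-03-20 09:15", "channel": "survey call", "target": "accounting",
     "note": "caller asked which remote-access product we use"},
    {"time": "2013-03-20 14:40", "channel": "help desk call", "target": "accounting",
     "note": "password reset requested for an employee said to be out of town"},
    {"time": "2013-03-21 10:05", "channel": "presentation", "target": "accounting",
     "note": "vendor demo ended with a request for a network diagram"},
    {"time": "2013-03-21 11:30", "channel": "survey call", "target": "facilities",
     "note": "caller asked about office hours"},
    {"time": "2013-03-28 16:00", "channel": "help desk call", "target": "facilities",
     "note": "routine printer issue"},
]


def parse_time(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamps used in the reports."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def find_patterns(reports, window_hours=48, min_channels=2):
    """Flag targets approached through several channels inside one time window.

    A single survey call or help desk call looks harmless on its own; the same
    department hearing from a survey caller, the help desk and a presenter
    within two days is the pattern only a central reporting point can see.
    """
    window = timedelta(hours=window_hours)
    by_target = defaultdict(list)
    for report in reports:
        by_target[report["target"]].append(report)

    findings = []
    for target, items in by_target.items():
        items.sort(key=lambda r: parse_time(r["time"]))
        # Slide a window starting at each report and collect what falls inside it.
        for i, first in enumerate(items):
            start = parse_time(first["time"])
            cluster = [r for r in items[i:] if parse_time(r["time"]) - start <= window]
            channels = {r["channel"] for r in cluster}
            if len(channels) >= min_channels:
                findings.append({
                    "target": target,
                    "first_contact": first["time"],
                    "channels": sorted(channels),
                    "reports": len(cluster),
                    "notes": [r["note"] for r in cluster],
                })
                break  # one escalation per target is enough
    return findings


if __name__ == "__main__":
    for finding in find_patterns(SAMPLE_REPORTS):
        print(f"{finding['target']}: {finding['reports']} contacts via "
              f"{', '.join(finding['channels'])} starting {finding['first_contact']}")
        for note in finding["notes"]:
            print("  -", note)
```

In the constructed data the accounting department is approached by three different channels inside about 25 hours and is escalated, while facilities receives two unrelated contacts a week apart and is not. The thresholds are the tunable part: a stricter `min_channels` cuts false alarms, a longer `window_hours` catches slower campaigns.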