Social Engineering-Based Attacks: Model and New Zealand Perspective
By Lech Janczewski and Lingyan (René) Fu
The University of Auckland, New Zealand
2010 Proceedings of the International Multiconference on Computer Science and Information Technology
Presented by Brad Kaufmann
Road Map
• Introduction
• Background and Motivation
• Study Objectives
• Study Setup
• Analysis and Findings
• Summary
What is Social Engineering?
• Technique to gain access to confidential, proprietary, personal information
• Primarily human-based attack method
  – Impersonation
  – Dumpster diving
  – Shoulder surfing
  – Vishing
• Technology-based methods exist
  – Phishing
Why Use Social Engineering?
• Effectiveness of traditional hacking attacks has decreased
• Technological security solutions being adopted more and more
• Attackers turning to alternative methods
• Social engineering targets vulnerabilities of both people and technology
Background and Motivation
• Social engineering is overlooked because awareness is low
  – Lacks conceptual model
• Determine major aspects and constructs of social engineering
  – Identify relations between them
• Design case study to understand social engineering phenomenon
  – Gather insights from IT professionals
Background and Motivation [2]
[Figure: Conceptual Model of Major Aspects of Social Engineering-Based Attacks]
Study Objectives
• Explore significant entities and relations within social engineering attacks
  – People
  – Security awareness
  – Psychological weaknesses
  – Technology
  – Defenses
  – Attack Methods
Study Objectives [2]
• Five research questions:
  – What are existing security vulnerabilities which can be exploited by attacks? (RQ1)
  – What are the methods of attack? (RQ2)
  – What are the consequences of a successful attack? (RQ3)
  – What can be done to mitigate attacks? (RQ4)
  – What is New Zealand's perspective of attacks? (RQ5)
Study Setup
• Conducted 25 interviews with individuals with IT backgrounds and experiences
  – IT architect, IT consultant, IT educator, etc.
• Individuals from 17 different organizations
  – 7 local, 10 international
  – Cross-section of industries
    • Security advisory services, government, consulting firms, education, etc.
RQ1: Existing Vulnerabilities
• People are the weakest link
  – 64% lack understanding of security issues
  – 40% appearance can influence perceived trustworthiness
• Technology issues
  – 16% flaws in security design
  – 12% social engineering bypasses technical controls
  – 12% growing trend toward malicious misuse of technology products
RQ1: Existing Vulnerabilities [2]
• Security process issues
  – Social engineering depends on uncertainty
    • Putting processes into place works to minimize
  – 40% organizations had poor security processes because people issues were overlooked
RQ2: Methods of Attack
• Human-based
  – Based on deception in person or on phone
    • Impersonation, shoulder surfing, questionnaire, etc.
  – Phone attacks most widespread mode
    • Attacker can disguise voice
    • Easier for attacker to cover his/her tracks
• Technology-based
  – Trick users into believing they are using authentic computer systems
    • Popup windows, email attachments, phishing, etc.
RQ3: Consequences of Attack
• Primary damages
  – Breach of CIA (confidentiality, integrity, availability)
    • Gain authorized access to resources
    • Preparation and information gathering for attack
• Secondary damages
  – Reputation damage
  – Financial damage
RQ4: Mitigation Strategies
• Physical security properly implemented
  – Different control mechanisms based on security classification
• Proper technical controls
  – Multifactor authentication
• Security policy
  – Most important and effective element
  – Takes away uncertainty
  – Supplement with education and training
RQ5: New Zealand Perspective
• Shares similar trend with other countries
  – Technology adoption
  – Security risks
• Behind in awareness of security issues and implementation of countermeasures
• Insufficient understanding of security risks
  – 64% of survey participant responses
  – 28% due to lack of major security disasters
  – 44% due to high level of social trust
RQ5: New Zealand Perspective [2]
• Lack of well-defined security strategy
  – 40% of participant responses
  – 16% due to small country and small businesses
  – 20% due to lack of standards and legislation
  – 40% due to immature strategies that expose vulnerabilities that can be exploited
• Participant examples showed diversity and complexity
  – Need for multifaceted defense approach
Revised Conceptual Model
[Figure: Revised Conceptual Model of Major Aspects of Social Engineering-Based Attacks]
Summary
• Social engineering depends on uncertainty
  – Manipulates, influences people's actions
• Security strategy and policy is key to preventing social engineering
  – Eliminates uncertainty
• Advice
  – Do not give out passwords – Ever!
  – Be dubious of people who look suspicious
  – Do not hold doors open
Bibliography
• Lech Janczewski and Lingyan Fu, “Social Engineering-Based Attacks: Model and New Zealand Perspective”, Proceedings of the International Multiconference on Computer Science and Information Technology 2010, IEEE, Wisla, Poland, October 2010, pp. 847-853