social engineering, or hacking people
DESCRIPTION
DefCamp #5, Bucharest, November 29th. Just as a chain is only as strong as its weakest link, computer systems are only as secure as their weakest component, and that is rarely the technology itself; more often it is the people using it. This is precisely why it is usually easier to exploit people's natural inclination to trust than it is to find a way to break into the computer systems themselves. Social Engineering, the art of manipulating people into giving up confidential information, has been a hot topic for many years. This session discusses some of the most common Social Engineering techniques and their countermeasures.
TRANSCRIPT
![Page 1: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/1.jpg)
Social Engineering... or «Hacking People»
Tudor Damian, CEH, IT solutions specialist
www.tudy.tel
DefCamp #5 - Bucharest, November 28th, 2014
![Page 3: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/3.jpg)
![Page 4: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/4.jpg)
![Page 5: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/5.jpg)
![Page 6: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/6.jpg)
87% of small businesses and 93% of large organizations experienced a cyber security breach in the last year
Source: UK Government, Department for Business, Innovation and Skills (BIS)
http://bit.ly/tudydefcamp
![Page 7: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/7.jpg)
Most malicious attacks come from within an organization
Did you see this: http://bit.ly/tudydefcamp ?
![Page 8: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/8.jpg)
Timeline of discovery for cyber espionage attacks worldwide (2013)
• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%
Source: Verizon
http://bit.ly/tudydefcamp
![Page 9: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/9.jpg)
Cyber crime attacks experienced by US companies (June 2014)

| Attack type | Companies affected |
|---|---|
| Viruses, worms, trojans | 100% |
| Malware | 97% |
| Botnets | 76% |
| Web-based attacks | 61% |
| Malicious code | 46% |
| Phishing and social engineering | 44% |
| Malicious insiders | 41% |
| Stolen devices | 37% |
| Denial of service | 34% |

Source: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)
Go to http://bit.ly/tudydefcamp now
![Page 10: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/10.jpg)
So, what is Social Engineering?
http://bit.ly/tudydefcamp
![Page 11: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/11.jpg)
OSI Model – anything missing?
7 – Application layer
6 – Presentation layer
5 – Session layer
4 – Transport layer
3 – Network layer
2 – Data link layer
1 – Physical layer
Go to http://bit.ly/tudydefcamp now, ...please?
![Page 12: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/12.jpg)
OSI Model – revised
8 – Human layer
7 – Application layer
6 – Presentation layer
5 – Session layer
4 – Transport layer
3 – Network layer
2 – Data link layer
1 – Physical layer
http://bit.ly/tudydefcamp
![Page 13: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/13.jpg)
Social Engineering, or “Hacking People”
• The science of making people do what you want
• Attacks the most vulnerable layer in the OSI model
Really now, did you check out http://bit.ly/tudydefcamp ?
![Page 14: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/14.jpg)
Why are people vulnerable?
• False Assumptions
• If X is true, then Y is true; Y is true, therefore X must be true
• Logical Fallacies
• Incorrect arguments in logic and rhetoric, resulting in a lack of validity
• Cognitive Biases
• Patterns of deviation in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion
• Heuristics & Mental Shortcuts
• Used to speed up the process of finding a satisfactory solution via mental shortcuts
• e.g. using a rule of thumb, an educated guess, an intuitive judgment, stereotyping, profiling, common sense, etc.
• Eases the cognitive load of making a decision
http://bit.ly/tudydefcamp
![Page 15: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/15.jpg)
![Page 16: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/16.jpg)
Behaviors vulnerable to attacks
• The human tendency to trust is the basis of most SE attacks
• Ignorance about SE and its effects
• SE attackers may threaten losses or other consequences if the target does not comply with their request
• SE attackers lure the targets to divulge information by promising something for nothing
• Targets are asked for help and they comply out of a sense of moral obligation
Can't believe you haven't noticed this yet: http://bit.ly/tudydefcamp
![Page 17: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/17.jpg)
Technology doesn’t fix ignorance
http://bit.ly/tudydefcamp
![Page 18: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/18.jpg)
Types of Social Engineering
• Human-based Social Engineering
• Gathers sensitive information by interaction
• Attacks of this category exploit trust, fear and the helping nature of humans
• Computer-based or mobile-based Social Engineering
• SE carried out with the help of computers and/or mobile apps
http://bit.ly/tudydefcamp
Go. There. Now. http://bit.ly/tudydefcamp
![Page 19: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/19.jpg)
Human-based Social Engineering
• Posing as a legitimate end user
• Give identity and ask for sensitive information
• Posing as an important user
• Posing as a VIP of a target company, valuable customer, etc.
• Posing as technical support
• Call as technical support staff and request credentials to retrieve data
• Authority support
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Tailgating & Piggybacking
• Reverse SE (the target ends up asking the attacker for help)
• Sabotage: create, or pretend to have found, a problem
• Marketing: advertise yourself as the one who can fix it
• Tech Support: "fix" it, collecting credentials or access along the way
http://bit.ly/tudydefcamp
![Page 20: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/20.jpg)
Computer-based Social Engineering
• Spam Email
• Hoax/Chain Letters
• Instant Chat Messenger
• Pop-up Windows
• Phishing & Spear Phishing
• Publishing Malicious Apps
• Repackaging Legitimate Apps
• Fake Security Applications
Seriously now. http://bit.ly/tudydefcamp
![Page 21: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/21.jpg)
Common Social Engineering attacks
• Email from a friend
• May contain links/attachments with malicious software embedded
• Messages may create a compelling story or pretext
• Phishing attempts
• Email, IM, comment, text message appearing to come from a legitimate, popular company, bank, school, institution
• These messages usually have a scenario or story
• Explain there is a problem, notify you that you’re a “winner”, ask for help
• Baiting scenarios
• Persuasion
• Impersonation
• Response to a question you never asked
http://bit.ly/tudydefcamp
![Page 22: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/22.jpg)
Why are companies vulnerable to SE?
• Insufficient security training
• Easy Access to information
• Several Organizational Units
• Lack of security policies
• Detecting SE attacks is very difficult
• There’s no method to ensure complete security against all forms of SE attack
• There’s no specific software or hardware for defending against SE attacks
Such wow, much link: http://bit.ly/tudydefcamp
![Page 23: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/23.jpg)
SE attack against an organization - Phases
• Research on target company
• Dumpster diving, websites, employees, touring the company, etc.
• Select victim
• Identify the frustrated/gullible employees of the target company
• Develop relationship
• Develop relationships with the selected employees
• Exploit the relationship
• Collect sensitive account information, financial information and current technologies
http://bit.ly/tudydefcamp
![Page 24: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/24.jpg)
Potential impact on the organization
• Economic losses
• Loss of privacy
• Damage to goodwill
• Temporary or permanent closure
• Lawsuits and arbitrations
• etc.
You've got a smartphone, right? http://bit.ly/tudydefcamp
![Page 25: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/25.jpg)
Common targets of SE attacks
• Receptionists and Help Desk personnel
• Vendors of the target organization
• Users and clients
• Low-profile employees and staff
• Office workers
• Technical Support Executives
• System Administrators
http://bit.ly/tudydefcamp
![Page 26: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/26.jpg)
Insider attacks
• Spying
• If a competitor wants to damage your organization, steal critical secrets or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization
• Corporate Espionage
• Information theft & sabotage
• Revenge
• It takes only one disgruntled person to take revenge and your company may be compromised
• Insider Attack
• Most attacks occur “behind the firewall”
• An inside attack is easy to launch
• Prevention is difficult, thus the attack can easily succeed
• Financial gain is a potential reason
…or a laptop? You can pull out your laptop and go to http://bit.ly/tudydefcamp
![Page 27: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/27.jpg)
Protecting yourself from SE attacks
• Slow down
• Research the facts
• Delete any requests for financial information or passwords
• Reject requests for help or offers of help
• Lie to security questions and remember your lies
• Beware of any downloads
• Secure your devices
• Follow security policies
• Don’t let a link control where you land
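A small checker for the last point, "don't let a link control where you land", added here as an example and not part of the talk: it parses the anchors out of an HTML e-mail body and flags three of the tricks phishing mail relies on: link text that names one host while the href goes to another, punycode (xn--) hosts that can render as look-alike characters, and user@host URLs where the part before the @ reads as the site name but the real host is what follows it. The sample message, the hosts in it and the function names are constructed for this example.

```python
"""Flag e-mail links whose visible text and real destination disagree.

Added example, not from the talk. The sample e-mail and all hosts in it are
constructed; 203.0.113.0/24 is a documentation range.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of a URL; bare text like 'www.bank.example/login' is read as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """True if the link text claims a destination: a scheme, or a dotted host with no spaces."""
    t = text.strip()
    if not t or " " in t:
        return False
    return "://" in t or "." in t.split("/")[0]


def same_site(claimed, actual):
    """True when one host equals the other or is a subdomain of it (www.bank.example vs bank.example)."""
    return claimed == actual or actual.endswith("." + claimed) or claimed.endswith("." + actual)


def check_links(html):
    """Return [(href, visible_text, reason)] for every suspicious anchor in html."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parts = urlsplit(href)
        actual = (parts.hostname or "").lower()
        # http://bank.example@203.0.113.9/ : urlsplit treats 'bank.example' as userinfo
        if parts.username is not None:
            findings.append((href, text, f"userinfo before host; real host is {actual}"))
        # IDN hosts arrive as punycode; look-alike characters hide behind xn-- labels
        if actual.startswith("xn--") or ".xn--" in actual:
            findings.append((href, text, "punycode (xn--) host, possible homograph"))
        # visible text that names a host should match the host the href really goes to
        if looks_like_url(text):
            claimed = host_of(text)
            if claimed and not same_site(claimed, actual):
                findings.append((href, text, f"text names {claimed} but link goes to {actual}"))
    return findings


# Constructed sample phishing e-mail body (not a real message).
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please visit <a href="https://login.bank-example.co/">www.bank.example/login</a>
to confirm your details within 24 hours.</p>
<p>Or use <a href="http://bank.example@203.0.113.9/portal">our secure portal</a>.</p>
<p>Read the updated <a href="https://xn--bnk-example-7za.test/terms">terms</a>.</p>
<p>Questions? See <a href="https://www.bank.example/help">bank.example</a> or our
<a href="https://www.bank.example/help">Help center</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

The last two links in the sample are legitimate (text and href agree on the site) and produce no finding; the first three each trigger exactly one rule. The same checks are what a mail gateway or a careful reader applies by hovering over the link: compare where the text says you are going with where the href actually takes you.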
http://bit.ly/tudydefcamp
![Page 28: Social Engineering, or hacking people](https://reader034.vdocuments.site/reader034/viewer/2022042816/559b620b1a28ab025f8b47c7/html5/thumbnails/28.jpg)
http://bit.ly/tudydefcamp
Tudor Damian, CEH, IT solutions specialist
www.tudy.tel