SOCIAL ENGINEERING PART IA: HOW SCAMMERS MANIPULATE EMPLOYEES TO GAIN INFORMATION

Upload: gyles-floyd

Post on 16-Jan-2016


Module 4 - Social Engineering - Part 1A

Social Engineering Part IA: How Scammers Manipulate Employees to Gain Information

When money or goods are stolen, somebody will notice they are gone.

When information is stolen, most of the time no one will notice because the information is still there.

2014 DHS IT Security & Privacy Training

What Is Social Engineering?
It's an art of manipulating people into saying or doing something that reveals confidential information or access to it.
It often involves tricking other people into breaking normal security procedures.
It relies on the natural helpfulness of people as well as on their weaknesses.
It is sometimes called a "con game."

Stopping Social Engineering
There is no technology in the world that can stop social engineering attacks.


Protecting DHS Sensitive Information
How do we protect DHS sensitive information?

How do you protect your personal information?

How Do We Protect Sensitive Information if Technology Can't?
Educate every employee on DHS security and privacy policies and procedures; this leads to social awareness.
Understand how attackers manipulate people to get information.
Learn appropriate and inappropriate behavior related to providing information.


The Problem Is Who Is Asking for Sensitive Information
We don't want to stop being helpful to coworkers or to customers.
So, we need specific verification procedures to use whenever anybody requests computer access or confidential information. That way we can be helpful to those who need information, and at the same time protect DHS information assets and computer systems.


How Attackers Take Advantage of Us
Social engineering = manipulation.
Attackers try to manipulate us to obtain our compliance with their requests for information.
There are several key methods attackers use to manipulate us to obtain information.

What It Boils Down To
By giving out information, we may unintentionally be giving manipulators information they should not have. This information may hurt DHS, DHS clients, or DHS employees.
Complying with inappropriate requests may also mean DHS employees lose personal information, including personal passwords.
This makes DHS vulnerable if employees use the same passwords at DHS and at home.

Manipulation Attacks Take Many Forms
We are most experienced with manipulation through email attacks, and we're not very good at foiling those.

But manipulation can take many forms, and the scammers are patient and willing to do whatever it takes to get the information they want.

How Social Engineers Attempt to Manipulate Us
These behaviors are used in the majority of manipulation attempts:

Behavior            Definition
Authority           People tend to listen to the advice of those in a position of authority.
Liking              People tend to say yes to those they like, and also to attractive people.
Reciprocation       Someone is given a "token" and feels compelled to take action.
Consistency         Certain behavior patterns are consistent from person to person.
Social Validation   Someone is compelled to do what everyone else is doing.

The next slides explain these behaviors and give examples of how they are used to manipulate us.
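The training makes two points that a help desk or mail-triage team can turn into a concrete check: every request for computer access or confidential information goes through a verification procedure no matter how it is phrased, and the behaviors in the table above (plus the urgency that usually accompanies them) are the cues that a request is being pushed rather than simply made. The Python below is an added illustration written for this page, not DHS material or code from the training; the cue phrases, the list of sensitive request types and the sample messages are all constructed here, and a real deployment would tune them against its own mail.

```python
"""Rule-based triage of inbound requests for social-engineering cues.

Added example, not part of the DHS training. All phrase lists and sample
messages are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Phrases that tend to accompany each behavior from the training's table,
# plus urgency, which attackers pair with them. Constructed list.
CUE_PATTERNS = {
    "authority": [r"\b(ceo|director|secretary|chief|auditor)\b",
                  r"\bon behalf of\b", r"\bper (our|the) policy\b"],
    "liking": [r"\bgreat (work|job)\b", r"\balways admired\b"],
    "reciprocation": [r"\bas a (thank you|favor)\b", r"\bgift card\b",
                      r"\bI (did|sent) you\b"],
    "consistency": [r"\bas (we|you) (agreed|discussed)\b", r"\blike last time\b"],
    "social_validation": [r"\beveryone else\b", r"\bthe rest of the team\b"],
    "urgency": [r"\burgent(ly)?\b", r"\bright away\b", r"\bwithin the hour\b",
                r"\bbefore (5|end of day)\b"],
}

# Request types the training says always get the verification procedure,
# regardless of how friendly or routine the message sounds. Constructed list.
SENSITIVE_REQUESTS = [
    r"\bpasswords?\b", r"\blogin\b", r"\bcredentials?\b", r"\bvpn\b",
    r"\b(create|reset)\b.*\baccount\b", r"\bsocial security\b", r"\bssn\b",
    r"\bdate of birth\b", r"\bmaiden name\b", r"\bphone list\b",
]


@dataclass
class Triage:
    cues: list        # behavior categories whose cue phrases were found
    sensitive: bool   # the message asks for access or confidential information

    @property
    def verdict(self) -> str:
        # Sensitive requests are verified no matter what the wording is;
        # a pile-up of pressure cues alone is worth a second look.
        if self.sensitive:
            return "verify_before_acting"
        if len(self.cues) >= 2:
            return "review"
        return "normal"


def triage(message: str) -> Triage:
    text = " ".join(message.split())  # collapse line breaks so phrases match
    cues = [name for name, patterns in CUE_PATTERNS.items()
            if any(re.search(p, text, re.IGNORECASE) for p in patterns)]
    sensitive = any(re.search(p, text, re.IGNORECASE) for p in SENSITIVE_REQUESTS)
    return Triage(cues=cues, sensitive=sensitive)


# Constructed sample messages, one per outcome the rules can produce.
SAMPLE_MESSAGES = [
    "This is the Director's office. I need the updated phone list and "
    "John's date of birth right away, before 5 today.",
    "Thanks for the help last week! Could you send me the VPN instructions again?",
    "Lunch menu for Thursday is attached.",
    "Everyone else on the team has already sent me their login, as we agreed. "
    "I got you a gift card as a thank you.",
    "Per the policy, the rest of the team already confirmed; please reply urgently.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(f"{result.verdict:22} cues={result.cues} "
              f"sensitive={result.sensitive}  <- {msg[:50]}...")
```

The second sample is the important one: it carries no pressure cues at all, yet it still lands in "verify_before_acting" because it asks for something sensitive. That mirrors the training's rule that the verification procedure applies to every such request, not only to the ones that feel pushy.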

The Manipulation Attack Process

The Manipulation Attack Process
Gather Information: Attackers use a variety of techniques to gather information about their targets, such as phone lists, Social Security numbers, dates of birth, mothers' maiden names, system designs or organizational structures/procedures. The gathered information will be used to build a relationship, however temporary, with someone connected to the eventual target.

Develop Relationship: It's human nature to be somewhat trusting. Attackers exploit this tendency to develop a rapport with their targets. In some cases, this takes place in a single phone call; in others, it can span weeks or longer. By developing a relationship, attackers place themselves in a position of trust, which can then be exploited.

The Manipulation Attack Process
Exploit Relationship: The attacker exploits the target into revealing information (e.g., passwords, credit card numbers or vacation schedules) or performing an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This information or action can be the end objective or can be used to stage the next attack/cycle of attack.

Use Information to Achieve Objective: The attacker uses the information to achieve the end objective. Often an attack can include a number of these cycles to achieve the end objective.

When in doubt, don't give it out.