social engineering – posing challenges to the thinking security professional 05 dec 2013
DESCRIPTION
Social engineering has, throughout history, been a lethal tool in the hands of the immorally minded. This activity targets human weakness, so no amount of hardware investment would deter such attempts. Upgrading the human capital in organizations therefore becomes all the more necessary. Social engineering exploits the natural human tendencies of trust and helpfulness. Lack of awareness among staff of the value of the information they possess also makes them complacent in protecting it. ‘Social engineering can be said to be an Art and Science of getting people to comply with your wishes. It is not a way of mind control, it will not allow you to get people to perform tasks wildly outside of their normal behavior and it is far from foolproof’ [David Harley 1997]. Humans are programmed to be social engineers from a very early age, as we are social beings. We like to know more about our friends and colleagues, or about what is happening in other organizations; the problem starts when the gathered information is used to manipulate. Social engineering has always been a silent killer, eating away at the vitals of organizations. Organizations which are affected usually never disclose such attempts, as disclosure would have disastrous consequences for the organization's reputation, with investors viewing it rather dimly. Because of this, practitioners of these skills keep at it. Social engineering is frequently overlooked, with organizations preferring to turn their attention to more visible or media-tracked risks. It is frequently viewed as a soft threat, due to which budget to combat it is rarely allocated. All these conditions in tandem assist the ‘bad guys’ in using psychological manipulation to subvert systems and personnel and compromise the data of individuals and organizations. The starting point for an organization in this battle is to recognize that the problem exists and requires addressing. That has been the genesis of this presentation.
TRANSCRIPT
Social Engineering – Posing Challenges To The Thinking Security Professional
Paul Devassy, CPP, Chairman ASIS Mumbai – India Chapter
December 12, 2013
Points to be covered
1. What does Social Engineering mean?
2. Practitioners through the ages
3. What are “Social engineers” looking for?
4. Human frailties
5. Who is at risk?
6. Cycle and Types of attack
7. What can we do?
8. Protection for us?
Disclaimer
All views expressed in this lecture are personal and are gathered from experiential information.
Examples quoted are just a means to emphasize a point and are in no way being judgemental of the person, actions or even events.
Definition of Social engineering
Merriam Webster's dictionary: “Management of human beings in accordance with their place and function in society, applied social science”
• "People inherently want to be helpful and therefore are easily duped"
• "They assume a level of trust in order to avoid conflict"
• "It's all about gaining access to information that people think is innocuous when it isn't"
Practitioners through the ages
What are they looking for?
Exploitation of Human frailties
Lack of training and awareness
Who is at risk?
Do the social engineers only target these types of people?
Or is everybody a potential target?
Cycle of an attack
Types of attacks
So what do we do?
Protection for us?
Protection 1
Protection 2
Training and awareness at all levels is a must
Questions?
Resources
Bibliography
Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics." December 18, 2001. URL: http://www.securityfocus.com/infocus/1527
searchSecurity.com Definitions, whatis.com, 2004. URL: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html
"Types of Social Engineering." NDPN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013. <http://www.npdn.org/social_engineering_types>
Mitnick, Kevin and Simon, William L. The Art of Deception. Wiley Publishing, 2002.
Information Security Policy and Disaster Recovery Associates, UK. URL: http://www.yourwindow.to/information-security/gl_dataclassification.htm
Wilson, Sam. "Combating the Lazy User: An Examination of Various Password Policies and Guidelines." Sept. 16, 2002. URL: http://www.sans.org/rr/papers/6/142.pdf
Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013. <http://community.spiceworks.com/how_to/show/666-best-practices-to-prevent-social-engineering-attacks>
Information, Network & Managed IT Security Services. "Social Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013. <http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/>
Mandia, Kevin & Prosise, Chris. Incident Response. McGraw-Hill, 2001.
Background Check International, LLC. URL: http://www.bcint.com/services.html
Harley, David. Refloating the Titanic: Dealing with Social Engineering Attacks.
Thank you!