social engineering: protecting yourself on the campus network

IT Services Open Forum Social Engineering Forum: Protecting Yourself on the Campus Network April 16, 2009


TRANSCRIPT


Page 2: Agenda

1. What is Social Engineering
2. Examples & Risks
   – Virus and other malware scams
   – Telephone calls
   – Unauthorized personnel visits
3. What technology is in place to help reduce risks
4. How you can avoid being a victim
5. What you should do if you are a victim
6. Questions and Answers

Page 3: What is Social Engineering

Social engineering is the act of manipulating people into performing actions or divulging confidential information. The term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access. In some cases, the hacker never comes face-to-face with the victim.

Page 4: What is Social Engineering

The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.

Page 5: What is Social Engineering

Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system.

Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.

Page 6: Examples

You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoffs". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.

What would you do?

Page 7: Examples

• Email from the help desk asking you for your password
• Email from your bank asking you for your account number
• Email from your email provider (such as Hotmail) asking you to verify your account information
• Phone call from your telephone company asking for your account information
• Floppy disk tossed in the trash that once contained confidential data (deleted data can be recovered with specialized software)

Page 8: Virus & Malware Attacks

Various past and current examples were given in the presentation. For examples, contact the CIU IT Help Desk.

Page 9: Risks

• Violation of data security policies and regulations (FERPA, PCI, federal, etc.), which may incur fines, embarrassment, or consequences for future business growth.
• Loss of financial resources.
• Compromise of donor information.
• Loss of personal information (anything done personally from your work computer, such as online banking).

Page 10: What IT has in place to help reduce risks

• The Help Desk is the first line of defense for all IT-related issues.
• Power-user accounts do not allow viruses to be installed on your local machine. However, this does not prevent an email account from being compromised, especially if the password is given out in response to an email.
• Password criteria as well as periodic password reset requirements.
• Data breach response plan.

Page 11: How do you avoid being a victim

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. Also be suspicious of emails requesting an action (such as clicking on an attachment).
   – Do not give or send passwords via email
   – Do not give passwords to co-workers or anyone else (especially those you do not know)
   – Do not allow anyone from IT to work on your computer or phone unless they are wearing an IT name badge
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don't send sensitive information over the Internet before checking a web site's security.
• Shred disks as well as other paper documents that once contained sensitive information.
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.

Page 12: What do you do if you think you are a victim

• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including the IT Help Desk (5199). Alert us immediately of any suspicious activity or email.
• If the breach involves a visitor, contact IT as well as Security immediately.
• Reset your password immediately (just the password suspected of being compromised).

Page 13: Questions and Answers

Q: How do you know if your site is secure?
A: Look for a small padlock in the lower right corner of your browser window (illustration below) or in the website address box (not on the actual site itself). Also look for HTTPS:// in the website address on secure sites instead of just HTTP://.

Q: Do I need to be concerned with a website that does not have a "log out" button?
A: Yes, a little. Sites that do not have a "log out" button may cache (or keep) your account open so that others can view your account by simply opening the web browser. A safe practice is to lock your computer when leaving, or to restart your computer to clear the session if a "log out" button is not available.