Social Engineering
UTHSC Information Security Team
TRANSCRIPT
What is Social Engineering?
• Attacker uses human interaction to obtain or compromise information
• Attacker may appear unassuming or respectable
o Pretend to be a new employee, repairman, etc.
o May even offer credentials
• By asking questions, the attacker may piece together enough information to infiltrate a company's network
o May attempt to get information from many sources
What is Social Engineering…
At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.
Psychological manipulation
Trickery or Deception for the purpose of information gathering
What is Social Engineering…
• It is a way for criminals to gain access to information systems.
• The purpose of social engineering is usually to secretly install spyware, other malicious software or to trick persons into handing over passwords and/or other sensitive financial or personal information
What is Social Engineering…
Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by social engineering.
“Most employees are utterly unaware that they are being manipulated,” says Colin Greenlees, security and counter-fraud consultant at Siemens.
Types of Attacks
• Phishing
• Impersonation on help desk calls
• Quid Pro Quo - Something for something
• Baiting
• Pretexting
• Invented Scenario
• Diversion Theft - A con
• Physical access (such as tailgating)
• Shoulder surfing
• Dumpster diving
• Stealing important documents
• Fake software
• Trojans
Phishing
• Use of deceptive mass mailing
• Can target specific entities ("spear phishing")
• Prevention:
o Honeypot email addresses
o Education
o Awareness of network and website changes
Impersonation on help desk calls
• Calling the help desk pretending to be someone else
• Usually an employee or someone with authority
• Prevention:
o Assign PINs for calling the help desk
o Don't perform an action just because a caller orders it
o Stick to the scope of the help desk
Quid Pro Quo
Something for Something
o Call random numbers at a company, claiming to be from technical support.
o Eventually, you will reach someone with a legitimate problem
o Grateful you called them back, they will follow your instructions
o The attacker will "help" the user, but will really have the victim type commands that allow the attacker to install malware
Baiting
o Uses physical media
o Relies on greed/curiosity of the victim
o Attacker leaves a malware-infected CD or USB drive in a location sure to be found
o Attacker puts a legitimate or curious label on it to gain interest
o Ex: "Company Earnings 2009" left at the company elevator
Curious employee/Good Samaritan picks it up
User inserts media and unknowingly installs malware
Pretexting
Invented Scenario
o Prior research/setup used to establish legitimacy
o Gets the victim to give information they would normally not divulge
o This technique is used to impersonate authority, etc.
Using prepared answers to the victim's questions
Other gathered information
o Ex: Law enforcement: threat of an alleged infraction to detain a suspect and hold for questioning
Pretexting Real Example:
• Signed up for Free Credit Report
• Saw Unauthorized charge from another credit company
o Called to dispute charge and was asked for Credit Card Number
They insisted it was useless without the security code
o Asked for Social Security number
• Talked to Fraud Department at my bank
Diversion Theft
A Con
o Persuade the delivery person that the delivery is requested elsewhere - "Round the Corner"
o When the delivery is redirected, the attacker persuades the delivery driver to unload the delivery near the address
o Ex: Attacker parks a security van outside a bank. Victims going to deposit money into the night safe are told that the night safe is out of order. Victims then give money to the attacker to put in the fake security van
o Most companies do not prepare employees for this type of attack
Physical access
• Tailgating
• Ultimately obtains unauthorized building access
• Prevention:
o Require badges
o Employee training
o Security officers
o No exceptions!
Shoulder surfing
• Someone can watch the keys you press when entering your password
• Probably less common
• Prevention: Be aware of who's around when entering your password
Dumpster diving
• Looking through the trash for sensitive information
• Doesn't have to be dumpsters: any trashcan will do
• Prevention:
o Easy secure document destruction
o Lock dumpsters
o Erase magnetic media
Stealing important documents
• Can take documents off someone's desk
• Prevention:
o Lock your office
o If you don't have an office: lock your files securely
o Don't leave important information in the open
Fake Software
• Fake login screens
• The user is aware of the software but thinks it's trustworthy
• Prevention:
o Have a system for making real login screens obvious (personalized key, image, or phrase)
o Education
o Antivirus (probably won't catch custom-tailored attacks)
Trojans
• Appears to be useful and legitimate software before running
• Performs malicious actions in the background
• Does not require interaction after being run
• Prevention:
o Don't run programs on someone else's computer
o Only open attachments you're expecting
o Use an antivirus
Weakest Link?
• No matter how strong your:
o Firewalls
o Intrusion Detection Systems
o Cryptography
o Anti-virus software
• YOU are the weakest link in computer security!
o People are more vulnerable than computers
• "The weakest link in the security chain is the human element" -Kevin Mitnick
General Safety
• Before transmitting personal information over the internet, check the connection is secure and check the url is correct
• If unsure if an email message is legitimate, contact the person or company by another means to verify
• Be paranoid and aware when interacting with anything that needs protecting
o The smallest piece of information could compromise what you're protecting
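The Phishing slide lists prevention only as honeypot addresses, education and awareness, and the General Safety advice is to "check the connection is secure and check the url is correct" before sending anything. The following Python function is an added example, not part of the original UTHSC presentation: it applies the link checks a reader should make before clicking, and flags the tricks phishing mail uses to pass them (non-https links, a trusted name buried inside another domain, a lookalike spelling, a user@host prefix that hides the real host, raw IP addresses, punycode hosts, and link text that names a different host than the target). It assumes uthsc.edu as the only trusted domain (the presenter's own domain, chosen here as an assumption), and the confusable-character table and sample links are constructed and deliberately small.

```python
"""Added example: heuristic checks on a link before trusting it.

Not part of the original presentation. TRUSTED_DOMAINS is an assumption
(the presenter's own domain); the confusable table is a small constructed
sample, not a complete homograph list.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the only domain the reader should be logging in to.
TRUSTED_DOMAINS = ("uthsc.edu",)

# Constructed sample of characters attackers swap to build lookalike hosts.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

# Matches link text that looks like a URL or bare hostname, e.g. "security.uthsc.edu/x".
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def registrable(host):
    """Crude registrable domain: the last two labels (enough for .edu/.com examples)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def fold_confusables(label):
    """Normalise lookalike characters so that uth5c.edu folds to uthsc.edu."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def check_link(href, display_text=None, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a link; an empty list means no red flag was found.

    display_text is the clickable text the reader saw (None if not known).
    """
    warnings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    # "check the connection is secure": anything but https is a warning
    if parts.scheme != "https":
        warnings.append(f"not https: scheme is {parts.scheme!r}")
    if not host:
        warnings.append("no hostname in link")
        return warnings

    # https://uthsc.edu@evil.example/ : the real host is the part after '@'
    if parts.username is not None:
        warnings.append(f"text before '@' hides the real host {host!r}")

    # Bare IP addresses are rarely used by legitimate login pages
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # Internationalised labels are encoded as xn--...; a classic homograph vector
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible homograph attack)")

    # "check the url is correct": is this really our domain?
    if not is_trusted(host, trusted):
        buried = [d for d in trusted if d in host]  # e.g. uthsc.edu.evil.example
        if buried:
            warnings.append(f"{buried[0]!r} appears inside untrusted host {host!r}")
        elif any(fold_confusables(registrable(host)) == fold_confusables(d) for d in trusted):
            warnings.append(f"lookalike of a trusted domain: {host!r}")  # e.g. uth5c.edu
        else:
            warnings.append(f"host {host!r} is not a trusted domain")

    # Link text that names one host while the href goes to another
    if display_text:
        m = _URLISH.match(display_text.strip())
        if m and m.group(1).lower() != host:
            warnings.append(f"link text shows {m.group(1).lower()!r} but points at {host!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email
    samples = [
        ("https://security.uthsc.edu/training", None),
        ("http://uthsc.edu.evil.example/login", "https://security.uthsc.edu/login"),
        ("https://uth5c.edu/reset", "Reset your password"),
        ("https://uthsc.edu@203.0.113.5/", None),
    ]
    for href, text in samples:
        print(href, "->", check_link(href, text) or "no red flags")
```

The checks are deliberately heuristic: an empty result means none of these known tricks was seen, not that the link is safe, which is why the slides still tell you to verify by another channel when unsure. The lookalike test folds only the registrable part of the host, so a legitimate subdomain such as security.uthsc.edu is not mistaken for a fake.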
Ways to Prevent Social Engineering
Training
• User Awareness
o User knows that giving out certain information is frowned upon
o Complete Information Security Training
Policies
• Employees are not allowed to divulge private information
• Prevents employees from being socially pressured or tricked…
Ways to Prevent Social Engineering (cont.)
• 3rd party test - Ethical Hacker
o Have a third party come to your company and attempt to hack into your network
o 3rd party will attempt to glean information from employees using social engineering
o Helps detect problems people have with security
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information
• Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified
Responding…
• You've been attacked: now what?
• What damage has been done? What damage can still be done?
• Has a crime actually taken place?
Report the incident or event IMMEDIATELY!
Take responsibility and be honest
Contact UTHSC Help Desk
Summary
• Be suspicious.
• Think about motivation when revealing information.
• Verify identity.
• Be careful what you click on.
• No one will catch everything – Be willing to ask for help. IMMEDIATELY Contact your UTHSC Information Security Team!
Security is Everyone's Responsibility – See Something, Say Something!
UTHSC Information Security Team
L. Kevin Watson
(901) 448-7010
Frank Davison
(901) 448-1260
Jessica McMorris
(901) 448-1579
Ammar Ammar
(901) 448-2163
• Information Security Email: [email protected]
• Website: security.uthsc.edu
• To report phishing and spam email forward it to [email protected]
• UTHSC Help Desk: (901) 448-2222 ext. 1 or [email protected]