Kelly Corning Julie Sharp Preventing Social Engineering Attacks

  • Slides: 27

What is Social Engineering?
• Human-based techniques: impersonation
• Computer-based techniques: malware and scams

Why is Social Engineering Effective?
• Manipulates legitimate users into undermining their own security controls
• Abuses trusted relationships between employees
• Very cheap for the attacker
• Attacker does not need specialized equipment or skills

Common Techniques
• Impersonation
  - Help Desk
  - Third-party Authorization
  - Tech Support
  - Roaming the Halls
  - Repairman
  - Trusted Authority Figure
  - Snail Mail

Common Techniques
• Computer-Based Techniques
  - Pop-up windows
  - Instant Messaging and IRC
  - Email Attachments
  - Email Scams
  - Chain Letters and Hoaxes
  - Websites

Impersonation: Help Desk
• Hacker pretends to be an employee
• Asks to recover a "forgotten" password
• Help desks often do not require adequate authentication before resetting it

Impersonation: Third-party Authorization
• Targeted attack on someone who has
  - Information
  - Access to assets
  - Verification codes
• Claims that a third party has authorized the target to divulge sensitive information
• More effective if the third party is out of town and cannot be reached to confirm

Impersonation: Tech Support
• Hacker pretends to be tech support for the company
• Asks for user credentials "for troubleshooting purposes"
• Users must be trained to guard credentials; legitimate support staff never need a user's password

Impersonation: Roaming the Halls
• Hacker dresses to blend in with the environment
  - Company uniform
  - Business attire
• Looks for sensitive information that has been left unattended
  - Passwords written down
  - Important papers
  - Confidential conversations

Impersonation: Repairman
• Hacker wears the appropriate uniform
• Often allowed into sensitive environments
• May plant surveillance equipment
• Could find sensitive information

Impersonation: Trusted Authority Figure
• Hacker pretends to be someone in charge of a company or department
• Similar to the "third-party authorization" attack
• Examples of authority figures
  - Medical personnel
  - Home inspector
  - School superintendent
• Impersonation in person or via telephone

Impersonation: Snail Mail
• Hacker sends mail that asks for personal information
• People are more trusting of printed words than of webpages
• Examples
  - Fake sweepstakes
  - Free offers
  - Rewards programs
• More effective on older generations

Computer Attacks: Pop-up Windows
• Window prompts the user for login credentials
• Imitates the legitimate network login
• Users should check the visual indicators (address bar, domain name, certificate) before typing credentials, and treat any unexpected login prompt as suspect

Computer Attacks: IM & IRC
• Hacker uses IM or IRC to imitate the technical support desk
• Redirects users to malicious sites
• Trojan horse downloads install surveillance programs

Computer Attacks: Email Attachments
• Hacker tricks the user into running malicious software
• Programs can be hidden in downloads that appear legitimate
• Examples
  - Executable content embedded in documents (Office macros, scripts in PDF files)
  - Camouflaged extension: "NormalFile.doc" vs. "NormalFile.doc.exe"; the final extension is often hidden by the operating system or email client, so the file appears to be a document
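
The camouflaged-extension trick above is mechanical enough to screen for at the mail gateway. The following Python is an added example written for this page, not code from the slides or from their cited sources. It generalizes the single "NormalFile.doc.exe" case to three camouflage patterns: a decoy document extension before the real one, whitespace padding that pushes the real extension out of view, and a Unicode right-to-left override that reverses how the tail of the name is displayed. The extension lists and the sample file names are constructed assumptions, not data from the presentation.

```python
import unicodedata

# Extensions a desktop OS will execute when the attachment is double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "ps1", "hta", "msi", "jar"}
# Extensions a recipient expects to be inert documents or images (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "jpg", "jpeg", "png", "gif"}


def analyze_filename(name):
    """Return the reasons `name` looks camouflaged; an empty list means it looks fine."""
    reasons = []

    # Unicode format characters (category Cf) include U+202E RIGHT-TO-LEFT OVERRIDE,
    # which makes "invoice<RLO>fdp.exe" render as "invoiceexe.pdf" in many clients.
    if any(unicodedata.category(c) == "Cf" for c in name):
        reasons.append("contains Unicode format/bidi control characters")
    visible = "".join(c for c in name if unicodedata.category(c) != "Cf")

    raw_parts = visible.lower().split(".")
    parts = [p.strip() for p in raw_parts]
    # Spaces around a dot ("report.pdf        .exe") push the real extension off-screen.
    if any(r != p for r, p in zip(raw_parts, parts)):
        reasons.append("whitespace padding around the extension")

    if len(parts) < 2:
        return reasons
    exts = parts[1:]
    real_ext = exts[-1]
    if real_ext in EXECUTABLE_EXTS:
        # "NormalFile.doc.exe": the decoy .doc is what the user sees when the
        # OS hides known extensions; the trailing .exe is what actually runs.
        decoys = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
        if decoys:
            reasons.append(f"double extension: shows as .{decoys[-1]} but runs as .{real_ext}")
        else:
            reasons.append(f"executable attachment: .{real_ext}")
    return reasons


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real incident.
    for sample in ["NormalFile.doc", "NormalFile.doc.exe", "archive.tar.gz",
                   "invoice\u202efdp.exe", "report.pdf" + " " * 30 + ".exe"]:
        print(repr(sample[:24]), analyze_filename(sample) or "ok")
```

The check works on the name the gateway sees, not the name the user sees, which is the point: every rule above targets a gap between the two. A benign multi-part name such as "archive.tar.gz" passes because its final extension is not executable.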

Computer Attacks: Email Scams
• Increasingly prevalent
• Begin by requesting basic information
• Lead to financial scams

Computer Attacks: Chain Emails
• More of a nuisance than a threat
• Spread using social engineering techniques
• Cost productivity and resources

Computer Attacks: Websites
• Offer prizes but require the user to create a login
• Hacker capitalizes on users reusing login credentials
• Harvested website credentials can then be used for illegitimate access to company assets

Best Practices
• Never disclose passwords
• Limit IT information disclosed
• Limit information in auto-reply emails
• Escort guests in sensitive areas
• Question people you don't know
• Talk to employees about security
• Centralize reporting of suspicious behavior

Never disclose passwords
• Remind employees to keep passwords secret
• Don't make exceptions
• It's not a grey area!

Limit IT Information Disclosed
• Only IT staff should discuss details of the system configuration with others
• Don't answer survey calls
• Check that vendor calls are legitimate: call back on a number you already have on file, not one the caller gives you

Limit Information in Auto-Reply Emails
• Keep details in out-of-office messages to a minimum
• Don't give out contact information for someone else
• Route requests to a receptionist

Escort Guests in Sensitive Areas
• Guard all areas with network access
  - Empty offices
  - Waiting rooms
  - Conference rooms
• This protects against the "Repairman" and "Trusted Authority Figure" attacks

Question people you don't know
• All employees should wear appropriate badges
• Talk to people you don't recognize
• Introduce yourself and ask why they are there

Talk to employees about security
• Regularly talk to employees about common social engineering techniques
• Always be on guard against attacks
• Everyone should watch what they say and do

Centralize Reporting
• Designate an individual or group to receive every report of suspicious contact
• Social engineers use many points of contact
  - Survey calls
  - Presentations
  - Help desk calls
• Recognizing a pattern across those contacts can prevent an attack that no single report would reveal
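
What "recognizing a pattern" looks like once reports actually land in one place: the Python below is an added example for this page, not code from the slides or their sources. It correlates individually unremarkable reports by the department they target and raises an alert only when several distinct contact channels hit the same target inside a time window, and it names any caller id that shows up on more than one channel. The report records, channel names, phone numbers, times and the 48-hour window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample reports, as the designated contact might log them.
# Numbers, times, departments and details are invented for illustration.
REPORTS = [
    {"time": "2013-03-26 09:10", "channel": "survey-call", "target": "finance",
     "caller": "+1-555-0100", "detail": "asked which antivirus and mail system we run"},
    {"time": "2013-03-26 10:45", "channel": "help-desk", "target": "finance",
     "caller": "+1-555-0100", "detail": "password reset for a manager who is travelling"},
    {"time": "2013-03-26 13:20", "channel": "front-desk", "target": "finance",
     "caller": "unknown", "detail": "repairman without a work order asked for the server room"},
    {"time": "2013-03-27 16:00", "channel": "help-desk", "target": "engineering",
     "caller": "+1-555-0199", "detail": "asked for the VPN address to work from home"},
]

TIME_FMT = "%Y-%m-%d %H:%M"


def correlate(reports, window_hours=48, min_channels=2):
    """Return one alert per target that was approached through at least
    `min_channels` distinct contact channels within any `window_hours` span.

    Each report alone looks like routine noise; the alert is the pattern."""
    window = timedelta(hours=window_hours)
    by_target = defaultdict(list)
    for r in reports:
        by_target[r["target"]].append((datetime.strptime(r["time"], TIME_FMT), r))

    alerts = []
    for target, items in sorted(by_target.items()):
        items.sort(key=lambda pair: pair[0])
        for start, _ in items:
            # Slide a window forward from each report and look at what falls inside it.
            cluster = [r for t, r in items if start <= t <= start + window]
            channels = {r["channel"] for r in cluster}
            if len(channels) < min_channels:
                continue
            # A caller id seen more than once in the cluster is the strongest single signal.
            callers = Counter(r["caller"] for r in cluster if r["caller"] != "unknown")
            alerts.append({
                "target": target,
                "channels": sorted(channels),
                "reports": len(cluster),
                "repeat_callers": sorted(c for c, n in callers.items() if n > 1),
            })
            break  # one alert per target is enough to trigger a warning
    return alerts


if __name__ == "__main__":
    for alert in correlate(REPORTS):
        print(f"warn {alert['target']}: {alert['reports']} contacts via "
              f"{', '.join(alert['channels'])}; repeat callers: "
              f"{', '.join(alert['repeat_callers']) or 'none'}")
```

On the sample data the three finance contacts (a survey call, a help desk call and a walk-in) each pass as normal business in isolation, but together they trigger one alert for finance, while the lone engineering call does not. Shrinking the window or raising `min_channels` silences the alert, which is the knob an organization tunes against its own volume of benign reports.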
