Kelly Corning Julie Sharp Preventing Social Engineering Attacks
- Slides: 27
What is Social Engineering?
- Human-based techniques: impersonation
- Computer-based techniques: malware and scams

Why is Social Engineering Effective?
- Manipulates legitimate users into undermining their own security system
- Abuses trusted relationships between employees
- Very cheap for the attacker
- Attacker does not need specialized equipment or skills

Common Techniques
- Impersonation
  - Help Desk
  - Third-party Authorization
  - Tech Support
  - Roaming the Halls
  - Repairman
  - Trusted Authority Figure
  - Snail Mail

Common Techniques
- Computer-Based Techniques
  - Pop-up windows
  - Instant Messaging and IRC
  - Email Attachments
  - Email Scams
  - Chain Letters and Hoaxes
  - Websites

Impersonation: Help Desk
- Hacker pretends to be an employee
- Recovers a "forgotten" password
- Help desks often do not require adequate authentication

Impersonation: Third-party Authorization
- Targeted attack on someone who holds information, such as:
  - Access to assets
  - Verification codes
- Claim that a third party has authorized the target to divulge sensitive information
- More effective if the third party is out of town and cannot be asked to confirm

Impersonation: Tech Support
- Hacker pretends to be tech support for the company
- Obtains user credentials "for troubleshooting purposes"
- Users must be trained to guard their credentials

Impersonation: Roaming the Halls
- Hacker dresses to blend in with the environment
  - Company uniform
  - Business attire
- Looks for sensitive information that has been left unattended
  - Passwords written down
  - Important papers
  - Confidential conversations

Impersonation: Repairman
- Hacker wears the appropriate uniform
- Often allowed into sensitive environments
- May plant surveillance equipment
- Could find sensitive information

Impersonation: Trusted Authority Figure
- Hacker pretends to be someone in charge of a company or department
- Similar to the "third-party authorization" attack
- Examples of authority figures
  - Medical personnel
  - Home inspector
  - School superintendent
- Impersonation in person or via telephone

Impersonation: Snail Mail
- Hacker sends mail that asks for personal information
- People are more trusting of printed words than of webpages
- Examples
  - Fake sweepstakes
  - Free offers
  - Rewards programs
- More effective on older generations

Computer Attacks: Pop-up Windows
- Window prompts the user for login credentials
- Imitates the secure network login
- Users can check for visual indicators (the genuine login screen's layout and security indicators) before entering credentials

Computer Attacks: IM & IRC
- Hacker uses IM or IRC to imitate the technical support desk
- Redirects users to malicious sites
- Trojan-horse downloads install surveillance programs

Computer Attacks: Email Attachments
- Hacker tricks the user into downloading malicious software
- Programs can be hidden in downloads that appear legitimate
- Examples
  - Executable macros embedded in PDF files
  - Camouflaged extension: "Normal.File.doc" vs. "Normal.File.doc.exe"; the email client often hides the final extension, so the user sees only "Normal.File.doc"

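The camouflaged-extension trick works because the decision about how a file opens is made on the last extension, while the user is shown the name with that extension hidden. The following added example (not part of the slide deck) implements the check a mail gateway or help desk could run on attachment names: it reports the extension that will actually be used, what the user is likely to see, and flags the "document extension followed by an executable extension" pattern. The extension lists and the sample names are constructed for illustration; the "Normal.File.doc" pair is the deck's own example.

```python
import re

# Extensions that Windows or a mail client will execute rather than open as data.
# Constructed list for the example; extend it to match your environment.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "js", "vbs"}

# Extensions a recipient reads as "just a document" and tends to trust.
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}


def analyze_attachment_name(filename):
    """Classify an attachment by the extension that will actually be used to open it.

    A mail client that hides 'known' extensions shows the user everything before
    the last dot, so the verdict is based on the last extension. Returns a dict
    with the true extension, the name the user is likely to see, the findings and
    a verdict of 'allow', 'review' or 'block'.
    """
    stripped = filename.strip()
    parts = [p.strip().lower() for p in stripped.split(".")]
    exts = parts[1:]                        # everything after the base name
    true_ext = exts[-1] if exts else ""
    shown_ext = exts[-2] if len(exts) >= 2 else ""
    # What remains once the client hides the final extension.
    displayed_name = stripped.rsplit(".", 1)[0].rstrip() if exts else stripped

    findings = []
    if true_ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable")
        if shown_ext in DOCUMENT_EXTENSIONS:
            # 'Normal.File.doc.exe': a document extension hides an executable one.
            findings.append("camouflaged-double-extension")
    # Whitespace next to a dot ('invoice.pdf           .exe') pushes the real
    # extension out of view in a narrow attachment column.
    if re.search(r"\s\.|\.\s", filename):
        findings.append("whitespace-padding")

    if "executable" in findings:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "filename": filename,
        "true_extension": true_ext,
        "displayed_name": displayed_name,
        "findings": findings,
        "verdict": verdict,
    }


def triage(filenames):
    """Return the names in `filenames` that should not reach the user unchanged."""
    return [f for f in filenames if analyze_attachment_name(f)["verdict"] != "allow"]


if __name__ == "__main__":
    # Constructed sample attachment names; the first two are the deck's example.
    SAMPLE_NAMES = [
        "Normal.File.doc",
        "Normal.File.doc.exe",
        "invoice.pdf           .exe",
        "quarterly-report.pdf",
        "setup.exe",
    ]
    for name in SAMPLE_NAMES:
        r = analyze_attachment_name(name)
        print(f"{r['verdict']:6} {name!r:32} opens as .{r['true_extension'] or '?'} "
              f"shown as {r['displayed_name']!r} findings={r['findings']}")
```

The verdict is deliberately based only on the last extension; a gateway that compares the declared extension with the file's actual content type would catch more, but the name check alone already exposes the "hidden final extension" case the slide describes.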
Computer Attacks: Email Scams
- More prevalent over time
- Begins by requesting basic information
- Leads to financial scams

Computer Attacks: Chain Emails
- More of a nuisance than a threat
- Spread using social engineering techniques
- Cost in productivity and resources

Computer Attacks: Websites
- Offer prizes but require the user to create a login
- Hacker capitalizes on users reusing login credentials
- Website credentials can then be used for illegitimate access to assets

Best Practices
- Never disclose passwords
- Limit IT information disclosed
- Limit information in auto-reply emails
- Escort guests in sensitive areas
- Question people you don't know
- Talk to employees about security
- Centralize reporting of suspicious behavior

Never Disclose Passwords
- Remind employees to keep passwords secret
- Don't make exceptions
- It's not a grey area!

Limit IT Information Disclosed
- Only IT staff should discuss details of the system configuration with others
- Don't answer survey calls
- Check that vendor calls are legitimate

Limit Information in Auto-Reply Emails
- Keep details in out-of-office messages to a minimum
- Don't give out contact information for someone else
- Route requests to a receptionist

Escort Guests in Sensitive Areas
- Guard all areas with network access
  - Empty offices
  - Waiting rooms
  - Conference rooms
- This protects against the "Repairman" and "Trusted Authority Figure" attacks

Question People You Don't Know
- All employees should have appropriate badges
- Talk to people you don't recognize
- Introduce yourself and ask why they are there

Talk to Employees About Security
- Regularly talk to employees about common social engineering techniques
- Always be on guard against attacks
- Everyone should watch what they say and do

Centralize Reporting
- Designate an individual or group to receive all reports of suspicious contact
- Social engineers use many points of contact, so no single employee sees the whole picture
  - Survey calls
  - Presentations
  - Help desk calls
- Recognizing the pattern across those contacts can prevent an attack

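Centralizing reports only helps if someone actually looks for the pattern. The following added example (not part of the slide deck) shows the kind of correlation the designated reporting group could run over its log: reports are grouped by the subject the caller was probing, and a subject is flagged when reports about it arrive through two or more different points of contact within a short window. The log entries, the subject vocabulary and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of reports as a central security contact might log them.
# 'subject' is a short controlled label for what the caller was probing for.
SAMPLE_REPORTS = [
    {"when": "2013-01-05 11:40", "channel": "survey call", "reporter": "reception",
     "subject": "antivirus vendor", "note": "market survey asked which AV product we use"},
    {"when": "2013-03-04 09:15", "channel": "survey call", "reporter": "reception",
     "subject": "antivirus vendor", "note": "survey asked which AV product we use"},
    {"when": "2013-03-06 14:02", "channel": "help desk call", "reporter": "help desk",
     "subject": "antivirus vendor", "note": "caller 'from the vendor' asked for AV version"},
    {"when": "2013-03-10 10:30", "channel": "presentation", "reporter": "IT manager",
     "subject": "antivirus vendor", "note": "vendor pitch asked about our current AV contract"},
    {"when": "2013-03-07 16:10", "channel": "help desk call", "reporter": "help desk",
     "subject": "badge policy", "note": "caller asked how visitor badges are issued"},
    {"when": "2013-03-08 08:45", "channel": "help desk call", "reporter": "help desk",
     "subject": "badge policy", "note": "caller asked whether badges are checked at the dock"},
    {"when": "2013-03-09 12:00", "channel": "survey call", "reporter": "reception",
     "subject": "parking", "note": "survey about commuting habits"},
]


def _parse(when):
    return datetime.strptime(when, "%Y-%m-%d %H:%M")


def find_patterns(reports, window_days=14, min_channels=2):
    """Flag subjects probed through several points of contact in a short period.

    For each subject, reports are sorted by time and a sliding window of
    `window_days` is moved along them; the first window that contains at least
    `min_channels` distinct channels yields one pattern for that subject.
    A burst on a single channel (the 'badge policy' calls above) does not
    qualify on its own, and an isolated old report falls outside the window.
    """
    by_subject = defaultdict(list)
    for r in reports:
        by_subject[r["subject"]].append(r)

    window = timedelta(days=window_days)
    patterns = []
    for subject, items in by_subject.items():
        items.sort(key=lambda r: _parse(r["when"]))
        for i, first in enumerate(items):
            start = _parse(first["when"])
            cluster = [r for r in items[i:] if _parse(r["when"]) - start <= window]
            channels = sorted({r["channel"] for r in cluster})
            if len(channels) >= min_channels:
                patterns.append({
                    "subject": subject,
                    "channels": channels,
                    "count": len(cluster),
                    "first": cluster[0]["when"],
                    "last": cluster[-1]["when"],
                    "reporters": sorted({r["reporter"] for r in cluster}),
                })
                break  # one pattern per subject is enough to trigger a review
    return patterns


if __name__ == "__main__":
    for p in find_patterns(SAMPLE_REPORTS):
        print(f"{p['subject']}: {p['count']} reports via {', '.join(p['channels'])} "
              f"between {p['first']} and {p['last']} (reported by {', '.join(p['reporters'])})")
```

Each of the three "antivirus vendor" reports looks harmless to the person who received it; only the central log shows that reception, the help desk and the IT manager were all asked the same question within a week, which is exactly the pattern the slide says centralized reporting is meant to reveal.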