Social Engineering By Pete Guhl and Kurt Murrell
Techniques
Phases of Social Engineering
- Very similar to how intelligence agencies infiltrate their targets
- Three-phase approach
  - Phase 1 - Intelligence Gathering
  - Phase 2 - “Victim” Selection
  - Phase 3 - The Attack
- Usually a very methodical approach
Phase 1 - Intelligence Gathering
- Primarily open-source information
  - Dumpster diving
  - Web pages
  - Ex-employees
  - Contractors
  - Vendors
  - Strategic partners
- The foundation for the next phases
Phase 2 - “Victim” Selection
- Looking for weaknesses in the organization’s personnel
  - Help desk
  - Tech support
  - Reception
  - Admin. support
  - Etc.
Phase 3 - The Attack
- Commonly known as the “con”
- Primarily based on “peripheral” routes to persuasion
  - Authority
  - Liking & similarity
  - Reciprocation
- Uses emotionality as a form of distraction
3 General Types of Attack
- Ego attacks
- Sympathy attacks
- Intimidation attacks
Intimidation Attacks
- Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
- Attempts to use that authority to coerce the victim into cooperation
- If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)
- If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed
Sympathy Attacks
- Attacker pretends to be a fellow employee (new hire), contractor, vendor, etc.
- There is some urgency to complete a task or obtain some information
- Needs assistance or they will be in trouble or lose their job, etc.
- Plays on the empathy and sympathy of the victim
- Attackers “shop around” until they find someone who will help
- Very successful attack
Ego Attacks
- Attacker appeals to the vanity or ego of the victim
- Usually targets someone they sense is frustrated with their current job position
- The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to systems or data
- Attacker may pretend to be law enforcement; the victim feels honored to be helping
- Victim usually never realizes
More Info on Attacks
- Attacks can come from anywhere, at any time
- Social engineering can circumvent current security practices - what good is a password if everyone has it?
- No one is immune - everyone has information about the company
Preventing Social Engineering
Training
- Warn users of imminent attack - users that are forewarned are less free with information
Training
- Define sensitive information
  - Passwords
  - DOB
  - Maiden names
  - Social Security number
  - Account numbers
  - Billing amounts
Training
- Users - passwords, phone numbers, other data
- System admins - tougher authentication protocol for password resets
Testing
- Users - reveal seemingly innocuous data?
- System admins - divulge network information?
- Helpdesk personnel - reset passwords on faulty authentication?
Removing the Weak Link
- Remove the user’s ability to divulge information
  - Remove all non-essential phones
  - Restrict to internal communications
  - Remove Internet access
  - Disable removable drives
  - Make false information accessible
Removing the Weak Link
- Forced strong authentication
  - Use secure software requiring strong authentication for password resets
  - Require callback to the user’s directory-listed number
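As an added example (not from the slides), a help-desk reset decision that applies the controls above and the testing points earlier in the deck: callback only to the directory-listed number, a second factor presented on that callback, and no exception for knowledge-based answers (DOB, maiden name) or for claimed urgency. The directory entry, phone number and one-time code are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory (hypothetical data): the phone number as listed in the
# company directory and the one-time code the user's enrolled second factor produces.
DIRECTORY = {
    "jdoe": {"listed_phone": "+1-555-0100", "otp": "482913"},
}

@dataclass
class ResetRequest:
    username: str
    callback_requested: Optional[str] = None   # number the caller asks to be called back on
    otp_on_callback: Optional[str] = None      # one-time code read back during the callback
    kba_answers: dict = field(default_factory=dict)  # DOB, maiden name, etc. offered by caller
    claims_urgent: bool = False                # "I'll lose my job if this isn't done now"

def decide_reset(req: ResetRequest, directory: dict = DIRECTORY) -> tuple[bool, str]:
    """Decide a help-desk password reset request.

    Returns (approved, reason). Knowledge-based answers never count as authentication,
    the callback goes only to the directory-listed number, a second factor must be
    presented on that callback, and claimed urgency does not relax any step.
    """
    entry = directory.get(req.username)
    if entry is None:
        return False, "unknown user: no reset"
    listed = entry["listed_phone"]
    # Caller-supplied numbers are ignored: a callback to a phone the caller chose proves nothing.
    if req.callback_requested and req.callback_requested != listed:
        return False, f"callback only to directory number {listed}, not {req.callback_requested}"
    # DOB, maiden name and account numbers are the data the deck lists as sensitive and
    # widely leaked; they are recorded for the audit trail, not trusted as proof of identity.
    if req.kba_answers and not req.otp_on_callback:
        return False, "knowledge-based answers alone are insufficient; strong auth required"
    if req.otp_on_callback != entry["otp"]:
        return False, "second factor failed on callback"
    note = " (urgency claim noted, no exception granted)" if req.claims_urgent else ""
    return True, f"reset approved after callback to {listed} and second factor{note}"
```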
Removing the Weak Link
- Secure protected doors
  - Employ guards
  - Use revolving door
  - Two-door checkpoint
  - Deploy CCTV to remote facility