Social Engineering Jero-Jewo

Social Engineering
• Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org

Case Study
• As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.
• Integrity and availability are important considerations for Duo when processing requests for changes.
• 99% of requests from clients come from known client contacts.

Case Study
• There is currently a communication process in place to receive and manage requests.
• How should we handle requests from contacts that are not known?

Real World
• New request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday.
• Request bounces around until it comes to the CTO.
• Requester is contacted and an inquiry is made about the need for FTP access.

Real World
• Contact explains that there is an immediate need to publish critical information about a recall on their site and they have hired a designer to make the updates to their site.

What happened next?
• Question identity of requester
• Question authenticity of request

What’s missing?
• We do not have a policy or process in place to confirm identity of contacts making requests
• We do not have a list of authorized contacts
• There is a service level agreement in place for managed hosting - but nothing defined about emergency requests from clients that do not have a services support contract in place

Next Steps
• Solve the problems!