
PACE-IT, Security+3.3: Summary of Social Engineering Attacks

Date post: 15-Apr-2017
Upload: pace-it-at-edmonds-community-college
A summary of social engineering attacks.

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise, Industry Certifications

PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.


A summary of social engineering attacks.

– What makes social engineering effective.

– Types of social engineering attacks.

What makes social engineering effective.

The largest vulnerability in any system tends to be the people who have authorized access to the system itself.

Hackers often attempt to exploit this weakness in the system by applying social pressure to the people who have access to the system. It has been proven to be an effective means of breaching data security for many years, as it relies upon some well-known exploitation principles. In actuality, social engineering doesn’t require very much technology in order to be effective.

Even the NSA (National Security Administration) was proven to be vulnerable to social engineering attacks. It was the main method used by Edward Snowden to gather the illicit data he took from the organization.


– Reasons for effectiveness.

» Authority: the hacker impersonates an authority figure; the victim believes that he or she must comply with the authority.

• The impersonation can occur through email, over the phone, or even in person.

» Intimidation: the attacker uses a message that intimidates the victim; due to fear, the victim succumbs to the pressure.

» Consensus/social proof: the hacker presents some known facts as proof that he or she is telling the truth; the victim ends up trusting the attacker based on the social proof.

» Scarcity: the attacker persuades the victim that what is being offered is highly valued due to its scarcity.

• The target falls victim to human nature (usually greed)—the Nigerian Prince scam.


– Reasons for effectiveness continued.

» Urgency: the hacker imparts a sense of situational urgency; the victim feels like he or she has to act now to fix a situation.

• The message delivered may arrive via the telephone or email, but it always implies that action is required now in order to avert disaster.

» Familiarity/liking: the attacker either uses a friendly tone or inserts herself or himself into the workplace; the victims tend to like the attacker or feel that they can trust the attacker.

• This is one of the main methods Edward Snowden used to gain access to the information he took from the NSA.

» Trust: the hacker exploits our human nature to trust—either by appearing to need the victim’s help, or by offering to help the victim.

• By appearing to be the victim of an unfortunate situation, the attacker fools the victim into succumbing to the attack.

• The hacker may create a situation in which the victim appears to need the attacker’s help.

Types of social engineering attacks.

– Impersonation.

» Many social engineering attacks begin with the hacker using impersonation—the act of pretending to be somebody else.

• A common impersonation technique is where the attacker impersonates someone of perceived authority, causing the victim to feel as if he or she must comply.

• The attacker may impersonate someone who requires help; for example, the attacker pretends to be an end user who requires the assistance of a network administrator.

– Phishing.

» The hacker typically casts out a broad net of emails that appear to be from a trusted source (e.g., a well-known bank or Google) requesting that users click on a hyperlink.

• The hyperlink connects to a malicious website and, when the user inputs his or her credentials (as requested), the attacker then steals the user’s credentials.

» The phishing attack may employ the principles of authority and urgency in order to get the victim to respond.
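
Added example (not part of the original slides): a small mail-triage heuristic that flags the two phishing traits described above, a hyperlink whose visible text names one site while its target is another, and wording that leans on urgency or authority. The cue-word lists, the sample messages and the .test domains are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative cue words (assumption, not a vetted list).
URGENCY = ("immediately", "within 24 hours", "urgent", "suspended")
AUTHORITY = ("security team", "it department", "administrator", "compliance")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def registrable(host):
    # Naive last-two-labels comparison; production code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        m = DOMAIN_RE.search(shown)
        # Flag links that display one domain but lead to a different one.
        if m and host and registrable(m.group(1)) != registrable(host):
            findings.append(f"link-mismatch: text shows {m.group(1)}, href goes to {host}")
    body = " ".join(parser.text).lower()
    findings += [f"urgency: '{w}'" for w in URGENCY if w in body]
    findings += [f"authority: '{w}'" for w in AUTHORITY if w in body]
    return findings

# Constructed sample messages (not real mail).
SAMPLE = ('<p>From the Example Bank Security Team: your account will be suspended '
          'unless you verify immediately.</p>'
          '<a href="http://login.example-verify.test/session">www.examplebank.test</a>')
BENIGN = ('<p>Lunch menu attached.</p>'
          '<a href="https://intranet.example.test/menu">intranet.example.test</a>')
```

Findings like these are triage signals for a reviewer or a mail filter score, not a verdict; legitimate mail can also contain urgent wording.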


– Whaling.

» Very similar to a phishing attack; however, instead of casting a wide net in order to get a few responses, the hacker targets a whale or big fish—somebody with a lot to lose.

• The hacker specifically crafts the message(s) to suit the victim’s situation.

• The usual target is someone at the executive level of an organization.

– Vishing.

» A phishing attack that is conducted over the telephone (voice phishing).

– Hoax.

» Employs the principle of consensus/social proof in order to get the victim to perform an action.

• Most hoaxes are not targeted to a specific person or organization, but are crafted in order to cause disruption.

• Often, a hoax is perpetuated by users who don’t realize that it is a hoax.


– Shoulder surfing.

» A type of social engineering attack that relies upon the hacker being able to see the victim’s screen or keyboard.

• The hacker tries to steal confidential information (often a username and password) by watching the victim’s actions.

– Dumpster diving.

» The attacker goes through the trash of a person or organization in an effort to discover sensitive information.

• A cross-cut shredder is more effective than a strip-cut shredder (shredded material can actually be pieced back together).

– Tailgating.

» A social engineering attack that is usually used to bypass physical security.

• The attacker waits or times the approach to a secure area in order to enter right behind an authorized person.

• The victim of a tailgate attack may actually hold the door open for the attacker.

What was covered.

Topic: What makes social engineering effective.

Summary: The people with authorized access are often the largest vulnerability to any security that is put in place. Attackers exploit this weakness and rely upon several different principles to increase the effectiveness of their attacks. The principles include: authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust.

Topic: Types of social engineering attacks.

Summary: In reality, social engineering attacks do not rely upon technology as much as they rely upon human nature. The types of attacks used in social engineering include: impersonation, phishing, whaling, vishing, hoaxes, shoulder surfing, dumpster diving, and tailgating.


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.

