Date posted: 28-Mar-2015
Uploaded by: jose-chacko
Social engineering techniques bypass technology-based security.
The best firewall is useless if the person behind it gives away either the access codes or the information it is installed to protect.
"The weakest link in the security chain is the human element" – Kevin Mitnick, Mitnick Security Consulting
Notorious Hacks
1. Getting free bus rides in Los Angeles, California
2. Hacking into private DEC systems to view unreleased source code
3. Evading the FBI by using fake identities
4. Hacking into IBM, Motorola, Nokia and Sun computer systems
Kevin Mitnick
Kevin Mitnick is a convicted computer hacker who spent five years in prison for computer crimes. Mitnick currently runs Mitnick Security Consulting.
Fast Facts
1. Born: October 6, 1963
2. Birthplace: Los Angeles, California
3. Released from prison on January 21, 2000
4. His official website has been the victim of many hackers wanting to prove themselves
5. Has had two movies based around the events: Takedown and Freedom Downtime
History
Kevin Mitnick began his long history with hacking by bypassing the ticketing system for the Los Angeles bus system. From there, he branched out into various other forms of hacking, including social engineering. Mitnick first gained unauthorized access to a computer system in 1979 after he hacked into the Digital Equipment Corporation's computer network and caused a reported $160,000 in damages. This act brought the first of his many run-ins with law enforcement. For his actions, he was later convicted of computer crimes and given a five-year jail sentence. He was released on January 21, 2000, and was not allowed to use any communication technology for three years as part of the terms of his probation. He fought this ruling and was eventually allowed access to the internet. Mitnick now runs Mitnick Security Consulting, a company that provides security services for corporations.
What is "FRAUD"?
• The art of manipulating and deceiving people
• Intentional misrepresentation or concealment of information in order to deceive or mislead
• Intentional deception made for personal gain or to damage another entity
[Diagram: Fraud → information → Victim → Social engineering techniques]
TYPES OF FRAUD
WHITE COLLAR CRIMES – FRAUD INCLUDES:
• Fraudulent financial statements
• Misappropriation of assets
• Expenditure and liability incurred for illegal purposes
• Manipulation of revenues and expenditures
Fraudulent financial reporting – cooking the books:
• Earnings management
• Improper revenue recognition
• Overstatement of assets
• Understatement of liabilities
• Fraudulent journal entries
• Round-trip or "wash" trades
Misappropriation of assets:
• Billing schemes
• Collusion
• Concealment
• Embezzlement
• Forgery
• Ghost employees
• Kiting
• Lapping
• Larceny
• Misapplication
• Payroll fraud
• Theft
Illegal expenditures and liabilities:
• Bribes
• Conflicts of interest
• Kickbacks
• Concealment
• Money laundering
Manipulation of expenditure and revenues:
• Concealment
• Scams
• Tax fraud
Impact of Fraud
• Actual loss of money
• Loss of consumer confidence
• Loss of trust
• Loss of market share / business
• Loss of employee benefits
Not only measured in monetary terms…
Information
"Information is the highest value commodity for the new millennium" – Futurist Alvin Toffler
Information hacking:
• Individual level
• Corporate level
• Country level – espionage: industrial, economic
SOCIAL ENGINEERING
Definition
• "Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information" – Wikipedia
SOCIAL ENGINEERING
Definition
• Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders
Definition
• Psychologically manipulating people into giving the attacker access, or the information necessary to get access, using a variety of schemes
SOCIAL ENGINEERING
Features
• Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task
• Social engineering is normally quite successful because most victims want to trust people and provide as much help as possible
• Social engineering itself is not a technological problem, but it does have a technological solution
Social Engineering attacks
Social engineering attacks don't have to involve the use of technology.
Social engineering attacks typically originate from one of three zones:
• Internal – employees
• Trusted – consultants
• External – hackers
Social Engineering Techniques generally used in an IT environment
• Impersonating IT staff
• Playing on users' sympathy
• Making close relations with targets
• Intimidation tactics
• The greed factor
• Creating confusion
• Shoulder surfing
• Dumpster diving
• Gone phishing
• Reverse (social) engineering
Impersonating IT staff
• Pretend to be someone from inside the company, often a member of the IT department.
• Good social engineers will do their homework and find out the names of real members of the IT department.
• They'll even find a way to place the call from inside the company, or have a plausible excuse for why it's coming from outside (for example, saying that they're troubleshooting the problem from the company's headquarters or its special "central IT center").
Is it true?
In fact, there's rarely any reason a real IT administrator would need to know a user's password. If administrators need to get into a user's account, they can simply use their administrative privileges to change the password to whatever they want and access the account that way. Asking users for their passwords usually indicates either an administrator who doesn't know the job or a social engineering attempt.
Playing on users' sympathy
Another favorite tactic of social engineers is to elicit sympathy from a user to get him or her to reveal password information or allow physical access to sensitive servers. For example, the social engineer may pretend to be a worker from outside, perhaps from the phone company or the company's Internet service provider. He tells the secretary who has the key to the server room that he's new on the job and supposed to be back at the office in an hour, and he just needs to check out some wiring very quickly. Or he pretends to be with the ISP and tells the user he calls that he has messed up her account and if he doesn't get it fixed right away he'll lose his job, and of course he needs her password to do it. Whatever the story, the social engineer appears to be upset, worried, and afraid of some dire consequence that will befall him if the target victim doesn't help.
Naturally, most people want to help a person who's in trouble.
Making close relations with targets
Some social engineers will go to great lengths to pry information out of a user, especially if the stakes are high (e.g., in cases of corporate espionage where the social engineer stands to gain a big financial reward for getting into the network). They'll engage in elaborate, long-term schemes that include slowly becoming close friends with their target victims, or even initiating and developing a romantic relationship, to get to the point where the victim trusts the social engineer enough to reveal confidential information, including network passwords and other information needed to break in. This may also make it possible for the social engineer to gain access to keys, smart cards, etc., that can be used to defeat security mechanisms.
Intimidation tactics
Some victims don't respond well to the sympathy tactic or romantic overtures. In that case, social engineers may need to turn to stronger stuff: intimidation. Here the social engineer pretends to be someone important: a big boss from headquarters, a top client of the company, an inspector from the government, or someone else who can strike fear into the heart of regular employees. He or she comes storming in, or calls the victim up, already yelling and angry. They may threaten to fire the employee if they don't get the information they want, even if the employee protests that company policy says not to divulge that information to anyone. It takes a very strong person to say "no" to the (supposed) boss, or to risk losing the company a big contract or getting the company in trouble with the government.
The greed factor
Regardless of the approach, the bottom line is that the social engineer promises the employee some benefit, financial or otherwise (for example, a better-paying job with a competing company), if he or she divulges the requested information.
Creating confusion
Another ploy involves first creating a problem and then taking advantage of it. It can be as simple as setting off a fire alarm so that everyone will vacate the area quickly, without locking their computers. Social engineers can then use a logged-on session to do their dirty work by implanting Trojans and so on.
Shoulder surfing
Shoulder surfing is a form of "passive" social engineering in which social engineers put themselves in a position to observe when the victim is typing in passwords or other confidential information. They may do this without the victim's knowledge that they're there, or they may use their people skills to win the victim's trust so that the victim doesn't mind their being there.
Dumpster diving
• Remember to SHRED before you TOSS…
Dumpster diving is a form of social engineering that predates computers. The social engineer goes through the victim's trash can or the company's dumpster, in this case looking for hard copies of information that can be used to break into the network. The social engineer may pose as a janitor to get access to discarded papers, diskettes, discs, etc., that are supposed to be taken to a central shredding or incineration facility.
Gone phishing
The well-publicized Internet scam called "phishing" is a type of social engineering, often done via e-mail rather than in person. (However, phishing scams can also be conducted by snail mail or telephone.) Traditional phishers pretend to represent a company with which the victim does business, often requesting that the victim go to a Web site that looks like the site of the company they claim to represent. (In reality, the site belongs to the phisher.) The victim enters a password and other information on the site, and it goes directly to the phisher, who then uses it for nefarious purposes. A clever social engineer who wants to break into your network might create a site that purports to be set up by the IT department for the purpose of confirming or changing the user's network password. The information is redirected to the phisher, providing a "free pass" to log onto your network.
Reverse (social) engineering
An even sneakier method of social engineering occurs when a social engineer gets others to ask him or her questions instead of questioning them. These social engineers usually have to do a lot of planning to pull it off, placing themselves in a position of seeming authority or expertise. This often involves creating a problem with the network hardware or software (or the appearance of a problem) and then showing up as the expert who can fix it (and who gets full access to the systems to make the repairs).
Fight against Social Engineers
Unlike other threats, social engineering cannot be combated by technical means.
• Education and training – users will recognize attacks and prevent them
• Establishing good security policies – detect when someone is accessing information they shouldn't be
• Use of technology – firewalls, anti-virus programs, spam filters
• Keeping up to date with the news
• Testing and monitoring – test e-mail spam filters, monitor employees in a business
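The "Is it true?" note on the IT-impersonation slide (a real administrator never needs to be told a user's password) and the phishing slide (a lookalike site posing as the IT department's password page) both describe signals that the "test e-mail spam filters" item in this list can check for. The script below is an added example written for this page, not code from the original deck: it scans a few constructed e-mails for three of those signals, a Reply-To domain that differs from the sender's, a sender or link whose domain imitates a trusted one (within edit distance 2, or with the trusted name embedded in a longer untrusted host), and wording that asks the recipient for a password. The trusted domains, the phrase list and the sample messages are all assumptions made up for the example.

```python
import re
from urllib.parse import urlparse

# Domains the organisation legitimately uses (constructed for this example).
TRUSTED_DOMAINS = ("example-bank.com", "corp.example")

# Wording a real IT department has no reason to send: admins reset passwords,
# they never need to be told one (constructed list).
CREDENTIAL_REQUEST_PHRASES = (
    "confirm your password",
    "verify your password",
    "enter your password",
    "send us your password",
    "reply with your password",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(hostname):
    """Approximate the registrable domain as the last two labels (a simplification)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def domain_indicators(hostname):
    """Indicators for a host that is not trusted but imitates a trusted domain."""
    host = hostname.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(reg, trusted) <= 2:
            findings.append(f"lookalike domain {host} (near {trusted})")
        elif trusted in host:
            findings.append(f"trusted name {trusted} embedded in untrusted host {host}")
    return findings


def analyse_message(msg):
    """Return the list of phishing indicators found in one message dict."""
    indicators = []
    sender_dom = msg["from"].rsplit("@", 1)[-1].lower()
    reply_dom = msg.get("reply_to", msg["from"]).rsplit("@", 1)[-1].lower()
    if reply_dom != sender_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")
    indicators.extend(domain_indicators(sender_dom))
    for url in URL_RE.findall(msg["body"]):
        indicators.extend(domain_indicators(urlparse(url).hostname or ""))
    lowered = msg["body"].lower()
    for phrase in CREDENTIAL_REQUEST_PHRASES:
        if phrase in lowered:
            indicators.append(f"credential request wording: {phrase!r}")
    return indicators


SAMPLE_MESSAGES = [
    {  # constructed: poses as the internal IT department, like the "free pass" site on the phishing slide
        "from": "helpdesk@corp.example",
        "reply_to": "helpdesk@corp-example-support.net",
        "body": "Your password expires today. Please confirm your password at "
                "http://corp.example.password-reset-center.net/login to keep access.",
    },
    {  # constructed: lookalike bank domain with the digit 1 in place of the letter l
        "from": "alerts@examp1e-bank.com",
        "body": "Unusual activity detected. Verify your password here: https://examp1e-bank.com/verify",
    },
    {  # constructed: benign internal notice with a trusted link and no credential request
        "from": "it-notices@corp.example",
        "body": "The VPN gateway is upgraded tonight; details at https://intranet.corp.example/maintenance.",
    },
]


def triage(messages):
    """Map each message index to its indicator list; an empty list means nothing was found."""
    return {i: analyse_message(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for idx, found in triage(SAMPLE_MESSAGES).items():
        print(f"message {idx}: {'no indicators' if not found else ''}")
        for item in found:
            print("  -", item)
```

Running it lists three indicators for each of the first two messages and none for the benign notice. The registered-domain helper keeps only the last two labels, which misclassifies country-code second-level domains such as .co.uk; a production filter would use a public-suffix list and would treat these indicators as input to a score rather than a verdict.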
Education and training:
• Raise awareness of social engineering
• Demonstrate the techniques of social engineering, and explain how to resist them
• Explain the damage that a successful attack could do to a company
• Try to motivate employees to resist social engineers by playing on their desire not to be tricked and made a fool of by the engineer
• Employees should be tested on their susceptibility to social engineering attacks in real-life scenarios (live internal security audits)
Good security policies to establish:
• How an employee should act when an attack is recognized
• Exactly what information is considered sensitive
• How to verify / authenticate someone's identity
• Saying "No" is OK
• Never break security policies, even if asked to by the CEO
• A guarantee that nobody will be punished for following policy
• A guarantee that someone WILL be punished if they violate policy
Any Questions?