Date posted: 20-Dec-2015
The Art of Deception
- Controlling Human Element of Security -
Shohei Hagiwara
November 17th, 2009
Topic: Information Security
Technologies: encryption, firewall, anti-virus software, password
Focus: human...
Outline: Social engineering? A couple of examples of how attackers get access to information
The book...
Title: The Art of Deception
Year: 2002
Authors: Kevin Mitnick, William Simon
Kevin Mitnick: ex-world-famous hacker, consultant
First crime: free bus ride when 12 years old
William Simon: writer/editor
What is Social Engineering?
"uses influence and persuasion to deceive people by convincing them that the social engineer is someone he [or she] is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." (from the book)
Pretend, deceive/manipulate, get information
Human Factor of Security
Human factor → the weakest link
Emotion, mistakes, misjudgement, tiredness
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Albert Einstein
6 Basic Tendencies of Human Nature
Suggested by Robert B. Cialdini
1. Authority
2. Liking
3. Reciprocation
4. Consistency
5. Social Validation
6. Scarcity
Other Factors
National characters: love thy neighbors
Organizational innocence: sharing information, trust, little/no security
→ this is changing...
When Innocent Information Isn't...
Information that is valuable: credit card number, PIN, password, etc.
We won't give these away because we know they are valuable.
What about date of birth, pet's name, student ID, unit number?
Continued...
Seemingly useless information can be used to impersonate someone.
It is a step to the next, more valuable piece of information.
An example
Banks and CheCredit
First call to bank: "I am writing a book. What do you give CheCredit to get a credit record?"
Second call to bank: "I am calling from CheCredit. I am doing a survey to improve service." "Hours of operation, how many employees, how often do you call, what is your Merchant ID, how long have you been with the bank, suggestions?"
Another example
Video shop
First call to a shop: "I had a great experience with the shop and want to send a letter to the manager. And also, I want to send a letter to the company headquarters. What is your branch number?"
Now you have the manager's name and branch number.
Continue...
How to prevent
1. Classify information → what is and is not okay to be shared
2. Verify. Don't rely on lingo and feelings. Get the caller's name and phone number.
Building Trust
Appearance, voice, talking, personality
Frequent contacts (e.g. video shop)
Call to another shop: pretend to be the manager of the first shop
Small requests, chats
Continue...
Can you help me?
People like helping others
Example of video shop
Another call to the shop: "The system is down. Can you check a customer for me? Credit card number?"
How to prevent
Verify, verify, verify! Call the listed number.
But you also want employees to be helpful to each other in the workplace.
Dumpster Diving
Low risk and high return
Passwords, receipts, lists, etc.
A shredder may not work... Reassembled like a puzzle → the whole list of company systems and passwords
How to Prevent Dumpster Diving
Lock the dumpster
Cross shred
Multilevel approach to information of different sensitivity
Background check on custodian
Attack on Entry Level Employee
An easy target:
They don't know the value of information
They don't know the structure of the company
Likely to obey authority
What is the best countermeasure?
Anti-virus? Firewall? Encryption? Code Names?
no.
Have trained, aware, conscientious employees
Train Employees
Not a web page or pamphlet
Not a one-day seminar → ongoing
Raise awareness!!! Procedures are not enough.
There are threats. It is part of the job to protect information against those threats.
Reward, encouragement
Awareness → specific techniques
Question...
Questions?