www.cyberoam.com
Our Products: Modem Router Integrated Security Appliance; Network Security Appliances - UTM, NGFW (Hardware & Virtual)
Moderating Social Engineering Threats
Presenter: Keyur Shah, Manager - Pre Sales
Agenda
What is Social Engineering
Common Types of Social Engineering
Personality Traits
Social Engineering Exploits
Countermeasures to Social Engineering
Social Engineering
The social engineering cycle:
1. Information gathering
2. Development of relationship
3. Exploitation of relationship
4. Execution to achieve the objective
Social engineering is a type of security attack in which someone manipulates others into revealing information that can be used to steal data, gain access to systems or cellular phones, take money, or even take over the victim's identity. These attacks vary in sophistication from very obvious to very complex.
Social Engineering
Social engineering preys on qualities of human nature:
1. The desire to be helpful
2. The tendency to trust people
3. The fear of getting into trouble
Human behavior vulnerable to Social Engineering Attacks
To be a truly successful social engineer, one has to gather information without raising any suspicion, skills similar to those showcased by the penny-stock dealer we encountered in The Wolf of Wall Street…
Social Engineering
"Your profit, on a mere $ 6.000 investment, would be up to $ 60.000."
Social Engineering Example
Mr. William: Hello?
Conman: Hello, Mr. William. This is Maddy from IT support. Due to some disk space constraints, we're moving some users' home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.
Mr. William: Uh, okay. I'll be home by then, anyway.
Conman: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, William?
Mr. William: Yes. It's William. None of my files will be lost in the move, will they?
Conman: No sir. But I'll check your account just to make sure. What was the password on that account, so I can get in to check your files?
Mr. William: My password is sunday, in lower case letters.
Conman: Okay, Mr. William, thank you for your help. I'll make sure to check your account and verify all the files are there.
Mr. William: Thank you. Bye.
Types of Social Engineering
1. Human-based
2. Computer-based
Human-based
• Impersonation
• Important User
• 3rd-Party Authorization
• Tech Support
• In Person
• Dumpster Diving
• Shoulder Surfing
Computer-based
• Popup Windows
• Mail Attachments
• Spam, Chain Letters and Hoaxes
• Websites
Social Engineering Exploits (Summary)
Technology-Based Approach
• Phishing
• Vishing
• Spam Mails
• Popup Window
• Interesting Software
Non-Technical Approach
• Pretexting/Impersonation
• Dumpster Diving
• Spying and Eavesdropping
• Acting as a Technical Expert
• Support Staff
• Hoaxing
• Authoritative Voice
Successful Social Engineering Attacks
Government agency compromised by fake Facebook hottie: http://www.zdnet.com/government-agency-compromised-by-fake-facebook-hottie-7000022700/
Social Engineering Attack Nets $2.1 Million from Wells Fargo Bank: http://www.esecurityplanet.com/network-security/social-engineering-attack-nets-2.1-million-from-wells-fargo-bank.html
How a lying 'social engineer' hacked Wal-Mart: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/
Facebook Social Engineering Attack Strikes NATO: http://www.darkreading.com/risk-management/facebook-social-engineering-attack-strikes-nato-/d/d-id/1103308?
Countermeasures
• Well-Documented Security Policy
• Risk Assessment
• Awareness and Education
• Audits and Compliance
• Identity Management
• Operating Procedure
• Security Incident Management