Social Engineering Alexander Zhuravlev MSLU 2010 “Amateurs hack computers Professionals hack people”
Page 1: Social engineering

Social Engineering

Alexander Zhuravlev, MSLU, 2010

“Amateurs hack computers. Professionals hack people.”

Page 2: Social engineering

Contents

1. Security issues today

2. What is social engineering?

3. Why social engineering?

4. Categories of social engineering

5. How to safeguard against social engineering?

6. Conclusion

Page 3: Social engineering

Security issues today

Security has never been as important as it is today. The essential need for information security is apparent not only in every country and organization, but also for the individual. Victims of information-security crimes can be left with debt, bad credit, higher interest rates, and possibly criminal charges against them until they are able to prove themselves innocent. Recovering from such wrongdoings can take years, or even a lifetime.

According to a survey released on May 15, 2008 by the United States Department of Justice, “An estimated 3.6 million--or 3.1 percent--of American households became victims of identity theft in 2007.”

Page 4: Social engineering

What is social engineering?

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or a simple fraud, the term typically applies to trickery for information gathering or computer system access. In most cases the attacker never comes face-to-face with the victims, and the victims seldom realize that they have been manipulated.

Rather than exploiting computer security holes, social engineers exploit a person's natural tendency to take others at their word. It is generally agreed that “users are the weak link” in security, and this principle is what makes social engineering possible.

They prey on human behavior, such as the desire to be helpful, the inclination to trust people, and the fear of getting into trouble. The mark of a truly successful social engineer is obtaining the information without arousing any suspicion.

Page 5: Social engineering

Why social engineering?

Social engineering uses human error or weakness to gain access to a system despite whatever layers of defensive security controls have been implemented. A hacker may have to invest a lot of time and effort in breaking an access control system, but will find it much easier to persuade a person to allow admittance to a secure area or even to disclose confidential information. Despite the automation of machines and networks today, there is no computer system in the world that does not depend on human operators at one point or another.

Page 6: Social engineering

Social engineering has always existed in some form or other, primarily because of some very natural facets of human behavior. A social engineer exploits these behavior patterns to drive the target towards becoming a victim of the attack. The common human behaviors exploited by social engineers are listed below.

Behaviors Vulnerable to Social Engineering Attacks

Six tendencies of human nature:

• Authority - Comply with a request from someone of authority

• Liking - Comply with a request from someone we like

• Reciprocation - Comply with a request when we are promised or given something of value

• Consistency - Comply after we have committed to a specific action

• Social validation - Comply when doing something in line with what others are doing

• Scarcity - Comply when we believe the object sought is in short supply and others are competing for it, or it is available for a short period of time

[Figure: Exploitation of human behavior - desire to be helpful, enthusiasm to get free rewards, attitude to trust, appeal to authority]

Page 7: Social engineering

Categories of Social Engineering

There are two main categories under which all social engineering attempts can be classified:

• The technology-based approach deceives the user into believing that he is interacting with a 'real' application or system, and gets him to provide confidential information. For instance, the user gets a popup window informing him that the computer application has a problem and that he will need to re-authenticate in order to proceed. Once the user enters his ID and password in that popup window, the damage is done.

• Attacks based on the non-technical approach are perpetrated purely through deception, i.e. by taking advantage of the victim's human behavior weaknesses (as described earlier). For instance, the attacker impersonates a person of authority: he or she calls the help desk, claims to be a senior manager who has forgotten his or her password, and demands that it be reset right away.

Page 8: Social engineering

Technical

• Phishing - This term applies to an email appearing to have come from a legitimate business, a bank, or a credit card company, requesting "verification" of information and warning of some dire consequences if it is not done.

• Vishing - The practice of leveraging Voice over Internet Protocol (VoIP) technology to trick the public into giving up private personal and financial information for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

• Spam Mails - E-mails that offer friendships, diversion, gifts, and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.

• Popup Window - The attacker's rogue program generates a popup window saying that the application's connectivity was dropped due to network problems and that the user now needs to re-enter his ID and password to continue the session.

• Interesting Software - In this case the victim is convinced to download and install a seemingly very useful program or application that has in fact been 'window dressed'.

Non-Technical

• Impersonation/Pretexting

• Dumpster Diving

• Spying and Eavesdropping

• Support Staff

• Technical Expert
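The phishing entry above names three cues: a message posing as a bank or business, a request to "verify" information, and a threat of consequences. The following added example (not part of the original slides) turns those cues into a simple triage score over constructed sample messages; the trusted-brand table and the word lists are assumptions a defender would tune to their own organisation.

```python
from email import message_from_string
from email.utils import parseaddr

# Cues from the slide's definition of phishing: a "verification" request and a
# warning of dire consequences.  Word lists are constructed for this example.
VERIFY_WORDS = ("verify", "verification", "confirm your", "re-authenticate")
THREAT_WORDS = ("suspended", "locked", "closed", "within 24 hours", "legal action")

# Hypothetical brand -> legitimate sending domain table (an assumption).
TRUSTED_BRANDS = {"examplebank": "examplebank.com"}


def sender_domain_mismatch(from_header):
    """True if the display name claims a trusted brand but the address domain differs."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    squashed = name.lower().replace(" ", "")
    return any(brand in squashed and not domain.endswith(real)
               for brand, real in TRUSTED_BRANDS.items())


def phishing_score(raw_message):
    """Return (score, reasons) for a raw RFC 822 message; higher is more suspicious."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    reasons = []
    if sender_domain_mismatch(msg.get("From", "")):
        reasons.append("display name claims a trusted brand but sender domain differs")
    if any(w in body for w in VERIFY_WORDS):
        reasons.append("requests 'verification' of account details")
    if any(w in body for w in THREAT_WORDS):
        reasons.append("warns of dire consequences to create urgency")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
PHISH = """From: "Example Bank Security" <alerts@examp1e-bank-verify.net>
Subject: Account verification required

Your account will be suspended within 24 hours unless you verify your details.
"""
LEGIT = """From: "Example Bank" <statements@examplebank.com>
Subject: Your monthly statement

Your statement for March is now available in online banking.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_score(sample))
```

A score of 2 or more is a reasonable threshold for routing a message to a human reviewer; a single cue alone (a real bank also says "verify" sometimes) should not be treated as proof.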

Page 9: Social engineering

Non-Technical Approach

Pretexting / Impersonation - This is the act of creating and using an invented scenario (the pretext) to persuade a target to release information. It is more than a simple lie, as it most often involves some prior research or setup and makes use of pieces of known information (e.g. date of birth, mother's maiden name, billing address, etc.) to establish legitimacy in the mind of the target.

Dumpster Diving - If discarded mail contains personal identification information, a 'dumpster diver' can use it to carry out identity theft. A hacker can also retrieve confidential information from the hard disk of a discarded computer, as there are numerous ways to recover data from disks even when the user thinks it has been 'deleted'.

Spying and Eavesdropping - A clever spy can determine an ID and password by observing a user typing it in (shoulder surfing). All that needs to be done is to stand behind the user and be able to see his fingers on the keyboard.

Acting as a Technical Expert - This is the case where an intruder pretends to be a support technician working on a network problem and requests that the user let him access the workstation to 'fix' the problem.

Support Staff - Here a hacker may pose as a member of the facility's support staff and do the trick. A man dressed like the cleaning crew walks into the work area carrying cleaning equipment. While appearing to clean your desk area, he can snoop around and get valuable information, such as passwords or a confidential file that you have forgotten to lock up.

Page 10: Social engineering

How to safeguard against social engineering?

Security policy

A well-documented security policy, with its associated standards and guidelines, forms the foundation of a good security strategy:

• Acceptable usage policy - for acceptable business usage of email, computer systems, etc.

• Information classification and handling - for identifying critical information assets

• Personnel security - screening prospective employees and contractors to ensure that they do not pose a security threat to the organization if employed

• Physical security - to secure the facility from unauthorized physical access with the help of sign-in procedures

• Information access control - password usage and guidelines for generating secure passwords

• Protection from viruses - to secure the systems and information from viruses and similar threats

• Information security awareness training - to ensure that employees are kept informed of threats

• Compliance monitoring - to continually ensure that the security policy is being complied with

Page 11: Social engineering

People need to…

• Know what they need to do

• Be able to identify threats

Conclusion

Social engineering is a technique used by hackers and other criminals to persuade people to divulge confidential information for personal gain or for malicious purposes. Although social engineering attacks are difficult to defend against because they involve the human element, it is possible for organizations and individuals to protect themselves by being trained on the importance of security and by gaining awareness of the possible social engineering attacks that they may encounter.

Page 12: Social engineering

Thank you for your attention

Alexander Zhuravlev MSLU 2010