Social Engineering UTHSC Information Security Team

Dec 26, 2015

Jared Lucas
Page 1: Social Engineering UTHSC Information Security Team.

Social Engineering

UTHSC Information Security Team

Page 2:

What is Social Engineering?

• Attacker uses human interaction to obtain or compromise information

• Attacker may appear unassuming or respectable
  o Pretend to be a new employee, repair man, etc.
  o May even offer credentials

• By asking questions, the attacker may piece together enough information to infiltrate a company's network
  o May attempt to get information from many sources

Page 3:

What is Social Engineering…

At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.

Psychological manipulation

Trickery or Deception for the purpose of information gathering

Page 4:

What is Social Engineering…

• It is a way for criminals to gain access to information systems.

• The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick persons into handing over passwords and/or other sensitive financial or personal information.

Page 5:

What is Social Engineering…

Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by social engineering.

“Most employees are utterly unaware that they are being manipulated,” says Colin Greenlees, security and counter-fraud consultant at Siemens.

Page 6:

Watch this video…

Page 7:

Types of Attacks

• Phishing

• Impersonation on help desk calls

• Quid Pro Quo - Something for something

• Baiting

• Pretexting

• Invented Scenario

• Diversion Theft - A con

• Physical access (such as tailgating)

• Shoulder surfing

• Dumpster diving

• Stealing important documents

• Fake software

• Trojans

Page 8:

Phishing

• Use of deceptive mass mailing

• Can target specific entities (“spear phishing”)

• Prevention:
  o Honeypot email addresses
  o Education
  o Awareness of network and website changes

Page 9:

Impersonation on help desk calls

• Calling the help desk pretending to be someone else

• Usually an employee or someone with authority

• Prevention:
  o Assign PINs for calling the help desk
  o Don’t do anything on someone’s order
  o Stick to the scope of the help desk

Page 10:

Quid Pro Quo

Something for Something

o Call random numbers at a company, claiming to be from technical support.

o Eventually, you will reach someone with a legitimate problem

o Grateful you called them back, they will follow your instructions

o The attacker will "help" the user, but will really have the victim type commands that allow the attacker to install malware

Page 11:

Baiting

o Uses physical media

o Relies on greed/curiosity of victim

o Attacker leaves a malware-infected CD or USB drive in a location sure to be found

o Attacker puts a legitimate or curious label on it to gain interest

o Ex: "Company Earnings 2009" left at company elevator
   Curious employee/Good Samaritan picks it up
   User inserts media and unknowingly installs malware

Page 12:

Pretexting

Invented Scenario

o Prior research/setup used to establish legitimacy
   Give information that a user would normally not divulge

o This technique is used to impersonate
   Authority, etc.
   Using prepared answers to victims' questions
   Other gathered information

o Ex: Law Enforcement
   Threat of alleged infraction to detain suspect and hold for questioning

Page 13:

Pretexting Real Example:

• Signed up for Free Credit Report

• Saw unauthorized charge from another credit company

  o Called to dispute charge and was asked for Credit Card Number
     They insisted it was useless without the security code

  o Asked for Social Security number

• Talked to Fraud Department at my bank

Page 14:

Diversion Theft

A Con

o Persuade delivery person that delivery is requested elsewhere - "Round the Corner"

o When delivery is redirected, attacker persuades delivery driver to unload delivery near the address

o Ex: Attacker parks a security van outside a bank. Victims going to deposit money into a night safe are told that the night safe is out of order. Victims then give money to the attacker to put in the fake security van

o Most companies do not prepare employees for this type of attack

Page 15:

Physical access

• Tailgating

• Ultimately obtains unauthorized building access

• Prevention:
  o Require badges
  o Employee training
  o Security officers
  o No exceptions!

Page 16:

Shoulder surfing

• Someone can watch the keys you press when entering your password

• Probably less common

• Prevention: Be aware of who’s around when entering your password

Page 17:

Dumpster diving

• Looking through the trash for sensitive information

• Doesn’t have to be dumpsters: any trashcan will do

• Prevention:
  o Easy, secure document destruction
  o Lock dumpsters
  o Erase magnetic media

Page 18:

Stealing important documents

• Can take documents off someone’s desk

• Prevention:
  o Lock your office
  o If you don’t have an office: lock your files securely
  o Don’t leave important information in the open

Page 19:

Fake Software

• Fake login screens

• The user is aware of the software but thinks it’s trustworthy

• Prevention:
  o Have a system for making real login screens obvious (personalized key, image, or phrase)
  o Education
  o Antivirus (probably won’t catch custom-tailored attacks)

Page 20:

Trojans

• Appears to be useful and legitimate software before running

• Performs malicious actions in the background

• Does not require interaction after being run

• Prevention:
  o Don’t run programs on someone else’s computer
  o Only open attachments you’re expecting
  o Use an antivirus

Page 21:

Weakest Link?

• No matter how strong your:
  o Firewalls
  o Intrusion Detection Systems
  o Cryptography
  o Anti-virus software

• YOU are the weakest link in computer security!
  o People are more vulnerable than computers

• "The weakest link in the security chain is the human element" -Kevin Mitnick

Page 22:

General Safety

• Before transmitting personal information over the internet, check that the connection is secure and that the URL is correct

• If unsure whether an email message is legitimate, contact the person or company by another means to verify

• Be paranoid and aware when interacting with anything that needs protecting
  o The smallest piece of information could compromise what you're protecting
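As an added example (not part of the slides), a small Python check for the "check the URL is correct" and "connection is secure" points above: it extracts the host a browser would actually connect to, requires HTTPS, and compares that host against a trusted domain. The trusted domain uthsc.edu is taken from the deck's contact slide; the look-alike links are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Domain taken from the deck's contact slide; the sample links below are constructed.
TRUSTED_DOMAINS = {"uthsc.edu"}


def effective_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, lowercased.

    urlsplit().hostname drops any 'user@' prefix and ':port' suffix, so a link
    such as https://uthsc.edu@203.0.113.5/ yields '203.0.113.5', not 'uthsc.edu'.
    """
    host = urlsplit(url.strip()).hostname
    return host.lower() if host else None


def is_trusted_link(url: str) -> bool:
    """True only for an HTTPS link whose real host is a trusted domain or a subdomain of one."""
    if urlsplit(url.strip()).scheme != "https":   # "check the connection is secure"
        return False
    host = effective_host(url)
    if host is None or not host.isascii():        # reject non-ASCII (IDN look-alike) hosts outright
        return False
    # Exact match or a true subdomain; 'uthsc.edu.example.net' does NOT end with '.uthsc.edu'
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


if __name__ == "__main__":
    samples = [
        "https://security.uthsc.edu/",          # real subdomain
        "http://uthsc.edu/login",               # right host, but not HTTPS
        "https://uthsc.edu.example.net/login",  # trusted name used as a subdomain elsewhere
        "https://uthsc.edu@203.0.113.5/",       # userinfo trick: real host is the IP address
        "https://uthsc-edu.example.net/",       # hyphen look-alike
    ]
    for s in samples:
        print(f"{s:45} host={effective_host(s)!s:25} trusted={is_trusted_link(s)}")
```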

Page 23:

Ways to Prevent Social Engineering

Training

• User Awareness

  o User knows that giving out certain information is frowned upon

  o Complete Information Security Training

Policies

• Employees are not allowed to divulge private information

• Prevents employees from being socially pressured or tricked…

Page 24:

Ways to Prevent Social Engineering (cont…)

• 3rd Party test - Ethical Hacker
  o Have a third party come to your company and attempt to hack into your network
  o 3rd party will attempt to glean information from employees using social engineering
  o Helps detect problems people have with security

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information

• Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified

Page 25:

Responding…

• You’ve been attacked: now what?

• What damage has been done? What damage can still be done?

• Has a crime actually taken place?

Report the incident or event IMMEDIATELY!

Take responsibility and be honest

Contact UTHSC Help Desk

Page 26:

Summary

• Be suspicious.

• Think about motivation when revealing information.

• Verify identity.

• Be careful what you click on.

• No one will catch everything – Be willing to ask for help. IMMEDIATELY Contact your UTHSC Information Security Team!

Security is Everyone's Responsibility – See Something, Say Something!

Page 27:

UTHSC Information Security Team

L. Kevin Watson

[email protected]

(901) 448-7010

Frank Davison

[email protected]

(901) 448-1260

Jessica McMorris

[email protected]

(901) 448-1579

Ammar Ammar

[email protected]

(901) 448-2163

• Information Security Email: [email protected]

• Website: security.uthsc.edu

• To report phishing and spam email forward it to [email protected]

• UTHSC Help Desk: (901) 448-2222 ext. 1 or [email protected]