Social Engineering - PowerPoint PPT Presentation

Provided by: cseOhi
Slides: 16

Transcript and Presenter's Notes

Title: Social Engineering

1
Social Engineering
  • Presentation by
  • Brandon Betteridge
  • Michael Petersheim

2
Overview of Presentation
  • What Is Social Engineering?
  • Attack Vectors
  • Attack Tools
  • Examples of Attack Methods
  • Protecting Yourself From Attacks
  • Case Study of an Attack

3
What is Social Engineering?
  • Social engineering is the use of influence and
    persuasion to coerce people into divulging
    sensitive information.
  • Social engineering does not have to involve the
    use of technology.

4
Common Vectors of Social Engineering Attacks
  • Over the Phone
  • Via E-Mail (Phishing)
  • In Person

5
Tools of the Trade
  • Social engineers use the following techniques in
    their attacks:
    • Development of credibility
    • Getting their target to use emotions to make
      decisions
    • Exploiting a person's desire to help
    • Momentum of compliance
    • Getting a person to like them
    • Exploiting a person's fear (of upsetting a boss,
      etc.)
    • Use of reactance
    • Using an organization's size against them

6
Some Typical Attacks
  • The Direct Attack
  • Using Innocuous Information
  • Building Trust
  • Offering Help
  • Phishing

7
The Direct Attack
  • The simplest form of social engineering, in which
    the engineer simply asks for the information they
    are looking for.
  • For example, to find an unlisted phone number,
    the engineer could call the phone company and act
    like a terminal repairman, saying that he needs
    to know what number should be working for the
    address.

8
Using Innocuous Information
  • In this attack, the engineer first asks for a
    piece of harmless information. Then, using that
    info, they ask another person for more important
    information. This process continues until the
    engineer gets the information that they want.
  • The engineer uses the harmless information to
    make their subsequent request appear valid.

9
Building Trust
  • In this attack, the engineer spends some time
    (days, weeks) interacting with the person in an
    attempt to befriend them, or at least establish
    a sense of familiarity. Then, when the engineer
    asks for the information, the person feels that
    they are helping a friend / coworker.

10
Offering Help
  • This attack has a few variations. The engineer
    can either intentionally cause a problem, then
    act as someone who is in charge of fixing the
    problem, or they can simply offer assistance or
    direction to someone new in the company.
  • While the engineer is offering their assistance,
    they ask for the information that they want by
    claiming that it is necessary to fix the problem
    or help out.

11
Phishing
  • This method involves the use of electronic
    communication (usually e-mail) designed to appear
    legitimate, but which attempts to gather
    sensitive information from the user.
  • Examples include:
    • Asking for account validation
    • Warning the user of suspicious activity on their
      account
    • Nigerian 419 Scam
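The three lures listed on this slide are recognizable in text, which makes them a reasonable basis for a triage heuristic used in awareness training or mail screening. The following Python is an added example, not part of the original presentation; it scores constructed sample e-mails for the slide's lure patterns (account validation, suspicious-activity warnings, advance-fee / 419 offers) and for a sender domain outside an assumed trusted list, which is how a message "designed to appear legitimate" is most often spotted. The trusted-domain list, the regex phrasings, the sample messages and the scoring threshold are all assumptions made for the example.

```python
"""Heuristic phishing-lure triage for the lure types named on the slide.

Added example, not from the original presentation. Everything below
(TRUSTED_DOMAINS, the regex wording, SAMPLES, the threshold) is assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organization treats as its own or trusted.
TRUSTED_DOMAINS = {"example.com"}

# Lure patterns from the slide. Phrasings are illustrative, not exhaustive.
LURES = {
    "account_validation": re.compile(
        r"\b(validate|verify|confirm)\b.{0,40}\baccount\b", re.I | re.S),
    "suspicious_activity": re.compile(
        r"\b(suspicious|unusual|unauthori[sz]ed)\b.{0,40}\b(activity|login|sign-?in)\b",
        re.I | re.S),
    "advance_fee_419": re.compile(
        r"\b(beneficiary|inheritance|transfer of|sum of)\b.{0,60}\b(US\$|\$|USD|million)",
        re.I | re.S),
}

# Constructed sample messages (single-part plain text, RFC 822 style).
SAMPLES = {
    "validation": (
        "From: IT Support <support@examp1e-login.net>\n"
        "Subject: Action required: validate your account\n\n"
        "Please validate your account within 24 hours or it will be suspended.\n"),
    "suspicious": (
        "From: Security Team <alerts@example-secure.com>\n"
        "Subject: Suspicious activity detected\n\n"
        "We noticed suspicious login activity on your account. "
        "Click to confirm your account.\n"),
    "advance_fee": (
        "From: Barrister <office@constructed-419.example>\n"
        "Subject: Urgent business proposal\n\n"
        "I am the beneficiary of the sum of US$12.5 million and need a "
        "foreign partner for the transfer of funds.\n"),
    "internal": (
        "From: Alice <alice@example.com>\n"
        "Subject: Lunch\n\n"
        "Are we still on for lunch on Thursday?\n"),
}


def is_trusted(domain):
    """True when the sender domain is, or is a subdomain of, a trusted domain."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return which slide lures a message shows, the sender domain, and a verdict."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Samples are single-part; multipart mail would need its text parts joined.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    lures = [name for name, pattern in LURES.items() if pattern.search(text)]
    untrusted = not is_trusted(domain)
    # One lure from a trusted sender, or an untrusted sender with no lure,
    # is ordinary mail; two or more signals together warrant a closer look.
    score = len(lures) + (1 if untrusted else 0)
    return {
        "sender_domain": domain,
        "lures": lures,
        "untrusted_sender": untrusted,
        "score": score,
        "verdict": "suspect" if score >= 2 else "clean",
    }


def triage_all(samples):
    """Triage every sample; keyed by sample name."""
    return {name: triage(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name:12} {result['verdict']:8} "
              f"lures={result['lures']} sender={result['sender_domain']}")
```

The threshold deliberately requires two signals so that a genuine internal notice about verifying an account, or a plain external message, is not flagged on its own; the lookalike domains in the samples (`examp1e-login.net`, `example-secure.com`) show why the sender check is matched against a list rather than by eye.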

12
Protecting Your Information from Social Engineers
  • Unlike other threats to a company's information,
    social engineering cannot be combated by
    technical means.
  • The only way to defend against social engineering
    is through training and the establishment of
    security policies.

13
Protecting Your Information from Social Engineers
(cont'd)
  • Policies to establish:
    • How an employee should act when an attack is
      recognized
    • Exactly what information is considered sensitive
    • How to verify / authenticate someone's identity
    • Saying No is OK
    • Never break security policies, even if asked to
      by the CEO.
    • A guarantee that nobody will be punished for
      following policy.
    • A guarantee that someone WILL be punished if they
      violate policy.
    • Ensure that policies are clear, concise, and
      consistently enforced.

14
Protecting Your Information from Social Engineers
(cont'd)
  • Employee training should do the following:
    • Raise awareness of social engineering
    • Demonstrate the techniques of social engineering,
      and explain how to resist them
    • Explain the damage that a successful attack could
      do to a company
    • Try to motivate employees to resist social
      engineers, by playing on their desire to not be
      tricked and made a fool of by the engineer.
    • Employees should be tested on their
      susceptibility to social engineering attacks in
      real-life scenarios (live internal security
      audits)

15
Social Engineering: A Case Study
  • First call: Bookkeeping Department (the victim)
    • Attacker poses as Help Desk staff, warns of a network
      problem, gives a number to call in case of trouble
    • Gets the port number for the victim's network connection
  • Second call: Network Ops, 2 days later
    • Posing as a member of the victim's office, asks to have
      the given port number disabled to troubleshoot a
      cabling problem
  • Third call: Bookkeeping calls the attacker
    • Network connection is down; asks Eddie (the attacker)
      for immediate help
  • Fourth call: Network Ops
    • Problem fixed; asks to re-enable the port
  • Fifth call: Bookkeeping Department
    • Tells him to verify the network connection
    • Asks him to download and install a program online to
      prevent similar future incidents
    • The program is actually a Trojan Horse, giving the
      attacker a back door into the company network