IT Arkitektur og Sikkerhed

1
IT Arkitektur og Sikkerhed

• Social Engineering

2
Sidste uge

• I sidste uge gennemgik vi
• Risiko Analyse

3
Dagsorden

• I denne uge gennemgår vi
• Del 1
• Social Engineering (mini)
• Del 2
• Præsentation af prøveeksamen

4
Definition

• Social engineering is the art of utilizing
  human behavior to breach security without the
  participant (or victim) even realizing that they
  have been manipulated. (SAN)
• Social engineering preys on qualities of human
  nature
• The desire to be helpful
• The tendency to trust people
• The fear of getting into trouble

5
Physical Cycle of Social Engineering

• Research (Dumpster diving , et. al.)
• Developing rapport and trust
• Exploiting trust
• Use the information (Local impact)
• Mitnick, 2002

6
Social Engineering Aspects

• Appeal to vanity
• Appeal to authority
• Eavesdropping
• Prey on natural helpfulness
• Manipulate lack of awareness of value of info

7
Applied Approaches

• Posing as fellow employee
• Posing as employee of vendor
• Posing as an authority figure
• Posing as a new employee requesting help
• Posing as a vendor offering patch, etc.
• Offering help if a problem occurs
• Sending free software or patch to install
• Sending a virus/Trojan horse
• Using false pop-up window asking for log-in
• Capturing victim keystrokes
• Leaving floppy sitting around with malicious code
• Using insider lingo to gain trust
• Offering a prize for registering web site with
  username and password
• Dropping document or file at company mail room
  for in-house delivery
• Modifying fax machine heading to appear to come
  from normal location
• Asking receptionist to receive then forward a fax
• Asking for a file to be transferred to an
  apparently internal location
• Getting voice mailbox set up for callbacks,
  making attacker seem internal
• Pretending to be from remote office and asking
  for email access locally

8
Factors Making Companies Vulnerable

• Large number of employees
• Multiple facilities
• Info on employee whereabouts left invoice mail
  messages
• Phone extension info made available
• Lack of security training
• Lack of data classification system
• No incident reporting/response plan

9
Common Targets of Attacks in Company

• Unaware of info value
• Receptionist
• Special privileges
• Helpdesk tech support
• Specific departments
• Accounting, HR

10
The Broken
TheBrokenEpisode (fra 535)