Security Awareness (http://security.nsu.edu) PowerPoint PPT Presentation


1
Security Awareness - http://security.nsu.edu
  • Social Engineering

2
Security Awareness - Social Engineering
  • Wikipedia defines Social Engineering as "the
    practice of obtaining confidential information by
    manipulation of legitimate users. A social
    engineer will commonly use the telephone or
    Internet to trick people into revealing sensitive
    information or getting them to do something that
    is against typical policies. By this method,
    social engineers exploit the natural tendency of
    a person to trust his or her word, rather than
    exploiting computer security holes. It is
    generally agreed upon that users are the weak
    link in security and this principle is what
    makes social engineering possible."
  • http://en.wikipedia.org/wiki/Social_engineering_(computer_security)

3
Security Awareness - Social Engineering
  • People are the weakest link in the security of an
    institution.
  • Social Engineers take advantage because:
    • It is natural for people to want to help.
    • It is natural for people to trust.
    • It is natural for people to fear what happens
      when they do something wrong.
  • The most predominant way data is compromised.
  • Usually, the first type of attack to occur.

4
Security Awareness - Social Engineering
  • Social Engineering
    • A direct request from the attacker.
    • An indirect request from the attacker.
      • They ask questions that are not directly related
        to their objective and want the victim to supply
        the answers with the information they really
        want.
    • Use statements that make the person feel a
      certain way.
      • Fear of reprimand or losing their job.

5
Security Awareness - Social Engineering
  • Defending against Social Engineering is
    difficult. The security of the institution
    relies on individuals to determine what is right
    (instinct?).
  • To ensure people are aware, training is a key
    component of any security awareness program.
  • Policies are implemented.

6
Security Awareness - Social Engineering
  • Direct engineering can take the form of the
    following:
    • Impersonation: "This is a representative from your
      bank. We need to verify some info."
    • Authority figure: "This is Sergeant Yada Yada
      from your local precinct. Can you verify your
      name and address for me?"
    • Help Desk (most common target)
    • Authorized third party: "This is someone from
      some contractor and I need access to your
      username and password to verify something."
    • Support: "This is someone from some contractor
      and I need access to your username and password
      to verify something."
    • In person: "I have a bunch of food for a meeting,
      can you open the door for me?"

7
Security Awareness - Social Engineering
  • Direct engineering can take the form of the
    following:
    • Dumpster diving: digging through trash to collect
      details about someone.
      • Ever thrown credit card receipts away with the
        entire number on them?
      • Thrown away something with your SSN on it?
      • Invest in a shredder!!!
    • Shoulder Surfing: the act of monitoring
      (or watching) as a user types in their
      information, password, username, PIN for an ATM,
      etc.
      • Is there someone behind you standing too close?

8
Security Awareness - Social Engineering
  • Direct engineering can take the form of the
    following:
    • Piggybacking (2 definitions)
      • Gaining access to a restricted area by means of
        being close to someone so they hold the door open
        for you.
        • One of the easiest ways to gain access to a
          building.
        • Plays on people's wanting to help.
        • When entering a restricted or locked area, have
          you ever held the door open (being polite) for
          someone you didn't recognize, whether they asked
          or not?
      • Gaining access to a computer because the user did
        not lock it when leaving, even for just a moment.

9
Security Awareness - Social Engineering
  • Computer based engineering
    • Spam/Phishing
      • Spam is unsolicited email advertising wonder
        drugs for cheap. Usually, you provide your
        credit card info and find you have maxed it out.
        Even worse, you gave them info about your debit
        card.
      • Phishing is unsolicited email that appears to
        come from a legitimate banking site requesting
        you click a URL and enter your banking
        information, user ID, password, account number,
        SSN, etc.
      • Always be the one to initiate contact. If you
        get a phone call from your bank, ask to call them
        back at a published number or go to a branch.
      • Research it! Most scams will have others
        screaming about it online.
    • Popups are additional windows that will pop up
      when surfing the Internet or when malicious software
      has been installed on your PC.
      • In some cases, like free Internet services, the
        popups are part of a policy you have accepted
        (e.g., NetZero).
      • Clean your PC and get a popup blocker (e.g., Google
        Toolbar).
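The phishing bullet above describes two tells that can be checked mechanically: a sender that only looks like the bank, and a link whose visible text points somewhere other than its href. The following is an added example, not part of the NSU presentation; it assumes a hypothetical TRUSTED_DOMAINS list and runs on a constructed sample message.

```python
"""Flag common phishing indicators in an e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains the institution actually banks with.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample messages for the demo; not real e-mails.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examplebank-verify.net>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is locked. Click
<a href="http://examplebank-verify.net/login">https://www.examplebank.com/login</a>
within 24 hours.</p>
"""
SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/">https://www.examplebank.com/</a>.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (fine for .com/.net demos)."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def phishing_indicators(raw):
    """Return human-readable warnings; an empty list means no tell was found."""
    msg = message_from_string(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # Bank's name in the display name, but the real sender domain is not the bank.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower().replace(" ", "") and sender_domain not in TRUSTED_DOMAINS:
            warnings.append(f"sender {addr} is not {trusted} despite display name '{display}'")
    # Visible URL text that disagrees with where the link actually goes.
    for href, text in LINK_RE.findall(msg.get_payload()):
        shown = text.strip()
        if "://" in shown and registered_domain(urlparse(shown).hostname) != \
                registered_domain(urlparse(href).hostname):
            warnings.append(f"link text {shown} actually points to {href}")
    if re.search(r"\burgent\b|within \d+ hours", raw, re.I):
        warnings.append("pressure language (urgency)")
    return warnings
```

The same three checks (sender domain, link mismatch, urgency) are what a user is asked to spot by eye on the slide.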

10
Security Awareness - Social Engineering
  • Computer based engineering
    • Web sites are not always legitimate.
      • Hacked web sites are out there, as companies or
        their systems have flaws that can be exploited.
      • Your PC can be redirected to malicious sites.
    • Email attachments can include executables
      (programs) or other files that contain malicious
      code.
      • Before opening an email, make sure you know who
        it is from.
      • Were you expecting it?
    • Anti-Virus software should be installed.
    • Anti-Spyware software should be installed.

11
Security Awareness - Social Engineering
  • Social Engineers may have these personality
    traits:
    • Place the blame on someone else, maybe a
      supervisor.
      • Who will benefit? Them? You?
    • They will gain your trust.
    • They will play on your emotions. Feel guilty?
      Morally correct?
    • They will empathize with you or get you to
      empathize with them.
    • They will appear to be helpful in any way
      possible.
    • They will appear to be very cooperative.

12
Security Awareness - Social Engineering
  • How does a social engineer get a person to do
    what they want?
    • They may ask directly.
      • "Please get so-and-so's password and user ID.
        So-and-so trusts you."
    • They may make the request appear complicated. The
      more issues there are involved, the more one will
      want to help.
    • They may make the victim feel as if the decision
      was theirs.

13
Security Awareness - Social Engineering
  • Ways security can be breached:
    • Acquire username and password for a user.
    • Set up web sites to collect information or
      install malicious code when accessed.
    • Install modems for dialing in to a server, or a
      wireless access point so a laptop can get on the
      network and monitor or use hacking tools.
    • Pretend to be the help desk and get users to
      perform functions for them.

14
Security Awareness - Social Engineering
  • So, how do you protect yourself from social
    engineers?
    • Issue ID cards or badges and have them checked.
    • Biometrics, such as retina scans, fingerprint
      scans, voice or facial recognition.
    • Implement password policies.
      • Do not share your passwords.
      • Do not write down your passwords.
    • Use caller ID.
      • Do you answer when there is no name or number
        displayed?
    • Shredders are our friends.

15
Security Awareness - Social Engineering
  • So, how do you protect yourself from social
    engineers?
    • Be able to recognize the signs:
      • They refuse to give you contact information.
      • You can't contact them.
      • They rush/hurry.
      • They drop important people's names.
      • They try to intimidate you.
      • There are small mistakes in what they say or are
        doing.
      • They request information that is forbidden.
      • Their cell phone is about to die.
      • The cell phone can only make calls, not receive
        them.

16
Security Awareness - Social Engineering
  • So, how do you protect yourself from social
    engineers?
    • Implement policies:
      • Call them back at publicly listed telephone
        numbers.
        • Are they in the phone book?
      • Vendors and contractors should be accompanied at
        all times.
        • Assign someone the task of accompanying them.

17
Security Awareness - Social Engineering
  • NSU policies are available from:
    • http://www.nsu.edu/policies
      • Policy 60.201 Acceptable Use of Technology
        Resources
      • Policy 62.002 Computer Systems Passwords
    • http://www.nsu.edu/forms
      • Resource Authorization Request / OIT Request Form
      • Information Security Access Agreement
    • http://www.nsu.edu/oit/policies
      • Policy 61.002 Electronic Data Privacy and
        Ownership