A Multi-Level Defense Against Social Engineering

1
A Multi-Level Defense Against Social Engineering

• Allen Stone
• 9/14/2005

2
Social Engineering

• Social Engineering is the process of deceiving
  people into giving away access or confidential
  information.
• This paper explores the psychological means of
  the enemy and victims and outlines an effective
  defense against it. It is really the first paper
  to recognize all of the levels necessary for
  proper defense and suggest a defense to not only
  deter such attacks but to also identify or
  isolate the attacker.

3
Constructing an Effective Defense

• Understand the Enemys tactics
• Find our psychological vulnerabilities
• Identify the various levels of defense
• Devise defense strategies at all levels

4
The Enemy Methods

• Develop Trust
• Reverse Social Engineering
• Avenues and Media
• Avoid pigeonholing the enemy He/she will
  call/approach/email you under the pretenses of
  authority/customer/coworker/author/etc.

5
Why these attacks work

• Psychological Triggers in all of us
• Strong Affect
• Overloading
• Reciprocation
• Deceptive Relationships
• Diffusion of Responsibility and Moral Duty
• Authority
• Integrity and Consistency

6
Strong Effect

• A heightened emotional state tends to impair
  logical thinking
• Fear
• Panic
• Joy
• Youve just won!
• Trip to San Francisco - AoD
• Surprise
• Call at 430am

7
Overloading

• Sensory Overload
• 30 true statements with 5 untrue, suspect
  statements in between.
• The 1-cent Cell Phone - AoD
• Arguing from an unexpected perspective
• We need time to process
• How can we defend against this?

8
Reciprocation

• If someone gives us something, whether or not we
  asked for it, we feel inclined to help them.
• Reverse Social Engineering
• mental shortcut Mitnick
• Yielding points in an argument

9
Deceptive Relationships

• Developing a relationship with the intent of
  exploiting the other person.
• AOL attack
• Hacker and mark are alike

10
Diffusion of Responsibility and Moral Duty

• Diffusion of Responsibility the mark feels that
  he/she will not be held solely responsible
• Moral Duty avoid feeling guilt
• Save the company, Save someones job

11
Authority

• Impersonation attacks

12
Integrity and Consistency

• People generally follow through on their
  promises, whether or not it is wise to do so.

13
Levels of Defense

• Foundational Level
• Parameter Level
• Fortress Level
• Persistence Level
• Gotcha Level
• Offensive Level

14
Foundational Level

• End users are targeted to respond to questionable
  requests
• They should not decide what information can and
  cannot be divulged
• Confidence
• Metacognition and Persuasion Theory

15
Defense (Foundational)

• General Policy
• Explicitly state what information can be divulged
  and by whom
• Train early and often, post policy clearly in
  public view, encourage and enforce compliance
• Combats Authority, Diffusion of Responsibility,
  Moral Duty

16
Parameter Level And Its Defense

• Employees need to know when to say no and that
  mgmt backs them
• Warning signs
• No contact info, rushing, name-dropping,
  intimidation, misspellings, odd questions,
  requesting suspect info
• Security Awareness
• Know what has value
• Friends are not always friends
• Passwords are personal
• Uniforms are cheap

17
Fortress Level

• Attackers Target Key Personnel
• Help Desk Personnel
• Customer Service
• Business Assistants
• Secretaries and Receptionists
• System Administrators
• How are they prepared?

18
Defense (Fortress)

• Resistance training for key personnel
• Inoculation weakened examples
• Forewarning Not just the intent, but the
  methods
• Reality Check Defeat their image of personal
  invulnerability. Deceive them to show how easy
  it is.

19
Persistence Level And Its Defense

• Forgetfulness and Wrongful Prioritization of
  Policy
• Pervasive and persistent reminders
• Police Station example

20
Gotcha Level Defense

• Social Engineering Land Mines (SELM) traps set
  up to expose and stop an attack
• Active Defense Ideas
• The Justified Know-It-All
• Centralized Security Log
• Call Backs by Policy
• Key Questions
• Three Questions Rule
• Bogus Question
• Please Hold by Policy

21
Offensive Level Defense

• Incident Response
• There needs to be a clearly written and
  well-understood policy surrounding the manner in
  which to respond to a security incident
• If the first mark is wise to the con but does not
  alert security, it is only a matter of time
  before another mark is selected.

22
How well have we defended?

• Strong Affect
• Overloading
• Reciprocation
• Deceptive Relationships
• Diffusion of Responsibility and Moral Duty
• Authority
• Integrity and Consistency

23
Other vulnerabilities

• New employees
• Poor administration policies

24
Policy from a Social EngineerThe Art of
Deception K. Mitnick

• Kevin Mitnick outlines an excellent security
  policy at the end of the book with detailed
  reasoning at every level to defend against Social
  Engineering Attacks.

25
Conclusion

• Social Engineering will always exist, and it is
  extremely difficult to defend against, but the
  success of such attacks can be decreased
  substantially with proper policy and personnel
  training

26
Questions and Comments?
27
References

• A Multi-Level Defense Against Social
  Engineering by David Gragg, GSEC Option 1
  version 1.4b, Dec. 2002
• The Art of Deception, Kevin Mitnick