hacking module 09

Upload: jitendra-kumar-dash

Post on 29-May-2018


TRANSCRIPT

  • 8/9/2019 hacking Module 09


    NMCSP2008 Batch-I

    Module IX

    Social Engineering


    Module Objectives

    What is Social Engineering?

    Common Types of Attacks

    Social Engineering by Phone

    Dumpster Diving

    Online Social Engineering

    Reverse Social Engineering

    Policies and Procedures

    Employee Education


    Module Flow

    Aspects of Social Engineering

    Policies and Procedures

    Reverse Social Engineering

    Computer Based Social Engineering

    Social Engineering Types


    What is Social Engineering?

    Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

    Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still wide open to attacks.

    An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they don't know, or even by talking about a project with co-workers at a local pub after hours.


    Art of Manipulation

    Social Engineering includes acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with outsiders.

    The goal of a social engineer is to trick someone into providing valuable information or access to that information. It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.


    Human Weakness

    People are usually the weakest link in the security chain.

    A successful defense depends on having good policies in place and educating employees to follow the policies.

    Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.


    Common Types of Social Engineering

    Social Engineering can be broken into two types: human based and computer based.

    1. Human-based Social Engineering refers to person to person interaction to retrieve the desired information.

    2. Computer based Social Engineering refers to having computer software that attempts to retrieve the desired information.


    Human based social engineering techniques can be broadly categorized into:

    Impersonation

    Posing as Important User

    Third-person Approach

    Technical Support

    In Person

    Dumpster Diving

    Shoulder Surfing

    Human based - Impersonation


    Example


    Example


    Computer Based Social Engineering

    These can be divided into the following broad categories:

    Mail/IM attachments

    Pop-up Windows

    Websites/Sweepstakes

    Spam Mail


    Reverse Social Engineering

    A more advanced method of gaining illicit information is known as "reverse social engineering".

    This is when the hacker creates a persona that appears to be in a position of authority, so that employees will ask him for information rather than the other way around.

    The three parts of reverse social engineering attacks are sabotage, advertising and assisting.


    Security Policies - Checklist

    Account Setup

    Password Change Policy

    Help Desk Procedures

    Access Privileges Violations

    Employee Identification

    Privacy Policy

    Paper Documents

    Modems

    Physical Access Restrictions

    Virus Control


    Summary

    Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

    Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.

    Human-based Social Engineering refers to person to person interaction to retrieve the desired information.

    Computer based Social Engineering refers to having computer software that attempts to retrieve the desired information.

    A successful defense depends on having good policies inplace and diligent implementation.