module 3 social engineering-b

© 2010 – Foreground Security. All rights reserved

Upload: bbaoc

Post on 01-Jun-2015


Page 1:

Module 3: Social Engineering

Page 2:

Social Engineering

Did you know that humans get hacked as much as computers? It’s called social engineering, and it has been happening since long before computers ever existed!

Page 3:

Module Objectives

This Module will cover the following:

• What is Social Engineering

• Background

• Examples

• Countermeasures

Page 4:

Social Engineering Definition

Social Engineering: n.

Term used among hackers and security professionals for techniques that rely on weaknesses in people rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.

Source: The Hacker’s Jargon dictionary

Page 5:

Social Engineering Definition

Impersonation and deception for the purpose of gathering information to obtain:

• Network information

• System access information

• Personal information

• Passwords

Impersonation and deception for the purpose of influencing action such as:

• Establishing, moving, or canceling a service

• Making a commitment or scheduling an engagement for which someone else is responsible

Page 6:

Social Engineering

Can you spot a “Social Engineer” in this group?

Page 7:

Social Engineering Methods

Page 8:

Social Engineering Methods

Social Engineering by Phone

• The most prevalent type of social engineering attack.

• Callers may be male or female

• The caller may appear to know the make and model of your equipment.

• The caller is after equipment serial numbers on devices such as printers, copiers, and computers.

• The caller will attempt to gain as much ‘extra’ information as possible, such as phone numbers, fax numbers, employee titles, addresses and other employee information.

• The caller uses a ‘private’ or spoofed phone number.

• Demonstration

Page 9:

Social Engineering Methods

Social Engineering in Person

Dumpster Diving: A huge amount of information can be collected through company dumpsters and trash.

• Examples include: company phone books, organizational charts, memos, company policy manuals, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.

Impersonation: A repairman, trusted third party, fellow employee, anyone in uniform.

• Example: the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him, dressed in corporate uniform, with fake ID…

Page 10:

Social Engineering Methods

Social Engineering by Internet

• Fraudulent messages are designed to fool the recipients into divulging personal authentication data such as account usernames and passwords, credit card numbers, social security numbers, etc.

• Phishing attacks use email or malicious web sites to solicit personal, often financial, information or login/password information.

• Email attachments that appear to come from a legitimate sender can carry viruses, worms and Trojan horses.

• Because these emails look “official”, over 5% of recipients may respond to them, resulting in financial losses, identity theft, release of sensitive information or other fraudulent activity.

Page 11:

Social Engineering Methods

Social Engineering by Mail or E-mail

• E-mails that offer friendships, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.

• The victim is motivated to open the message because it appears to:

– Offer useful information, such as security notices or verification of a purchase

– Promise a diversion, such as jokes, gossip, cartoons or photographs

– Give away something for nothing, such as music, videos or software downloads

Page 12:

Social Engineering Countermeasures

Social engineering countermeasures

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

Page 13:

Social Engineering Countermeasures

How to avoid being a victim?

• Don't send or provide sensitive information over the Internet, over the phone, or in person before checking authenticity.

• Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• If you are unsure whether an email or “snail mail” request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request.
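A small check for the URL advice above, added here as an example and not part of the original training module: given a constructed list of trusted domains (an assumption), it flags a link whose domain swaps the top-level domain, misspells the name by a character or two, or hides the trusted name inside some other host. It goes slightly beyond the slide by also catching the trusted name used as a subdomain or as the user-info part of a URL.

```python
from urllib.parse import urlsplit

# Constructed list of domains the organisation treats as legitimate (assumption).
TRUSTED_DOMAINS = {"examplebank.com"}


def registrable_domain(host):
    """'login.examplebank.com' -> 'examplebank.com' (simplified: ignores
    multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no host name in URL"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        # Trusted name buried in the host, e.g. examplebank.com.evil.net
        # or examplebank.com@evil.net (netloc keeps the user-info part).
        if trusted in parts.netloc.lower():
            return "suspicious", f"{trusted} appears inside {parts.netloc}; real domain is {domain}"
        if name == tname and tld != ttld:
            return "suspicious", f"different top-level domain: .{tld} instead of .{ttld}"
        if tname in name or edit_distance(name, tname) <= 2:
            return "suspicious", f"look-alike of {trusted}: {domain}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message.
    for link in ("https://login.examplebank.com/auth", "http://examplebank.net/login",
                 "http://examp1ebank.com/", "http://examplebank.com@evil.net/"):
        print(link, "->", classify_url(link))
```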

Page 14:

Exercise

Social engineering

• Name 3 Companies

– ________________

– ________________

– ________________