social engineering: the forgotten information assurance risk
Social Engineering: The Forgotten Information Assurance Risk
© Copyright 2004 Marcus K. Rogers All Rights Reserved. “(ISC)² Presents: Securing Your Company's Infrastructure”
Marc Rogers PhD, CISSP, CCCI
Associate Professor
Department of Computer Technology
Center for Education and Research in Information Assurance & Security (CERIAS)
Purdue University
Outline
• How Big is the Problem?
• What is Social Engineering?
• Why is SE so Effective?
• Anatomy of an SE Attack
• How to Mitigate the Risk
• Conclusions
How big is the Problem?
How big is the Problem?
• CSI/FBI 2004
• $141,496,560 decrease from last year ???
• Denial of Service most costly
• Theft of IP second
• 2002-03 Australian Cyber Crime Survey
• Volume of attacks doubled since 2001
• Deloitte 2004 Global Security Survey
• Financial Institutions’ concern tied to regulatory compliance
• 83% of respondents had suffered a compromise
• PWC/Department of Trade & Industry: Information Security Breaches Survey 2004 (UK)
• Number of breaches increased
• Average cost of incident to large business was roughly $250,000
How big is the Problem?
[Figure: CERT/CC Stats, Incidents Reported]
How big is the Problem?
• CSO 2003 Survey
• Respondents who suffered the most damages from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.
• Those with the most damages were nearly half as likely to list staff training as one of their top three priorities.
How big is the Problem?
• We don’t really know????
• Lack of meaningful metrics
• Trends indicate that it is increasing yearly
• The monetary loss has been estimated from $400 Million - $12 Billion
• Identity theft - fastest growing non-violent criminal activity
• Phishing exploits seem to be on the rise
How big is the Problem?
• ID Theft: Fastest growing non-violent criminal activity in the US – FTC
How big is the Problem?
• “Phishing”
• Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data.
• Account usernames and passwords, credit card numbers, social security numbers, ATM card PINs
• Because these e-mails look “official” and recipients trust the brand, they often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.
Phishing
Phishing
• A Closer Look!
• Complete email Headers:
• Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
• Whois on this domain:
• Registered to a company on the Island of Curacao
Phishing
Real site: www.citizensbank.com
Phishing: Source View
• Snippet of the source:
</A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best
you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on in 1822 Pokemon =
Gold It's not for me Temptation Island Big Brother I can't answer it's =
beautiful Just tonight no more Terra in 1861 going to Wrong number =
</font></p></html>
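As an added example (not from the presentation), a defender-side check of the two red flags the slides walk through: the connecting host recorded in the Received: header versus the brand the mail claims to come from, and near-white filler text in the HTML source. The header is the one quoted on the slide; the quoted-printable HTML fragment is constructed in the style of the snippet above, and the brand domain is the one shown on the slide.

```python
import re
import quopri
from html.parser import HTMLParser

# Constructed inputs: the Received: header from the slide and a QP-encoded HTML stand-in.
RECEIVED = ("Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) "
            "by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500")
BODY_QP = (b'<p><font color=3D"#FFFFFA">in 1847 Windows Me All the best =\r\n'
           b'you are stupid Napster</font></p>')

def parse_received(header):
    """Return (host, ip) that connected to the recipient's own server. This hop was
    written by the receiving server, so the IP is the one value the sender cannot forge."""
    m = re.search(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", header)
    return (m.group(1), m.group(2)) if m else (None, None)

def host_matches_brand(host, brand_domain):
    """True only if the sending host is the brand's domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def is_near_white(colour):
    """Colours such as #FFFFFA are indistinguishable from a white background."""
    m = re.fullmatch(r"#?([0-9a-fA-F]{6})", colour.strip())
    if not m:
        return False
    r, g, b = (int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4))
    return min(r, g, b) >= 0xF0

class HiddenTextFinder(HTMLParser):
    """Collects text inside near-white <font> tags: filler meant to slip past content filters."""
    def __init__(self):
        super().__init__()
        self.stack, self.hidden = [], []   # stack: one bool per open <font>
    def handle_starttag(self, tag, attrs):
        if tag == "font":
            self.stack.append(is_near_white(dict(attrs).get("color") or ""))
    def handle_endtag(self, tag):
        if tag == "font" and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if any(self.stack):
            self.hidden.append(data)

def analyse(received, body_qp, brand_domain):
    """Decode the quoted-printable body and report both red flags as a dict."""
    host, ip = parse_received(received)
    finder = HiddenTextFinder()
    finder.feed(quopri.decodestring(body_qp).decode("latin-1"))  # undoes =3D and =\r\n
    return {"origin_host": host, "origin_ip": ip,
            "origin_matches_brand": host_matches_brand(host, brand_domain),
            "hidden_text": " ".join("".join(finder.hidden).split())}
```

For the slide's message, `analyse(RECEIVED, BODY_QP, "citizensbank.com")` reports a Mexican consumer-ISP host that does not belong to the bank and recovers the invisible filler words.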
What is Social Engineering?
• Social/Psychological phenomenon
• Original Definition
“The practical application of sociological principles to particular social problems.”
• Not necessarily a “negative” term
• Persuasion
• Various psychological/communications theories
• Cognitive Dissonance
• Language Expectation Theory
• Has now become a negative technology issue
What is Social Engineering?
• “Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure to an information system, network or data.” (Rogers & Berti, 2001)
• Basically using deception or persuasion to “con” someone into providing information or access they would not usually have provided.
Why is SE so Effective?
• The Information Assurance/Security Field has focused primarily on technical security
• Almost no attention to the person-machine interaction
• Only as strong as the weakest link: people are the weakest link
• Why spend time attacking the technology when a person will give you access?
• Extremely hard to detect as there is no IDS for “lack of common sense” or more appropriately, ignorance
Why is SE so Effective?
• 2 Primary Factors
• Basic Human Nature & Business Environment
• Human Nature:
• Helpful
• Trusting
• Naïve
• Business Environment
• Service Oriented
• Time Crunch/Multitasking
• Distributed Locations
• Virtual Offices
• Transient Workforce
Anatomy of an SE Attack
• Very similar to how Intelligence Agencies infiltrate their targets
• 3 Phased Approach
• Phase 1 - Intelligence Gathering
• Phase 2 - “Victim” Selection
• Phase 3 - The Attack
• Usually a very methodical approach
Anatomy of an SE Attack
• Phase 1 - Intelligence Gathering
• Primarily Open Source Information
• Dumpster Diving
• Web Pages
• Ex-employees
• Contractors
• Vendors
• Strategic Partners
• The foundation for the next phases
Anatomy of an SE Attack
• Phase 2 - “Victim” Selection
• Looking for weaknesses in the organization’s personnel
• Help Desk
• Tech Support
• Reception
• Admin. Support
• Etc.
Anatomy of an SE Attack
• Phase 3 - The Attack
• Commonly known as the “con”
• Primarily based on “peripheral” routes to persuasion
• Authority
• Liking & Similarity
• Reciprocation
• Commitment & Consistency
• Uses emotionality as a form of distraction
The SE Attack
• 4 General categories of attacks:
• Technical Attacks
• Ego Attacks
• Sympathy Attacks
• Intimidation Attacks
Anatomy of an SE Attack
• The Technical Attack - (Authority/Consistency)
• No direct interpersonal contact with victims
• Attacker forges e-mail messages, pop ups, web sites, or some other medium
• Pretends to be an authorized support or system admin person, which legitimizes the request
• Tries to obtain sensitive account information from users (e.g., passwords, user-ids, CC #s, PINs etc.)
• “PHISHING”
• Has been very successful to date
Anatomy of an SE Attack
• The Ego Attack - (Reciprocation/Liking)
• Attacker appeals to the vanity, or ego of the victim
• Usually targets someone they sense is frustrated with their current job position
• The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
• Attacker may pretend to be law enforcement; the victim feels honored to be helping
• Victim usually never realizes
Anatomy of an SE Attack
• Sympathy Attacks - (Liking/Commitment)
• Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.
• There is some urgency to complete some task or obtain some information
• Needs assistance or they will be in trouble or lose their job etc.
• Plays on the empathy & sympathy of the victim
• Attackers “shop around” until they find someone who will help
• Very successful attack
Anatomy of an SE Attack
• Intimidation Attack - (Authority)
• Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
• Attempt to use their authority to coerce the victim into cooperation
• If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.)
• If they pretend to be law enforcement, they will claim the investigation is hush-hush and not to be discussed, etc.
Mitigating the Risk
• The Impact of SE is usually high
• The ease of the Attack is high
• Technical controls alone will not prevent the attack
• Operational/Administrative controls alone will not prevent it
• Environmental controls alone will not prevent it
Mitigating the Risk
• We need a combination of Operational/Administrative, Technical (logical), & Environmental (Physical) Control Principles
• It really comes down to:
• Technology
• Policies
• Education
• Awareness
• Training
Mitigating the Risk
• All employees should have a security mind-set and question things
• Need to recognize good “catches”
• Have proper incident response procedures and teams to mitigate the damage if a breach occurs
• Immediate notification of targeted groups
• Apply technology where possible
• Need to test your readiness periodically
• IT Security reviews/assessments that include SE
Conclusions
• SE Attacks are a serious threat
• SE Attacks are very easy and very effective
• We cannot forget about the person-machine interaction
• Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem
• The best defense is proper education and awareness training combined with technical approaches
Parting Thoughts
“Those who fail to learn the lessons of history are doomed to repeat them.” (Santayana)
Questions/Comments?
Contact Information
Dr. Marc Rogers
Department of Computer Technology
Purdue University
765-494-2561