Social Engineering: The Good and Bad

Tzar C. Umang, Tzar Enterprises – 23o9.tech

Upload: tzar-umang

Post on 21-Feb-2017



Objective

• Understand the principles of Social Engineering on both ends, the good and the bad
• Define the goals of Social Engineering
• Recognize the signs of Social Engineering
• Social Media and Social Engineering
• Identify ways to sort out information to protect or comply responsibly

Social Engineering?

• Definition 1
  • A method by which people are manipulated, consciously or unconsciously, to extract personal and valuable information for the following purposes:
    • Hacking into accounts
    • Identity theft
• Done with:
  • Psychological manipulation
  • Trickery or deception

Social Engineering?

• Definition 2
  • It is a way for criminals to lure victims to an infected item in order to secretly install spyware, trojans and malware, or to use a mock-up login page to trick users into entering their username and password.

Social Engineering?

• Definition 3
  • It is the most effective way to steal confidential data from unsuspecting victims.
  • According to Siemens Enterprise Communications, based in Germany, in a recent Siemens test 85 percent of office workers were duped by social engineering.

“Most employees are utterly unaware that they are being manipulated,” says Colin Greenlees, security and counter-fraud consultant at Siemens.

Social Engineering?

It is a method governed by several disciplines, such as psychology and mathematics, to bring about a shift in the mindset or thinking of the target individual or population, and so bring about compliance based on the goals and targets of the Social Engineer, whether it is good or bad…

Good:
• Rapid mind shift towards social change for the better
• Effective compliance to laws

Bad:
• Inciting rebellion
• Data leakage through irresponsible mind or thought shaping

Social Engineering and Security Challenges

• What are they up to?
• Valuable Information
• Identity
• Profiling Data
• Compliance
• Manipulation

Social Engineering and Security

• Information Theft

  • Obtaining simple information such as your pet's name, birthday, where you're from, the places you've visited; information that you'd give out freely to your friends.
  • Think of yourself as a walking computer, full of valuable information about yourself. You've got a name, address, and valuables. Now categorize those items like a business does: personally identifiable data, financial information, cardholder data, health insurance data, credit reporting data, and so on…

Social Engineering and Security

• Where do you use the information?
  • Answers to secret questions…

– What's the name of your first pet?
– What is your maiden name?
– When was your mother/father born?
– Where were you born?
– When were you born?

Social Engineering and Security

• Common strategies that are used:

– Pretexting – Creating a fake scenario. Example: “Mr. Zimbabwe”

– Phishing and Fake Websites – Send out bait to fool victims into giving away their information using a site that looks like the real thing. Victims log in with real credentials, which are now compromised. Example: “FB Fake Login Page”

– Fake Pop-up – Pops up in front of a real web site to obtain user credentials. Example: “Special Offer”

Social Engineering and Security

• Large Scale Mind Shift Operation

• FB Emotion Targeting Experiment
  • Negative posts were increased, which affected users' emotions and pushed them to post more negative stuff

• “Million People March”
  • A viral phenomenon where the citizenry's flared-up emotions were used to bring them to gather around Rizal Park in 2011; organizers used social engineering to effectively invite people

• Smarter Philippines Rapid Mind Shift Framework
  • Highly based on social engineering principles to rapidly shift the mindset of the target social group to enhance productivity and compliance

Protection?

• To protect yourself from the bad side of Social Engineering you should:

– Recognize inappropriate requests for information
– Take ownership for corporate security
– Understand risk and impact of security breaches
– Social engineering attacks are personal
– Password management
– Two factor authentication
– Physical security
– Understand what information you are putting on the Web for targeting at social network sites

Making it Effective?

• How to make it effective if you are geared towards the good side of Social Engineering?
  • Know the target, weaknesses and strengths
  • Work on the need
  • Localize
  • Rapid IEC
  • Real Results

Thank you for listening!!!

Tzar C. Umang