Ethical Hacking and Countermeasures
Version 6

Module XI
Social Engineering
Scenario




                                Source: http://www.treasury.gov/


                                                   Copyright © by EC-Council
EC-Council              All Rights Reserved. Reproduction is Strictly Prohibited
News




                    Source: http://www.technewsworld.com/

Module Objective


             This module will familiarize you with:

             •   Social Engineering
             •   Types of Social Engineering
             •   Behaviors vulnerable to attacks
             •   Social Engineering Threats and Defenses
             •   Countermeasures for Social engineering
             •   Policies and Procedures
             •   Impersonating Orkut, Facebook, and MySpace
             •   Identity Theft
             •   Countermeasures for Identity theft


Module Flow

• Social Engineering
• Types of Social Engineering
• Behaviors vulnerable to attacks
• Social Engineering Threats and Defenses
• Countermeasures for Social engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity theft
There is No Patch to Human Stupidity
What is Social Engineering


Social Engineering is the human side of breaking into a corporate network

Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks

An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they do not know, or even by talking about a project with coworkers at a local pub after hours

What is Social Engineering (cont’d)

Social engineering is the tactic or trick of gaining sensitive information by exploiting basic human nature such as:

              • Trust
              • Fear
              • Desire to Help


              Social engineers attempt to gather information
              such as:

              • Sensitive information
              • Authorization details
              • Access details


Human Weakness


     People are usually the weakest link in the
     security chain



     A successful defense depends on having good
     policies and educating employees to follow
     them


     Social Engineering is the hardest form of
     attack to defend against because it cannot be
     defended with hardware or software alone


“Rebecca” and “Jessica”

Hackers use the terms “Rebecca” and “Jessica” to denote social engineering attacks

Hackers commonly use these terms to social engineer victims

Rebecca and Jessica mean a person who is an easy target for social engineering, such as the receptionist of a company

Example:

• “There was a Rebecca at the bank and I am going to call her to extract the privileged information.”
• “I met Ms. Jessica, she was an easy target for social engineering.”
• “Do you have any Rebecca in your company?”
Office Workers

Despite having the best firewall, intrusion-detection, and antivirus systems that technology has to offer, you are still hit with security breaches


      One reason for this may be lack of motivation among
      workers


      Hackers can attempt social engineering attack on
      office workers to extract sensitive data such as:

       •   Security policies
       •   Sensitive documents
       •   Office network infrastructure
       •   Passwords
Types of Social Engineering

             Social Engineering can be divided into two
             categories:


• Human-based:
  • Gathers sensitive information by interaction
  • Attacks of this category exploit trust, fear, and the helping nature of humans
• Computer-based:
  • Social engineering is carried out with the aid of computers




Human-Based Social Engineering

Posing as a Legitimate End User


             • Gives identity and asks for the sensitive information
             • “Hi! This is John, from Department X. I have forgotten my password. Can I
               get it?”



             Posing as an Important User


             • Posing as a VIP of a target company, valuable customer, etc.
             • “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost
               system password. Can you help me out?”



Human-Based Social Engineering (cont’d)


        Posing as Technical Support



• Calls as technical support staff and requests IDs and passwords to retrieve data
• ‘Sir, this is Mathew, Technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and Password?’



Technical Support Example



A man calls a company’s help desk and says he’s forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network




More Social Engineering Examples

"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a Website crash."




More Social Engineering Examples

"Hi I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us.

They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up.

Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their Website a while back, which is one of the reasons they're considering our company."




More Social Engineering Examples

"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.




Human-Based Social Engineering: Eavesdropping

Eavesdropping or unauthorized listening of conversations or reading of messages

Interception of any form such as audio, video, or written




Human-Based Social Engineering: Shoulder Surfing

Looking over your shoulder as you enter a password

Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification numbers, account numbers, and more

Simply, they look over your shoulder, or even watch from a distance using binoculars, in order to get those pieces of information

Figure: a hacker watches a victim enter passwords




Human-Based Social Engineering: Dumpster Diving

Search for sensitive information at target company’s:

• Trash bins
• Printer trash bins
• User desks for sticky notes, etc.

Collect:

• Phone bills
• Contact information
• Financial information
• Operations-related information, etc.

Dumpster Diving Example

A man behind the building is loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans, and the latest company financials



                 This information is sufficient to
                 launch a social engineering attack on
                 the company




Dumpster Diving Example


For example, if the hacker appears to have a good working knowledge of the staff in a company department, he or she will probably be more successful while making an approach; most staff will assume that someone who knows a lot about the company must be a valid employee




Oracle Snoops Microsoft’s Trash Bins

"We weren't spying. We were trying to expose what Microsoft was doing," said a fiery Ellison when reporters asked repeatedly about the detective agency's attempts at buying garbage.




Human-Based Social Engineering (cont’d)

In person:
• Survey a target company to collect information on current technologies, contact information, and so on

Third-party Authorization:
• Refer to an important person in the organization and try to collect data
• “Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?”

Human-Based Social Engineering (cont’d)


             Tailgating


         • An unauthorized person, wearing a fake ID badge, enters a secured area by
           closely following an authorized person through a door requiring key access
         • An authorized person may be unaware of providing an unauthorized person
           access to a secured area



             Piggybacking


         • “I forgot my ID badge at home. Please help me.”
         • An authorized person provides access to an unauthorized person by keeping the
           secured door open


Human-Based Social Engineering (cont’d)

Reverse Social Engineering


        • This is when the hacker creates a persona that
          appears to be in a position of authority so that
          employees will ask him for information, rather
          than the other way around
        • Reverse Social Engineering attack involves
             • Sabotage
             • Marketing
             • Providing Support




Movies to Watch for Reverse Engineering Examples: The Italian Job and Catch Me If You Can




Computer-Based Social Engineering

It can be divided into:

• Mail / IM attachments
• Pop-up Windows
• Websites / Sweepstakes
• Spam mail

Computer-Based Social Engineering (cont’d)

Pop-up Windows
• Windows that suddenly pop up while surfing the Internet and ask for users’ information to login or sign in

Hoaxes and chain letters
• Hoax letters are emails that issue warnings to users about new viruses, Trojans, or worms that may harm the user’s system
• Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of persons




Computer-Based Social Engineering (cont’d)

Figure: Online Pop-Up Attacks and Costs


Computer-Based Social Engineering (cont’d)

Instant Chat Messenger
• Gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names
• Acquired data is later used for cracking the user’s accounts

Spam email
• Email sent to many recipients without prior permission, intended for commercial purposes
• Irrelevant, unwanted, and unsolicited email to collect financial information, social security numbers, and network information


Computer-Based Social Engineering (cont’d)

Phishing

• An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s personal or account information
• Lures online users with statements such as:
  • Verify your account
  • Update your information
  • Your account will be closed or suspended
• Spam filters and anti-phishing tools integrated with web browsers can be used to protect from phishers


Computer-Based Social Engineering (cont’d)

Figure: E-mail phishing hyperlink
Figure: Web page phishing hyperlink
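The two phishing slides above (the lure phrases and the mismatched e-mail hyperlink) describe what a mail filter looks for. The script below is an added example, not code from the EC-Council module: it pulls every anchor out of an HTML message, flags links whose visible text names a different host than the href really points to or whose host is a bare IP address, and reports which of the module's lure phrases appear in the text. SAMPLE_EMAIL and every host and address in it are constructed for the demonstration.

```python
"""Flag phishing indicators in an HTML e-mail body.

Added example, not code from the EC-Council module: it checks each
<a href> for (1) a mismatch between the host named in the visible link
text and the host the href really points to and (2) a bare IP address
as the link host, and it scans the text for the lure phrases the module
lists. SAMPLE_EMAIL and all hosts in it are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases named on the module's phishing slide, lowercased.
LURE_PHRASES = (
    "verify your account",
    "update your information",
    "your account will be closed or suspended",
)

# Constructed sample: the first link shows one host but points to another.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please verify your account within 24 hours.</p>
<p><a href="http://203.0.113.10/login">https://bank.example.com/login</a></p>
<p>Or read our <a href="https://bank.example.com/help">help pages</a>.</p>
</body></html>
"""

# A host name (optionally behind http:// or https://) inside link text.
_HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    """True when the link host is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return the links with a host mismatch or an IP-literal host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = (urlparse(href).hostname or "").lower()
        shown_match = _HOST_RE.search(text)
        shown = shown_match.group(1).lower() if shown_match else None
        reasons = []
        if shown and shown != actual:
            reasons.append("host mismatch")
        if _is_ip_literal(actual):
            reasons.append("ip literal")
        if reasons:
            findings.append({"href": href, "text": text, "shown": shown,
                             "actual": actual, "reasons": reasons})
    return findings


def lure_phrases(html):
    """Return the module's lure phrases that occur in the message text."""
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    return [phrase for phrase in LURE_PHRASES if phrase in plain]


def score_email(html):
    """Flag the mail when it both shows a lure and carries a bad link."""
    links = suspicious_links(html)
    lures = lure_phrases(html)
    return {"links": links, "lures": lures,
            "suspicious": bool(links) and bool(lures)}


if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))
```

Requiring both a lure phrase and a bad link before raising the verdict keeps ordinary marketing mail (lure wording, honest links) and plain IP-literal intranet links (no lure) from tripping the filter; a production filter would add sender-domain and reputation checks on top.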
Computer-Based Social Engineering (cont’d)

Figure: Online E-mail Attacks and Costs
Insider Attack

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization

It takes only one disgruntled person to take revenge and your company is compromised


             •   60% of attacks occur behind the firewall
             •   An inside attack is easy to launch
             •   Prevention is difficult
             •   The inside attacker can easily succeed
             •   Difficult to catch the perpetrator

Disgruntled Employee

Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, no respect, no promotions, etc.

Figure: a disgruntled employee on the company network sends company secrets to a competitor using steganography


Preventing Insider Threat

      There is no single solution to prevent an insider threat



             Some recommendations:

• Separation of duties
• Rotation of duties
• Least privilege
• Controlled access
• Logging and auditing
• Legal policies
• Archive critical data
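Three of the recommendations above (separation of duties, least privilege, logging and auditing) can be enforced in code rather than left to policy documents. The script below is an added example, not code from the EC-Council module: a small authorization check for a payment-approval workflow in which each role holds only the actions it needs, the person who created a payment can never approve it, and every decision, allowed or denied, is written to an audit log. The roles, the user directory and the payment record are constructed for the demonstration.

```python
"""Separation of duties and least privilege with an audit trail.

Added example, not code from the EC-Council module: a small
authorization check for a payment-approval workflow that applies three
of the controls listed on the slide. The roles, the user directory and
the payment record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least privilege: each role holds only the actions its job needs.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "manager": {"payment:create", "payment:approve"},
    "auditor": {"audit:read"},
}

# Constructed user directory (hypothetical names).
USER_ROLES = {"alice": "clerk", "bob": "manager", "dave": "manager",
              "carol": "auditor"}


@dataclass
class AuditLog:
    """Append-only record of every decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user, action, target, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "target": target,
            "allowed": allowed, "reason": reason,
        })


def authorize(user, action, payment, log):
    """Return True if user may perform action on payment; log either way."""
    role = USER_ROLES.get(user)
    if role is None or action not in ROLE_PERMISSIONS.get(role, set()):
        log.record(user, action, payment["id"], False, "no permission for role")
        return False
    # Separation of duties: whoever created the payment may not approve it.
    if action == "payment:approve" and payment["created_by"] == user:
        log.record(user, action, payment["id"], False, "separation of duties")
        return False
    log.record(user, action, payment["id"], True, "ok")
    return True


def run_demo():
    """Exercise the check against a constructed payment created by bob."""
    log = AuditLog()
    payment = {"id": "P-1", "created_by": "bob", "amount": 5000}
    results = {
        "bob_create": authorize("bob", "payment:create", payment, log),
        "bob_approve": authorize("bob", "payment:approve", payment, log),
        "dave_approve": authorize("dave", "payment:approve", payment, log),
        "alice_approve": authorize("alice", "payment:approve", payment, log),
        "carol_read": authorize("carol", "audit:read", payment, log),
    }
    return results, log


if __name__ == "__main__":
    results, log = run_demo()
    for entry in log.entries:
        print(entry)
```

The denied attempts are the interesting records: an auditor reading the log sees bob trying to approve his own payment and alice reaching beyond her role, which is exactly the behaviour the "logging and auditing" recommendation exists to surface.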



Common Targets of Social Engineering

Receptionists and help desk personnel

Technical support executives

Vendors of target organization

System administrators and users


Social Engineering Threats and Defenses



Social Engineering Threats and Defenses

             Major attack vectors that a social
             engineering hacker uses:

             •   Online
             •   Telephone
             •   Personal approaches
             •   Reverse social engineering




Online Threats

In a connected business world, staff often use and respond to requests and information that come electronically

This connectivity enables hackers to make approaches to staff from the relative anonymity of the Internet

Online attacks, such as e-mail, pop-up application, and instant message attacks, use Trojan horses, worms, or viruses (malware) to damage or subvert computer resources

A social engineering hacker persuades a staff member to provide information through a believable ruse, rather than infecting a computer with malware through a direct attack

An attack may provide information that enables the hacker to make a subsequent malware attack

Solution: Advise staff on how to identify and avoid online social engineering attacks

Telephone-Based Threats

Telephone offers a unique attack vector for social engineering hackers

It is a familiar medium, but it is also impersonal, because the target cannot see the hacker

Communication options for most computer systems can also make Private Branch Exchange (PBX) an attractive target

Stealing either credit card or telephone card PINs at telephone booths is another kind of attack

Telephone-Based Threats (cont’d)

There are three major goals for a hacker who attacks a PBX:

• Request information, usually through the imitation of a legitimate user, either to access the telephone system itself or to gain remote access to computer systems
• Gain access to “free” telephone usage
• Gain access to communications network

Figure: Telephony PBX attack


Personal Approaches

The simplest and cheapest way for a hacker to get information is to ask for it directly

This approach may seem crude and obvious, but it has been the bedrock of confidence tricks since time began


             Four main successful approaches
             for social engineers:

             •   Intimidation
             •   Persuasion
             •   Ingratiation
             •   Assistance



Defenses Against Social Engineering Threats

        After you understand the wide range of threats, 3 steps are
        necessary to defend against social engineering threats

         • Develop a security management framework
         • Undertake risk management assessments
         • Implement social engineering defenses within your security policy




Defenses Against Social Engineering Threats (cont’d)

Risk Assessment:
  • You need to assess the level of risk that an attack poses to your company in order to deploy suitable security measures
       Risk categories include:
         •   Confidential information
         •   Business credibility
         •   Business availability
         •   Resources
         •   Money




Factors that make Companies
                 Vulnerable to Attacks
     Insufficient security training and awareness


     Several organizational units


     Lack of appropriate security policies


     Easy access to information, e.g., e-mail IDs and phone extension
     numbers of employees




Why is Social Engineering
                 Effective
   Security policies are only as strong as their weakest link, and
   humans are the most susceptible factor



   Difficult to detect social engineering attempts



   There is no method to ensure the complete security
   from social engineering attacks



   No specific software or hardware for defending against
   a social engineering attack
Warning Signs of an Attack


             An attacker may:

             •   Show inability to give a valid callback number
             •   Make informal requests
             •   Claim authority
             •   Show haste
             •   Offer unusual compliments or praise
             •   Show discomfort when questioned
             •   Drop names inadvertently
             •   Threaten dire consequences if information is not provided




Tool : Netcraft Anti-Phishing Toolbar
                  www.netcraft.com


    An anti-phishing system consisting of a toolbar and a central server that has
    information about URLs provided by the Toolbar community and Netcraft



    Blocks phishing websites that are recorded in Netcraft’s central server



    Suspicious URLs can be reported to Netcraft by clicking Report a Phishing Site
    in the toolbar menu



    Shows all the attributes of each site such as host location, country, longevity, and
    popularity
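The toolbar above combines a central list of reported phishing URLs with per-site attributes a user can eyeball. The following is an added Python example, not Netcraft's code, of the same idea done locally: a blocklist lookup plus a few structural checks (raw IP hosts, user-info before the real host, a brand name appearing in a host that is not registered under that brand's own domain). The blocklist, the brand table, the sample URLs and the "last two labels" definition of a registrable domain are all constructed assumptions for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist: stands in for the toolbar's central list of
# reported phishing hosts (not Netcraft's real data).
BLOCKLIST = {"secure-login-update.example.net"}

# Constructed table of brand keywords and the registrable domains the
# brand legitimately uses; an assumption for the demonstration.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name.  Simplification: no public-suffix
    list is consulted, so a host under 'co.uk' would be reduced too far."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocklisted(host: str) -> bool:
    """Exact match or subdomain of a blocklisted host."""
    return any(host == b or host.endswith("." + b) for b in BLOCKLIST)


def check_url(url: str) -> list[str]:
    """Return the reasons a URL looks like phishing (empty list = no finding)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    reasons = []
    if is_blocklisted(host):
        reasons.append("host is on the phishing blocklist")
    if parts.username is not None:
        # 'http://bank.example@evil.example/': the real host follows the '@'
        reasons.append("URL carries user-info before the real host")
    if is_ip_literal(host):
        reasons.append("host is a raw IP address, not a domain name")
    reg = registrable_domain(host)
    for brand, legit_domains in BRAND_DOMAINS.items():
        # Brand name present somewhere in the host, but the part that was
        # actually registered is not one of the brand's own domains.
        if brand in host and reg not in legit_domains:
            reasons.append(f"mentions '{brand}' but is registered as {reg}")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs (documentation/TEST-NET addresses only).
    for sample in (
        "https://www.paypal.com/signin",
        "http://paypal.com.secure-login-update.example.net/",
        "http://192.0.2.10/login",
        "http://paypal.com@evil.example/",
    ):
        print(sample, "->", check_url(sample) or "no finding")
```

The structural checks are a supplement to the blocklist, not a replacement: a freshly registered phishing host will pass every heuristic until somebody reports it, which is why the toolbar's community reporting matters.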


Tool : Netcraft Anti-Phishing Toolbar (cont’d)



       Netcraft Toolbar

                                                                    Site Report




Tool : Netcraft Anti-Phishing Toolbar (cont’d)




             Location details; Website Network Information
Phases in a Social Engineering
                     Attack
       Four phases of a Social Engineering Attack:

       • Research on target company: dumpster diving, websites, employees, company tour, and so on
       • Select victim: identify frustrated employees of the target company
       • Develop relationship: develop a relationship with the selected employees
       • Exploit the relationship to achieve the objective: collect sensitive account information, financial information, and current technologies
Behaviors Vulnerable to Attacks
        Trust
        • Human nature of trust is the basis of any social engineering attack

        Ignorance
        • Ignorance about social engineering and its effects among the workforce
          makes the organization an easy target

        Fear
        • Social engineers might threaten severe losses in case of non-compliance with
          their request

        Greed
        • Social engineers lure the targets to divulge information by promising
          something for nothing

        Moral duty
        • Targets are asked for the help, and they comply out of a sense of moral
          obligation

Impact on the Organization

     Economic losses


     Damage of goodwill


     Loss of privacy


     Dangers of terrorism


     Lawsuits and arbitrations


     Temporary or permanent closure
Countermeasures

             Training

             • An efficient training program should cover all security policies
               and methods, in order to increase awareness of social engineering




Countermeasures (cont’d)

             Password policies


             •   Periodic password change
             •   Avoiding guessable passwords
             •   Account blocking after failed attempts
             •   Length and complexity of passwords
                 • Minimum number of characters, use of special characters, and
                   numbers etc. e.g. ar1f23#$g
             •   Secrecy of passwords
                 • Do not reveal if asked, or write on anything to remember them
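The password-policy items above, as an added Python example (not code from the EC-Council module): a checker for the length, complexity and guessability rules, a periodic-change test, and a lockout tracker that blocks an account after repeated failures within a window. The thresholds (8 characters, 90 days, 5 failures in 15 minutes), the common-password list and the sample user are constructed assumptions; the module's own sample password ar1f23#$g is used as the accepted case.

```python
from datetime import datetime, timedelta
import string

# Assumed policy values; a real policy would set these explicitly.
MIN_LENGTH = 8                     # minimum number of characters
MAX_AGE_DAYS = 90                  # periodic change interval
LOCKOUT_THRESHOLD = 5              # failed attempts before blocking
LOCKOUT_WINDOW = timedelta(minutes=15)

# Constructed stand-in for a real list of common/breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_violations(password: str, username: str = "") -> list[str]:
    """Return the policy rules a candidate password breaks (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Periodic change: True once the password is older than MAX_AGE_DAYS."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


class LockoutTracker:
    """Blocks an account after LOCKOUT_THRESHOLD failures inside LOCKOUT_WINDOW."""

    def __init__(self) -> None:
        self._failures: dict[str, list[datetime]] = {}

    def _recent(self, user: str, when: datetime) -> list[datetime]:
        return [t for t in self._failures.get(user, []) if when - t <= LOCKOUT_WINDOW]

    def record_failure(self, user: str, when: datetime) -> bool:
        """Record a failed login; return True if the account is now blocked."""
        recent = self._recent(user, when) + [when]
        self._failures[user] = recent
        return len(recent) >= LOCKOUT_THRESHOLD

    def is_locked(self, user: str, when: datetime) -> bool:
        """Blocked while the window still holds enough recent failures."""
        return len(self._recent(user, when)) >= LOCKOUT_THRESHOLD

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(user, None)


def demo() -> dict:
    """Run the policy over constructed sample data and return the outcomes."""
    t0 = datetime(2008, 6, 1, 9, 0)          # constructed clock
    tracker = LockoutTracker()
    blocked_after = None
    for attempt in range(1, 7):               # six rapid failures for one user
        if tracker.record_failure("steven", t0 + timedelta(seconds=10 * attempt)):
            blocked_after = attempt
            break
    return {
        "module_sample_ok": password_violations("ar1f23#$g"),   # []
        "common_rejected": password_violations("password"),
        "expired": password_expired(datetime(2008, 1, 1), t0),  # True
        "blocked_after": blocked_after,                         # 5
        "unlocked_later": not tracker.is_locked("steven", t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The time-windowed lockout is deliberate: a permanent lock after five failures lets anyone who knows a user name deny that user service, which is itself a lever a social engineer can pull ("your account is locked, let me reset it for you").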




Countermeasures (cont’d)

                     Operational guidelines


                     • Ensure security of sensitive information and
                       authorized use of resources


                     Physical security policies


                    • Identification of employees, e.g., issuing ID
                      cards, uniforms, and so on
                    • Escorting visitors
                    • Restricting access to areas
                    • Proper shredding of useless documents
                    • Employing security personnel

Countermeasures (cont’d)

             Classification of Information
             • Categorize the information as top secret, proprietary, for internal use
               only, for public use, and so on

             Access privileges
             • Administrator, user, and guest accounts with proper authorization

             Background check of employees and proper
             termination process
             • Insiders with a criminal background and terminated employees are easy
               targets for procuring information

             Proper incident response system
             • There should be proper guidelines for reacting in case of a social
               engineering attempt

Policies and Procedures

     Policy is the most critical component for any
     information security program


     Good policies and procedures are ineffective if they are
     not taught and reinforced by the employees



     Employees need to emphasize their importance


     After receiving training, the employee should sign a
     statement acknowledging that they understand the
     policies
Security Policies - Checklist

        Account setup

        Password change policy

        Help desk procedures

        Access privileges

        Violations

        Employee identification

        Privacy policy

        Paper documents

        Modems

        Physical access restrictions

        Virus control
What Happened Next




                            Source: http://www.treasury.gov/


Impersonating Orkut, Facebook, MySpace



News




                    Source: http://www.dnaindia.com/
News




                    Source: http://www.marketingweek.co.uk/



Orkut




Impersonating on Orkut

       Impersonation means imitating or copying the behavior or actions of others


       Orkut is a famous social networking site, and since profile information is openly
       accessible, anyone can steal personal and corporate information and create an account
       in another person’s name


       On Orkut, accounts can be hacked by 2 main methods: Cookie Stealing and Phishing
       (Fake Page)


       Cookie Stealing involves a simple JavaScript which is backed by a PHP script on the
       server side


       When the victim runs this script, his cookie is sent to the hacker, who can use it to get
       into the victim’s account


       Fake pages look like Orkut pages; when the user name and password are entered into their
       respective fields, they are sent to the hacker’s email ID
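The cookie-stealing method above has a server-side countermeasure the slide does not spell out: a session cookie issued with the HttpOnly attribute cannot be read by page JavaScript at all, and Secure keeps it off plaintext HTTP. The following audit of Set-Cookie headers is an added Python example, not Orkut's or EC-Council's code; the sample response headers are constructed, and the SameSite check is a later (post-2008) attribute that a practitioner would include today.

```python
SAMESITE_OK = {"strict", "lax"}     # values that withhold the cookie on cross-site requests


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: val})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: dict[str, str] = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return the weaknesses of one Set-Cookie header (empty list = hardened)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in SAMESITE_OK:
        findings.append(f"{name}: SameSite not Strict/Lax, sent on cross-site requests")
    return findings


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Audit every Set-Cookie header in a response's header list."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
    return findings


def hardened_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """The Set-Cookie value a session cookie should be issued with."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed response headers: one weak cookie of the kind a 2008-era
# session might have set, and one issued the hardened way.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=c0ffee; Path=/"),
    ("Set-Cookie", hardened_cookie("session2", "decaf")),
]


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

HttpOnly narrows the damage rather than removing it: an injected script can no longer read document.cookie and ship it elsewhere, but it can still issue requests from the victim's page that carry the cookie automatically, so the XSS hole itself still needs fixing.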

MW.Orc worm

    MW.Orc worm steals users' banking details, usernames, and passwords by propagating
    through Orkut


    The attack is triggered when the user launches an executable file disguised as a JPEG file


    The initial executable file that causes the infection installs two additional files on the user's
    computer


    These files then pass e-mail and banking details and passwords to the worm's anonymous
    creator when the infected user clicks the “My Computer” icon


    Infection spreads automatically by posting a URL in another user's Orkut Scrapbook, a
    guestbook where visitors can leave comments visible on the user's page


    Apart from stealing personal information, this malware also enables a remote user to
    control the PC and make it part of a botnet, which is a network of infected PCs
News




                            Source: http://www.theregister.co.uk/


News




                           Source: http://www.ibnlive.com/news/


News




                           Source: http://www.ibnlive.com/


Facebook




Impersonating on Facebook

       Facebook bloggers use a nickname instead of
       the real name


       Fake accounts are a violation of the Terms of Use


       Facebook requires users to provide their real
       first and last names


       The impostor keeps adding friends


       The impostor uses others’ profiles to get critical
       and valuable information

Screenshot




News




                                Source: http://www.timesnews.net/



MySpace




Impersonating on MySpace

        MySpace has become an effective marketing tool



        Various people have their profiles on MySpace to
        gain exposure



        Not all MySpace profiles are genuine and real



        Adults impersonating teens on MySpace has led
        to tragedy

Identity Theft


News




                     Source: http://www.mercurynews.com/

What is “Identity Theft”


      Identity theft occurs when someone steals your name and other personal
      information for fraudulent purposes




Identity Theft




How do you steal Identity?


How to Steal Identity

       Original identity – Steven Charles

       Address: San Diego CA 92130




STEP 1

     Get hold of Steven’s telephone bill, water bill, or electricity bill using
     dumpster diving, stolen email, or onsite stealing




STEP 2

  Go to the Driving License Authority



  Tell them you lost your driver’s license



  They will ask you for proof of identity like a water bill and electricity bill



  Show them the stolen bills


  Tell them you have moved from the original address


  The department employee will ask you to complete 2 forms – 1 for the
  replacement of the driver’s license and the 2nd for a change in address


  You will need a photo for the driver’s license

STEP 3

       Your replacement driver’s license will be issued to your new home address


       Now you are ready to have some serious fun




Comparison

             Original

     Same name: Steven Charles




             Identity Theft




STEP 4

   Go to a bank in which the original Steven Charles has an account (Example Citibank)


   Tell them you would like to apply for a new credit card


   Tell them you do not remember the account number and ask them to look it up using
   Steven’s name and address


   The bank will ask for your ID: Show them your driver’s license as ID


   ID is accepted. Your credit card is issued and ready for use


   Now you are ready for shopping


Fake Steven has a New Credit
                    Card
    The fake Steven visits Wal-Mart and purchases a 42” plasma TV and state-of-the-art Bose
    speakers


    The fake Steven buys a Vertu Gold Phone worth USD 20K




Fake Steven Buys Car


    The fake Steven walks into a store and
    applies for a car loan; minutes later
    he is driving a new Audi



    Present your driver’s license as a form
    of ID


    The loan officer does the credit check,
    and it comes out clean since the
    original Steven has a clean credit
    history

Real Steven Gets Huge Credit Card Statement – USD 40k




                           Ahhh!!! Somebody
                           stole my identity!!

What Else…Oh My God!

     Fake Steven can apply for a new passport


     Fake Steven can apply for a new bank account


     Fake Steven can shut down your utility services


     FAKE STEVEN CAN MAKE THE LIFE OF REAL STEVEN HELL


     Scary eh?




“One bit of personal information is all someone needs to steal your identity”




Identity Theft - Serious Problem


   Identity theft is a serious problem




   The number of violations has continued to
   increase



   Securing personal information in the
   workplace and at home, and looking over
   credit card reports are just a few of the ways
   to minimize the risk of identity theft


http://www.consumer.gov/idtheft/




Summary

   Social Engineering is the human side of breaking into a corporate network


   Social Engineering involves acquiring sensitive information or inappropriate access privileges
   by an outsider


   Human-based social engineering refers to person-to-person interaction to retrieve the
   desired information


   Computer-based social engineering refers to having computer software that attempts to
   retrieve the desired information



   A successful defense depends on having good policies and their diligent implementation



 
TH3 Professional Developper CEH hacking email accounts
TH3 Professional Developper CEH hacking email accountsTH3 Professional Developper CEH hacking email accounts
TH3 Professional Developper CEH hacking email accounts
 
Top 6 things_small_businesses_q12015
Top 6 things_small_businesses_q12015Top 6 things_small_businesses_q12015
Top 6 things_small_businesses_q12015
 
Peace: Conflict Well Done
Peace: Conflict Well DonePeace: Conflict Well Done
Peace: Conflict Well Done
 
Cyberbulling
CyberbullingCyberbulling
Cyberbulling
 
Bulling lia damaris2
Bulling lia damaris2Bulling lia damaris2
Bulling lia damaris2
 
cyber bulling
cyber bullingcyber bulling
cyber bulling
 
Cyberbulling presentation
Cyberbulling presentationCyberbulling presentation
Cyberbulling presentation
 
Phising
PhisingPhising
Phising
 
OSINT 2.0 - Past, present and future
OSINT 2.0  - Past, present and futureOSINT 2.0  - Past, present and future
OSINT 2.0 - Past, present and future
 
Cyber Bulling On School Grounds
Cyber Bulling On School GroundsCyber Bulling On School Grounds
Cyber Bulling On School Grounds
 
Social engineering with in for kanban
Social engineering with in for kanbanSocial engineering with in for kanban
Social engineering with in for kanban
 
Osint overview 26 mar 2015
Osint overview  26 mar 2015Osint overview  26 mar 2015
Osint overview 26 mar 2015
 
Ce hv7 module 08 sniffers
Ce hv7 module 08 sniffersCe hv7 module 08 sniffers
Ce hv7 module 08 sniffers
 
20070317 Osint Presentation
20070317 Osint Presentation20070317 Osint Presentation
20070317 Osint Presentation
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attack
 
Ceh v5 module 09 social engineering
Ceh v5 module 09 social engineeringCeh v5 module 09 social engineering
Ceh v5 module 09 social engineering
 
Datasploit - An Open Source Intelligence Tool
Datasploit - An Open Source Intelligence ToolDatasploit - An Open Source Intelligence Tool
Datasploit - An Open Source Intelligence Tool
 

Similar a TH3 Professional Developper CEH social engineering

Cehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hackingCehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hackinganonymousrider
 
Ce hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersCe hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersVi Tính Hoàng Nam
 
Cyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moimaCyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moimaTheko Moima
 
Module 9 (social engineering)
Module 9 (social engineering)Module 9 (social engineering)
Module 9 (social engineering)Wail Hassan
 
Isaca june 19, 2010
Isaca june 19, 2010Isaca june 19, 2010
Isaca june 19, 2010Vicky Shah
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...Hackito Ergo Sum
 
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
Ce Hv6 Module 43 Cyber Warfare  Hacking Al Qaida And TerrorismCe Hv6 Module 43 Cyber Warfare  Hacking Al Qaida And Terrorism
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And TerrorismKislaychd
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An IntroductionJayaseelan Vejayon
 
Cyber Security - ICCT Colleges
Cyber Security - ICCT CollegesCyber Security - ICCT Colleges
Cyber Security - ICCT CollegesPotato
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensenjaredcarst
 
AI: The New Player in Cybersecurity (Nov. 08, 2023)
AI: The New Player in Cybersecurity (Nov. 08, 2023)AI: The New Player in Cybersecurity (Nov. 08, 2023)
AI: The New Player in Cybersecurity (Nov. 08, 2023)Takeshi Takahashi
 
Threats & Cyber Protection Measures
Threats & Cyber Protection MeasuresThreats & Cyber Protection Measures
Threats & Cyber Protection MeasuresShiva Bissessar
 

Similar a TH3 Professional Developper CEH social engineering (20)

Cehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hackingCehv6 module 01 introduction to ethical hacking
Cehv6 module 01 introduction to ethical hacking
 
Ce hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersCe hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insiders
 
Cyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moimaCyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moima
 
Hacking (1)
Hacking (1)Hacking (1)
Hacking (1)
 
Module 9 (social engineering)
Module 9 (social engineering)Module 9 (social engineering)
Module 9 (social engineering)
 
Isaca june 19, 2010
Isaca june 19, 2010Isaca june 19, 2010
Isaca june 19, 2010
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
 
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
Ce Hv6 Module 43 Cyber Warfare  Hacking Al Qaida And TerrorismCe Hv6 Module 43 Cyber Warfare  Hacking Al Qaida And Terrorism
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015
 
Cyber security
Cyber securityCyber security
Cyber security
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
 
Cyber Security - ICCT Colleges
Cyber Security - ICCT CollegesCyber Security - ICCT Colleges
Cyber Security - ICCT Colleges
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
 
AI: The New Player in Cybersecurity (Nov. 08, 2023)
AI: The New Player in Cybersecurity (Nov. 08, 2023)AI: The New Player in Cybersecurity (Nov. 08, 2023)
AI: The New Player in Cybersecurity (Nov. 08, 2023)
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
seminar ppt.pptx
seminar ppt.pptxseminar ppt.pptx
seminar ppt.pptx
 
Threats & Cyber Protection Measures
Threats & Cyber Protection MeasuresThreats & Cyber Protection Measures
Threats & Cyber Protection Measures
 

Último

How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxheathfieldcps1
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 

Último (20)

How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptx
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 

TH3 Professional Developper CEH social engineering

  • 1. Ethical Hacking and Countermeasures Version 6 Module XI Social Engineering
  • 2. Scenario Source: http://www.treasury.gov/ Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited
  • 3. News Source: http://www.technewsworld.com/
  • 4. Module Objective This module will familiarize you with: • Social Engineering • Types of Social Engineering • Behaviors vulnerable to attacks • Social Engineering Threats and Defenses • Countermeasures for Social Engineering • Policies and Procedures • Impersonating Orkut, Facebook, and MySpace • Identity Theft • Countermeasures for Identity Theft
  • 5. Module Flow Social Engineering → Types of Social Engineering → Behaviors vulnerable to attacks → Social Engineering Threats and Defenses → Countermeasures for Social Engineering → Policies and Procedures → Impersonating Orkut, Facebook, and MySpace → Identity Theft → Countermeasures for Identity Theft
  • 6. There is No Patch for Human Stupidity
  • 7. What is Social Engineering Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attack. An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they do not know, or even by talking about a project with coworkers at a local pub after hours.
  • 8. What is Social Engineering (cont’d) Social engineering is the tactic or trick of gaining sensitive information by exploiting basic human nature, such as: • Trust • Fear • Desire to help. Social engineers attempt to gather information such as: • Sensitive information • Authorization details • Access details
  • 9. Human Weakness People are usually the weakest link in the security chain. A successful defense depends on having good policies and educating employees to follow them. Social engineering is the hardest form of attack to defend against because it cannot be defended against with hardware or software alone.
  • 10. “Rebecca” and “Jessica” Hackers use the terms “Rebecca” and “Jessica” to denote social engineering targets: a person who is an easy mark for social engineering, such as the receptionist of a company. Examples: • “There was a Rebecca at the bank and I am going to call her to extract the privileged information.” • “I met Ms. Jessica, she was an easy target for social engineering.” • “Do you have any Rebecca in your company?”
  • 11. Office Workers Despite having the best firewall, intrusion-detection, and antivirus systems technology has to offer, you are still hit with security breaches. One reason for this may be lack of motivation among workers. Hackers can attempt social engineering attacks on office workers to extract sensitive data such as: • Security policies • Sensitive documents • Office network infrastructure • Passwords
  • 12. Types of Social Engineering Social engineering can be divided into two categories: • Human-based: gathers sensitive information through direct interaction; attacks of this category exploit the trust, fear, and helping nature of humans • Computer-based: social engineering carried out with the aid of computers
  • 13. Human-Based Social Engineering Posing as a Legitimate End User • Gives an identity and asks for the sensitive information • “Hi! This is John, from Department X. I have forgotten my password. Can I get it?” Posing as an Important User • Posing as a VIP of the target company, a valuable customer, etc. • “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system password. Can you help me out?”
  • 14. Human-Based Social Engineering (cont’d) Posing as Technical Support • Calls as technical support staff and requests IDs and passwords, supposedly to retrieve data • “Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?”
  • 15. Technical Support Example A man calls a company’s help desk and says he’s forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.
  • 16. More Social Engineering Examples "Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a Website crash."
  • 17. More Social Engineering Examples "Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their Website a while back, which is one of the reasons they're considering our company."
  • 18. More Social Engineering Examples "Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.
  • 19. Human-Based Social Engineering: Eavesdropping Eavesdropping is the unauthorized listening to conversations or reading of messages: interception of any form, such as audio, video, or written.
  • 20. Human-Based Social Engineering: Shoulder Surfing Looking over your shoulder as you enter a password. Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification numbers, account numbers, and more. Simply, they look over your shoulder, or even watch from a distance using binoculars, in order to get those pieces of information. (Figure: hacker watching the victim enter passwords)
  • 21. Human-Based Social Engineering: Dumpster Diving Search for sensitive information in the target company’s: • Trash bins • Printer trash bins • User desks, for sticky notes, etc. Collect: • Phone bills • Contact information • Financial information • Operations-related information, etc.
  • 22. Dumpster Diving Example A man behind the building is loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans, and the latest company financials. This information is sufficient to launch a social engineering attack on the company.
  • 23. Dumpster Diving Example For example, if the hacker appears to have a good working knowledge of the staff in a company department, he or she will probably be more successful while making an approach; most staff will assume that someone who knows a lot about the company must be a valid employee.
  • 24. Oracle Snoops Microsoft’s Trash Bins "We weren't spying. We were trying to expose what Microsoft was doing," said a fiery Ellison when reporters asked repeatedly about the detective agency's attempts at buying garbage.
  • 25. Human-Based Social Engineering (cont’d) In person • Survey a target company to collect information on current technologies, contact information, and so on. Third-party authorization • Refer to an important person in the organization and try to collect data • “Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?”
  • 26. Human-Based Social Engineering (cont’d) Tailgating • An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access • The authorized person may be unaware of providing an unauthorized person access to a secured area. Piggybacking • “I forgot my ID badge at home. Please help me.” • An authorized person knowingly provides access to an unauthorized person by holding the secured door open
  • 27. Human-Based Social Engineering (cont’d) Reverse Social Engineering • This is when the hacker creates a persona that appears to be in a position of authority, so that employees will ask him for information rather than the other way around • A reverse social engineering attack involves: • Sabotage • Marketing • Providing support
  • 28. Movies to Watch for Reverse Social Engineering Examples: The Italian Job and Catch Me If You Can
• 29. Computer-Based Social Engineering. It can be divided into: Mail / IM attachments; Pop-up Windows; Websites / Sweepstakes; Spam mail. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited
• 30. Computer-Based Social Engineering (cont’d). Pop-up Windows: windows that suddenly pop up while the user is surfing the Internet and ask for the user’s information to log in or sign in. Hoaxes and chain letters: hoax letters are emails that issue warnings to users about new viruses, Trojans, or worms that may harm the user’s system; chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of persons.
• 31. Computer-Based Social Engineering (cont’d). Online Pop-Up Attacks and Costs (chart).
• 32. Computer-Based Social Engineering (cont’d). Instant Chat Messenger: gathering personal information by chatting with a selected online user in an attempt to obtain details such as birth dates and maiden names; the acquired data is later used for cracking the user’s accounts. Spam email: email sent to many recipients without prior permission, intended for commercial purposes; irrelevant, unwanted, and unsolicited email used to collect financial information, social security numbers, and network information.
• 33. Computer-Based Social Engineering (cont’d). Phishing: an illegitimate email, falsely claiming to be from a legitimate site, attempts to acquire the user’s personal or account information. It lures online users with statements such as “Verify your account”, “Update your information”, or “Your account will be closed or suspended”. Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
• 34. Computer-Based Social Engineering (cont’d). E-mail phishing hyperlink; web page phishing hyperlink (screenshots).
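An added example (not from the EC-Council module) of the kind of check an anti-phishing filter performs on hyperlinks like the ones on this slide: it flags an anchor whose visible text names one site while its href leads to another, links whose target is a bare IP address, and the lure phrases quoted on the previous slide. The message and hosts are constructed.

```python
"""Flag phishing-style hyperlinks and lure phrases in an HTML e-mail body.
Added example, not EC-Council code: it checks for an anchor whose visible text
shows one site while its href points elsewhere, for links to bare IP addresses,
and for the lure phrases quoted on the slide. Hosts are documentation addresses."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

LURE_PHRASES = ("verify your account", "update your information",
                "account will be closed", "account will be suspended")

def host_of(text):
    """Lower-case host of a URL; bare 'www.x.example/..' text is treated as http."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def looks_like_url(text):
    """True when the anchor's visible text itself reads like a URL."""
    return bool(re.match(r"^\s*(https?://|www\.)", text, re.IGNORECASE))

def is_ip_host(host):
    """True when the link target is a bare IP address rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def analyse_email(html):
    """Return a list of findings; an empty list means no phishing signal found."""
    findings, parser = [], AnchorCollector()
    parser.feed(html)
    for href, text in parser.anchors:
        target = host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
        if is_ip_host(target):
            findings.append(f"link target is a bare IP address: {target}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()  # crude tag strip for phrase search
    findings += [f"lure phrase present: '{p}'" for p in LURE_PHRASES if p in plain]
    return findings

# Constructed sample message (not a real phishing mail).
SAMPLE = ('<p>Dear customer, please <b>verify your account</b> within 24 hours '
          'or your account will be suspended.</p>'
          '<a href="http://198.51.100.7/login">http://www.bank.example/secure</a>')
```

Running analyse_email(SAMPLE) reports the mismatched link text, the IP-address target, and two lure phrases; a message whose link text and href agree and that carries no lure phrase returns an empty list.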
• 35. Computer-Based Social Engineering (cont’d). Online E-mail Attacks and Costs (chart).
• 36. Insider Attack. If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization. It takes only one disgruntled person to take revenge and your company is compromised. • 60% of attacks occur behind the firewall • An inside attack is easy to launch • Prevention is difficult • The inside attacker can easily succeed • It is difficult to catch the perpetrator
• 37. Disgruntled Employee. Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, lack of respect, lack of promotions, etc. Diagram: a disgruntled employee on the company network sends company secrets to a competitor using steganography.
• 38. Preventing Insider Threat. There is no single solution to prevent an insider threat. Some recommendations: • Separation of duties • Rotation of duties • Least privilege • Controlled access • Logging and auditing • Legal policies • Archive critical data
• 39. Common Targets of Social Engineering: receptionists and help desk personnel; technical support executives; vendors of the target organization; system administrators and users.
• 40. Social Engineering Threats and Defenses
• 41. Social Engineering Threats and Defenses. Major attack vectors that a social engineering hacker uses: • Online • Telephone • Personal approaches • Reverse social engineering
• 42. Online Threats. In a connected business world, staff often use and respond to requests and information that come electronically. This connectivity enables hackers to make approaches to staff from the relative anonymity of the Internet. Online attacks, such as e-mail, pop-up application, and instant message attacks, use Trojan horses, worms, or viruses (malware) to damage or subvert computer resources. A social engineering hacker persuades a staff member to provide information through a believable ruse, rather than infecting a computer with malware through a direct attack. An attack may provide information that enables the hacker to make a subsequent malware attack. Solution: advise staff on how to identify and avoid online social engineering attacks.
• 43. Telephone-Based Threats. The telephone offers a unique attack vector for social engineering hackers. It is a familiar medium, but it is also impersonal, because the target cannot see the hacker. The communication options of most computer systems can also make the Private Branch Exchange (PBX) an attractive target. Stealing credit card or telephone card PINs at telephone booths is another kind of attack.
• 44. Telephone-Based Threats (cont’d). There are three major goals for a hacker who attacks a PBX: • Request information, usually through the imitation of a legitimate user, either to access the telephone system itself or to gain remote access to computer systems • Gain access to “free” telephone usage • Gain access to the communications network. Diagram: Telephony PBX attack.
• 45. Personal Approaches. The simplest and cheapest way for a hacker to get information is to ask for it directly. This approach may seem crude and obvious, but it has been the bedrock of confidence tricks since time began. Four main successful approaches for social engineers: • Intimidation • Persuasion • Ingratiation • Assistance
• 46. Defenses Against Social Engineering Threats. After you understand the wide range of threats, 3 steps are necessary to defend against social engineering threats: • Develop a security management framework • Undertake risk management assessments • Implement social engineering defenses within your security policy
• 47. Defenses Against Social Engineering Threats (cont’d). Risk Assessment: you need to assess the level of risk that an attack poses to your company in order to deploy suitable security measures. Risk categories include: • Confidential information • Business credibility • Business availability • Resources • Money
• 48. Factors that make Companies Vulnerable to Attacks: insufficient security training and awareness; several organizational units; lack of appropriate security policies; easy access to information, e.g. e-mail IDs and phone extension numbers of employees.
• 49. Why is Social Engineering Effective? Security policies are only as strong as their weakest link, and humans are the most susceptible factor. It is difficult to detect social engineering attempts. There is no method to ensure complete security from social engineering attacks. There is no specific software or hardware for defending against a social engineering attack.
• 50. Warning Signs of an Attack. An attacker may: • Show inability to give a valid callback number • Make informal requests • Claim authority • Show haste • Unusually compliment or praise • Show discomfort when questioned • Drop a name inadvertently • Threaten dire consequences if information is not provided
• 51. Tool: Netcraft Anti-Phishing Toolbar (www.netcraft.com). An anti-phishing system consisting of a toolbar and a central server that holds information about URLs provided by the Toolbar community and Netcraft. Blocks phishing websites that are recorded in Netcraft’s central server. Suspicious URLs can be reported to Netcraft by clicking Report a Phishing Site in the toolbar menu. Shows all the attributes of each site, such as host location, country, longevity, and popularity.
• 52. Tool: Netcraft Anti-Phishing Toolbar (cont’d). Netcraft Toolbar Site Report (screenshot).
• 53. Tool: Netcraft Anti-Phishing Toolbar (cont’d). Screenshot: location, website, and network information details.
• 54. Phases in a Social Engineering Attack. Four phases of a social engineering attack: Research on the target company (dumpster diving, websites, employees, touring the company, and so on); Select a victim (identify frustrated employees of the target company); Develop a relationship (with the selected employees); Exploit the relationship to achieve the objective (collect sensitive account information, financial information, current technologies).
• 55. Behaviors Vulnerable to Attacks. Trust: the human nature of trust is the basis of any social engineering attack. Ignorance: ignorance about social engineering and its effects among the workforce makes the organization an easy target. Fear: social engineers might threaten severe losses in case of non-compliance with their request. Greed: social engineers lure the targets to divulge information by promising something for nothing. Moral duty: targets are asked for help, and they comply out of a sense of moral obligation.
• 56. Impact on the Organization: economic losses; damage of goodwill; loss of privacy; dangers of terrorism; lawsuits and arbitrations; temporary or permanent closure.
• 57. Countermeasures. Training: an efficient training program should consist of all security policies and methods to increase awareness of social engineering.
• 58. Countermeasures (cont’d). Password policies: • Periodic password change • Avoiding guessable passwords • Account blocking after failed attempts • Length and complexity of passwords (minimum number of characters, use of special characters and numbers, etc., e.g. ar1f23#$g) • Secrecy of passwords (do not reveal them if asked, and do not write them on anything to remember them)
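The password rules on this slide, written as an added example (not EC-Council code) in the form of a checker that an account-provisioning or help desk script could call: length, numbers and special characters, a guessable-word blocklist, periodic change, and blocking after failed attempts. The numeric thresholds and the blocklist are assumptions; the slide names the rules but not the values.

```python
"""Password-policy checks from the countermeasures slide (added example, not
EC-Council code). The thresholds, 8 characters, 3 failed attempts and a 90-day
maximum age, are assumptions; the slide names the rules but not the values."""
import hmac
import re
from datetime import date, timedelta

MIN_LENGTH = 8            # assumed minimum number of characters
MAX_FAILED_ATTEMPTS = 3   # assumed lockout threshold
MAX_AGE_DAYS = 90         # assumed period for the periodic password change
# Constructed blocklist of guessable passwords; a real one is far larger.
GUESSABLE = {"password", "123456", "qwerty", "letmein", "welcome"}

def check_password(password, username=""):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    lowered = password.lower()
    if any(word in lowered for word in GUESSABLE):
        problems.append("contains a guessable word")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems

def change_required(last_changed, today):
    """True when the password is older than MAX_AGE_DAYS; dates are ISO strings."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)

class LoginGuard:
    """Counts failed logins per account and blocks it after MAX_FAILED_ATTEMPTS."""
    def __init__(self):
        self.failed = {}
        self.blocked = set()

    def attempt(self, username, password, expected):
        """Return 'ok', 'denied' or 'blocked'. A real system compares against a
        salted hash; hmac.compare_digest keeps the comparison constant-time."""
        if username in self.blocked:
            return "blocked"
        if hmac.compare_digest(password.encode(), expected.encode()):
            self.failed.pop(username, None)   # a success resets the counter
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        if self.failed[username] >= MAX_FAILED_ATTEMPTS:
            self.blocked.add(username)
            return "blocked"
        return "denied"
```

The slide's own sample password ar1f23#$g passes check_password, while "password1" is rejected for lacking a special character and containing a blocklisted word.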
• 59. Countermeasures (cont’d). Operational guidelines: ensure the security of sensitive information and the authorized use of resources. Physical security policies: • Identification of employees, e.g. issuing of ID cards, uniforms, and so on • Escorting visitors • Restricting access to areas • Proper shredding of useless documents • Employing security personnel
• 60. Countermeasures (cont’d). Classification of information: categorize the information as top secret, proprietary, for internal use only, for public use, and so on. Access privileges: administrator, user, and guest accounts with proper authorization. Background check of employees and proper termination process: insiders with a criminal background and terminated employees are easy targets for procuring information. Proper incident response system: there should be proper guidelines for reacting in case of a social engineering attempt.
• 61. Policies and Procedures. Policy is the most critical component of any information security program. Good policies and procedures are ineffective if they are not taught to and reinforced with employees. Their importance needs to be emphasized to employees. After receiving training, the employee should sign a statement acknowledging that they understand the policies.
• 62. Security Policies – Checklist: account setup; password change policy; help desk procedures; access privileges; violations; employee identification; privacy policy; paper documents; modems; physical access restrictions; virus control.
• 63. What Happened Next. Source: http://www.treasury.gov/
• 64. Impersonating Orkut, Facebook, and MySpace
• 65. News. Source: http://www.dnaindia.com/
• 66. News. Source: http://www.marketingweek.co.uk/
• 67. Orkut
• 68. Impersonating on Orkut. Impersonation means imitating or copying the behavior or actions of others. Orkut is a famous social networking site, and since it is open to anyone, anyone can steal personal and corporate information and create an account in another person’s name. On Orkut, accounts can be hacked by 2 main methods: cookie stealing and phishing (fake page). Cookie stealing involves a simple JavaScript which is backed by a PHP script on the server side; when this script is run by the victim, his cookie is sent to the hacker, who can use it to get into the victim’s account. Fake pages look like Orkut pages; when the user name and password are entered into their respective fields, they are sent to the hacker’s email ID.
• 69. MW.Orc worm. The MW.Orc worm steals users' banking details, usernames, and passwords by propagating through Orkut. The attack is triggered when the user launches an executable file disguised as a JPEG file. The initial executable file that causes the infection installs two additional files on the user's computer. These files then pass e-mail and banking details and passwords to the worm's anonymous creator when the infected user clicks on the “My Computer” icon. The infection spreads automatically by posting a URL in another user's Orkut Scrapbook, a guestbook where visitors can leave comments visible on the user's page. Apart from stealing personal information, this malware also enables a remote user to control the PC and make it part of a botnet, a network of infected PCs.
• 70. News. Source: http://www.theregister.co.uk/
• 71. News. Source: http://www.ibnlive.com/news/
• 72. News. Source: http://www.ibnlive.com/
• 73. Facebook
• 74. Impersonating on Facebook. Facebook bloggers use a nickname instead of the real name. Fake accounts are a violation of the Terms of Use; Facebook requires users to provide their real first and last names. The impostor keeps adding friends. The impostor uses another person’s profile to get critical and valuable information.
• 75. Screenshot
• 76. News. Source: http://www.timesnews.net/
• 77. MySpace
• 78. Impersonating on MySpace. MySpace has become an effective marketing tool. Various people have their profiles on MySpace to gain exposure. Not all MySpace profiles are genuine and real. Adults impersonating teens on MySpace has led to tragedy.
• 79. Identity Theft
• 80. News. Source: http://www.mercurynews.com/
• 81. What is “Identity Theft”? Identity theft occurs when someone steals your name and other personal information for fraudulent purposes.
• 82. Identity Theft
• 83. How do you steal Identity?
• 84. How to Steal Identity. Original identity – Steven Charles. Address: San Diego CA 92130
• 85. STEP 1. Get hold of Steven’s telephone bill, water bill, or electricity bill using dumpster diving, stolen email, or onsite stealing.
• 86. STEP 2. Go to the Driving License Authority. Tell them you lost your driver’s license. They will ask you for proof of identity, like a water bill and electricity bill. Show them the stolen bills. Tell them you have moved from the original address. The department employee will ask you to complete 2 forms – 1 for the replacement of the driver’s license and the 2nd for a change of address. You will need a photo for the driver’s license.
• 87. STEP 3. Your replacement driver’s license will be issued to your new home address. Now you are ready to have some serious fun.
• 88. Comparison. Original identity and identity thief: same name, Steven Charles.
• 89. STEP 4. Go to a bank in which the original Steven Charles has an account (example: Citibank). Tell them you would like to apply for a new credit card. Tell them you do not remember the account number and ask them to look it up using Steven’s name and address. The bank will ask for your ID: show them your driver’s license as ID. The ID is accepted; your credit card is issued and ready for use. Now you are ready for shopping.
• 90. Fake Steven has a New Credit Card. The fake Steven visits Wal-Mart and purchases a 42” plasma TV and state-of-the-art Bose speakers. The fake Steven buys a Vertu Gold Phone worth USD 20K.
• 91. Fake Steven Buys a Car. The fake Steven walks into a store and applies for a car loan; minutes later he is driving a new Audi. He presents his driver’s license as a form of ID. The loan officer does the credit check, and it comes out clean since the original Steven has a clean credit history.
• 92. Real Steven Gets Huge Credit Card Statement – USD 40k. Ahhh!!! Somebody stole my identity!!
• 93. What Else… Oh My God! Fake Steven can apply for a new passport. Fake Steven can apply for a new bank account. Fake Steven can shut down your utility services. FAKE STEVEN CAN MAKE THE LIFE OF REAL STEVEN HELL. Scary, eh?
• 94. “One bit of personal information is all someone needs to steal your identity”
• 95. Identity Theft – Serious Problem. Identity theft is a serious problem. The number of violations has continued to increase. Securing personal information in the workplace and at home, and looking over credit card reports, are just a few of the ways to minimize the risk of identity theft.
• 96. http://www.consumer.gov/idtheft/
• 97. Summary. Social engineering is the human side of breaking into a corporate network. Social engineering involves acquiring sensitive information or inappropriate access privileges by an outsider. Human-based social engineering refers to person-to-person interaction to retrieve the desired information. Computer-based social engineering refers to having computer software that attempts to retrieve the desired information. A successful defense depends on having good policies and their diligent implementation.