This PPT is for my Introduction to Security course at UNO.

1. Social Engineering:
Exploiting the Human
Behavior
Author: James Krusic
IASC 1100

2. “You could spend a fortune purchasing technology and
services...and your network infrastructure could still remain
vulnerable to old-fashioned manipulation.”
-Kevin Mitnick

3. What is Social Engineering?
• Is the technique used by attackers to gain the trust of
employee’s, in efforts to get information.
• A companies greatest threat are themselves.
• Two categories of attacks
• Technical
• Non-Technical

4. Technical Attacks
• Are those that deceive the user into believing that the
application in use is truly providing them with security.
• Example would be logging into Facebook and a random pop-up
window is wanting your credentials. Once you supply the pop-up
window with your username/password, the attack has access to
your Facebook account.
• Once the attacker has your password, most of the time that same
password is used for bank accounts, network access and more.

5. Technical Attacks cont.
• Examples of technical attacks:
• Phishing
• Usually sent via e-mail, indicating to the victim that something has
happened. Once the victim opens the payload the attacker has
access to the network.
• Pop-up Window
• Spam-Emails
• This is a mass e-mail system. Which hundreds and thousands of e-
mails are sent out to individuals. Tightly related with phishing
attempts.

6. Non-Technical Attacks
• Are attacks that are purely perpetrated through the art of
deception. (Peer-to-Peer interaction)
• Examples:
• Dumpster Diving
• Support Staff
• Hoaxing
• Authoritative Voice

7. Human Behavior Manipulations
• Curiosity
• Fear
• Thoughtlessness

8. Curiosity
Why would exploiting curiosity be such an effective method?
- It is like saying, “Why do people go into the woods
when its dark?”
- People always want to know what’s behind the door.
- So when people receive an e-mail saying they won
$5,000 and all they need to do is follow the link, they more than
likely will.

9. Fear
• Fear is such a strong behavior, because once a person
experiences it, they do not want that feeling again.
• Example: Hoax’s are used to falsify information in-order to scare
the victim.

11. Thoughtlessness
• Is a human behavior that is done without thought. To not
think when doing.
• Example: Dumpster Diving
• When a person throws old credit cards away without first cutting
them up, or when they throw away bank account statements that
have your social security number on them, or credit card
information.
• An attackers gold mine, is to find personal information such as;
SSN, Account Number, Addresses and more.

13. How to help mitigate against
promising attacks of Social
Engineering
- Educate the users/employee’s
- Well-rounded policy
- Audit and ensure compliance
- Proper hardware mitigation
- E-mail filters
- Firewalls

14. User Education/Awareness
• User education is an important role to mitigate against social
engineering tasks.
• Simple education such as:
• Ensure employee’s check the person/s ID
• Ensure employee’s verify they have appointment with
management
• Ensure employee’s do not divulge company secrets, personal
information, and network information over the phone

15. Motivate the Users
• Self Interest- Most people tend to retain facts better when
they can personally identify with or use that information
personally
• Memory Persistence- Current news stories, or recent
situations that effect the organization.
• Perceived Importance- Effectively communicate the need for
stated security policies.
• Understanding- People are more inclined to follow procedures
that they fully understand.

16. Well Rounded Security Policy
• Why do we need a good security policy?
• It provides a framework for best practice
• Helps turn employee’s into participants in the company’s efforts
to secure its information assets.
• Shows internally and externally that assets are important

17. Audits & Compliance
• Why does a company need to audit and ensure compliance of
a security policy?
• Companies need to audit the security policy to ensure that
employee’s at all levels are following the policy
• Top-Down approach is good when auditing
• Most of the time upper management want more access to network
resources than standard employee’s
• This is a good place to start because if an attacker decides to do a spear
phishing attack they usually start high, because they do not believe that
they need to follow policy.

18. Hardware/Software Mitigation
• Employ multiple firewalls using different platforms
• This is security by obscurity, meaning that multiple platforms or
multiple setups ensures that by getting by one firewall doesn’t
mean an attacker can get by the second, or third.
• Deploy E-mail Filters
• Types of E-mail Filters:
• Bayesian Spam Filters: Work by scanning the e-mail for tokens
(usually words), and then calculating the probability that the e-mail
is spam.
• Very powerful, low false positives
• Spam Assassin: Uses rule sets to scan body and header of e-mail
messages. Can be very granular (extensive rules).
• Can be ran for all e-mail or can be ran by individual users.

19. Additional Resources
• www.mattslifebytes.com
• Can find a video about social engineering.
• Can find a experiment on dumpster diving
• Also can find images of servers that can help you understanding
hardening Linux. From IT-Adventures.
• End User Security Awareness Presentation
• http://www.slideshare.net/frostinel/end-user-security-
awareness-presentation-presentation
• Policy Enforcement
• http://www.sans.org/reading_room/whitepapers/policyissues/inf
ormation-security-policy-development-guide-large-small-
companies_1331