3. Outline
What is it?
How is it done?
Who is at risk?
Approach?
4. What is it?
Social engineering is the oldest form of hacking.
Social engineers focus on the users of the system. By gaining the trust of the user, a social engineer can simply ask for whatever information he or she wants…and usually get it.
5. The Social Engineering!!!!
Uses Psychological Methods
Exploits human tendency to trust
Goals are the Same as Hacking
“the art and science of getting people to
comply with your wishes”
8. The Mind of a Social Engineer
More like actors than hackers
Learn how people feel by observing their actions
Can alter these feelings by changing what they say and do
Make the victim want to give them the information they need
9. How is it done?
Attacks come in various forms:
On the phone, over e-mail, in person
Impersonation
10. Impersonation
Play the part!
Social Engineers must:
Anticipate problems
Know jargon and procedures of the role
11. Impersonation
And most importantly, know how to build trust with whomever they need information from.
Social engineers most often impersonate authority figures, assistants to authority figures, and new employees.
13. Over the phone
The phone is the most popular method of social engineering because it is difficult to verify or deny someone’s identity.
14. Over e-mail and IM
E-mail attacks are very common (phishing).
E-mail is also used for impersonation.
Obtaining the password for an IM account could lead to access to a bank account or other personal data.
16. Outline
What is it?
How is it done?
Who is at risk?
Approach?
17. Who is at risk?
Everyone.
Everyone with information is a potential target!
18. Real World Examples
90% of office workers gave away their password for a pen.
70% of people would trade their password for a bar of chocolate.
19. Real World Examples
1/3 of the IRS employees provided their user name and changed their password in a 2005 security audit.
USC vs. Cal basketball game
21. Careless Approach
Victim is careless
Does not implement, use, or enforce proper countermeasures
Used for reconnaissance
Looking for what is lying around
22. Careless Examples
Dumpster Diving/Trashing
Huge amount of information in the trash
Most of it does not seem to be a threat
The who, what and where of an organization
Knowledge of internal systems
Materials for greater authenticity
Intelligence Agencies have done this for years
23. Comfort Zone Examples
Impersonation
Could be anyone
Tech Support
Co-Worker
Boss
CEO
User
Maintenance Staff
Generally Two Goals
Asking for a password
Building access - Careless Approach
24. Comfort Zone Approach
Victim organization members are in a comfortable environment
Lower threat perception
Usually requires the use of another approach
25. Helpful Approach
People generally try to help even if they do not know who they are helping
Usually involves being in a position of obvious need
Attacker generally does not even ask for the help they receive
26. Helpful Examples
Piggybacking
Attacker will trail an employee entering the building
More effective:
Carry something large so they hold the door open for you
Go in when a large group of employees is going in
Pretend to be unable to find the door key
27. Fear Approach
Usually draws from the other approaches
Puts the user in a state of fear and anxiety
Very aggressive
28. Fear Examples
Conformity
The user is the only one who has not helped out the attacker with this request in the past
Personal responsibility is diffused
User gets justification for granting the attacker's request.
29. Combating Social Engineers
User Education and Training
Identifying Areas of Risk
Tactics correspond to Area
Strong, Enforced, and Tested Security Policy
30. User Education and Training
Security orientation for new employees
Yearly security training for all employees
Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented
Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc. with security slogans (e.g. “Loose lips sink ships”).
31. Security Policy
Management should know the importance of protecting against social engineering attacks
Specific enough that employees should not have to make judgment calls
Include a procedure for responding to an attack
32. Areas of Risk
Certain areas have certain risks
What are the risks for these areas?
Help Desk, Building entrance, Office, Mail Room, Machine room/Phone Closet, Dumpsters, Intranet/Internet, Overall
33. Conclusions
Social Engineering is a very real threat
Realistic prevention is hard
Can be expensive
Militant Vs. Helpful Helpdesk Staff
Reasonable Balance
34. “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
-Kevin Mitnick