Preventing Social Engineering Attacks

Kelly Corning
Julie Sharp


Human-based techniques: impersonation
Computer-based techniques: malware and scams




Manipulates legitimate users into undermining their own security system
Abuses trusted relationships between employees
Very cheap for the attacker
Attacker does not need specialized equipment or skills

Impersonation
 Help Desk
 Third-party Authorization
 Tech Support
 Roaming the Halls
 Repairman
 Trusted Authority Figure
 Snail Mail

Computer-Based Techniques
 Pop-up windows
 Instant Messaging and IRC
 Email Attachments
 Email Scams
 Chain Letters and Hoaxes
 Websites



Help Desk
Hacker pretends to be an employee
Recovers “forgotten” password
Help desks often do not require adequate authentication

Targeted attack at someone who has information
 Access to assets
 Verification codes


Third-party Authorization
Claim that a third party has authorized the target to divulge sensitive information
More effective if the third party is out of town



Tech Support
Hacker pretends to be tech support for the company
Obtains user credentials for “troubleshooting” purposes
Users must be trained to guard credentials

Roaming the Halls
Hacker dresses to blend in with the environment
 Company uniform
 Business attire

Looks for sensitive information that has been left unattended
 Passwords written down
 Important papers
 Confidential conversations




Repairman
Hacker wears the appropriate uniform
Often allowed into sensitive environments
May plant surveillance equipment
Could find sensitive information



Trusted Authority Figure
Hacker pretends to be someone in charge of a company or department
Similar to the “third-party authorization” attack
Examples of authority figures
 Medical personnel
 Home inspector
 School superintendent

Impersonation in person or via telephone



Snail Mail
Hacker sends mail that asks for personal information
People are more trusting of printed words than webpages
Examples
 Fake sweepstakes
 Free offers
 Rewards programs

More effective on older generations



Pop-up windows
Window prompts user for login credentials
Imitates the secure network login
Users can check for visual indicators to verify security



Instant Messaging and IRC
Hacker uses IM or IRC to imitate the technical support desk
Redirects users to malicious sites
Trojan horse downloads install surveillance programs



Email Attachments
Hacker tricks user into downloading malicious software
Programs can be hidden in downloads that appear legitimate
Examples
 Executable macros embedded in PDF files
 Camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
 Often the final extension is hidden by the email client
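As an added defender-side example (not part of the original slides), a mail-gateway style check that flags attachments whose real, final extension is executable while the extension the recipient actually sees looks like a document. The extension sets and sample filenames are constructed for illustration and are not from any real message.

```python
# Executable extensions that run when double-clicked (constructed, non-exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "msi", "hta"}
# Extensions a recipient expects to be passive documents or images (constructed).
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def split_extensions(filename: str) -> list[str]:
    """Return every dot-separated extension, lowercased and trimmed.
    'NormalFile.doc.exe' -> ['doc', 'exe']; 'README' -> []."""
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    # parts[0] is the base name; empty pieces (e.g. 'a..b') carry no extension
    return [p for p in parts[1:] if p]


def classify_attachment(filename: str) -> str:
    """Return 'disguised', 'executable' or 'ok'.
    'disguised'  : the real (final) extension is executable but the extension
                   the user is likely to see (the one before it) looks like a document.
    'executable' : the final extension is executable and not hidden behind a document one."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return "disguised"
    return "executable"


def is_disguised_executable(filename: str) -> bool:
    return classify_attachment(filename) == "disguised"


def flag_attachments(filenames: list[str]) -> list[tuple[str, str]]:
    """Return (name, verdict) for every attachment that is not 'ok'."""
    return [(f, classify_attachment(f)) for f in filenames if classify_attachment(f) != "ok"]


# Constructed sample attachment names; none come from a real message.
SAMPLE_ATTACHMENTS = [
    "NormalFile.doc",                   # the legitimate name from the slide
    "NormalFile.doc.exe",               # the camouflaged variant from the slide
    "Invoice_2013.pdf          .scr",   # padding spaces push the real extension out of view
    "photo.JPG.EXE",                    # mixed case must not defeat the check
    "setup.exe",                        # openly executable: a policy decision, not a disguise
    "quarterly-report.xlsx",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict.upper():10} {name!r}")
```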



Email Scams
More prevalent over time
Begins by requesting basic information
Leads to financial scams



Chain Letters and Hoaxes
More of a nuisance than a threat
Spread using social engineering techniques
Productivity and resource cost



Websites
Offer prizes but require a created login
Hacker capitalizes on users reusing login credentials
Website credentials can then be used for illegitimate access to assets







Never disclose passwords
Limit IT Information disclosed
Limit information in auto-reply emails
Escort guests in sensitive areas
Question people you don't know
Talk to employees about security
Centralize reporting of suspicious behavior



Never disclose passwords
Remind employees to keep passwords secret
Don’t make exceptions
It’s not a grey area!



Limit IT information disclosed
Only IT staff should discuss details about the system configuration with others
Don’t answer survey calls
Check that vendor calls are legitimate



Limit information in auto-reply emails
Keep details in out-of-office messages to a minimum
Don’t give out contact information for someone else
Route requests to a receptionist

Escort guests in sensitive areas
Guard all areas with network access
 Empty offices
 Waiting rooms
 Conference rooms

This protects against attacks
 “Repairman”
 “Trusted Authority Figure”



Question people you don’t know
All employees should have appropriate badges
Talk to people who you don’t recognize
Introduce yourself and ask why they are there



Talk to employees about security
Regularly talk to employees about common social engineering techniques
Always be on guard against attacks
Everyone should watch what they say and do


Centralize reporting of suspicious behavior
Designate an individual or group
Social engineers use many points of contact
 Survey calls
 Presentations
 Help desk calls

Recognizing a pattern can prevent an attack