
Social Engineering

Social engineering
- Social engineering
- How to get what you want.
- Phishing and Social Media
Social Engineering
§ Psychological manipulation
§ Espionage
§ Confidence trick (con)
§ Scam
§ Swindle
§ Fraud
§ Lie
§ “Using cheap dirty psychological tricks to get people to do what you want.” - Brian Brushwood
WARNING!
§ Pseudoscience and BS abounds in SE literature
§ Neurolinguistic programming (NLP) - BS
§ Using “microexpressions” - BS
§ “Pick up artist” (PUA) - BS
§ This stuff becomes very illegal very fast
Illusion of Transparency
§ Cognitive bias
§ Overestimate what people can tell about our thoughts
§ Overestimate what we know about other people’s thoughts
§ Dr. Elizabeth Newton tapping out songs
§ It’s easier to lie than you think it is
Information Gathering
§ Like any exploit, start with info on target
Information Gathering (Go deeper!)
§ Employee social media
§ Public records data
§ Maps
§ Local newspapers
§ Technical documents, academic papers
§ Training documents
§ Dumpster diving
§ http://inteltechniques.com/links.html
Elicitation
§ Getting a target to do what you want them to do
HOW TO GET WHAT YOU WANT
Just Ask For It
§ Dr. Ellen Langer at Harvard
§ The mindlessness of ostensibly thoughtful action: The role of “placebic” information in interpersonal interaction
§ “Excuse me, I have 5 pages. May I use the Xerox machine?” 60% compliance
§ “Excuse me, I have 5 pages. May I use the Xerox machine, because I’m in a rush?” 94% compliance
§ “Excuse me, I have 5 pages. May I use the Xerox machine, because I have to make some copies?” 93% compliance
§ Get comfortable making people uncomfortable
Pretexting
§ Use an invented scenario and/or identity
§ Impersonate
  § coworkers
  § boss
  § customers
  § law enforcement
  § IT department
Get It Wrong
§ “You guys use extension 5231, right?”
§ “No, we use 1212.”
Make Them Like You
§ Make them laugh
§ Let them talk about themselves
§ Call them back
§ Elicit sympathy
§ Use the Ben Franklin effect, “Can you do me a favor?”
§ If not liked, at least seem transparent
Reciprocity
§ Give a gift
§ Best if it doesn’t look like a bribe, time delay
§ Dr. Dennis Regan of Cornell
§ Effects of a favor and liking on compliance
§ Subjects who got soda bought twice as many raffle tickets
§ Even if they reported disliking the assistant
Distraction
§ Misdirection
§ Multitasking is an illusion
§ Make them process information so they go on autopilot
Authority
§ Business card
§ Credential badges work
§ Internal lingo
§ Fake IDs/Badges
§ Send a legal or policy document
§ Or … just wear a suit
Ask Questions
§ Drive the conversation
§ Appear to be the receiver when you’re actually the feeder
Tailgating/Piggybacking
§ Follow someone with access
Social engineering is an indirect process
§ Use elicitation to get an employee ID number
§ to pretext as a company employee
§ to gain information about management structure
§ to pretext as an authority in the company
§ to gain access to internal IT training documents
§ to pretext as technical support
§ to elicit access to an HR document
§ just to learn who knows the information you need about your real target
Combined Attacks
§ The real threat: combine social and technical exploits
§ Spoof caller ID for elicitation
§ Use SE to clone SIM card to bypass 2FA
§ Hack a machine, “fix it”, then ask for information
§ Tell them you are IT, give them your number to call
§ Phishing/Vishing/Smishing
Baiting
§ Drop physical media with malware in parking lot
§ Tailor a personal gift
§ “Leak” documents
Social Engineering Mitigation
§ Be skeptical
§ Ask for call back numbers
§ Make sure employees understand sensitivity of data
§ Have explicit, clear security policies
§ Encourage employees to challenge authority and requests
§ Audit employees by social engineering your own organization
Phishing, Social Engineering, and Social Media
What is Phishing?
• Phishing is a type of cyberattack which involves contacting someone through email, phone, websites, or text message.
• The victim is then asked to click or do something that the attacker wants, such as:
  • Clicking a link
  • Opening a document
  • Sending money
Personal Account Phishing
• When you get a phishing email on a personal email, or your personal phone, there are a few things it could be after:
  • Money or financial information.
  • Personal information.
  • Account information.
• They are often widespread attacks after smaller amounts of money or passwords.
Identify Phishing
• Look at the source of the email or text message.
• These two emails look similar:
  • donotreply@mohawkcollege.ca
  • donotreply@mohawkcollege.ca.scm.com
• Only the first email would be from Mohawk College, while the other is from scm.com.
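The slide's point is that a domain is read from its right-hand end: `mohawkcollege.ca.scm.com` belongs to `scm.com`, no matter what appears before it. The following Python is an added example, not part of the original slides, showing how a mail filter or a user-education tool would make that check correctly. It contrasts a naive substring match (which accepts the look-alike) with a check anchored at the end of the domain, and also strips a spoofed display name, which the slide does not cover. The trusted-domain list, the function names, and every address other than the two from the slide are assumptions constructed for the example.

```python
"""Decide whether a From: address really belongs to an expected domain.

Added example (not from the original slides). The two mohawkcollege
addresses come from the slide; TRUSTED_DOMAINS and the other sample
addresses are constructed assumptions for illustration.
"""
from email.utils import parseaddr

# Domains the organisation is known to send from (assumed for the example).
TRUSTED_DOMAINS = frozenset({"mohawkcollege.ca"})


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the actual address in a From: header.

    parseaddr() discards the display name, so a header such as
    '"Mohawk College" <alerts@scm.com>' yields 'scm.com', not the name
    the sender chose to show. Returns '' when there is no usable address.
    """
    _display_name, address = parseaddr(header_value)
    if "@" not in address:
        return ""
    # rsplit guards against stray '@' characters in the local part; the
    # trailing-dot strip normalises a fully qualified 'example.com.'.
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def naive_check(header_value: str) -> bool:
    """The mistake the slide warns about: a substring match.

    'mohawkcollege.ca' is present in 'mohawkcollege.ca.scm.com', so this
    accepts the look-alike address.
    """
    return "mohawkcollege.ca" in header_value.lower()


def is_trusted_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the domain IS a trusted domain or a subdomain of one.

    The comparison is anchored at the end of the domain, so
    'mohawkcollege.ca.scm.com' is judged by its suffix 'scm.com' and
    rejected, while 'alerts.mohawkcollege.ca' is accepted as a subdomain.
    """
    domain = sender_domain(header_value)
    if not domain:
        return False
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def classify(header_values):
    """Map each header to (naive verdict, anchored verdict) for comparison."""
    return {h: (naive_check(h), is_trusted_sender(h)) for h in header_values}


# Sample From: headers. The first two are the slide's own; the rest are constructed.
SAMPLE_HEADERS = [
    "donotreply@mohawkcollege.ca",
    "donotreply@mohawkcollege.ca.scm.com",
    '"Mohawk College" <alerts@scm.com>',     # constructed: spoofed display name
    "news@alerts.mohawkcollege.ca",          # constructed: legitimate subdomain
    "DoNotReply@MohawkCollege.CA",           # constructed: case differences only
]

if __name__ == "__main__":
    for header, (naive, anchored) in classify(SAMPLE_HEADERS).items():
        print(f"{header!r:50} substring-match={naive!s:5} anchored-check={anchored}")
```

Only the anchored check matches what the slide says: the first address passes, the `scm.com` look-alike fails, and a display name reading "Mohawk College" carries no weight because the decision is made on the address inside the angle brackets.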
Social Engineering (1 of 2)
• This is a technique used to manipulate people into giving up information or access through human error.
• It can be done on a computer through means such as phishing or off a computer with methods such as spam phone calls.
• Criminals use Social Engineering to gain access to sensitive information.
Social Engineering (2 of 2)
• Criminals will often claim to be someone who should have access, without being checked for proper authorization.
• Social media websites are often filled with alleged games or quizzes that will not allow a user to “play” them until they authorize giving access to personal information.
Examples of Social Engineering (1/2)
• Quizzes and games trying to elicit personal information.
  • “Want to find out your superhero name? The first half corresponds with your birth day and the second half corresponds with your birth month”.
  • “Enter your first crush, full name, mother’s name, home city…. Tag 10 of your friends”.
Examples of Social Engineering (2/2)
How Social Engineering Impacts Social Media (1/2)
• Social media networks contain a ton of information about users and have wide user bases.
• Everyone who uses any social media service has information about them, potentially including:
  • Email addresses, phone numbers, photographs, ages, birthdays, friends/followers, geographical locations.
How Social Engineering Impacts Social Media (2/2)
• Some may not be aware of what they are sharing, who they are sharing it with, or how the information could be used against them.
• By default, social media platforms have very minimal security and privacy settings enabled.
• Most platforms do not tell you who is looking at your profile or what they are accessing on it.
Tips to Avoid Social Engineering (1/2)
• Don’t share personal information.
  • Even if it seems unimportant. Your dog’s name, hometown or favourite movie; these are common security questions.
• If you get a suspicious message or see a suspicious post from someone you know, do not click it. Verify they sent it using an alternative contact method.
Tips to Avoid Social Engineering (2/2)
• Be careful with the applications you install on your devices and social media platforms.
• Avoid putting financial information on social media.
• Do not post anything online that you would not be okay with anyone in the world seeing.
• Edit your security and privacy settings.
  • See our Improve Social Media Security module for more detailed information.
Stalking and Cyberbullying
• Previous coworkers, friends, partners, and random people and groups can use social media to find out information about you and find your location.
• Your personal information could be used to bully, harass or threaten you.
• Social media can provide stalkers with a ton of information including your location, common places you go, your network, and how to get a hold of you.