Social Engineering Presentation

Enterprise Management: Social Engineering
Presented by Mr. Nicholas Lemonias, MSc in Information Security
Presented at The University of Derby, 2013
Table of Contents
1. Introduction
2. Main subject
3. Examples
4. Conclusion
Your company slogan
Introduction
Key Aspects of Security Management
 Risk Assessment
 Auditing
 Security Standards
 Legal
 Trust
 Business Continuity
 Classification in security management is done along three dimensions: a social, a technological and an organisational one.
Security's Weakest Link
 Social Engineering refers to attacks on the human dimension: direct influence on the people of an organisation, whether an individual or a large corporation, with the objective of bypassing the technological controls in place by exploiting the human factor. Social Engineering is therefore the science of influence.
 Thus the human factor is considered the weakest link in computer security. [1]
Key Controls
 Developing Security Policies
 Organisational Security
 Asset Classification and Control
 Personnel Security
 Physical and Environmental Security
 Communication and Operations
Management
 Access Control
 System Development and Maintenance
 Compliance and Investigation
 Security Architecture and Audit
The Human Element
"A company may have purchased the best
security technologies that money can buy,
trained their people so well that they lock
up all their secrets before going home at
night, and hired building guards from the
best security firm in the business. That
company is still totally vulnerable.
Individuals may follow every best security practice recommended by the
experts, slavishly install every
recommended security product, and be
thoroughly vigilant about proper system
configuration and applying security
patches. Those individuals are still
completely vulnerable." [1]
Kevin Mitnick.
Threat Landscape & Social Engineering
 A growing number of threats in the threat landscape brought new technological solutions, while the human factor was not considered.
 Employees have de facto access to, and knowledge of, the system; they are themselves a standard point of intrusion.
A Social Engineering story
 One morning a few years ago, a group of strangers walked into a large shipping firm and walked out with access to the entire enterprise network. How did they do it? By obtaining small amounts of information from a number of employees in that firm. First, they researched the company for two days before even attempting to set foot in it. For example, they learnt the names of key employees by calling HR. Then they pretended to have lost their key to the front door, and a man let them in. Next they "lost" their identity badges when entering the secured area; they smiled, and a friendly employee opened the door for them. The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data from his unlocked computer. [2]
Social Engineering tactics
Internal:
 Disgruntled Employees
 Untrained Personnel
 Physical Element
External:
 Outsiders
 Third Parties
Social Engineering tactics
 Pre-texting
 Mathematical Psychology
 Phishing
 NLP
 Cloned websites and login screens asking for your credentials
 Malware, Trojans
Language and the Human Brain
Probabilistic Approach
 Probability is the chance or likelihood that a certain event will happen. Mathematical probability is usually expressed as a ratio. [3]
 Conditional Probability: the probability of some event A given the occurrence of some other event B, written P(A | B) = P(A and B) / P(B). For example, in a bag of 2 red balls and 2 blue balls, the probability of drawing a red ball is 1/2; but given that the first ball drawn was red and not replaced, the probability that the second ball is also red is 1/3.
 Independent Events: two events A and B are independent if P(A and B) = P(A) * P(B). For example, if two coins are flipped, the chance of both being heads is 1/2 * 1/2 = 1/4.
 Union and Mutually Exclusive Events: if event A or event B or both occur on a single performance of an experiment, this is called the union of events A and B. If A and B cannot both occur they are mutually exclusive, and then P(A or B) = P(A) + P(B).
Probability formula
P(A) =
The Number Of Ways Event A Can Occur
________________________________
The Total Number Of Possible Outcomes
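The rules on the two probability slides above, worked through as an added example (this is not code from the original slides). Instead of applying the formulas by hand, it enumerates each sample space exhaustively and counts, which is the general algorithm behind the slide's single formula: the same helpers give P(A), P(A | B), an independence check and the union rule for any event over a finite list of equally likely outcomes. The bag and coin experiments are constructed inline and the function names are assumptions of this example.

```python
"""Probability by exhaustive enumeration of a finite sample space.

Added illustration, not from the original presentation. Rules applied:
  P(A)     = ways A can occur / total outcomes      (equally likely outcomes)
  P(A | B) = P(A and B) / P(B)                      (conditional probability)
  A, B independent        <=> P(A and B) == P(A) * P(B)
  A, B mutually exclusive  => P(A or B) == P(A) + P(B)
"""
from fractions import Fraction
from itertools import permutations, product


def probability(outcomes, event):
    """P(event): count the outcomes where event holds, over the total."""
    hits = sum(1 for o in outcomes if event(o))
    return Fraction(hits, len(outcomes))


def conditional(outcomes, event_a, event_b):
    """P(A | B): restrict the sample space to outcomes where B holds, then count A."""
    given_b = [o for o in outcomes if event_b(o)]
    return probability(given_b, event_a)


def independent(outcomes, event_a, event_b):
    """True iff P(A and B) equals P(A) * P(B)."""
    both = probability(outcomes, lambda o: event_a(o) and event_b(o))
    return both == probability(outcomes, event_a) * probability(outcomes, event_b)


def mutually_exclusive(outcomes, event_a, event_b):
    """True iff A and B can never occur together, i.e. P(A and B) == 0."""
    return probability(outcomes, lambda o: event_a(o) and event_b(o)) == 0


def union(outcomes, event_a, event_b):
    """P(A or B), counted directly; equals P(A) + P(B) when A, B are mutually exclusive."""
    return probability(outcomes, lambda o: event_a(o) or event_b(o))


# Constructed experiment 1: bag of 2 red and 2 blue balls, two draws without replacement.
BAG = ["R1", "R2", "B1", "B2"]
TWO_DRAWS = list(permutations(BAG, 2))      # 12 equally likely ordered draws
first_red = lambda d: d[0].startswith("R")
second_red = lambda d: d[1].startswith("R")

# Constructed experiment 2: two fair coins flipped once.
TWO_COINS = list(product("HT", repeat=2))   # 4 equally likely outcomes
first_heads = lambda c: c[0] == "H"
second_heads = lambda c: c[1] == "H"
both_heads = lambda c: c == ("H", "H")
both_tails = lambda c: c == ("T", "T")


def worked_example():
    """Return the slide's quantities, computed by counting rather than by hand."""
    return {
        "P(first red)": probability(TWO_DRAWS, first_red),                          # 1/2
        "P(second red | first red)": conditional(TWO_DRAWS, second_red, first_red),  # 1/3
        "draws independent?": independent(TWO_DRAWS, first_red, second_red),        # False
        "P(both heads)": probability(TWO_COINS, both_heads),                         # 1/4
        "coins independent?": independent(TWO_COINS, first_heads, second_heads),    # True
        "heads/tails exclusive?": mutually_exclusive(TWO_COINS, both_heads, both_tails),  # True
        "P(both heads or both tails)": union(TWO_COINS, both_heads, both_tails),    # 1/2
    }


if __name__ == "__main__":
    for label, value in worked_example().items():
        print(f"{label}: {value}")
```

Drawing without replacement is what makes the second draw depend on the first: the sample space shrinks to the 6 draws that start with a red ball, and only 2 of them end with the other red one, giving 1/3 rather than the unconditional 1/2. The coin flips pass the independence check because the product rule holds exactly.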
Conclusion
"Security is always going to be a cat and
mouse game because there'll be people
out there that are hunting for the zero day
award, you have people that don't have
configuration management, don't have
vulnerability management, don't have
patch management. " [1]
Kevin Mitnick
References
[1] Mitnick, K. D. and Simon, W. L., foreword by Wozniak, S. (2002). The Art of Deception: Controlling the Human Element of Security. Wiley.
[2] Symantec Corporation (2013). Social Engineering Fundamentals, Part I: Hacker Tactics. [ONLINE] Available at: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics
[3] Fox, L. J. (2002). An Introduction to Mathematical Probability. Yale-New Haven Teachers Institute.
Thank You. Any Questions?
The University of Derby
Faculty of Business, Computing & Law