SOCIAL ENGINEERING PREVENTION – BE PREPARED. IT COULD HAPPEN TO YOU!

Defend Your Organization: Build a Culture of Security

Post on 13-Jan-2022

3 views

Category:

Documents


0 download

TRANSCRIPT


“SOCIAL ENGINEERING IS DEFINED AS THE PROCESS OF DECEIVING PEOPLE INTO GIVING AWAY ACCESS OR CONFIDENTIAL INFORMATION.”

Social engineering is one of the key ways attackers gain access to information about your organization.

Through email, phone, texting and online platforms, social engineers attempt to manipulate employees into giving up access to sensitive information.

People are often the weakest link in the daily management of network security.

Don’t Be A Victim.

Defend Yourself and Your Company.

Prepare Yourself for a Social Engineering Attack.

Knowledge is power. One way to avoid unwanted security breaches is to understand effective methods to defend against social engineering attacks.

In this guide we look at the following:

• Onsite Social Engineering

• Remote Social Engineering

• Tricks of the Trade

• Social Engineers At Work – Based on True Stories

• Common Social Engineering Techniques

• Best Practices to Mitigate Security Risks

REMOTE SOCIAL ENGINEERING:

Cyber attacks performed via the phone, email or online against employees, suppliers and contractors with the intent to obtain an organization’s confidential information.

______________________________________________

ONSITE SOCIAL ENGINEERING:

Attacks designed to gain physical access to the premises in order to obtain records, files, equipment, sensitive information and network access.

Social Engineers Are Launching Attacks

• The official-looking gentleman with the tool kit who said he was onsite to complete system repairs…

• The phone call from IT asking to verify your employee number…

• The nice ‘new employee’ full of questions about the company that approached you at lunch…

• The email from management asking you to click on a link and enter your credentials to test the strength of your network password…

• The camera crew outside the front gate filming a so-called corporate commercial…

All were strategic maneuvers executed to gain access to sensitive information. All were social engineers at work.

Did You Know?

• More than 600,000 Facebook accounts are compromised every day

• Hacktivism is the most common major motivation behind cyber attacks

• 48% of enterprises have been victims of social engineering attacks

TRICKS OF THE TRADE

Social engineers do not care if you are an entry-level employee or the CEO of an enterprise. These highly trained individuals leverage their skills to attack all levels within an organization. Using proven methods and employing new social media and online tactics to gain access to sensitive information, they can ruin reputations and cost enterprises millions in clean-up and recovery.

Talks the Talk

A social engineer will take the time to study and learn the ‘corporate language’ of an organization. Their use of acronyms for key phrases or common corporate sayings works to ensure that their credibility increases with everyone they talk to during the attack.

Playing You Like a Song

After calling in and recording the corporate phone ‘on-hold’ music, a social engineer will use this audio to his advantage. Replicating this hold music validates his story and increases the odds of a successful intrusion.

A Good Connection Gone Wrong

Posing as a potential business contact on LinkedIn, a social engineer will use the social media platform to send you email that may contain malicious links or instructions.

Spoofing a Phone Number

Spoofing is the practice of altering the phone number appearing on the caller ID to trick the person receiving the call. Social engineers can now pretend to be whomever they want – an internal staff member, a trusted vendor, or a representative of an official-sounding organization.

Social Engineers at Work - Based on a True Story

A social engineer looking to cause harm to a cable company because he did not agree with the company’s late payment policy strategically placed five USB drives throughout the parking garage and grounds of the corporate headquarters. Each USB drive was labeled “2013 Bonuses”. Unsuspecting employees fell prey to the ruse by picking up the drives and connecting them to their corporate devices. The USB drives were loaded with malware, which wreaked havoc on the company’s corporate network. The breach took down the entire corporate network for a day, affecting customers’ access to the company’s external website, personal account information, and the ability to process payments. The recovery costs to resolve the breach, paired with the corporate website downtime, cost the organization over US$3 million.

“35% of incidents involved a negligent employee” – 2013 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2013

Social Engineers at Work – Based on a True Story

Jane received a call from a social engineer posing as a manager in the ‘Corporate Communications Department’, who successfully obtained her employee number. The social engineer then called HR, exploiting this knowledge to obtain her cost center identifier. The employee and cost center intelligence was leveraged to acquire the company’s internal phone and email directory. The social engineer then conducted a phishing expedition: he crafted an e-mail appearing to be from the VP of Technology and sent the correspondence to 100 random employees. The email asked that each recipient click the embedded link to ‘test the strength of their network password.’ Taking advantage of the employees’ natural inclination to respect and respond to senior management, 95% of the targeted employees did as instructed, providing the social engineer with an entry point into the corporate network and access to 50,000 customer records. In this scenario, one breach cost the targeted company millions in damages.

Common Social Engineering Techniques

Social Media Stalking

Social platforms like Facebook, LinkedIn and Twitter are a treasure trove of personal and corporate information. Using these sites, a social engineer can gain knowledge that can be used to plan and launch an attack against an individual or an entire company.

Utilizing Tech Talk

To appear credible and to intimidate, a social engineer may use technical jargon to prey on his victim’s lack of technical knowledge, tricking them into divulging sensitive information that provides easy access to the equipment or network.

Piggybacking

Following closely behind a legitimate or authorized employee to gain physical entry into a restricted area or to pass a security checkpoint (also referred to as “tailgating”).

Phishing

Crafting emails that appear to be from an internal source and request that the recipient take action by clicking on a link, which subsequently introduces malware into the organization.

Tips & Tactics: Defend Against Social Engineering Attacks

• Be friendly, but cautious. A social engineer preys on a person’s willingness to help others.

• Be suspicious of emails asking you to “verify” your account.

• Do not leave your computer unlocked.

• Be leery of website addresses with misspelled words.

• Type the website address into your browser yourself rather than clicking on a link shared via social media or email.

• Get to know your co-workers and clients and beware of impersonators.

• Validate the credentials of those requesting access to sensitive areas or information.

• When leaving for the day, don’t forget to lock up sensitive data.

• Remember, social engineers use social media sites to gain inside knowledge. Be careful what you post online about your work practices.

• “Out of office” messages can be used for reconnaissance. Limit what you disclose.

• Be suspicious of unsolicited phone calls asking about employees or other internal information.

• Dispose of documents with sensitive data by shredding material according to corporate policy.

• Avoid completing online forms that ask for personal information.

• Be wary of alarmist email messages with urgent requests.
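The following is an added example, not part of the original brochure: a small Python checker that turns several of the tips above (suspicion of “verify” and password-test requests, alarmist urgency, misspelled look-alike web addresses, and links that leave the corporate domain) into indicators that can be scored against an incoming message, using the “test the strength of your network password” lure from the story above as a constructed sample. The trusted domain, sender addresses and message text are all assumptions made up for the demo.

```python
import re
from difflib import SequenceMatcher

# Constructed example: the domain this organization legitimately uses.
TRUSTED_DOMAIN = "example-corp.com"

# Lure phrases drawn from the scenarios in this document (account
# "verification", password "tests", alarmist urgency).
LURE_PHRASES = ("verify your", "test the strength", "password",
                "urgent", "immediately")

URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def registrable(host):
    """Reduce a host name to its last two labels (crude, fine for this demo)."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(domain):
    """True when the domain is not trusted but sits within a few character
    edits of the trusted one, e.g. examp1e-corp.com or example-c0rp.com."""
    if domain == TRUSTED_DOMAIN:
        return False
    return SequenceMatcher(None, domain, TRUSTED_DOMAIN).ratio() >= 0.8


def score_email(sender, subject, body):
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} mimics {TRUSTED_DOMAIN}")
    elif sender_domain != TRUSTED_DOMAIN:
        findings.append(f"external sender domain {sender_domain}")
    text = f"{subject} {body}".lower()
    findings += [f"lure phrase: {p!r}" for p in LURE_PHRASES if p in text]
    for host in URL_HOST.findall(body):
        domain = registrable(host)
        if domain != TRUSTED_DOMAIN:
            kind = "lookalike" if is_lookalike(domain) else "untrusted"
            findings.append(f"{kind} link host: {host}")
    return findings


# Constructed samples: the password-strength lure from the story, and a benign notice.
PHISH = ("vp.technology@examp1e-corp.com", "Action required",
         "Click https://examp1e-corp.com/verify to test the strength of your "
         "network password immediately.")
BENIGN = ("hr@hr.example-corp.com", "Cafeteria menu",
          "This week's menu is at https://intranet.example-corp.com/menu")

if __name__ == "__main__":
    for mail in (PHISH, BENIGN):
        print(mail[0], "->", score_email(*mail) or ["no indicators"])
```

The similarity threshold and phrase list are deliberately simple; in practice they would be tuned against real mail, and a hit should trigger the “verify by another channel” habit rather than be treated as proof of an attack.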

Knowledge is Power

Threats to your information security can come in many forms. Unaware employees, poor design of your network architecture or a lack of physical site security can lead to malicious attacks and breaches. Effective security awareness training for your employees and clients can improve your overall security posture, and could be the most important investment you make this year.

DDI’s Security Awareness Education program, SecurED® helps organizations provide relevant, entertaining, web-based training that helps to establish a culture of security.

SecurED®

A security awareness education program from Digital Defense, Inc. (DDI), that combines serious security expertise with fun, engaging characters to deliver memorable messages that employees can access anytime, anywhere, from virtually any device.

• Emmy® award-winning comedy sketch writer

• Hollywood talent

• Fun & Engaging

• Convenient

• Cost-Effective

• Training That Sticks

LEARN MORE ABOUT SecurED™

References & Resources

Information and research for this study were collected from a number of different sources, including the following:

• http://cybertimes.in/?q=node/199

• http://www.social-engineer.org/framework/Social_Engineering_Defined

• http://nakedsecurity.sophos.com/2011/10/28/compromised-facebook-account-logins/

• http://www.thenational.ae/business/industry-insights/technology/hacktivism-the-motivator-of-cyber-attacks-in-middle-east

• http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_FINAL_050912.pdf

• http://www.net-security.org/secworld.php?id=11665

• http://www.go-gulf.com/blog/cyber-crime/

• http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf

• http://www.csoonline.com/article/460135/social-engineering-eight-common-tactics

• http://www.fbi.gov/about-us/investigate/cyber

• http://www.veracode.com/blog/2013/03/hacking-the-mind-how-why-social-engineering-works/