Transcript
Page 1: Social engineering – posing challenges to the thinking security professional 05 dec 2013

Social Engineering – Posing Challenges To The Thinking Security Professional

Paul Devassy, CPP, Chairman, ASIS Mumbai – India Chapter

Page 2

December 12, 2013

Points to be covered

1. What does Social Engineering mean?
2. Practitioners through the ages
3. What are “Social engineers” looking for?
4. Human frailties
5. Who is at risk?
6. Cycle and Types of attack
7. What can we do?
8. Protection for us?

Page 3

Disclaimer

All views expressed in this lecture are personal and are gathered from experiential information.

Examples quoted are just a means to emphasize a point and are in no way being judgemental of the person, actions or even events.

Page 4

Definition of Social engineering

Merriam-Webster's dictionary: “Management of human beings in accordance with their place and function in society; applied social science”

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

• "It's all about gaining access to information that people think is innocuous when it isn't"

Page 5

Practitioners through the ages

Page 6

What are they looking for?

Page 7

Exploitation of Human frailties

Page 8

Lack of training and awareness

Page 9

Who is at risk?

Do the social engineers only target these types of people?

Or is everybody a potential target?

Page 10

Cycle of an attack

Page 11

Types of attacks

Page 12

So what do we do?

Page 13

Protection for us?

Page 14

Protection 1

Page 15

Protection 2

Training and awareness at all levels is a must

Page 16

Questions?

Page 17

Page 18

Thank you!
