good morning - matthias vermeiren - joachim seminck good morning

19
Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Upload: kayleigh-cornforth

Post on 14-Dec-2015

232 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Good morning

- Matthias Vermeiren

- Joachim Seminck

Good morning

Page 2: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Hackers... Or not?

Stereotype of a hacker

Uses computers, viruses, trojans, bugs

Steals confidential information through a computer

Stereotype of a hacker

Uses computers, viruses, trojans, bugs

Steals confidential information through a computer

Stereotype of a hacker

Page 3: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...what?

Breaching network using people skills

Powers of observation

Psychologically manupulating people

People are often the weakest link

Social Engineering...what?Social Engineering...what?

Page 4: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Impersonating IT staff

“Your account is disabled, I need your password”

Gives password

EmployeeSocial Engineer Employee

Gives password

Social Engineering...how?

Page 5: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Playing on users’ sympathy Pretending to be worker from the outside

( phone company, ISP,...)

“New on the job, have to check out some wiring, or else I get fired....”

Gaining physical access to computers and servers

In any case: Social engineer appears to be worried, afraid, upset of some dire consequence

Social Engineering...how?

Page 6: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Wooing them with words

When the stakes are high (e.g. Big financial reward for getting into network)

Slowly becoming close friends with target victims

Elaborate, long-term schemes

Initiating and developing a romantic relationship

Victim trusts S.E. Enough to reveal confidential information (and smartcards,...)

Page 7: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Intimidation tactics

S.E. Pretends to be someone important

Big boss from HQ

Government inspector

Someone who strikes fear in the employee’s heart

-Angry and yelling

-Threaten to fire the employee if they don’t get the information

Very few people would say no out of fear of losing their job

Social Engineering...how?

Page 8: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?The greed factor

S.E. Offers money or goods in exchange for the information

Usually more subtle

In general: S.E. Promises some benefit

(better paying job at competing company,...)

Social Engineering...how?

Page 9: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Creating confusion

Creating a problem

Taking advantage of it

Social Engineering...how?

Page 10: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Shoulder surfing

“Passive” form of social engineering

Observe victim whilst typing passwords

Without their knowledge Gaining trust so they don’t mind their being there

Social Engineering...how?

Page 11: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Dumpster diving

Predates computers

Looking for hard copies of information to breach the network

S.E. could pose as a janitor

Access to discarted papers, cd’s, discs, etc

Social Engineering...how?

Page 12: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Gone phishing

Well-publicised internet scam

Fake e-mails

Sites that are identical to the originals

Users enter confidential information ( passwords, id’s ,...)

Information gets forwarded to the S.E.

Social Engineering...how?

Page 13: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...how?Reverse social engineering

S.E. gets others to ask him/her the questions

Creating problem with network or software

S.E. is expert coming to fix the problem

Gets full access to the systems

Requires a lot of planning

Social Engineering...how?

Page 14: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...Protection

Number one line of defence :

User Education

Backed up by

Clear (written) policies

Who can enter server room?

To whom can users give their password?

...

Page 15: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...Protection

Social Engineering = Not a technological problem

It does have a technological solution

Multifactor authentication

Social Engineering...Protection

Page 16: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Social Engineering...Case study

Page 17: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Sources

-Ten common social engineering ploysBy Debra Shinder, TechRepublic

-Social Engineering – An attack vector most intricate to tackle!

By Ashish Thapar

-Malware campaign at YouTube uses social engineering tricks

By Dancho Danchev

-Junk mailers get the human touch

By BBC news

Sources

Page 18: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Questions?

Page 19: Good morning - Matthias Vermeiren - Joachim Seminck Good morning

Thank you!