Preventing Social Engineering Attacks

Kelly Corning, Julie Sharp

Posted on 30-Dec-2015 (27 slides)

TRANSCRIPT

Page 1: Preventing Social Engineering Attacks

Kelly Corning, Julie Sharp

Page 2: Preventing Social Engineering Attacks (What is Social Engineering?)

Human-based techniques: impersonation

Computer-based techniques: malware and scams

Page 3: Preventing Social Engineering Attacks (Why is Social Engineering Effective?)

Manipulates legitimate users into undermining their own security system

Abuses trusted relationships between employees

Very cheap for the attacker

Attacker does not need specialized equipment or skills

Page 4: Preventing Social Engineering Attacks (Impersonation)

Impersonation techniques:

Help Desk

Third-party Authorization

Tech Support

Roaming the Halls

Repairman

Trusted Authority Figure

Snail Mail

Page 5: Preventing Social Engineering Attacks (Computer-Based Techniques)

Computer-based techniques:

Pop-up windows

Instant Messaging and IRC

Email Attachments

Email Scams

Chain Letters and Hoaxes

Websites

Page 6: Preventing Social Engineering Attacks (Help Desk)

Hacker pretends to be an employee

Recovers a “forgotten” password

Help desks often do not require adequate authentication

Page 7: Preventing Social Engineering Attacks (Third-party Authorization)

Targeted attack on someone who has information: access to assets, verification codes

Claim that a third party has authorized the target to divulge sensitive information

More effective if the third party is out of town

Page 8: Preventing Social Engineering Attacks (Tech Support)

Hacker pretends to be tech support for the company

Obtains user credentials for troubleshooting purposes.

Users must be trained to guard credentials.

Page 9: Preventing Social Engineering Attacks (Roaming the Halls)

Hacker dresses to blend in with the environment: company uniform, business attire

Looks for sensitive information that has been left unattended: passwords written down, important papers, confidential conversations

Page 10: Preventing Social Engineering Attacks (Repairman)

Hacker wears the appropriate uniform

Often allowed into sensitive environments

May plant surveillance equipment

Could find sensitive information

Page 11: Preventing Social Engineering Attacks (Trusted Authority Figure)

Hacker pretends to be someone in charge of a company or department

Similar to the “third-party authorization” attack

Examples of authority figures: medical personnel, home inspector, school superintendent

Impersonation in person or via telephone

Page 12: Preventing Social Engineering Attacks (Snail Mail)

Hacker sends mail that asks for personal information

People are more trusting of printed words than webpages

Examples: fake sweepstakes, free offers, rewards programs

More effective on older generations

Page 13: Preventing Social Engineering Attacks (Pop-up Windows)

Window prompts user for login credentials

Imitates the secure network login

Users can check for visual indicators to verify security

Page 14: Preventing Social Engineering Attacks (Instant Messaging and IRC)

Hacker uses IM or IRC to imitate the technical support desk

Redirects users to malicious sites

Trojan horse downloads install surveillance programs.

Page 15: Preventing Social Engineering Attacks (Email Attachments)

Hacker tricks user into downloading malicious software

Programs can be hidden in downloads that appear legitimate

Examples: executable macros embedded in PDF files; camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”

Often the final extension is hidden by the email client.
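The camouflaged-extension trick above is easy to check for mechanically on the receiving side. The following Python is an added example, not code from the presentation or its authors: it splits an attachment name into its extension chain, reports what a client that hides the final extension would display, and flags a file whose last extension is executable while the one before it looks like an ordinary document. The extension lists are assumptions chosen for illustration, not a complete policy.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumed list of extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".hta",
}

# Assumed list of extensions a user expects on a harmless document or image.
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png",
}


@dataclass(frozen=True)
class AttachmentVerdict:
    filename: str
    displayed_name: str   # what a mail client that hides the final extension shows
    suspicious: bool
    reason: str


def split_extensions(filename: str) -> tuple[str, list[str]]:
    """Return (stem, [ext1, ext2, ...]) with extensions lower-cased and dot-prefixed."""
    base = os.path.basename(filename)
    parts = base.split(".")
    stem = parts[0]
    exts = ["." + part.lower() for part in parts[1:]]
    return stem, exts


def assess_attachment(filename: str) -> AttachmentVerdict:
    """Decide whether an attachment name is a disguised executable."""
    base = os.path.basename(filename)
    _, exts = split_extensions(base)
    # A client that hides the last extension shows everything before the final dot.
    displayed = base.rsplit(".", 1)[0] if exts else base

    if not exts:
        return AttachmentVerdict(base, displayed, False, "no extension")

    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            reason = (f"executable {final} disguised as {exts[-2]} document; "
                      f"client would display '{displayed}'")
        else:
            reason = f"executable attachment ({final})"
        return AttachmentVerdict(base, displayed, True, reason)

    if final in DOCUMENT_EXTENSIONS:
        return AttachmentVerdict(base, displayed, False, f"document ({final})")

    return AttachmentVerdict(base, displayed, False, f"unrecognised extension ({final})")


def flag_suspicious(filenames: list[str]) -> list[str]:
    """Return only the attachment names that assess_attachment marks suspicious."""
    return [name for name in filenames if assess_attachment(name).suspicious]


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration.
    for name in ["NormalFile.doc", "NormalFile.doc.exe", "invoice.PDF.scr", "notes.txt"]:
        verdict = assess_attachment(name)
        print(f"{name:22} shown as {verdict.displayed_name:18} "
              f"{'SUSPICIOUS' if verdict.suspicious else 'ok':10} {verdict.reason}")
```

The check is deliberately name-based only; a mail gateway would combine it with content inspection, since a renamed file can lie about its type in both directions.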

Page 16: Preventing Social Engineering Attacks (Email Scams)

More prevalent over time

Begins by requesting basic information

Leads to financial scams

Page 17: Preventing Social Engineering Attacks (Chain Letters and Hoaxes)

More of a nuisance than a threat

Spread using social engineering techniques

Productivity and resource cost

Page 18: Preventing Social Engineering Attacks (Websites)

Offer prizes but require a created login

Hacker capitalizes on users reusing login credentials

Website credentials can then be used for illegitimate access to assets

Page 19: Preventing Social Engineering Attacks (Prevention)

Never disclose passwords

Limit IT information disclosed

Limit information in auto-reply emails

Escort guests in sensitive areas

Question people you don't know

Talk to employees about security

Centralize reporting of suspicious behavior

Page 20: Preventing Social Engineering Attacks (Never Disclose Passwords)

Remind employees to keep passwords secret

Don’t make exceptions

It’s not a grey area!

Page 21: Preventing Social Engineering Attacks (Limit IT Information Disclosed)

Only IT staff should discuss details about the system configuration with others

Don’t answer survey calls

Check that vendor calls are legitimate

Page 22: Preventing Social Engineering Attacks (Limit Information in Auto-reply Emails)

Keep details in out-of-office messages to a minimum

Don’t give out contact information for someone else.

Route requests to a receptionist

Page 23: Preventing Social Engineering Attacks (Escort Guests in Sensitive Areas)

Guard all areas with network access: empty offices, waiting rooms, conference rooms

This protects against the “Repairman” and “Trusted Authority Figure” attacks

Page 24: Preventing Social Engineering Attacks (Question People You Don’t Know)

All employees should have appropriate badges

Talk to people who you don’t recognize

Introduce yourself and ask why they are there

Page 25: Preventing Social Engineering Attacks (Talk to Employees About Security)

Regularly talk to employees about common social engineering techniques

Always be on guard against attacks

Everyone should watch what they say and do.

Page 26: Preventing Social Engineering Attacks (Centralize Reporting of Suspicious Behavior)

Designate an individual or group

Social engineers use many points of contact: survey calls, presentations, help desk calls

Recognizing a pattern can prevent an attack
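Centralized reporting only pays off if someone correlates the reports. The Python below is an added example, not from the presentation or its authors: it takes the kind of records a designated reporting point might keep (time, channel, the outside contact as recorded, what was asked) and flags any contact that approached the organization through two or more different channels within a short window. The records, field names and thresholds are all constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ContactReport:
    when: datetime
    channel: str      # e.g. "survey call", "help desk call", "presentation"
    contact: str      # caller number or name as recorded by the employee
    asked_for: str    # what the outside party wanted to know


# Constructed sample reports, as a central reporting point might collect them.
SAMPLE_REPORTS = [
    ContactReport(datetime(2013, 3, 4, 9, 15), "survey call", "555-0100", "which email system is used"),
    ContactReport(datetime(2013, 3, 4, 13, 40), "help desk call", "555-0100", "password reset for a named user"),
    ContactReport(datetime(2013, 3, 5, 10, 5), "presentation", "555-0100", "names of IT staff"),
    ContactReport(datetime(2013, 3, 12, 11, 0), "survey call", "555-0199", "office opening hours"),
]


def find_patterns(reports: list[ContactReport],
                  window: timedelta = timedelta(days=7),
                  min_channels: int = 2) -> dict[str, list[str]]:
    """Return {contact: sorted channels} for every contact that used at least
    min_channels distinct channels inside any window-long span of time."""
    by_contact: dict[str, list[ContactReport]] = defaultdict(list)
    for report in reports:
        by_contact[report.contact].append(report)

    flagged: dict[str, list[str]] = {}
    for contact, recs in by_contact.items():
        recs.sort(key=lambda r: r.when)
        # Slide a window starting at each report and count distinct channels inside it.
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r.when - first.when <= window]
            channels = {r.channel for r in in_window}
            if len(channels) >= min_channels:
                flagged[contact] = sorted(channels)
                break
    return flagged


if __name__ == "__main__":
    for contact, channels in find_patterns(SAMPLE_REPORTS).items():
        print(f"{contact}: approached via {', '.join(channels)} within one week")
```

The key design choice is to key on the outside party rather than on the employee who filed the report: a single help-desk call looks routine on its own, and the pattern is only visible once reports from different departments land in one place.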

Page 27: Preventing Social Engineering Attacks (References)

Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013. <http://community.spiceworks.com/how_to/show/666-best-practices-to-prevent-social-engineering-attacks>.

Information, Network & Managed IT Security Services. "Social Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013. <http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/>.

"Types of Social Engineering." NPDN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013. <http://www.npdn.org/social_engineering_types>.