social engineering

Upload: hhsome

Post on 02-Nov-2014


TRANSCRIPT

1. Social Engineering
Presented by Md. Mukul Hossen

2. What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

3. Why do people fall for social engineering techniques?
People are fooled every day by these cons because they haven't been adequately warned about social engineers. Most people won't recognize a social engineer's tricks because they are often very sophisticated. Social engineers use a number of psychological tactics on unsuspecting victims. They simply act like they belong in a facility, even if they should not be, and their confidence and body posture puts others at ease. It is quite difficult to identify them because of

4. Social engineers' motives
- Financial gain
- Personal interest
- External pressure
- Intellectual challenge
- Damage containment
- (Personal) grievance
- Politics

5. Some social engineering exploit techniques
Familiarity exploit: People are far more comfortable responding to and carrying out requests from familiar people than from complete strangers.
Creating a hostile situation: People withdraw from those who appear to be mad, upset or angry at something or someone other than themselves. For example, if you are on the phone and fake having a heated conversation with someone, people around you will absolutely notice you, but they will also go out of their way to avoid you.

6. Continue.
Gathering and using information: When it comes right down to it, the key to being a successful social engineer is information gathering.
Get a job there: Once you are on the inside you become far more trusted, even if you are a lowly clerk. Social engineering a co-worker is usually a piece of cake given the assumed trust you'll have as a fellow employee.
Reading body language: An experienced social engineer will read and respond to their mark's body language.

7. How to protect against social engineering?
Password management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.
Two-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.
Anti-virus/anti-phishing defences: Multiple layers of anti-virus defences, such as at mail gateways and on end-user desktops, can minimize the threat of phishing and other social-engineering attacks.

8. Continue.
Change management: A documented change-management process is more secure than an ad-hoc process, which is more easily exploited by an attacker who claims to be in a crisis.
Information classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.
Document handling and destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
Physical security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

9. Continue.
Organizations must address social-engineering threats as part of an overall risk-management strategy. The best way to mitigate the risk posed by rapidly evolving social-engineering methods is through an organizational commitment to a security-aware culture. Ongoing training will provide employees with the tools they need to recognize and respond to social-engineering threats, and support from the executive staff will create an attitude of ownership and accountability that encourages active participation in the security culture.

10. Thank you for your attention.