SOCIAL ENGINEERING AND INFORMATION PROTECTION BEST PRACTICES

Upload: athena-body

Post on 16-Dec-2015


Page 1: SOCIAL ENGINEERING AND INFORMATION PROTECTION BEST PRACTICES


Page 2 (Social engineering): INTRODUCTION

Who Are We?
• Graduate students at UNM Anderson School of Management, both studying toward a graduate degree in Information Assurance
• Full-time employees at Sandia National Laboratories, working in an IT department

Page 3 (Social engineering): INTRODUCTION

Why Are We Here?
• We all need to learn to defend our information from unauthorized access and use
• A survey given 3/10/2013 discloses some areas in which you can protect yourselves better
• Major topics:
  • Online Privacy/Protection
  • Social Engineering
  • Password Strength/Password Management

Page 4: SURVEY RESULTS

Here are some of the more interesting results from the survey…

[Chart: “Do you reuse the same password across your online accounts?” – bar chart with Yes / No / Not Sure, count axis 0–20; bar values not recoverable from the transcript]
[Chart: “Do you regularly clear your browser cache?” – bar chart with Yes / No / Not Sure, count axis 0–14]
[Chart: “Do you use strong passwords for your online accounts?” – bar chart with Yes / No / Not Sure, count axis 0–25]
[Chart: “How familiar are you with social media privacy settings?” – bar chart with Familiar / S Familiar / S Unfamiliar / Unfamiliar / N/A, count axis 0–8]

Page 5 (Social engineering): ONLINE PRIVACY/PROTECTION

You may have heard recently that many celebrities’ email accounts were being hacked
• So much information about celebrities is on the internet
• Countless followers via Twitter, Facebook, and other social media

Page 6 (Social engineering): ONLINE PRIVACY/PROTECTION

One of the biggest threats to your personal privacy protection is social media
• Over-sharing
• “Checking in”
• Embarrassing pictures/posts/likes
• Lack of control over who can see what
• Anonymous information gathering

Page 7 (Social engineering): EMAIL / BROWSER SAFETY

Browser Safety
• Cleaning cache
• Tracking and cookies
• Double-checking URLs

Email Safety
• Spam filtering
• Attachments

Page 8 (Social engineering): SOCIAL ENGINEERING

Due to social media use today, we are all “celebrities”
• Just as people have been able to hack real celebrity accounts using information from the internet, the same can be done to anyone sharing via social media
• All this public information makes an individual vulnerable to social engineering attacks

Page 9 (Social engineering): SOCIAL ENGINEERING

“the art of manipulating people into performing actions or divulging confidential information”
• Tricking the victim into divulging information
• Only a few of you responded that you had previously given personal information over the internet
• Can involve pretexting, or creating a target-specific scenario, to give the victim a sense of legitimacy

Page 10: PRETEXTING

“the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.”
• Attackers will research their targets so that they can create a more believable lie
• Example: a phishing email from “your bank” asking you to confirm your username and password
• Use of other information, such as work or school, gained via social networking sites

Page 11 (Social engineering): MIDTERM EXAM

1. Clear out your ________ ________ regularly to keep sites from tracking your internet activity.
   Answer: Browser Cache

2. The act of creating a scenario to engage a targeted victim to divulge information is known as what?
   Answer: Pretexting

3. True or False. “Checking In” on Facebook on a regular basis is a safe practice.
   Answer: False

4. The art of manipulating people to divulge confidential information is known as what?
   Answer: Social Engineering

5. One of the greatest threats to our personal online privacy is how we use ________ ________.
   Answer: Social Media

Page 12 (Password best practices): PASSWORD STRENGTH

Password Strength
• Most of you say you use strong passwords
• What makes a strong password?
  • At least 8 characters – more is better
  • Avoid any dictionary words
  • Mix of letters (upper and lower), numbers, and other characters (like punctuation)
• Some examples:
  • r3t7A#EM
  • Tad3cha5$uh#q

Page 13: PASSWORD STRENGTH – WHY A COMPLEX PASSWORD?

There are several methods of acquiring a password:
– Guessing* – use of personal information that is available
– Dictionary-based attacks*
– “Brute Force” attacks* – programs that can guess every possible combination of characters
– Phishing**
– Shoulder surfing**

* These attacks are best mitigated through the use of a strong password. The stronger the password, the harder it is to guess by either people or programs.
** These attacks are best mitigated through personal security (preventing social engineering).

• Password strength criteria: http://www.microsoft.com/security/online-privacy/passwords-create.aspx
• Password strength checker: https://www.microsoft.com/security/pc-security/password-checker.aspx
• Password generator: https://secure.pctools.com/guides/password
• Importance of a strong password: http://www.utexas.edu/its/secure/articles/importance_strong_passwords.php

Page 14: PASSWORD STRENGTH DEMONSTRATION – HOW STRONG IS MY PASSWORD?

5 volunteers!

Password Strength Checker
• How long would it take a desktop PC to crack a password?
• http://howsecureismypassword.net/
• Do NOT put your REAL password into this site – it is for relative strength checking only!
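The two slides above state the strength criteria (8+ characters, no dictionary words, a mix of character classes) and then ask how long a desktop PC would take to crack a password. The following added example (written for this page, not code from the presentation or from the strength-checker site it links to) applies those criteria to a password and turns the character-class mix into a brute-force search-space estimate. The mini wordlist, the 1e9 guesses/second rate, and the simple alphabet-size model are all assumptions made for illustration; a real checker would load a full dictionary and calibrate the guess rate to actual hardware.

```python
import string

# Constructed mini wordlist standing in for a real dictionary; a real check
# would load a full wordlist (assumption, not something the slides specify).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "summer", "sandia"}

MIN_LENGTH = 8  # slide 12: "at least 8 characters - more is better"


def _has_class(password, predicate):
    """True when at least one character satisfies the predicate."""
    return any(predicate(c) for c in password)


def check_strength(password, dictionary=DICTIONARY):
    """Score a password against the slide-12 criteria.

    Returns a dict mapping each criterion to True/False, plus "ok", which is
    True only when every criterion is satisfied.
    """
    lowered = password.lower()
    results = {
        "min_length": len(password) >= MIN_LENGTH,
        "has_lower": _has_class(password, str.islower),
        "has_upper": _has_class(password, str.isupper),
        "has_digit": _has_class(password, str.isdigit),
        "has_other": _has_class(password, lambda c: c in string.punctuation),
        # A dictionary word buried inside the password ("dragon42!") still
        # fails; only words of 4+ letters are checked to avoid false hits.
        "no_dictionary_word": not any(
            word in lowered for word in dictionary if len(word) >= 4
        ),
    }
    results["ok"] = all(results.values())
    return results


def charset_size(password):
    """Alphabet size an exhaustive search must cover for the classes present.

    This is the common simple estimator (lower 26 + upper 26 + digits 10 +
    32 ASCII symbols); it is an assumption here, not the exact model used by
    the strength-checker site named on the slide.
    """
    size = 0
    if _has_class(password, str.islower):
        size += 26
    if _has_class(password, str.isupper):
        size += 26
    if _has_class(password, str.isdigit):
        size += 10
    if _has_class(password, lambda c: c in string.punctuation):
        size += len(string.punctuation)  # 32 symbols
    return size


def search_space(password):
    """Number of candidates a brute-force search of this length and mix must try."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password, guesses_per_second=1_000_000_000):
    """Worst-case seconds to exhaust the search space at a given guess rate.

    The 1e9 guesses/s default is a constructed illustrative rate for a
    desktop PC, not a measurement; change it to match real hardware.
    """
    return search_space(password) / guesses_per_second


def describe(seconds):
    """Human-readable duration for the demo output."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, including the two examples from slide 12.
    for pw in ["password", "Dragon42!", "r3t7A#EM", "Tad3cha5$uh#q"]:
        r = check_strength(pw)
        failed = [k for k, v in r.items() if k != "ok" and not v]
        print(f"{pw:16} ok={r['ok']!s:5} failed={failed} "
              f"search space={search_space(pw):.2e} "
              f"worst case={describe(brute_force_seconds(pw))}")
```

Run it and compare the rows: "password" passes the length test yet fails on the dictionary check and has a 26^8 search space, while the slide's "r3t7A#EM" draws on all four classes (94^8) and "Tad3cha5$uh#q" shows why the slide says "more is better", since each extra character multiplies the search space by the alphabet size. As with the site on the slide, test only throwaway strings, never a real password.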

Page 15 (Password best practices): PASSWORD REUSE

Password Reuse
• While most of you said you use strong passwords, most of you also said you reuse passwords
• DON’T USE THE SAME PASSWORD ACROSS ALL ACCOUNTS!
• Sites are hacked regularly and passwords are retrieved
• SERIOUSLY??? Did you see those password examples?????

Page 16 (Password best practices): PASSWORD MANAGEMENT

Password Management
• Various tools to manage passwords
• Allows unique passwords to be used for each account
• Convenient features for ease of use:
  • Categorization
  • Auto-type/Auto-fill
• Online/cloud-based and client-based
• Each solution has its pros and cons

Page 17 (Password best practices): PASSWORD MANAGEMENT

Pros/Cons
• Cloud-based – less secure, passwords stored somewhere on the internet
• Client-based – more secure, less convenient as only available where installed

Solution: KeePass with Dropbox
• Power of a client-based, encrypted database with availability provided by online storage

Page 18 (Password best practices): PASSWORD MANAGEMENT

Dropbox
• Online storage
• Web browser interface
• Desktop sync
• iPhone/iPad/Android sync
• FREE! (2GB – more than enough for a KeePass database file)

KeePass
• Encrypted password database
• Categorize by folder
• Lightweight install
• Password generator/strength indicator
• Secure notes
• Auto-type
• iPhone/iPad/Android app support
• FREE!

Result: an encrypted database of passwords synced across all devices – you only have to remember one really strong password! For FREE!

Page 19 (Password best practices): PASSWORD MANAGEMENT DEMONSTRATION

KeePass & Dropbox Demo

Page 20 (Password best practices): REVIEW

Best Practices
• Use spam filters
• Don’t open unusual/unknown attachments
• Double-check URLs before clicking
• Lock down public information on social media sites
• Be absolutely sure you know who you are divulging information to
• Use strong passwords
• Use a password management tool to enable unique passwords across the internet

Page 21 (Password best practices): QUESTIONS

QUESTIONS???