social engineering and its importance in pentesting engineering and its importance in pentesting ......
TRANSCRIPT
Social Engineering and its importance in Pentesting
ISACA CPE Meet – 13th June, 2015
Manasdeep PCI-QSA, CISA, ISO 27001:2013 LA
SISA Information Security Pvt. Ltd.
www.sisainfosec.com
About Me
• Consultant @ SISA Information Security Pvt. Ltd.
• PCI QSA, CISA, ISO 27001:2013
• Regular contributor to information security magazines such as ClubHack Mag, Pentestmag.
• Interested in PCI DSS, Compliance and Penetration Testing
• Like to learn and demonstrate latest security attack vectors and technologies.
www.sisainfosec.com
Agenda
• What is Social Engineering (SE) ?
• Why is Social Engineering SO successful?
• Case Study Demonstration
• Macroexpressions & Body Language
• Microexpressions
• Social Engineering Trends : At a Glance
• Social Engineering and PCI DSS v3.0
• Achieving maximum efficiency : Social engineering tests
• Thwarting social engineering attacks
www.sisainfosec.com
What is Social Engineering?
“Act of influencing a person to take action that may or may not be in target’s interest”
www.sisainfosec.com
Is Social Engineering always bad?
Good Social Engineers: Parents, Doctors, Criminal Psychologists, Negotiators, Salespersons, Diplomats, Whistle-blowers, Magicians
Bad Social Engineers: Fraudsters, Confidence tricksters Malicious Insiders, Espionage Agents, Double-Agents, Blackmailers, Human Traffickers, Terrorists
www.sisainfosec.com
Why is Social Engineering SO successful?
We are hard-wired to respond to a favor, often not in direct proportion to the size of the favor done to us.
Principle 1 - Reciprocation:
www.sisainfosec.com
Why is Social Engineering SO successful?
Once we have made a choice or taken a stand, we will encounter personal and inter-personal pressures to behave consistently with
that commitment.
Principle 2 - Commitment and Consistency
www.sisainfosec.com
Why is Social Engineering SO successful?
One means we use to determine what is correct is to find out what other people think is correct. The principle applies especially to the
way we decide what constitutes correct behavior.
Principle 3 - Social Proof:
www.sisainfosec.com
Why is Social Engineering SO successful?
As a rule, we prefer to say yes to the requests of someone we know and like
Principle 4 - Liking
www.sisainfosec.com
Why is Social Engineering SO successful?
The real culprit is our inability to resist the psychological power wielded by the person in authority.
Principle 5 - Authority
www.sisainfosec.com
Why is Social Engineering SO successful?
The influence of the scarcity principle in determining the worth of an item.
Principle 6 - Scarcity:
www.sisainfosec.com
Case Study: The Canteen episode
During graduation days, we planned to have food from the canteen without paying huge bills when our friend group grew large in size.
The Objective -
www.sisainfosec.com
Case Study: The Canteen episode
Those days, Reliance had launched an offer that enabled you to talk free between 2 sims if you buy both of them.
The Opportunity
www.sisainfosec.com
Case Study: The Canteen episode
We gave the 2 sims to canteen serving boy for having him to talk “as much as he desires” to his village.
We made an understanding that whenever our friend circle was visiting canteen, he
shall bring extra snacks or cold drinks without charging us extra on them.
The Social Engineering Attack -
www.sisainfosec.com
Case Study: The Canteen episode
We used to get almost double the food for the price of few items or the half of the price. This went on un-noticed for 7-8 months after
which the plan failed.
The Effect -
www.sisainfosec.com
Case Study: Analysis
• Why did the plan work?
• What could have caused failure of plan after 7-8 months?
• What could have happened if we were caught earlier ?
www.sisainfosec.com
Macro-expressions / Body language
Macro-expression / Body language is a form of mental and physical ability of human non-verbal communication, which consists of body posture, gestures, facial expressions, and eye movements. Humans send and interpret such signals almost entirely subconsciously.
Communication consists of :
• 7% of what we say • 38% vocal(tone, accent, dialect) • 55% Non Verbal
www.sisainfosec.com
Macro-expressions / Body language
Non Verbal behavior is depicted fundamentally by some body parts and how they act:
• Feet/Legs (Most Accurate) • Torso • Hands • Neck • Mouth • Face (Least Accurate)
www.sisainfosec.com
Micro-expressions
A micro-expression is a brief, involuntary facial expression shown on the face of humans according to emotions experienced.
www.sisainfosec.com
Characteristics of micro-expressions:
• They are very brief in duration, lasting only 1/25 to 1/15 of a second.
• Highly Accurate in depicting the "actual" thought of the person.
• Almost involuntary reflexes barely felt by the subject
• Express the seven universal emotions: disgust, anger, fear, sadness, happiness, surprise, and contempt
• It is difficult to hide micro-expression reactions
www.sisainfosec.com
Puppy Dog Eyes Expression
Animals too…..are able to Social engineer us successfully !!
With whom you’d rather share your biscuit with??
Can you give me a biscuit? Please……
May I join in too? Please……
Where is MY biscuit? GIVE IT TO ME NOW !! Or else…….
www.sisainfosec.com
Social Engineering and PCI DSS v3.0
www.sisainfosec.com
Achieving maximum efficiency : Social engineering tests
• On confronting an anti social or angry person; frown a bit and tilt your head by relaxing your shoulders. This indicates you are interested to hear him/her out and are not confronting directly.
• If you enter with a sad expression, the subject will involuntary feel sympathetic for you and will offer to help in most cases.
www.sisainfosec.com
Achieving maximum efficiency : Social engineering tests
• A friendly and warm reception always has higher chances of information retrieval than a rash or unfriendly behavior you know you are trapped.
• Dress up nicely (as per occasion) and walk in short sure steps. It gives an impression of authority and people are much likely to yield under this charismatic effect.
www.sisainfosec.com
Golden rule for thwarting social engineering attacks
TRUST, BUT VERIFY
www.sisainfosec.com
Resources
Books: • Social Engineering: The Art of Human Hacking by Christopher Hadnagy
• The Art of Deception: Controlling the Human Element of Security by
Kevin Mitnick
• Influence: The Psychology of Persuasion by Robert B. Cialdini
www.sisainfosec.com
Resources
Links: Body Language – Expressions on Google Android App Store:
• https://play.google.com/store/apps/details?id=com.Mazuzu.Expression
Training&hl=en
Video: Nonverbal Human Hacking Derbycon 2012
• http://www.irongeek.com/i.php?page=videos/derbycon2/2-1-2-chris-hadnagy-nonverbal-human-hacking
www.sisainfosec.com
THANK YOU !!!
The information provided here is for knowledge purpose only. The author views represented here are personal and may not necessarily represent the views of SISA.