Social Engineering Networks Reid Chapman Ciaran Hannigan

Posted on 18-Dec-2015

TRANSCRIPT

Page 1: Social Engineering Networks Reid Chapman Ciaran Hannigan

Social Engineering Networks

Reid Chapman

Ciaran Hannigan

Page 2:

What is Social Engineering

Social Engineering is the art of manipulating people into performing actions or divulging confidential information.

This type of attack is non-technical and relies heavily on human interaction.

Page 3:

Social Engineering

Hackers use Social Engineering attacks to obtain information that lets them gain unauthorized access to a valued system and the information that resides on it.

Page 4:

History of Social Engineering

The term Social Engineering was made popular by ex-computer criminal Kevin Mitnick.

He confessed to illegally accessing private networks and to possession of forged documents.

He claimed to have used only Social Engineering techniques, with no help from software programs.

Page 5:

Types of Attacks

Pretexting

On-Line Social Engineering

Reverse Social Engineering

Phone Social Engineering

Page 6:

Pretexting

The act of creating and using an invented situation in order to convince a target to release information or grant access to sensitive materials.

This type of attack is usually carried out over the phone and can be used to obtain customer information, phone records and banking records; it is also used by private investigators.

Page 7:

Pretexting cont’

The hacker disguises their identity in order to ask a series of questions intended to obtain the information they want from their target.

By answering these questions, the victim unknowingly provides the attacker with all the information needed to carry out the attack.

Page 8:

Online Social Engineering

This attack exploits the fact that many users use the same password for all their online accounts, such as e-mail, banking, or Facebook.

So once an attacker has access to one account, he/she has access to all of them.

Page 9:

Online cont’

Another common online attack is for a hacker to pretend to be a network admin and send out emails requesting usernames and passwords. This attack is not as common or successful as it once was, because people have become more conscious of it.

Page 10:

Reverse Social Engineering

Probably the least used of the attacks.

Requires extensive research and planning.

The key is to establish yourself in a position of authority and have your targets come to you, giving you a better chance of retrieving info.

Page 11:

Reverse Social Engineering

This form of attack can be divided into three stages.

Stage one - Sabotage: Cause a problem (Crash the network)

Stage two - Advertise: Send out notice that you are the one to contact to solve the problem.

Stage three - Assist: Help the employees and get from them the info you came for.

When all is done, you fix the problem and leave, and no one is the wiser because the problem is fixed and everyone is happy.

Page 12:

Phone Social Engineering

The most common form of social engineering.

A hacker will call someone up, imitate a person of authority, and slowly retrieve information from them.

Help desks are incredibly vulnerable to this type of attack.

Page 13:

Help Desks are Gold Mines

A help desk's main purpose is to help, which puts it at a disadvantage against an attacker.

People employed at a help desk are usually paid next to nothing, giving them little incentive to do anything but answer the questions and move on to the next phone call.

So how do you protect yourself?

Page 14:

Protecting Against These Attacks

As you know, these attacks can take two different approaches: physical and psychological.

The physical aspect: the workplace, over the phone, dumpster diving, and online.

The psychological aspect: persuasion, impersonation, ingratiation, conformity, and good ol' fashioned friendliness.

Page 15:

How To Defend Against the Physical

Check and Verify all personnel entering the establishment.

More important files should be locked up.

Shred all important papers before disposing of them.

Erase all magnetic media (hard drives, disks).

All machines on the network should be well protected by passwords.

Lock and store dumpsters in secure areas.

Page 16:

Security Policies and Training!!!

Corporations make the mistake of only protecting themselves from the physical aspect, leaving them almost helpless against the psychological attacks hackers commonly use.

Advantage: a policy relieves the worker of the responsibility to make a judgment call on the hacker's request.

Policy should address aspects of access control, password changes and password protection.

Locks, IDs, and shredders are important and should be required for all employees.

Set it in Stone: Violations should be well known and well enforced.

Page 17:

Security Policies and Training!!!

All employees should know how to keep confidential information safe.

All new employees should attend a security orientation.

All employees should attend an annual refresher course on these matters.

Also send emails to employees concerning this matter: how to spot an attacker, methods for preventing them from falling victim, and stories of current and landmark Social Engineering cases.

Page 18:

Spotting an Attack

What to look for: refusal to give contact information, rushing, name-dropping, intimidation, small mistakes, and requesting protected information.

Put yourself in their shoes. Think like a hacker.

Page 19:

What to do for the Average Joe

DO NOT DISCLOSE ANY PERSONAL INFORMATION UNLESS PERSON AND/OR SITE IS TRUSTED.

Don’t fall prey to all the get rich quick schemes. Update your security software regularly. Have a strong password and change it regularly.

Try not to use the same password for all your accounts.

Shred your important papers before throwing them out.