social engineering – posing challenges to the thinking security professional 05 dec 2013

Social Engineering – Posing Challenges To The Thinking Security Professional Paul Devassy, CPP, Chairman ASIS Mumbai – India Chapter


Post on 30-Jun-2015


DESCRIPTION

Social engineering has, since time immemorial, been a lethal tool in the hands of the immorally minded. It targets human weakness, so no amount of hardware investment will deter such attempts; upgrading the human capital in organizations becomes all the more necessary. Social engineering exploits the natural human tendencies towards trust and helpfulness. Lack of awareness among staff of the value of the information they possess also makes them complacent in protecting it. ‘Social engineering can be said to be an Art and Science of getting people to comply with your wishes. It is not a way of mind control, it will not allow you to get people to perform tasks wildly outside of their normal behavior and it is far from foolproof’ [David Harley 1997].

Humans are programmed to be social engineers from a very early age, as we are social beings. We like to know more about our friends and colleagues, or about what is happening in other organizations; the problem starts when the gathered information is used to manipulate. Social engineering has always been a silent killer eating away at the vitals of organizations. Organizations which are affected usually never disclose such attempts, as disclosure would have disastrous consequences for the organization's reputation, with investors viewing it rather dimly. Because of this, practitioners of these skills keep at it.

Social engineering is frequently overlooked, with organizations preferring to turn their attention to more visible or media-tracked risks. It is frequently viewed as a soft threat, and budget to combat it is rarely allocated. All these conditions in tandem help the ‘bad guys’ use psychological manipulation to subvert systems and personnel and compromise the data of individuals and organizations. The starting point for an organization in this battle is to recognize that the problem exists and requires addressing. That has been the genesis of this presentation.

TRANSCRIPT

Page 1: Social engineering – posing challenges to the thinking security professional 05 dec 2013

Social Engineering – Posing Challenges To The Thinking Security Professional

Paul Devassy, CPP, Chairman ASIS Mumbai – India Chapter

Page 2

December 12, 2013

Points to be covered

1. What does Social Engineering mean?

2. Practitioners through the ages

3. What are “Social engineers” looking for?

4. Human frailties

5. Who is at risk?

6. Cycle and Types of attack

7. What can we do?

8. Protection for us?

Page 3

Disclaimer

All views expressed in this lecture are personal and are gathered from experiential information.

Examples quoted are just a means to emphasize a point and are in no way being judgemental of the person, actions or even events.

Page 4

Definition of Social engineering

Merriam Webster's dictionary: “Management of human beings in accordance with their place and function in society, applied social science”

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

• "It's all about gaining access to information that people think is innocuous when it isn't"

Page 5

Practitioners through the ages

Page 6

What are they looking for?

Page 7

Exploitation of Human frailties

Page 8

Lack of training and awareness

Page 9

Who is at risk?

Do the social engineers only target these types of people?

Or is everybody a potential target?

Page 10

Cycle of an attack

Page 11

Types of attacks

Page 12

So what do we do?

Page 13

Protection for us?

Page 14

Protection 1

Page 15

Protection 2

Training and awareness at all levels is a must

Page 16

Questions?

Page 17

Resources

Bibliography

Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics." SecurityFocus, December 18, 2001. URL: http://www.securityfocus.com/infocus/1527

searchSecurity.com Definitions, whatis.com, 2004. URL: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html

"Types of Social Engineering." NPDN.org, National Plant Diagnostic Network, 2013. Web. Accessed 26 Mar. 2013. URL: http://www.npdn.org/social_engineering_types

Mitnick, Kevin, and William L. Simon. The Art of Deception. Wiley Publishing, 2002.

Information Security Policy and Disaster Recovery Associates, UK. URL: http://www.yourwindow.to/information-security/gl_dataclassification.htm

Wilson, Sam. "Combating the Lazy User: An Examination of Various Password Policies and Guidelines." SANS, Sept. 16, 2002. URL: http://www.sans.org/rr/papers/6/142.pdf

Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global, n.d. Web. Accessed 26 Mar. 2013. URL: http://community.spiceworks.com/how_to/show/666-best-practices-to-prevent-social-engineering-attacks

"Social Engineering." Information, Network & Managed IT Security Services, SecureWorks, Dell, 2013. Web. Accessed 26 Mar. 2013. URL: http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/

Mandia, Kevin, and Chris Prosise. Incident Response. McGraw-Hill, 2001.

Background Check International, LLC. URL: http://www.bcint.com/services.html

Harley, David. "Refloating the Titanic: Dealing with Social Engineering Attacks."

Page 18

Thank you!