Social Engineering: The Forgotten Information Assurance Risk


DESCRIPTION

Social Engineering: The Forgotten Information Assurance Risk. Marc Rogers PhD, CISSP, CCCI Associate Professor Department of Computer Technology Center for Education and Research in Information Assurance & Security (CERIAS) Purdue University. Outline. How Big is the Problem? - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Social Engineering: The Forgotten Information Assurance Risk

Social Engineering: The Forgotten Information Assurance Risk

Page 2

© Copyright 2004 Marcus K. Rogers All Rights Reserved. (ISC)² Presents: “Securing Your Company's Infrastructure”

Marc Rogers PhD, CISSP, CCCI

Associate Professor

Department of Computer Technology

Center for Education and Research in Information Assurance & Security (CERIAS)

Purdue University

Page 3

Outline

• How Big is the Problem?

• What is Social Engineering?

• Why is SE so Effective?

• Anatomy of an SE Attack

• How to Mitigate the Risk

• Conclusions

Page 4

Page 5

How big is the Problem?

Page 6

How big is the Problem?

• CSI/FBI 2004

• $141,496,560 decrease from last year ???

• Denial of Service most costly

• Theft of IP second

• 2002-03 Australian Cyber Crime Survey

• Volume of attacks doubled since 2001

• Deloitte 2004 Global Security Survey

• Financial Institutions’ concern tied to regulatory compliance

• 83% of respondents had suffered a compromise

• PWC/Department of Trade & Industry: Information Security Breaches Survey 2004 (UK)

• Number of breaches increased

• Average cost of incident to large business was roughly $250,000

Page 7

How big is the Problem?

[Figure: CERT/CC Stats, Incidents Reported]

Page 8

How big is the Problem?

• CSO 2003 Survey

• Respondents who suffered the most damages from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.

• Those with the most damages were nearly half as likely to list staff training as one of their top three priorities.

????

Page 9

How big is the Problem?

• We don’t really know????

• Lack of meaningful metrics

• Trends indicate that it is increasing yearly

• The monetary loss has been estimated from $400 Million - $12 Billion

• Identity theft - fastest growing non-violent criminal activity

• Phishing exploits seem to be on the rise

Page 10

How big is the Problem?

• ID Theft: Fastest growing non-violent criminal activity in the US – FTC


Page 11

How big is the Problem?

• “Phishing”

• Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data.

• Account usernames and passwords, credit card numbers, social security numbers, ATM card PINs

• These e-mails look “official”; because recipients trust the brand, they often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.

Page 12

Page 13

Phishing


Page 14

Phishing

• A Closer Look!

• Complete email Headers:

• Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500

• Whois on this domain:

• Registered to a company on the island of Curaçao

Page 15

Phishing

Real site: www.citizensbank.com

Page 16

Phishing: Source View

• Snippet of the source:</A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best

you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on in 1822 Pokemon =

Gold It's not for me Temptation Island Big Brother I can't answer it's =

beautiful Just tonight no more Terra in 1861 going to Wrong number =

</font></p></html>
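The header on Page 14 and the source snippet above invite two routine checks a mail-handling team can automate before a user ever sees the message: whether the originating relay in the Received line belongs to the brand the message claims to come from, and whether the HTML carries text in a near-invisible colour. The Python below is an added example, not part of the slides; the sample Received line and the cut-down quoted-printable HTML are constructed from the values shown on the slides, and citizensbank.com (the real site named on Page 15) is assumed to be the impersonated brand.

```python
import re
from quopri import decodestring

# Constructed sample: the Received line and a shortened version of the
# quoted-printable HTML shown on the slides (not a live message).
RECEIVED = ("Received: from customer-201-133-75-84.prod-infinitum.com.mx "
            "([201.133.75.84]) by exchange.purdue.edu with Microsoft "
            "SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500")
HTML_QP = ('<p><font color=3D"#FFFFFA">in 1847 Windows Me All the best=\n'
           'you are stupid Napster Kid Rock Costumes</font></p></html>')
CLAIMED_BRAND = "citizensbank.com"  # assumed: the real site the lure imitates

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")
COLOR_RE = re.compile(r'color\s*=\s*"?#([0-9A-Fa-f]{6})')

def parse_received(header):
    """Return the relay hostname, its IP and the receiving host, or None."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None

def relay_matches_brand(helo, brand):
    """True when the relay host is the brand domain or a subdomain of it."""
    return helo == brand or helo.endswith("." + brand)

def hostname_encodes_ip(helo, ip):
    """Heuristic: provider-generated names that embed the address (customer-a-b-c-d)
    usually denote consumer/dynamic hosts, not a bank's outbound mail servers."""
    return ip.replace(".", "-") in helo

def is_near_white(hexcolor, threshold=240):
    """True when every RGB channel is at or above threshold: unreadable on a white page."""
    r, g, b = (int(hexcolor[i:i + 2], 16) for i in (0, 2, 4))
    return min(r, g, b) >= threshold

def hidden_text_colors(qp_html):
    """Decode the quoted-printable body (=3D, soft breaks) and list near-white font colours."""
    html = decodestring(qp_html.encode("ascii")).decode("latin-1")
    return [c for c in COLOR_RE.findall(html) if is_near_white(c)]

def assess(received, qp_html, brand):
    """Collect the indicators that fired; an empty list means none of these checks hit."""
    findings = []
    r = parse_received(received)
    if r and not relay_matches_brand(r["helo"], brand):
        findings.append(f"relay {r['helo']} ({r['ip']}) is not under {brand}")
    if r and hostname_encodes_ip(r["helo"], r["ip"]):
        findings.append(f"relay name embeds its own IP address ({r['ip']})")
    for c in hidden_text_colors(qp_html):
        findings.append(f"near-invisible text colour #{c}")
    return findings

if __name__ == "__main__":
    for finding in assess(RECEIVED, HTML_QP, CLAIMED_BRAND):
        print("indicator:", finding)
```

None of these indicators is proof on its own; they are cheap triage signals to route a message for closer review or to a user-reported-phish queue.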

Page 17

What is Social Engineering?

• Social/Psychological phenomenon

• Original Definition

“The practical application of sociological principles to particular social problems.”

• Not necessarily a “negative” term

• Persuasion

• Various psychological/communications theories

• Cognitive Dissonance

• Language Expectation Theory

• Has now become a negative technology issue

Page 18

What is Social Engineering?

• “Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure to an information system, network or data.” (Rogers & Berti, 2001)

• Basically using deception or persuasion to “con” someone into providing information or access they would not usually have provided.

Page 19

Why is SE so Effective?

• The Information Assurance/Security Field has focused primarily on technical security

• Almost no attention to the person-machine interaction

• Only as strong as the weakest link, and people are the weakest link

• Why spend time attacking the technology when a person will give you access?

• Extremely hard to detect as there is no IDS for “lack of common sense” or more appropriately, ignorance

Page 20

Why is SE so Effective?

• 2 Primary Factors

• Basic Human Nature & Business Environment

• Human Nature:

• Helpful

• Trusting

• Naïve

• Business Environment

• Service Oriented

• Time Crunch/Multitasking

• Distributed Locations

• Virtual Offices

• Transient Workforce

Page 21

Anatomy of an SE Attack

• Very similar to how Intelligence Agencies infiltrate their targets

• 3 Phased Approach

• Phase 1- Intelligence Gathering

• Phase 2- “Victim” Selection

• Phase 3 -The Attack

• Usually a very methodical approach

Page 22

Anatomy of an SE Attack

• Phase 1 -Intelligence Gathering

• Primarily Open Source Information

• Dumpster Diving

• Web Pages

• Ex-employees

• Contractors

• Vendors

• Strategic Partners

• The foundation for the next phases

Page 23

Anatomy of an SE Attack

• Phase 2 - “Victim” Selection

• Looking for weaknesses in the organization’s personnel

• Help Desk

• Tech Support

• Reception

• Admin. Support

• Etc.

Page 24

Anatomy of an SE Attack

• Phase 3 - The Attack

• Commonly known as the “con”

• Primarily based on “peripheral” routes to persuasion

• Authority

• Liking & Similarity

• Reciprocation

• Commitment & Consistency

• Uses emotionality as a form of distraction

Page 25

The SE Attack

• 4 General categories of attacks:

• Technical Attacks

• Ego Attacks

• Sympathy Attacks

• Intimidation Attacks

Page 26

Anatomy of an SE Attack

• The Technical Attack - (Authority/Consistency)

• No direct interpersonal contact with victims

• Attacker forges e-mail messages, pop ups, web sites, or some other medium

• Pretending to be an authorized support or system admin person legitimizes the request

• Tries to obtain sensitive account information from users (e.g., passwords, user-ids, CC #s, PINs etc.)

• “PHISHING”

• Has been very successful to date

Page 27

Anatomy of an SE Attack

• The Ego Attack - (Reciprocation/Liking)

• Attacker appeals to the vanity, or ego of the victim

• Usually targets someone they sense is frustrated with their current job position

• The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data

• Attacker may pretend to be law enforcement; the victim feels honored to be helping

• Victim usually never realizes

Page 28

Anatomy of an SE Attack

• Sympathy Attacks - (Liking/Commitment)

• Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.

• There is some urgency to complete some task or obtain some information

• Needs assistance or they will be in trouble or lose their job etc.

• Plays on the empathy & sympathy of the victim

• Attackers “shop around” until they find someone who will help

• Very successful attack

Page 29

Anatomy of an SE Attack

• Intimidation Attack - (Authority)

• Attacker pretends to be someone influential (e.g., authority figure, law enforcement)

• Attempt to use their authority to coerce the victim into cooperation

• If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.)

• If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed

Page 30

Mitigating the Risk

• The Impact of SE is usually high

• The ease of the Attack is high

• Technical controls alone will not prevent the attack

• Operational/Administrative controls alone will not prevent it

• Environmental controls alone will not prevent it

Page 31

Mitigating the Risk

• We need a combination of Operational/Administrative, Technical (logical), & Environmental (Physical) Control Principles

• It really comes down to:

• Technology

• Policies

• Education

• Awareness

• Training

Page 32

Mitigating the Risk

• All employees should have a security mind-set and question things

• Need to recognize good “catches”

• Have proper incident response procedures and teams to mitigate the damage if a breach occurs

• Immediate notification of targeted groups

• Apply technology where possible

• Need to test your readiness periodically

• IT Security reviews/assessments that include SE

Page 33

Conclusions

• SE Attacks are a serious threat

• SE Attacks are very easy and very effective

• We cannot forget about the person-machine interaction

• Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem

• The best defense is proper education and awareness training combined with technical approaches

Page 34

Parting Thoughts

“Those who fail to learn the lessons of history are doomed to repeat them.” (Santayana)

Page 35

Questions/Comments?

Page 36

Contact Information

Dr. Marc Rogers

[email protected]

Department of Computer Technology

Purdue University

765-494-2561