Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Cyber-security regulation wikipedia , lookup
Information security wikipedia , lookup
Information privacy law wikipedia , lookup
Denial-of-service attack wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Medical privacy wikipedia , lookup
Computer security wikipedia , lookup
Mobile security wikipedia , lookup
Password strength wikipedia , lookup
Social Engineering By: Pete Guhl and Kurt Murrell Techniques Phases of Social Engineering - Very similar to how Intelligence Agencies infiltrate their targets - 3 Phased Approach Phase 1- Intelligence Gathering Phase 2- “Victim” Selection Phase 3 -The Attack - Usually a very methodical approach Phase 1 -Intelligence Gathering - Phase 1 -Intelligence Gathering - Primarily Open Source Information Dumpster Diving Web Pages Ex-employees Contractors Vendors Strategic Partners - The foundation for the next phases Phase 2 -”Victim” Selection Looking for weaknesses in the organization’s personnel Help Desk Tech Support Reception Admin. Support Etc. - Phase 3 - The Attack - Commonly known as the “con” - Primarily based on “peripheral” routes to persuasion Authority Liking & Similarity Reciprocation - Uses emotionality as a form of distraction 3 General Types of Attack Ego Attacks Sympathy Attacks Intimidation Attacks Intimidation Attack Attacker pretends to be someone influential (e.g., authority figure, law enforcement) Attempt to use their authority to coerce the victim into cooperation If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.) If they pretend to be Law Enforcement they will claim the investigation is hush hush and not to be discussed etc. Sympathy Attacks Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc. There is some urgency to complete some task or obtain some information Needs assistance or they will be in trouble or lose their job etc. Plays on the empathy & sympathy of the victim Attackers “shop around” until they find someone who will help Very successful attack The Ego Attack Attacker appeals to the vanity, or ego of the victim Usually targets someone they sense is frustrated with their current job position The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data Attacker may pretend to be law enforcement, the victim feels honored to be helping Victim usually never realizes More info on attacks Attacks can come from anywhere/anytime Social Engineering can circumvent current security practices - What good is a password if everyone has it? No one is immune - Everyone has information about the company Preventing Social Engineering Training Warn Users of Imminent Attack - Users that are forewarned are less free with information Training Define Sensitive Information Training Define Sensitive Information Passwords Training Define Sensitive Information Passwords DOB Training Define Sensitive Information Passwords DOB Maiden Names Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Account Numbers Training Define Sensitive Information Passwords DOB Maiden Names Social Security Number Account Numbers Billing Amounts Training Users Passwords, phone numbers, other data Training Users Passwords, phone numbers, other data System Admins Tougher authentication protocol for password resets Testing Users - Reveal seemingly innocuous data? Testing Users - Reveal seemingly innocuous data? System Admins – Divulge network information? Testing Users - Reveal seemingly innocuous data? System Admins – Divulge network information? Helpdesk personnel – Reset passwords on faulty authentication? Removing the Weak Link Remove the user’s ability to divulge information - Remove all non essential phones - Restrict to internal communications - Remove Internet access - Disable removable drives - Make false information accessible Removing the Weak Link Forced strong authentication - Use secure software requiring strong authentication for password resets - Require callback to user’s directory listed number Removing the Weak Link Secure Protected Doors - Employ Guards - Use Revolving Door - Two Door Checkpoint - Deploy CCTV to remote facility