Social Engineering
By: Pete Guhl and Kurt Murrell
Techniques
Phases of Social Engineering
- Very similar to how Intelligence Agencies infiltrate their targets
- 3 Phased Approach
  - Phase 1 - Intelligence Gathering
  - Phase 2 - “Victim” Selection
  - Phase 3 - The Attack
- Usually a very methodical approach
Phase 1 - Intelligence Gathering
- Primarily Open Source Information
  - Dumpster Diving
  - Web Pages
  - Ex-employees
  - Contractors
  - Vendors
  - Strategic Partners
- The foundation for the next phases
Phase 2 - “Victim” Selection
- Looking for weaknesses in the organization’s personnel
  - Help Desk
  - Tech Support
  - Reception
  - Admin. Support
  - Etc.
Phase 3 - The Attack
- Commonly known as the “con”
- Primarily based on “peripheral” routes to persuasion
  - Authority
  - Liking & Similarity
  - Reciprocation
- Uses emotionality as a form of distraction
3 General Types of Attack
- Ego Attacks
- Sympathy Attacks
- Intimidation Attacks
Intimidation Attack
- Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
- Attempts to use their authority to coerce the victim into cooperation
- If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)
- If they pretend to be Law Enforcement they will claim the investigation is hush-hush and not to be discussed, etc.
Sympathy Attacks
- Attacker pretends to be a fellow employee (new hire), contractor, vendor, etc.
- There is some urgency to complete some task or obtain some information
- Needs assistance or they will be in trouble or lose their job, etc.
- Plays on the empathy & sympathy of the victim
- Attackers “shop around” until they find someone who will help
- Very successful attack
The Ego Attack
- Attacker appeals to the vanity or ego of the victim
- Usually targets someone they sense is frustrated with their current job position
- The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
- Attacker may pretend to be law enforcement; the victim feels honored to be helping
- Victim usually never realizes
More info on attacks
- Attacks can come from anywhere/anytime
- Social Engineering can circumvent current security practices
  - What good is a password if everyone has it?
- No one is immune
  - Everyone has information about the company
Preventing Social Engineering
Training
- Warn Users of Imminent Attack
  - Users that are forewarned are less free with information
- Define Sensitive Information
  - Passwords
  - DOB
  - Maiden Names
  - Social Security Number
  - Account Numbers
  - Billing Amounts
- Users
  - Passwords, phone numbers, other data
- System Admins
  - Tougher authentication protocol for password resets
Testing
- Users - Reveal seemingly innocuous data?
- System Admins - Divulge network information?
- Helpdesk personnel - Reset passwords on faulty authentication?
Removing the Weak Link
- Remove the user’s ability to divulge information
  - Remove all non-essential phones
  - Restrict to internal communications
  - Remove Internet access
  - Disable removable drives
  - Make false information accessible
- Forced strong authentication
  - Use secure software requiring strong authentication for password resets
  - Require callback to user’s directory-listed number
- Secure Protected Doors
  - Employ Guards
  - Use Revolving Door
  - Two Door Checkpoint
  - Deploy CCTV to remote facility
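The “forced strong authentication” control for password resets, as an added example that is not part of the original slides: a helpdesk reset workflow that only ever calls back the directory-listed number, ignores any number the caller offers, and refuses to issue a reset code until that callback is verified, with an audit trail the Testing slide’s helpdesk check could review. The employee directory, ticket fields and function names are constructed for the example.

```python
"""Helpdesk password-reset flow: the callback goes only to the directory-listed
number, and no reset code is issued until that callback has been verified."""
from dataclasses import dataclass, field
import secrets

# Constructed sample directory (hypothetical staff, not from the slides).
DIRECTORY = {
    "jdoe": {"name": "Jane Doe", "phone": "+1-555-0100"},
    "bsmith": {"name": "Bob Smith", "phone": "+1-555-0101"},
}

@dataclass
class ResetTicket:
    username: str
    callback_number: str      # always the directory number, never caller-supplied
    confirmed: bool = False   # set only by a successful callback
    audit: list = field(default_factory=list)

def open_reset_ticket(username, caller_supplied_number=None):
    """Stage 1: caller asks for a reset. The callback number comes from the
    directory; a number the caller offers ("call me on my cell") is logged
    for review and ignored. Unknown users get None, so the script can give
    the same answer either way and not confirm which accounts exist."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    ticket = ResetTicket(username, entry["phone"])
    if caller_supplied_number and caller_supplied_number != entry["phone"]:
        ticket.audit.append(f"caller offered {caller_supplied_number}; ignored")
    ticket.audit.append(f"callback required to {entry['phone']}")
    return ticket

def confirm_callback(ticket, number_dialed):
    """Stage 2: helpdesk hangs up and dials out. Confirmed only if the number
    actually dialed is the directory number recorded on the ticket."""
    if number_dialed != ticket.callback_number:
        ticket.audit.append(f"callback to {number_dialed} refused")
        return False
    ticket.confirmed = True
    ticket.audit.append("callback verified")
    return True

def issue_reset_code(ticket):
    """Stage 3: a one-time code is read out on the verified callback.
    Returns None (and logs it) if anyone tries to skip the callback."""
    if not ticket.confirmed:
        ticket.audit.append("reset without verified callback; refused")
        return None
    ticket.audit.append("one-time reset code issued on callback")
    return f"{secrets.randbelow(10**6):06d}"
```

The audit list on each ticket is what a test like the one on the Testing slide would inspect: a reset code issued with no preceding “callback verified” entry is a helpdesk process failure.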