Social Engineering. Hacking Human Nature

Academic year: 2021

(1)

Social Engineering

(2)

About ERM

(3)

About The Speakers

Stacey Blau

Physical Security Penetration Expert with Enterprise Risk Management, Inc.

B.S. from MIT in Mathematics and Computer Science

Served a decade in the CIA’s clandestine service as a case officer in Central Eurasia

(4)

About The Speakers

George Mortakis

Director of Consulting Services with Enterprise Risk Management, Inc.

M.S./MBA from University of Miami in Computer Science and Information Systems

CISSP, CISA, CRISC, PCIP, PCI QSA

(5)

How Do We Approach Social Engineering?

Look at what is vulnerable:

Premises

People

Information

Break in (usually with subtlety!) to show the weaknesses

Make recommendations to mitigate problems

(6)

Who Are the Social Engineers?

Must look at who/what the threat could be

Corporate spying (break-ins, insider threats)

Foreign governments

Common thieves, identity thieves

Scam artists

Hackers

Character assassins/opportunists

Information brokers

Disgruntled employees

Violent actors (disgruntled employees, active shooters, terrorists)

(7)

What Other Threats?

Silent threats—the mere availability of special types of information irrespective of the specific attacker

Personnel files, HIPAA-protected info, and other personally identifiable information (PII)

Various categories of financial information

Threat or no threat, an institution will land in hot water for mere failure to secure this information

(8)

Sources of PII and Financial Information

Internet

Phone calls

Malware spread via e-mail attachments, malicious websites, infected websites

Social networking

Company breaches

Printouts, faxes, and physical media

Storage media

Lost or stolen laptops

Instant messaging programs

File sharing programs

Active attacks by hackers

(9)

Social Engineering Top Threats

Most common concerns:

Hackers

Corporate spies

Workplace violence

Regulatory compliance on access to sensitive information (PII and financial)

Clients want to know the answer to the following: How easy is it for someone to get inside my company and get access to what they want?

(10)

Know thy Enemy and Thyself

“Someone” generally has moderate-to-strong capabilities and moderate-to-strong motivation

Testers must work as a team to mimic that threat and get access to people, information, devices, etc.

Sun Tzu: Know thy enemy, and know thyself

Study the client

Study the specific threat

Ensure the team has the skills (Hacking? Lock picking? Great social skills? Ability to pose as a certain individual?)

(11)

Social Engineering: Physical + Information

Information security ensures that:

Only authorized users (confidentiality)

Have access to accurate and complete information (integrity)

When necessary (availability)

Using physical penetration (exploiting “human hardware bugs”) to effect theft of information is a social engineering force multiplier

(12)

Information Security: Recent Headlines

CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS

Hackers Demonstrate Car Hacking Using a Laptop

Hacking Google Glass with QR Code To Sniff User Data

Sim Card Cloning Hack Affects 750 Million Users around the World

GPS Flaw Could Let Terrorists Hijack Ships, Planes

Hackers Break into Smartphones to Access Your Bank Account

International Hackers Stole 160 Million Credit and Debit Card Numbers in Largest U.S. Hacking Scheme, Feds Say

Stanford University Computers Breached

Network Enabled Samsung TVs Vulnerable to Denial of Service Attack

(13)

Information Security: Challenges

Should we attack the fortress?

Web application firewalls

DMZ firewalls

Intrusion detection/prevention systems

Active Directory credentials

Encryption

Data loss prevention systems

Application/service whitelisting

Network monitoring/traffic pattern analysis

(14)

Social Engineering: The Benefits

Or should we exploit the path of least resistance?

Receptionists

Helpdesk

Call centers

Administrative assistants

Security guards

Former employees, you, me… anyone

Poor policies and procedures

Various human foibles: friendliness, helpfulness, guilelessness, laziness, boredom, vengefulness

(15)

Social Engineering Terminology

Baiting

Phishing

“Spear” phishing

Vishing (voice phishing)

Pretexting

Keyloggers

Shoulder-surfing

Dumpster diving

Tailgating/piggybacking

Quid pro quo

Impersonation

(16)

Attacks have become increasingly sophisticated

Telephone:

• Analog device for voice transmissions.

• Preferred tool of the Social Engineer, circa 2002

“Maltego”:

• Social Engineering Intelligence Software

• Commercial product with a free Community Edition (not open source)

• Integrates with numerous hacking tools

• Automatic collection, aggregation and analysis of publicly available information

(17)

• Hackers / Mercenary Penetration Specialists

• Corporate Spies or Espionage Specialists

• Identity Thieves

• Disgruntled Employees

• Scam Artists

• Sales

• Information Brokers

• Foreign Governments

• Character Assassins / Opportunists

(18)

Attacks are highly coordinated and

(24)

This email is not empty…see?

“I-Frame Attack”: a hidden inline frame (iframe) embedded in the HTML e-mail, zero pixels wide by zero pixels tall, whose source points at an attacker-controlled page. When the mail client renders the message it fetches that page, which can carry script or an exploit that retrieves further malicious code from the internet. Even a plain zero- or one-pixel remote image with no script at all acts as a beacon: the fetch confirms to the sender that the address is live and the message was opened.

Note: the “Preview Pane” renders the HTML as well, so it can be just as dangerous as opening the mail file.

(26)

Social Engineering: Hacking

Any information on a network is at risk

How can I steal data from networks?

“Innocent” calls to the helpdesk or information scoured from the internet can help tailor attacks

Spear phishing (targeted e-mail carrying malware downloads or links to sites hosting malware)

Exploitation of missing antivirus programs and overdue updates

Convincing scams and ploys

(27)

Social Engineering: Corporate Spies

Trade secrets and products are usually at risk

How can I steal them, or who can give them to me?

Break into a facility to take them (or plant a device)

“Recruit” a source to voluntarily provide them

Paid source to steal or plant a device

Use a cut-out (friend), pose as a journalist, etc.

Dumpster dive

Serendipity at a bar (the 2010 iPhone prototype left behind in a bar)

(28)

Social Engineering: Workplace Violence

Lives of personnel at risk, and horrendous public scrutiny will follow

The attacker will ask: How can I kill my targets?

Use brute force the entire way, especially for a spectacular show of violence

Subvert the facility’s access control (Navy Yard shooter, 2013, who entered on a valid contractor badge)

Manipulate access/alarm systems (remotely, too)

Use PII to target victims off facility grounds

(29)

Social Engineering: Regulatory Compliance

Financial information, HIPAA-protected data, and other PII at risk

How might this information be accessed (on a one-time or ongoing basis)?

Nosy insider with friends in HR

Shoulder surfing, dumpster diving

Poor security procedures with safes, locks, etc.

Emplacement of a device (via people with temporary access to the premises, or a disgruntled employee, paid insider, etc.)

(30)

Prevention and Countermeasures: Physical

Perimeter security

Guards, fencing, lighting, signs… and policies and procedures!

Camera system/closed-circuit TV

Quality imaging, trained monitors, solid archives… and policies and procedures!

Access control

Badges, tokens… and policies and procedures!

Human security

Background checks: employment history, qualifications, credit/criminal, references

Training: security awareness as a priority and requirement for all employees

Employee assistance programs: HR as a first line of defense

Consider a counterintelligence unit; at the bare minimum, institute an employee feedback mechanism

Physical document/media security: policies and procedures underlie success

Outside mail/packages: Unabomber/anthrax situations

Safes, locked cabinets, drawers

Disposal of paper and digital media: shredding and destruction

Protection against loss/theft: always use encryption

Classified or protectively marked materials

Incident response policies and procedures for lost/stolen data, physical & electronic breaches

(33)

Keep software updated

Never respond using information contained in the e-mail, particularly links to Web sites

Maintain awareness and skepticism

Articles/newsletters made available on the intranet

Internal webcasts and podcasts

Posters, awareness quizzes, and seminars

Awareness presentations, events, and live demos

Clear policies and procedures on employee use of electronic systems, telephones, social media

Professional social engineers performing blind tests
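Two of the points above can be checked mechanically before a message is ever rendered: the hidden zero-pixel iframe/image loader described on slide 24, and the rule never to follow links taken from the e-mail body. The Python below is an added example written for this page, not tooling from the presentation or from ERM. It parses an HTML mail body with the standard library only and flags (a) iframe/img elements with a remote source that are sized or styled to be invisible, and (b) anchors whose visible text looks like a URL or hostname that differs from the host the href actually points at. The sample message, the hostnames bank-example.test and evil-example.test, and the size/style thresholds are constructed assumptions.

```python
"""Static checks for an HTML e-mail body: hidden remote loaders (0x0 or
display:none iframe/img with an external src) and links whose visible text
names a different host than the href. Added example; not part of the original
presentation. Sample message and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a phishing e-mail (not a real message).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear customer, please confirm your account:
<a href="http://evil-example.test/login">https://bank-example.test/secure</a></p>
<p>Regards, <a href="https://bank-example.test/help">Help desk</a></p>
<iframe src="http://evil-example.test/payload" width="0" height="0"
        style="display:none"></iframe>
<img src="http://evil-example.test/t.gif?id=42" width="1" height="1">
</body></html>
"""

# Visible link text that looks like a URL or bare hostname (assumed heuristic).
HOST_RE = re.compile(r"^(https?://)?([a-z0-9.-]+\.[a-z]{2,})(/|$)", re.I)


def _dimension(value):
    """Parse a width/height attribute such as '0', '1px' or '100%' to an int."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class EmailHtmlAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (category, detail) tuples
        self._anchor = None     # (href, collected text) while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "img"):
            src = a.get("src", "")
            host = urlparse(src).hostname        # None for cid:/relative sources
            w, h = _dimension(a.get("width")), _dimension(a.get("height"))
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (w is not None and w <= 1 and h is not None and h <= 1) \
                or "display:none" in style or "visibility:hidden" in style
            # Remote source plus an effectively invisible element: a hidden
            # loader (iframe) or tracking beacon (img) that fires on render,
            # preview pane included.
            if host and hidden:
                self.findings.append(("hidden_remote_load", f"<{tag}> {src}"))
        elif tag == "a":
            self._anchor = (a.get("href", ""), [])

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, parts = self._anchor
            text = "".join(parts).strip()
            self._anchor = None
            m = HOST_RE.match(text)
            real_host = urlparse(href).hostname
            # Visible text claims one host, the href goes to another.
            if m and real_host and m.group(2).lower() != real_host.lower():
                self.findings.append(("link_text_mismatch", f"{text} -> {href}"))


def audit_email_html(html):
    """Return the list of (category, detail) findings for an HTML mail body."""
    p = EmailHtmlAuditor()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for category, detail in audit_email_html(SAMPLE_EMAIL_HTML):
        print(f"{category}: {detail}")
```

Run against the constructed message this reports one mismatched link and two hidden remote loads. The check is deliberately narrow: it catches text/href host mismatches and inline size or style hiding, but not lookalike domains whose text and href agree, elements hidden through an external stylesheet, or shortened URLs, so it complements rather than replaces the awareness training listed above.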

(34)

Your go-to advisors for all matters in information security.

www.emrisk.com
800 S Douglas Road #940, Coral Gables, FL 33134
Phone: 305-447-6750
Email: info@emrisk.com
