Social Engineering
About ERM
About The Speakers
Stacey Blau
Physical Security Penetration Expert with Enterprise Risk Management, Inc.
B.S. from MIT in Mathematics and Computer Science
Served a decade in the CIA’s clandestine service as a case officer in Central Eurasia
About The Speakers
George Mortakis
Director of Consulting Services with Enterprise Risk Management, Inc.
M.S./MBA from University of Miami in Computer Science and Information Systems
CISSP, CISA, CRISC, PCIP, PCI QSA
How Do We Approach Social Engineering?
Look at what is vulnerable:
Premises
People
Information
Break in (usually with subtlety!) to show the weaknesses
Make recommendations to mitigate problems
Who Are the Social Engineers?
Must look at who/what the threat could be
Corporate spying (break-ins, insider threats)
Foreign governments
Common thieves, identity thieves
Scam artists
Hackers
Character assassins/opportunists
Information brokers
Disgruntled employees
Violent actors (disgruntled employees, active shooters, terrorists)
What Other Threats?
Silent threats—the mere availability of special types of information irrespective of the specific attacker
Personnel files, HIPAA-protected info, and other personally identifiable information (PII)
Various categories of financial information
Threat or no threat, an institution will land in hot water for mere failure to secure this information
Sources of PII and Financial Information
Internet
Phone calls
Malware spread via e-mail attachments, malicious websites, infected websites
Social networking
Company breaches
Printouts, faxes, and physical media
Storage media
Lost or stolen laptops
Instant messaging programs
File sharing programs
Active attacks by hackers
Social Engineering Top Threats
Most common concerns:
Hackers
Corporate spies
Workplace violence
Regulatory compliance on access to sensitive information (PII and financial)
Clients want to know the answer to the following: How easy is it for someone to get inside my company and get access to what they want?
Know thy Enemy and Thyself
“Someone” generally has moderate-to-strong capabilities and moderate-to-strong motivation
Testers must be a team to mimic that threat to get access to people, information, devices, etc.
Sun Tzu: Know thy enemy—and know thyself
Study the client
Study the specific threat
Ensure skills (Hacking? Lock picking? Great social skills? Ability to pose as a certain individual?)
Social Engineering: Physical + Information
Information security ensures that
Only authorized users (confidentiality)
Have access to accurate and complete information (integrity)
When necessary (availability)
Using physical penetration (exploiting “human hardware bugs”) to effect theft of information—a social engineering force multiplier
Information Security: Recent Headlines
CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS
Hackers Demonstrate Car Hacking Using a Laptop
Hacking Google Glass with QR Code To Sniff User Data
Sim Card Cloning Hack Affects 750 Million Users around the World
GPS Flaw Could Let Terrorists Hijack Ships, Planes
Hackers Break into Smartphones to Access Your Bank Account
International Hackers Stole 160 Million Credit and Debit Card Numbers in Largest U.S. Hacking Scheme, Feds Say
Stanford University Computers Breached
Network Enabled Samsung TVs Vulnerable to Denial of Service Attack
Information Security: Challenges
Should we attack the fortress?
Web application firewalls
DMZ firewalls
Intrusion detection/prevention systems
Active Directory credentials
Encryption
Data loss prevention systems
Application/service whitelisting
Network monitoring/traffic pattern analysis
Social Engineering: The Benefits
Or should we exploit the path of least resistance?
Receptionists
Helpdesk
Call centers
Administrative assistants
Security guards
Former employees, you, me… anyone
Poor policies and procedures
Various human foibles: friendliness, helpfulness, guilelessness, laziness, boredom, vengefulness
Social Engineering Terminology
Baiting
Phishing
“Spear” phishing
Vishing (voice phishing)
Pre-contexting
Keyloggers
Shoulder-surfing
Dumpster diving
Tailgating/piggybacking
Quid pro quo
Impersonation
Attacks have become increasingly sophisticated
Telephone:
• Analog device for voice transmissions.
• Preferred tool of the Social Engineer, circa 2002
“Maltego”:
• Social Engineering Intelligence Software
• Free and open source
• Integrates with numerous hacking tools
• Automatic collection, aggregation and analysis of publicly available information
• Hackers / Mercenary Penetration Specialists
• Corporate Spies or Espionage Specialists
• Identity Thieves
• Disgruntled Employees
• Scam Artists
• Sales
• Information Brokers
• Foreign Governments
• Character Assassins / Opportunists
Attacks are highly coordinated and
This email is not empty…see?
“I-Frame Attack” – an image file embedded in the e-mail, zero pixels wide by zero pixels tall, containing a script which, when “rendered” by your mail client, retrieves malicious code from the Internet.
Note: the “Preview Pane” can be just as dangerous as opening the mail file, because the client renders the message either way.
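The following is an added defensive example, not part of the ERM slides: a small pre-render filter (for a mail gateway or a preview-pane hook) that flags the zero-by-zero hidden iframe/image pattern described above whenever the element pulls content from a remote address. The sample message and the example.invalid hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser

def _zero_dim(width, height, style):
    """True when the element is sized 0x0 or hidden outright (width/height 0, display:none)."""
    attr_zero = width.strip() in ("0", "0px") and height.strip() in ("0", "0px")
    css = style.replace(" ", "").lower()
    css_zero = bool(re.search(r"(width|height):0(px|%)?(;|$)", css)) or "display:none" in css
    return attr_zero or css_zero

class HiddenLoaderFinder(HTMLParser):
    """Collect iframe/img/script tags that pull remote content while being invisible to the reader."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img", "script"):
            return
        a = {k: (v or "") for k, v in attrs}          # attributes without a value arrive as None
        src = a.get("src", "")
        remote = src.lower().startswith(("http://", "https://", "//"))
        if tag == "script" and remote:
            self.findings.append(("remote_script", src))   # any remote script in mail is suspect
        elif remote and _zero_dim(a.get("width", ""), a.get("height", ""), a.get("style", "")):
            self.findings.append((f"hidden_{tag}", src))   # invisible element fetching from outside

def find_hidden_loaders(html_body):
    """Return (kind, src) pairs for invisible remote loaders; an empty list means nothing was flagged."""
    finder = HiddenLoaderFinder()
    finder.feed(html_body)
    return finder.findings

# Constructed sample: reads as an empty message but pulls content from outside.
# The inline cid: image is 0x0 too, yet is not flagged because it loads nothing remote.
SAMPLE_EMAIL = """<html><body>
<p></p>
<iframe src="http://example.invalid/payload" width="0" height="0" frameborder="0"></iframe>
<img src="https://example.invalid/track.gif" style="width:0px; height:0px">
<img src="cid:logo123" width="0" height="0">
</body></html>"""

if __name__ == "__main__":
    for kind, src in find_hidden_loaders(SAMPLE_EMAIL):
        print(kind, src)
```

Run the filter on the raw HTML part before the client renders it; a non-empty result is a reason to quarantine the message rather than show it in the preview pane.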
Social Engineering: Hacking
Any information on a network is at risk
How can I steal data from networks?
“Innocent” calls to the helpdesk or information scoured from the Internet can help tailor attacks
Spear phishing (spam with malware downloads or links to sites with malware)
Exploitation of lack of antivirus programs and timely updates
Convincing scams and ploys
Social Engineering: Corporate Spies
Trade secrets and products usually at risk
How can I steal them, or who can give me them?
Break into a facility to take them (or plant a device)
“Recruit” a source to voluntarily provide them
Paid source to steal or plant a device
Use a cut-out (friend), pose as a journalist, etc.
Dumpster dive
Serendipity at a bar (2010 iPhone mishap)
Social Engineering: Workplace Violence
Lives of personnel at risk—and horrendous public scrutiny will follow
The attacker will ask: How can I kill my targets?
Use brute force the entire way, especially for a spectacular show of violence
Subvert the facility’s access control (Navy Yard shooter 2013)
Manipulate access/alarm systems (remotely, too)
Use PII to target victims off facility grounds
Social Engineering: Regulatory Compliance
Financial information, HIPAA, and other PII at risk
How might this information be accessed (on a one-time or ongoing basis)?
Nosy insider with friends in HR
Shoulder surfing, dumpster diving
Poor security procedures with safes, locks, etc.
Emplacement of a device (via people with temporary access to the premises or a disgruntled employee, paid insider, etc.)
Prevention and Countermeasures: Physical
Perimeter security
Guards, fencing, lighting, signs… and policies and procedures!
Camera system/closed-circuit TV
Quality imaging, trained monitors, solid archives… and policies and procedures!
Access control
Badges, tokens… and policies and procedures!
Human security
Background checks—employment history, qualifications, credit/criminal, references
Training—security awareness as a priority and requirement for all employees
Employee assistance programs—HR as a first line of defense
Consider a counterintelligence unit—at the bare minimum, institute an employee feedback mechanism
Physical document/media security—policies and procedures underlie success
Outside mail/packages—Unabomber/anthrax situations
Safes, locked cabinets, drawers
Disposal of paper and digital media—shredding and destruction
Protection against loss/theft—always use encryption
Classified or protectively marked materials
Incident response policies and procedures for lost/stolen data, physical and electronic breaches
Keep software updated
Never respond using information contained in the e-mail, particularly links to Web sites
Maintain awareness and skepticism
Articles/newsletters made available on the intranet
Internal webcasts and podcasts
Posters, awareness quizzes, and seminars
Awareness presentations, events, and live demos
Clear policies and procedures on employee use of electronic systems, telephones, social media
Professional social engineers performing blind tests