Social Engineering is the human side of breaking into a corporate network.
Social engineering is the tactic of obtaining sensitive information by exploiting basic human traits such as:
• Trust
• Fear
• Desire to help
Social engineers attempt to gather information such as:
• Sensitive information
• Authorization details
• Access details
The data extracted this way includes security policies, sensitive documents, details of the office network infrastructure, and passwords.
People are usually the weakest link in the security chain. A successful defense depends on having good policies and educating employees to follow them. Social engineering is the hardest form of attack to defend against because it cannot be countered with hardware or software alone.
Social engineering can be divided into two categories:
• Human-based: gathers sensitive information through direct interaction. Attacks in this category exploit trust, fear, and the helpful nature of people.
Posing as a legitimate end user: gives an identity and asks for the sensitive information. “Hi! This is John, from Department X. I have forgotten my password. Can I get it?”
Posing as an important user: poses as a VIP of the target company, a valuable customer, etc. “Hi! This is Kevin, the CFO's secretary. I'm working on an urgent project and lost my system password. Can you help me out?”
Posing as technical support: calls as technical-support staff and requests IDs and passwords, supposedly to retrieve data. “Sir, this is Mathew, technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?”
Eavesdropping: unauthorized listening to conversations or reading of messages; interception of any form, whether audio, video, or written.
Shoulder surfing: looking over your shoulder as you enter a password. The attacker simply looks over your shoulder, or even watches from a distance using binoculars, to capture those pieces of information.
Dumpster diving: searching for sensitive information in the target company's trash bins, printer trash bins, and on user desks (sticky notes, etc.). Items collected include phone bills, contact information, financial information, and operations-related information.
In person: surveying the target company to collect information on current technologies, contact information, and so on.
Third-party authorization: refers to an important person in the organization and tries to collect data. “Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?”
Tailgating: an unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.
Piggybacking: “I forgot my ID badge at home. Please help me.” An authorized person provides access to an unauthorized person by holding the secured door open.
Reverse social engineering: the attacker creates a persona that appears to be in a position of authority, so that employees ask him for information rather than the other way around. A reverse social engineering attack involves sabotage, marketing, and providing support. The first step is sabotage of the targeted network by any means necessary. The second step is advertising your services to the network owners you sabotaged in the first place. The last step is the actual assistance, which gives you access to the victims' databases and corporate information.
Vishing: there's phishing, and then there's vishing. In simplified terms, vishing is the phone equivalent of a phishing attack. A visher uses the anonymity afforded by a phone call to pretend to be a representative of the target's financial institution. By manipulating the victim into entering his PIN, credit card number, and so on using the phone keypad, the visher gets instant access to that person's bank credentials.
Alcohol: a scarily effective way to get the information you want out of a so-called security expert or corporate executive. It's not just the hard drinks that do people in; it's the combination of lowered guard, inebriation, and the ambiance of the bar that compels them to spill the beans and disclose information they normally wouldn't share.
Sex: you don't need fancy cracking programs, hacking devices, and whatnot to steal the information you need. Long before the concept of a firewall was formulated, sex (or at the very least, sex appeal) was being used to manipulate targets into divulging their personal secrets (pillow talk, if you will), which may include work-related data.
Techie talk: uses the victim's lack of technology knowledge against him, so that you can trick him into doing anything with his computer by “walking” him through the entire “process”.
• Computer-based: social engineering carried out with the aid of computers.
Mail / IM attachments: malicious attachments delivered by e-mail or instant message, which install Trojan horses, worms, or viruses when opened.
Pop-up windows: windows that suddenly pop up while the user is surfing the Internet and ask for information to log in or sign in.
Websites / sweepstakes: the Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users reuse one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he or she can probably get into multiple accounts. One way hackers obtain such a password is through an online form: they send out some sort of sweepstakes information and ask the user to enter a name (including an e-mail address; that way they may even get the person's corporate account password as well) and a password. These forms can be sent by e-mail.
Spam mail: e-mail sent to many recipients without prior permission, intended for commercial purposes; irrelevant, unwanted, and unsolicited e-mail used to collect financial information, social security numbers, and network information.
Hoaxes and chain letters: hoax letters are e-mails that warn users about new viruses, Trojans, or worms that may harm their systems. Chain letters are e-mails that offer free gifts such as money or software on the condition that the user forwards the mail to a given number of people.
Virus hoaxes: there are a lot of viruses out there, but some aren't really out there at all. Virus hoaxes are more than mere annoyances, as they may lead some users to routinely ignore all virus warning messages, leaving them vulnerable to a genuine, destructive virus. Next time you receive an urgent virus warning message, check the list of known virus hoaxes. Remember: never open an e-mail attachment unless you know what it is, even if it's from someone you know and trust. Virus writers can use known hoaxes to their advantage. For example, AOL4FREE began as a hoax virus warning; then somebody distributed a destructive Trojan horse attached to the original hoax virus warning. The lesson is clear: remain vigilant and never open a suspicious attachment.
Chain letters: charity hoaxes ask you to forward the message to all your friends for a good cause: Timothy Flyte (who doesn't exist) has ostriopliosis of the liver (the disease doesn't exist) and asks you to forward this message to all your friends; the National Diesese Society (which doesn't exist) will receive 7 cents for every person the message is forwarded to. Useless petitions take the form of petitions that try to get something done by collecting a lot of “signatures”. Prayer requests ask you to forward the message to all your friends so that as many people as possible pray for someone. Although these messages can't be called hoaxes, they have the same flaws: they take up a lot of bandwidth and there's no way to stop them.
Instant chat messenger: gathering personal information by chatting with a selected online user to obtain details such as birth dates and mothers' maiden names. The acquired data is later used for cracking the user's accounts.
Phishing: an illegitimate e-mail, falsely claiming to be from a legitimate site, attempts to acquire the user's personal or account information. It lures online users with statements such as “verify your account”, “update your information”, or “your account will be closed or suspended”. Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
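The phishing item above lists the lure wording and notes that browser-integrated anti-phishing tools can help. The script below is an added example, not code from the original page or from any product it mentions; it scores a raw e-mail on four signals: the lure phrases themselves, a Reply-To domain different from the From domain, anchor text that shows a URL whose host differs from the real href, and lookalike domains that embed the brand label. The two sample messages, the brand domain examplebank.com and the KNOWN_DOMAINS allow-list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure wording from the text above; matched case-insensitively against the body.
LURE_PHRASES = (
    "verify your account",
    "update your information",
    "account will be closed",
    "account will be suspended",
)

# Assumed allow-list of the brand's genuine domains (constructed for this example).
KNOWN_DOMAINS = {"examplebank.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']\s*>([^<]*)<', re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable(host):
    """Crude registrable domain: the last two labels. Enough for the sample input."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """True when a host borrows a brand label but is not one of the brand's own domains."""
    brand_labels = {d.split(".")[0] for d in KNOWN_DOMAINS}
    labels = set(host.lower().replace("-", ".").split("."))
    return bool(labels & brand_labels) and registrable(host) not in KNOWN_DOMAINS


def analyse(raw_mail):
    """Return the sorted list of phishing signals found in one raw e-mail ([] = nothing seen)."""
    msg = message_from_string(raw_mail)
    body = msg.get_payload()          # samples are single-part; real mail needs msg.walk()
    reasons = set()

    if any(phrase in body.lower() for phrase in LURE_PHRASES):
        reasons.add("lure_phrase")

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        reasons.add("reply_to_mismatch")   # replies go somewhere the displayed sender does not control

    for href, anchor_text in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        if is_lookalike(href_host):
            reasons.add("lookalike_domain")
        shown = URL_RE.search(anchor_text)
        if shown and (urlparse(shown.group(0)).hostname or "") != href_host:
            reasons.add("link_text_mismatch")  # the URL the user sees is not the one they visit

    return sorted(reasons)


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: recover@examplebank-secure.net
Subject: Action required
Content-Type: text/html

<p>We detected unusual activity. Verify your account within 24 hours or your account will be suspended.</p>
<a href="http://examplebank.com.login-check.net/verify">https://www.examplebank.com/login</a>
"""

LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for March is available in online banking.</p>
<a href="https://www.examplebank.com/statements">View statements</a>
"""

if __name__ == "__main__":
    for label, mail in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(mail) or ["no signals"])
```

A single hit is not proof of phishing; the value of the check is that the lookalike-domain and text/href comparisons catch lures that avoid the well-known phrases. Real mail is usually multipart, so a production version walks the message for the text/html part and decodes it before matching.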
Insider attack: if a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, and have that person hired, and they will be inside the organization. It takes only one disgruntled person bent on revenge and your company is compromised. 60% of attacks occur behind the firewall; an inside attack is easy to launch, prevention is difficult, the inside attacker can easily succeed, and it is difficult to catch the perpetrator.
Disgruntled employee: most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, lack of respect, lack of promotion, etc.
Preventing insider threats: some recommendations are separation of duties, rotation of duties, least privilege, controlled access, logging and auditing, legal policies, and archiving critical data.
Common targets of social engineering: receptionists and help-desk personnel, technical support executives, vendors of the target organization.
Social engineering threats and defenses: the major attack vectors a social engineering hacker uses are online, telephone, personal approaches, and reverse social engineering.
Online threats: in a connected business world, staff often use and respond to requests and information that arrive electronically. This connectivity lets hackers approach staff from the relative anonymity of the Internet. Online attacks, such as e-mail, pop-up application, and instant message attacks, use Trojan horses, worms, or viruses (malware) to damage or subvert computer resources. A social engineering hacker instead persuades a staff member to provide information through a believable ruse, rather than infecting a computer with malware through a direct attack; the information obtained may then enable a subsequent malware attack.
Telephone-based threats: the telephone is a familiar medium, but it is also impersonal, because the target cannot see the hacker. The communication options of most computer systems can also make the Private Branch Exchange (PBX) an attractive target. Stealing credit card or telephone card PINs at telephone booths is another kind of attack. A hacker who attacks a PBX has three major goals: to request information, usually by imitating a legitimate user, either to access the telephone system itself or to gain remote access to computer systems; to gain access to “free” telephone usage; and to gain access to the communications network.
Personal approaches: four main successful approaches for social engineers are intimidation (through fear); persuasion (winning approval or support: the goal is not to force but to obtain voluntary action, with the target believing they are making the decision); ingratiation (the power to induce action or belief: system administrators and users are led to believe that compliance with the request will enhance their chances of receiving a benefit, such as gaining advantage over a competitor, getting in good with management, or giving assistance to a sultry-sounding female); and assistance.
Defenses against social engineering threats:
Develop a security management framework.
Undertake risk management assessments. Risk assessment: you need to assess the level of risk that an attack poses to your company in order to deploy suitable security measures. Risk categories include confidential information, business credibility, business availability, resources, and money.
Implement social engineering defenses within your security policy.
Factors that make companies vulnerable to attacks:
Insufficient security training and awareness
Several organizational units
Lack of appropriate security policies
Easy access to information, e.g. e-mail IDs and phone extension numbers of employees
Warning signs of an attack. An attacker may:
• Show an inability to give a valid callback number
• Make informal requests
• Claim authority
• Show haste
• Compliment or praise unusually
• Show discomfort when questioned
• Drop names casually
• Threaten dire consequences if information is not provided
Netcraft Anti-Phishing Toolbar:
An anti-phishing system consisting of a toolbar and a central server that holds information about URLs reported by the toolbar community and by Netcraft.
It blocks phishing websites recorded on Netcraft's central server. Suspicious URLs can be reported to Netcraft by clicking Report a Phishing Site in the toolbar menu. It shows the attributes of each site, such as host location, country, longevity, and popularity.
Four phases of a Social Engineering Attack:
Research on the target company: dumpster diving, websites, employees, company tours, and so on
Select victim: identify frustrated employees of the target company
Develop a relationship with the selected employees
Exploit the relationship to achieve the objective: collect sensitive account information, financial information, current technologies
Behaviors vulnerable to attacks:
Trust: the human tendency to trust is the basis of any social engineering attack
Ignorance: ignorance about social engineering and its effects among the workforce makes the organization an easy target
Fear: social engineers might threaten severe losses in case of non-compliance with their request
Greed: social engineers lure targets into divulging information by promising something for nothing
Moral duty: targets are asked for help, and they comply out of a sense of moral obligation
Impact on the Organization
Economic losses, damage to goodwill, loss of privacy, dangers of terrorism, lawsuits and arbitration, temporary or permanent closure
Countermeasures
Training: an efficient training program should cover all security policies and methods to increase awareness of social engineering.
Password policies: periodic password changes; avoiding guessable passwords; account lockout after failed attempts; requirements on length and complexity (a minimum number of characters, use of special characters and numbers, e.g. ar1f23#$g); secrecy of passwords: do not reveal them if asked, and do not write them down anywhere to remember them.
Operational guidelines: ensure the security of sensitive information and authorized use of resources.
Physical security policies: identification of employees, e.g. issuing ID cards, uniforms, and so on; escorting visitors; restricting access to areas; proper shredding of unneeded documents; employing security personnel.
Classification of information: categorize information as top secret, proprietary, for internal use only, for public use, and so on.
Access privileges: administrator, user, and guest accounts with proper authorization.
Background checks of employees and a proper termination process: insiders with a criminal background and terminated employees are easy targets for procuring information.
Proper incident response system: there should be proper guidelines for reacting to a social engineering attempt.
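The password-policy item above lists the rules but gives no numbers. The code below is an added example, not the page's own, that enforces those rules in one place: a minimum length, letters plus digits plus special characters, rejection of guessable words and of the user's own name, a lockout after repeated failed logins, and a check for periodic rotation. MIN_LENGTH, MAX_FAILED_ATTEMPTS, MAX_PASSWORD_AGE_DAYS and the small COMMON_WORDS set are values assumed for the example; the page's sample password ar1f23#$g passes them.

```python
import re
from datetime import date, timedelta

# Policy parameters: the text gives the rules but not the numbers, so these are assumptions.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
MAX_PASSWORD_AGE_DAYS = 90
# Tiny stand-in for a real breached/common-password list (constructed for the example).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "123456"}


def password_violations(password, username="", banned_words=COMMON_WORDS):
    """Return the list of policy rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    lowered = password.lower()
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if any(word in lowered for word in banned_words):
        problems.append("contains a common/guessable word")
    return problems


def needs_rotation(last_changed, today):
    """Periodic change: True once the password is older than MAX_PASSWORD_AGE_DAYS (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_PASSWORD_AGE_DAYS)


class LoginGuard:
    """Counts failed logins per account and locks the account after MAX_FAILED_ATTEMPTS."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def attempt(self, username, correct):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        if username in self.locked:
            return "locked"            # refuse even a correct password until an admin unlocks
        if correct:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_attempts:
            self.locked.add(username)
            return "locked"
        return "denied"

    def unlock(self, username):
        """Administrative reset after the account owner has been verified out of band."""
        self.locked.discard(username)
        self.failures.pop(username, None)


if __name__ == "__main__":
    print(password_violations("ar1f23#$g") or "ar1f23#$g: acceptable")
    print(password_violations("Password1", username="bob"))
    print(needs_rotation("2024-01-01", "2024-04-01"))
    guard = LoginGuard(max_attempts=3)
    print([guard.attempt("alice", False) for _ in range(3)], guard.attempt("alice", True))
```

The lockout returns "locked" even for a correct password, which is the behaviour that stops a social engineer who has guessed most of a password from finishing the job; it also means the help desk, not the caller, decides when an account is reopened, which is exactly the point at which the "posing as a legitimate end user" script above is used.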
Policies and Procedures
Good policies and procedures are ineffective if they are not taught to employees and reinforced.
After receiving training, employees should sign a statement acknowledging that they understand the policies.
Security Policies - Checklist
Account setup
Password change policy
Help desk procedures
Access privileges
Violations
Employee identification
Privacy policy
Paper documents
Modems
Physical access restrictions
Virus control
Impersonating on Orkut, Facebook, and MySpace
Impersonating on Orkut: anyone can steal personal and corporate information and create an account in someone else's name. On Orkut, accounts are hijacked by two main methods: cookie stealing and phishing (fake pages). When the attacker's JavaScript runs in the victim's browser, the victim's cookie is sent to the attacker, who uses it to get into the victim's account. Fake pages look like Orkut pages; when the user name and password are entered into their respective fields, they are sent to the attacker's e-mail ID.
The MW.Orc worm steals users' banking details, user names, and passwords by propagating through Orkut. The attack is triggered when the user launches an executable file disguised as a JPEG. The initial executable that causes the infection installs two additional files on the user's computer; these files pass e-mail and banking details and passwords to the worm's anonymous creator when the infected user clicks the “My Computer” icon. The infection spreads automatically by posting a URL in another user's Orkut Scrapbook, a guestbook where visitors can leave comments visible on the user's page. Apart from stealing personal information, this malware also lets a remote user control the PC and make it part of a botnet, a network of infected PCs.
Impersonating on Facebook: using a nickname instead of the real name. Fake accounts are a violation of the Terms of Use.
Impersonating on MySpace: an effective marketing tool.
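The Orkut cookie-stealing method above works because script injected into a page can read document.cookie and send it to the attacker; whether that succeeds is decided by the flags the site puts on its cookies. The audit below is an added example, not Orkut's or the page's own code: it parses Set-Cookie headers and flags session cookies that injected JavaScript could read (no HttpOnly), that travel over plain HTTP (no Secure), or that lack a SameSite setting, and it compares a weak header set with its hardened form. The cookie names, the SESSION_HINTS naming convention and both header sets are constructed for the example.

```python
# Cookie names that carry a logged-in identity; an assumed naming convention for this example.
SESSION_HINTS = ("session", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value or True})."""
    first, *rest = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True   # flags like HttpOnly carry no value
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [findings]} for the cookies of one response that need attention."""
    report = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        findings = []
        if any(hint in name.lower() for hint in SESSION_HINTS) and "httponly" not in attrs:
            findings.append("no_httponly")   # document.cookie hands it to any injected script
        if "secure" not in attrs:
            findings.append("no_secure")     # sent over plain HTTP, so also exposed to eavesdropping
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append("no_samesite")   # browser default applies; state it explicitly
        elif str(samesite).lower() == "none" and "secure" not in attrs:
            findings.append("samesite_none_without_secure")   # current browsers reject such cookies
        if findings:
            report[name] = findings
    return report


# Constructed responses: the weak header set beside its hardened form.
WEAK = ["sessionid=2f1a9c; Path=/", "theme=dark; Path=/"]
HARDENED = [
    "sessionid=2f1a9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print("weak:", audit_cookies(WEAK))          # sessionid and theme both flagged
    print("hardened:", audit_cookies(HARDENED))  # {}
```

HttpOnly stops the cookie-exfiltration step, not the script injection itself, and it does nothing against the fake-page method: a user who types credentials into a lookalike login form has handed them over before any cookie exists.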
Identity Theft
Identity theft occurs when someone steals your name and other personal information for fraudulent purposes.
Securing personal information in the workplace and at home, and checking credit card reports, are just a few of the ways to minimize the risk of identity theft.