1. SOCIAL ENGINEERING
By
Muhanned Alaqili,
CCNA, ACE, Security+
Lewis University
• “It’s human nature to trust our fellow man, especially when the request
meets the test of being reasonable. Social engineers use this knowledge
to exploit their victims and to achieve their goals.”
- Kevin Mitnick
3. WHAT ?
• What is Social Engineering?
It is the tactic of obtaining sensitive information, or access, by exploiting basic human traits
such as:
Trust
Fear
Desire to help
4. WHY ?
Social engineers attempt to gather things such as:
Sensitive information (credentials, personal or financial data)
Authorization (getting someone with authority to grant them access)
Access details (how and where systems and buildings can be entered)
5. APPROACHES
• Human-based Social Engineering
Gathers sensitive information through direct interaction with people
Attacks in this category exploit the trust, fear and helping nature of humans
• Computer-based Social Engineering
Carried out with the aid of computers, either to secretly install spyware or other malicious
software, or to trick you into handing over your passwords or sensitive
financial or personal information
6. HUMAN-BASED SOCIAL ENGINEERING
• Posing as a legitimate end user
Gives a (claimed) identity and asks for sensitive information
• Posing as an important user
CEO, project manager, etc.
• Posing as technical support
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Tailgating
• Piggybacking
A social engineer appears to be a legitimate employee and walks into a secure building by
following behind someone who has access. Both tailgating and piggybacking work this way;
the difference is that in piggybacking the authorized person knowingly holds the door open,
while in tailgating they do not notice they are being followed.
7. COMPUTER-BASED SOCIAL ENGINEERING
• USB drive / memory stick, CD/DVD malware
• Mail
• Instant chat messenger
Gathering of personal information by chatting with a selected online user to attempt
to get information such as birth dates and maiden names
• Pop-up windows asking for users’ information to log in / sign in
• Websites / sweepstakes
• Spam mail
• Phishing
An illegitimate email, falsely claiming to be from a legitimate site, that attempts to acquire
the user’s personal or account information
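The "falsely claiming to be from a legitimate site" part of phishing usually leaves traces in the message itself: a From: display name that borrows a trusted organisation's name while the address domain is somebody else's, a Reply-To: that routes answers to a third domain, a sender domain one character away from the real one, and links whose visible text names the real site while the href goes elsewhere. The Python script below, an added example that is not part of the original presentation, checks a constructed sample message for exactly those four indicators. The trusted domain, addresses and hosts in it are hypothetical; it uses only the standard library.

```python
"""Flag the tell-tale signs of a phishing e-mail (added example, stdlib only).

Indicators checked:
  * display-name-mismatch: From: display name borrows a trusted organisation's
    name, but the address domain is not that organisation's domain
  * lookalike-domain: sender domain is within edit distance 2 of a trusted domain
  * reply-to-mismatch: Reply-To: domain differs from the From: domain
  * link-mismatch: an HTML link's visible text names one host, its href another
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation being impersonated really owns this domain.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample message (hypothetical addresses and hosts).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: helpdesk@mail-verify.example.net
To: victim@example.org
Subject: Your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account was locked. Please sign in at
<a href="http://mail-verify.example.net/login">https://www.example-bank.com/login</a>
within 24 hours to restore access.</p></body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize_host(host: str) -> str:
    # Lower-case and drop a leading "www." so www.x.com and x.com compare equal.
    return re.sub(r"^www\.", "", (host or "").lower())


def host_of(text: str):
    """Hostname named by a URL or bare host in link text, or None if it names none."""
    text = text.strip()
    if text.startswith(("http://", "https://")):
        return normalize_host(urlparse(text).hostname) or None
    m = re.match(r"^([a-z0-9.-]+\.[a-z]{2,})(/|$)", text, re.I)
    return normalize_host(m.group(1)) if m else None


def domain_of(header) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def registrable_label(domain: str) -> str:
    # "example-bank.com" -> "examplebank": the token a display name would borrow.
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0].lower())


def analyze(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the list of indicator codes found in the raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display_name = parseaddr(str(msg["From"] or ""))[0]
    from_domain = domain_of(msg["From"])
    name_norm = re.sub(r"[^a-z0-9]", "", display_name.lower())

    for t in trusted:
        if from_domain == t:
            continue  # genuinely from the trusted domain: nothing to flag here
        if registrable_label(t) and registrable_label(t) in name_norm:
            findings.append("display-name-mismatch")
        if from_domain and edit_distance(from_domain, t) <= 2:
            findings.append("lookalike-domain")

    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                shown, real = host_of(text), normalize_host(urlparse(href).hostname)
                if shown and real and shown != real:
                    findings.append("link-mismatch")
    return findings


if __name__ == "__main__":
    for code in analyze(SAMPLE_PHISH):
        print("indicator:", code)
```

The checks are deliberately header- and body-based so they work on a message captured from a mailbox or a mail gateway log without any network lookups; in production they would sit alongside SPF/DKIM/DMARC results rather than replace them.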
8. COMMON TARGETS
• Receptionists
• Help desk personnel
• Vendors of the targeted organization
• System administrators
• End users
9. VECTORS
Major attack vectors that social engineers use:
• Online
• Telephone
• Personal approaches
• Reverse social engineering
10. REVERSE SOCIAL ENGINEERING
More advance method of Social Engineering and required a great deal of research and preparation.
It’s when the hacker create a persona that appears to be in a position of authority so that employees
in the target organization will ask him for information, rather than the other way around !!
Reverse Engineering attack involves three parts:
Marketing/advertising
Sabotage
Assisting/providing support
11. RSE EXAMPLE
• The hacker sabotages the network (e.g. a switch), causing a problem to arise. The hacker then
advertises that he is the appropriate contact to fix the problem, and when he comes
to fix the network problem, he requests certain bits of information from the employees and
gets what he really came for. They never know it was a hacker, because their network
problem goes away and everyone is happy.
• Alternatively, the hacker first markets himself as a problem solver or an expert in networking,
then sabotages the network (e.g. a switch) of the targeted organization so that a problem
arises, and when he is called in to fix the problem, he requests certain bits of information
(server passwords, network infrastructure details, etc.).
12. CONCLUSION
Social engineering is the hardest form of attack to defend against.
No matter what hardware / software you have or how much money you have spent so far,
PEOPLE are still the weakest link in the security chain.