Exploiting the human weakness
www.niiconsulting.com

Presentation by: Wasim ‘washal’ Halani
Network Intelligence India Pvt. Ltd.
Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!
• Information security at every organization is one of the most important aspects!
• It is people who handle this information.
• Social Engineering is exploiting the weakest link – the employees.
“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.”

[Source: Wikipedia]
• WordPress vulnerability on the blogs of their websites

Kevin ‘don’t call me a security expert’ Mitnick

Dan ‘I smile when I am hacked’ Kaminsky
• Phishing
• Baiting
• Identity Theft
• Dumpster Diving
• Email Scams
• Use of Authority
• Request for Help
• Indulging Curiosity
• Exploiting Greed
= Abuse of Trust
• IT/ITES Company
• Two offices
• About 400 – 500 employees
• We had previously conducted other security projects for them
• Guards were familiar with us
• We also knew a few people from our previous projects
• Only 3 people in the organization aware of the exercise
• Obtain ‘get-out-of-jail-free’ card!
• Bought a spy pen-cam
• Create fake authorization letters
  ◦ Fake letterhead (thank-you Photoshop)
  ◦ Fake signatures
  ◦ Fake content
• Understand the organization’s process flow
• Obtain employee list
• Define ‘targets’

• Security Auditor
  ◦ Surprise audit on behalf of Government Agency
  ◦ Chinese attacks on Indian institution (same-day newspaper headlines)
• College Student
  ◦ Research project
• Customer
  ◦ Call-center
• Phishing
• Social Networking
• Visit the office
• Convince the guard to let me in for the surprise security audit
  ◦ “It won’t be a surprise if you tell anyone”
• Once again we interviewed people
  ◦ Some suspicious
  ◦ Reading is not verifying
• Dumpster diving
• Gain unauthorized access
• Stay back late, after almost all employees left
  ◦ Photograph the office
• ‘Steal’ sensitive documents
  ◦ From open drawers
• Check personal folders kept on desks

• Sensitive information on technologies used
• Network architecture revealed
• A lot of technical information revealed to the “college student” doing a project, as well as to a journalist
• Found a bundle of official letterheads in the store-room
• Gained access to the Server Rooms
• We registered a domain with a single letter difference
  ◦ Registered email accounts
• Prepared an ‘Employee Complaint/Feedback Form’
  ◦ Company header, styling etc.
• Sent out mails on behalf of an HR person
• Employees are asked to enter their ‘credentials’ to log in to the system
• The final page has a PDF that is to be downloaded as a ‘unique token number’
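The lookalike domain behind the phishing mail above (one letter away from the real one) is exactly the kind of sender a mail gateway can quarantine before anyone reads the message. The block below is an added example, not code from the deck or from Network Intelligence: it flags From: headers whose sender domain is within one edit (substitution, insertion, deletion or adjacent transposition) of the corporate domain, which generalizes the single-letter case in the slides. The corporate domain niiexample.com, the registrable_part heuristic and the sample headers are constructed placeholders.

```python
"""Flag mail whose sender domain is a one-character near-miss of the corporate domain.

Added example, not code from the original deck. CORPORATE_DOMAIN and the
sample From: headers are constructed placeholders, not the client's real data.
"""
from email.utils import parseaddr

CORPORATE_DOMAIN = "niiexample.com"  # constructed placeholder


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a substitution, insertion,
    deletion or adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_part(domain: str) -> str:
    """Last two labels of a host name. Heuristic only: public suffixes such
    as co.uk would need a public-suffix list."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, corporate: str = CORPORATE_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"          # no usable address at all
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == corporate or domain.endswith("." + corporate):
        return "internal"
    # Compare only the registrable part so 'mail.<lookalike>' is still caught.
    if osa_distance(registrable_part(domain), corporate) <= 1:
        return "lookalike"
    return "external"


def flag_lookalikes(from_headers):
    """Return the headers that should be quarantined for manual review."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]


# Constructed sample headers; the lookalikes mimic the 'single letter
# difference' domain the deck describes, one edit type each.
SAMPLE_FROM_HEADERS = [
    "HR Team <hr@niiexample.com>",            # genuine internal sender
    "IT Helpdesk <it@mail.niiexample.com>",   # internal subdomain
    "HR Team <hr@niiexampel.com>",            # transposition
    "HR Team <hr@niexample.com>",             # deletion
    "HR Team <hr@niiexample.co>",             # deletion in the TLD
    "HR Team <hr@niiexamples.com>",           # insertion
    "HR Team <hr@mail.niiexampel.com>",       # lookalike behind a subdomain
    "Vendor News <news@vendor.example>",      # ordinary external mail
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9s}  {header}")
```

A lookalike verdict is a trigger for quarantine and human review, not proof of phishing, since legitimate partners occasionally own near-miss names.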

• About 10 users entered their credentials, which we captured
• No one downloaded the PDF
• Took about 10-15 mins. for the HR dept. to be alerted
  ◦ They sent out an email denying the fake email
• One employee had a discussion with HR and responded back to our email address
• LinkedIn
  ◦ Fake employee profile
    ▪ Searched for people not listed in the network
  ◦ Joined the company ‘network’
  ◦ Sent out invites
• Facebook
  ◦ Multiple fake profiles
    ▪ Added each other as friends
• Turns out they had a new employee
• Everyone thought his was the ‘fake’ profile
• Very difficult to identify the real profile
• ‘Attractive’ profiles receive friend requests
Confidential…

Contact:
wasim.halani@niiconsulting.com
http://www.niiconsulting.com
@washalsec

NII Social Engineering Case Study

  • 1. Exploiting the human weakness www.niiconsulting.com Presentation by: Wasim ‘washal’ Halani Network Intelligence India Pvt. Ltd.
  • 2. Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!
  • 3. Information security at every organization is one of the most important aspects!  It is people who handle this information  Social Engineering is exploiting the weakness link – the employees www.niiconsulting.com
  • 4. “Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.” [Source: Wikipedia] www.niiconsulting.com
  • 7.
  • 8.
  • 9. Wordpress vulnerability on the blogs of their websites Kevin ‘don’t call me a security expert’ Mitnick Dan ‘I smile when I am hacked’ Kaminsky www.niiconsulting.com
  • 10.
  • 11.  Phishing  Baiting  Identity Theft  Dumpster Diving  Email Scams  Use of Authority  Request for Help  Indulging Curiosity  Exploiting Greed =Abuse of Trust www.niiconsulting.com
  • 12. IT/ITES Company  Two offices  About 400 – 500 employees  We had previously conducted other security projects for them  Guards were familiar with us  We also knew a few people from our previous projects www.niiconsulting.com
  • 13.
  • 14. Only 3 people in the organization aware of the exercise  Obtain ‘get-out-of-jail-free’ card!  Bought a spy pen-cam  Create fake authorization letters ◦ Fake letterhead (thank-you Photoshop) ◦ Fake signatures ◦ Fake content  Understand the organization’s process flow  Obtain employee list  Define ‘targets’
  • 15. Security Auditor ◦ Surprise audit on behalf of Government Agency ◦ Chinese attacks on Indian institution (same-day newspaper headlines )  College Student ◦ Research project  Customer ◦ Call-center  Phishing  Social Networking
  • 17. Visit the office  Convince the guard to let me in for the surprise security audit ◦ “It won’t be a surprise if you tell anyone”  Once again we interviewed people ◦ Some suspicious ◦ Reading is not verifying  Dumpster diving www.niiconsulting.com
  • 18. Gain unauthorized access  Stay back late, after almost all employees left ◦ Photograph the office  ‘Steal’ sensitive documents ◦ From open drawers  Check personal folders kept on desks
  • 19.
  • 20. Sensitive information on technologies used  Network architecture revealed  Lot of technical information revealed to “college student” doing a project, as well as journalist  Found bundle of official letter heads in store- room  Gained access to the Server Rooms www.niiconsulting.com
  • 21.
  • 22. We registered a domain with a single letter difference ◦ Registered email accounts  Prepared a ‘Employee Complaint/Feedback Form’ ◦ Company header, styling etc.  Sent out mails to on behalf of HR person  Employees are asked to enter their ‘credentials’ to log in to the system  The final page has a PDF that is to be downloaded as a ‘unique token number’ www.niiconsulting.com
  • 24. About 10 users entered their credentials which we captured  No one downloaded the PDF   Took about 10-15 mins. for HR dept. to be alerted ◦ They sent out an email denying the fake email  One employee had a discussion with HR and responded back to our email address www.niiconsulting.com
  • 25. Linkedin ◦ Fake employee profile  Searched for people not listed in the network ◦ Joined the company ‘network’ ◦ Sent out invites  Facebook ◦ Multiple fake profiles  Added each other as friends www.niiconsulting.com
  • 27.
  • 28. Turns out they had a new employee  Everyone thought his was the ‘fake’ profile  Very difficult to identify the real profile  ‘Attractive’ profiles  receive friend requests www.niiconsulting.com
  • 30. Confidential… www.niiconsulting.com