Data Security Concepts
COUNTERACTING SOCIAL ENGINEERING EXPLOITS
BY NICKKISHA FARRELL BSc IT, DIP Ed
January 2014
2

IN THIS PRESENTATION

What is Social Engineering
Identifying Social Engineering Exploits
Counteracting Social Engineering Exploits
Evolving Social Engineering Organization Policies
3

INTRODUCTION



During the last 15 years, software makers have improved
their security practices.



Enterprises have deployed better security defenses.



These improvements have pushed cybercriminals to target
vulnerable humans rather than vulnerable code.
4

INTRODUCTION
5

SOCIAL ENGINEERING


The art of gaining access to buildings, systems or data by
exploiting or manipulating human psychology, rather than
by breaking in or using technical hacking techniques.

For example, instead of trying to find a software vulnerability, a social
engineer might call an employee and pose as an IT support person,
trying to trick the employee into divulging his password.
6

ORIGINS OF SOCIAL ENGINEERING



Social engineering attacks usually originate from one of three zones:

Internal
Trusted
External

Internal threats come from employees who manipulate other
employees to gather sensitive information and access to IT systems.
May include disgruntled employees, temporary employees,
employees with criminal tendencies, and ancillary workers such as
housekeeping and maintenance staff.
7

ORIGINS OF SOCIAL ENGINEERING



Trusted threats come from other individuals who are formally
associated with your organization on a regular basis but are not on
your payroll. These can include contractors and consultants, as well
as partner organizations.



External threats come from people who are not associated with
your organization. This category can include recreational hackers,
competitors wanting to uncover confidential information, or
criminals wanting to steal something.



This document focuses on the external attacker.
8

HOW SOCIAL ENGINEERS WORK


Criminals will often take weeks and months getting to know a place before
even coming in the door or making a phone call. Their preparation might
include finding a company phone list or org chart and researching employees
on social networking sites like LinkedIn or Facebook.



Once a social engineer is ready to strike, knowing the right thing to say,
knowing whom to ask for, and having confidence are often all it takes to gain
access to a facility or sensitive data.
9

SOCIAL ENGINEERING TACTICS


Tactic 1: Ten degrees of separation
The number one goal of a social engineer who uses the telephone as
his modus operandi is to convince his target that he is either

1) a fellow employee, or
2) a trusted outside authority (such as law enforcement or an auditor).

According to Sal Lifrieri, a 20-year veteran of the New York City Police Department,
there might be ten steps between a criminal's target and the person he or she can
start with in the organization.

"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to
know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting
information you wouldn't have volunteered a few weeks earlier."
10

SOCIAL ENGINEERING TACTICS


Tactic 2: Learning your corporate language
A social engineering criminal will study that corporate language and be
able to rattle it off with the best of them.

"It's all about surrounding cues. If I'm speaking a language you
recognize, you trust me. You are more willing to give me that
information I'm looking to get out of you if I can use the acronyms and
terms you are used to hearing."
11

SOCIAL ENGINEERING TACTICS


Tactic 3: Borrowing your 'hold' music
Another successful technique involves recording the "hold" music a
company uses when callers are left waiting on the phone.

"The criminal gets put on hold, records the music and then uses it to
their advantage. When he or she calls the intended victim, they talk
for a minute and then say 'Oh, my other line is ringing, hold on,' and
put them on hold. The person being scammed hears that familiar
company music and thinks: 'Oh, he must work here at the company.
That is our music.' It is just another psychological cue."
12

SOCIAL ENGINEERING TACTICS


Tactic 4: Phone-number spoofing
Criminals often use phone-number spoofing to make a different
number show up on the target's caller ID.

The criminal could be sitting in an apartment calling you, but the
number that shows up on the caller ID appears to come from within
the company.

Of course, unsuspecting victims are more than likely to give private
information, like passwords, over the phone if the caller ID legitimizes
the call. And, of course, the crime is often undetectable afterwards
because if you dial the number back, it goes to an internal company
number.
13

SOCIAL ENGINEERING TACTICS


Tactic 5: Using the news against you
"Whatever is going on in the headlines, the bad guys are using that
information as social engineering lures for spam, phishing and other
scams."

Marcus said Avert has seen a rise in the number of presidential
campaign-related and economic crunch-based spam emails lately.

"The email will say 'Your bank is being bought by this bank. Click here
to make sure you update information before the sale closes.'"
14

SOCIAL ENGINEERING TACTICS


Tactic 6: Abusing faith in social networking sites
People have a lot of faith in social networking sites like Facebook and
LinkedIn. A recent spear-phishing incident targeted LinkedIn users,
and the attack was surprising to many.

Emails are usually worded like this: "Site is doing maintenance, click
here to update your information." Of course, when you click on the
link, you go to the bad guys' site.

One solution is to type in web addresses manually to avoid malicious
links. Also keep in mind that it is very rare for a site to send out
a request for a password change or an account update.
15

SOCIAL ENGINEERING TACTICS


Tactic 7: Typo Squatting
On the Web, scammers also bank on the common mistakes people
make when they type. When you type in a URL that's just one letter
off, suddenly you can end up on a completely different site looking
just like the one you intended.



Instead of going where they wanted, unsuspecting users who make
typing mistakes end up on a fake site that either intends to sell
something, steal something, or push out malware.
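As an added defender-side example (not part of the original deck), the following Python script scans a constructed proxy log for hostnames that are one edit away from a list of domains the organization treats as legitimate, which is exactly the "one letter off" mistake typo squatters bank on; the log format and the domain list are assumptions made for the demonstration.

```python
"""Flag hostnames that are one typo away from a domain the organization trusts.

Added example, not from the original deck. The legitimate-domain list and the
proxy log format below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed allow-list of domains the organization treats as legitimate (assumption).
LEGIT_DOMAINS = ["example-bank.com", "linkedin.com", "facebook.com"]

# Constructed proxy log lines in an assumed "timestamp user url" format.
SAMPLE_LOG = """\
2014-01-07T09:12:01 alice http://www.example-bank.com/login
2014-01-07T09:13:45 bob http://www.exampel-bank.com/login
2014-01-07T09:15:10 carol https://linkedn.com/uas/login
2014-01-07T09:16:33 dave https://facebook.com/home.php
2014-01-07T09:18:02 erin http://faceboook.com/update
2014-01-07T09:19:50 frank https://api.linkedin.com/v1/people
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insertion, deletion, substitution
    or swap of two adjacent characters each counts as a single edit, which
    covers the "just one letter off" mistakes the deck describes."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def candidate_suffixes(host: str) -> List[str]:
    """All dot-suffixes with at least two labels, so 'www.exampel-bank.com'
    is compared both as a whole and as 'exampel-bank.com'."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def classify_host(host: str, legit: List[str] = LEGIT_DOMAINS,
                  max_dist: int = 1) -> Optional[str]:
    """Return the legitimate domain this host appears to imitate, or None when
    the host is a legitimate domain, one of its subdomains, or simply unrelated."""
    suffixes = candidate_suffixes(host)
    for good in legit:
        if good in suffixes:
            return None  # the real domain or a subdomain of it, never a hit
    for good in legit:
        for suffix in suffixes:
            if osa_distance(suffix, good) <= max_dist:
                return good
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run every parsable log line through classify_host and collect the hits."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        host = urlsplit(m["url"]).hostname or ""
        imitated = classify_host(host)
        if imitated:
            hits.append({"ts": m["ts"], "user": m["user"],
                         "host": host, "imitates": imitated})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} visited {hit['host']} "
              f"(looks like {hit['imitates']})")
```

The same check can be pointed at newly registered domains to spot lookalikes of your own brand before users are lured to them.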
16

IDENTIFY SOCIAL ENGINEERING EXPLOITS


On the phone:
A social engineer might call and pretend to be a fellow employee or a
trusted outside authority (such as law enforcement or an auditor).



In the office:
"Can you hold the door for me? I don't have my key/access card on me."
How often have you heard that in your building? While the person asking
may not seem suspicious, this is a very common tactic used by social
engineers.
17

IDENTIFY SOCIAL ENGINEERING EXPLOITS


Online:
Social networking sites have opened a whole new door for social
engineering scams. A common scam is to pose as a Facebook "friend."



Criminals are stealing passwords, hacking accounts and posing as friends
for financial gain.



One popular tactic used recently involved scammers hacking into
Facebook accounts and sending a message on Facebook claiming to be
stuck in a foreign city and in need of money.



Social engineers also take advantage of current events and holidays to
lure victims.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS

18


Awareness is the number one defensive measure.
Employees should be aware that social engineering exists
and also aware of the tactics most commonly used.



Fortunately, social engineering awareness lends itself to
storytelling. And stories are much easier to understand and
much more interesting than explanations of technical flaws.



Quizzes and attention-grabbing or humorous posters are
also effective reminders about not assuming everyone is
always who they say they are.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS

19

COUNTERACTING SOCIAL ENGINEERING EXPLOITS

20

Design an in-house social engineering penetration test



Although it's a tactic to use with great caution, fear of
embarrassment is a strong motivator. Nobody likes to look
foolish.



Consider this factor if you choose to design an in-house social
engineering penetration test. A little embarrassment will put
everyone on their toes; crossing the line to humiliation will only
make employees angry.
COUNTERACTING SOCIAL ENGINEERING EXPLOITS

21



A number of vendors offer tools or services to help conduct
social engineering exercises, and/or to build employee
awareness via means such as posters and newsletters.



Also worth checking out is social-engineer.org's Social
Engineering Toolkit, which is a free download.



The toolkit helps automate penetration testing via social
engineering, including "spear-phishing attacks", creation of
legitimate-looking websites, USB drive-based attacks, etc.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES


22

1. Appeal to personal lives: Get people interested in security by
arming them with techniques to secure their personal information;
if they securely tend to their own business, they're more likely to
tend to their employer's.

2. Make the message visible: Put posters up
at copy machines, bulletin boards, and
lunchrooms. Make them eye-catching but
simple; something anyone walking by can
read and interpret without breaking stride—
they're more likely to remember the content.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

23



3. Provide treats: Have an occasional celebration where Security
thanks the staff for doing their part.



4. Use their desk: Implement a clean desk policy and perform random
desk checks after hours.


Reward those who have no sensitive material out by leaving a small treat
like a piece of candy or pack of gum and a "Thanks for Doing your Part"
note, or enter them in a monthly drawing for a prize.



For those who aren’t meeting the criteria, leave a gentle reminder with
specifics about what needs to be corrected. Repeat offenders should be
discussed with management.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

24



5. Bring it to their computer screen: If you have a company newsletter,
be certain to include a security article in each edition and provide
information on the latest incidents that have occurred, particularly in
your industry.



6. Require training: Training programs will be more effective if you
include interactive exercises, contests, games, or give-aways.



7. Walk the walk: Perhaps the most impactful technique is for senior
leadership members to display their own penchant for security. If it
looks to be important at the top, you can bet it'll be important at the
bottom.

EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

25

• Do background checks when hiring employees.
• Screen temporary and ancillary workers.
• Set up a clear reporting process for security problems.
• Open the lines of communication between physical
security and the IT department.
• Monitor employee behavior patterns for abnormal
activities and access violations.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

26

• Lock out terminated employees immediately.
• Create a positive work environment, which will cut down on
disgruntled employees.
• Publish a formal written company policy stating that the IT
department will never ask for a user's password.
• Require ID badges for employees and mandate that an
employee with a badge accompany visitors.
27

SUMMARY






Social engineers increasingly employ elusive attack tactics that
exploit natural human predispositions with the goal of bypassing
defenses. These attacks can have very damaging consequences for an
organization, but you can take a number of steps to mitigate such
attacks.
Remember that your employees can make or break your security
program—keep them engaged in the process by soliciting
feedback and suggestions.
A security-aware culture is possible in any organization as long as it is
the standard by which everyone operates, and concepts are
consistently reinforced.
28

REFERENCES



http://www.csoonline.com/article/514063/socialengineering-the-basics#1



http://www.csoonline.com/article/460135/socialengineering-eight-common-tactics



http://www.techrepublic.com/article/change-yourcompanys-culture-to-combat-social-engineering-attacks/

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Data security concepts chapter 2

  • 8. HOW SOCIAL ENGINEERS WORK. Criminals will often take weeks or months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook. Once a social engineer is ready to strike, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes to gain access to a facility or sensitive data.
  • 9. SOCIAL ENGINEERING TACTICS. Tactic 1: Ten degrees of separation. The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). According to Sal Lifrieri, a 20-year veteran of the New York City Police Department, there might be ten steps between a criminal's target and the person he or she can start with in the organization. "The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."
  • 10. SOCIAL ENGINEERING TACTICS. Tactic 2: Learning your corporate language. A social engineering criminal will study the organization's own language and be able to rattle it off with the best of them. "It's all about surrounding cues. If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."
  • 11. SOCIAL ENGINEERING TACTICS. Tactic 3: Borrowing your 'hold' music. Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone. "The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."
  • 12. SOCIAL ENGINEERING TACTICS. Tactic 4: Phone-number spoofing. Criminals often use phone-number spoofing to make a different number show up on the target's caller ID. The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company. Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And, of course, the crime is often undetectable afterwards, because if you dial the number back, it goes to an internal company number.
  • 13. SOCIAL ENGINEERING TACTICS. Tactic 5: Using the news against you. "Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams." Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately. "The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.'"
  • 14. SOCIAL ENGINEERING TACTICS. Tactic 6: Abusing faith in social networking sites. People have a lot of faith in social networking sites like Facebook and LinkedIn. A recent spear-phishing incident targeted LinkedIn users, and the attack was surprising to many. Emails are usually worded like this: "The site is doing maintenance, click here to update your information." Of course, when you click on the link, you go to the bad guys' site. One solution is to type in web addresses manually to avoid malicious links, and to keep in mind that it is very rare for a site to send out a request for a password change or an account update.
  • 15. SOCIAL ENGINEERING TACTICS. Tactic 7: Typo squatting. On the Web, scammers also bank on the common mistakes people make when they type. When you type in a URL that's just one letter off, you can suddenly end up on a completely different site that looks just like the one you intended. Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that intends to sell something, steal something, or push out malware.
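The "one letter off" check from Tactic 7, seen from the defender's side, as an added example that is not part of the presentation: it compares hostnames taken from outbound proxy log lines against the organization's legitimate domains and flags any host that is exactly one edit away (substitution, insertion, deletion or adjacent transposition). The domain example-corp.com, the user names and the log lines are constructed for illustration.

```python
"""Defender-side check for Tactic 7 (typo squatting): flag hostnames one
edit away from the organization's legitimate domains. Added example, not
from the presentation; all domains and log lines are constructed."""
from urllib.parse import urlsplit


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitution, insertion,
    deletion and adjacent transposition each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(host: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' before comparing."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_lookalikes(legit_domains, observed_hosts, max_distance=1):
    """Map each observed host that is not legitimate but lies within
    max_distance edits of a legitimate domain to that domain."""
    legit = sorted({normalize(d) for d in legit_domains})
    hits = {}
    for raw in observed_hosts:
        host = normalize(raw)
        if not host or host in legit:
            continue                      # exact matches are never flagged
        for good in legit:
            if osa_distance(host, good) <= max_distance:
                hits[host] = good
                break
    return hits


# Constructed outbound-proxy log lines: timestamp, user, requested URL.
PROXY_LOG = [
    "2014-01-09T10:02:11Z alice https://www.example-corp.com/portal",
    "2014-01-09T10:05:42Z bob https://exmaple-corp.com/portal/login",
    "2014-01-09T10:07:03Z carol https://example-corp.co/reset-password",
    "2014-01-09T10:09:15Z dave https://exampIe-corp.com/login",
    "2014-01-09T10:11:30Z erin https://news.example.org/headlines",
]


def hosts_from_log(lines):
    """Pull the hostname out of the URL field (last token) of each line."""
    return [urlsplit(line.split()[-1]).hostname or "" for line in lines]


if __name__ == "__main__":
    suspects = find_lookalikes(["example-corp.com"], hosts_from_log(PROXY_LOG))
    for bad, good in suspects.items():
        print(f"lookalike {bad} resembles {good}")
```

A production version would also normalize against a public suffix list and handle multi-character homoglyph swaps; the distance-one check is the minimum the slide describes.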
  • 16. IDENTIFY SOCIAL ENGINEERING EXPLOITS. On the phone: A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor). In the office: "Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
  • 17. IDENTIFY SOCIAL ENGINEERING EXPLOITS. Online: Social networking sites have opened a whole new door for social engineering scams. A common scam is to pose as a Facebook "friend." Criminals are stealing passwords, hacking accounts and posing as friends for financial gain. One popular tactic used recently involved scammers hacking into Facebook accounts and sending messages claiming to be stuck in a foreign city and in need of money. Social engineers also take advantage of current events and holidays to lure victims.
  • 18. COUNTERACTING SOCIAL ENGINEERING EXPLOITS. Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used. Fortunately, social engineering awareness lends itself to storytelling, and stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.
  • 20. COUNTERACTING SOCIAL ENGINEERING EXPLOITS. Design an in-house social engineering penetration test. Although it's a tactic to use with great caution, fear of embarrassment is a strong motivator; nobody likes to look foolish. Consider this factor if you choose to design an in-house social engineering penetration test. A little embarrassment will put everyone on their toes; crossing the line to humiliation will only make employees angry.
  • 21. COUNTERACTING SOCIAL ENGINEERING EXPLOITS. A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters. Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download. The toolkit helps automate penetration testing via social engineering, including "spear-phishing attacks", creation of legitimate-looking websites, USB drive-based attacks, etc.
  • 22. EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES. 1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they're more likely to tend to their employer's. 2. Make the message visible: Put posters up at copy machines, bulletin boards, and lunchrooms. Make them eye-catching but simple, something anyone walking by can read and interpret without breaking stride; they're more likely to remember the content.
  • 23. EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES. 3. Provide treats: Have an occasional celebration where Security thanks the staff for doing their part. 4. Use their desk: Implement a clean desk policy and perform random desk checks after hours. Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a "Thanks for Doing your Part" note, or enter them in a monthly drawing for a prize. For those who aren't meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.
  • 24. EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES. 5. Bring it to their computer screen: If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry. 6. Require training: Training programs will be more effective if you include interactive exercises, contests, games, or giveaways. 7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security. If it looks to be important at the top, you can bet it'll be important at the bottom.
  • 25. EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES. Do background checks when hiring employees. Screen temporary and ancillary workers. Set up a clear reporting process for security problems. Open the lines of communication between physical security and the IT department. Monitor employee behavior patterns for abnormal activities and access violations.
  • 26. EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES. Lock out terminated employees immediately. Create a positive work environment, which will cut down on disgruntled employees. Publish a formal written company policy stating that the IT department will never ask for a user's password. Require ID badges for employees and mandate that an employee with a badge accompany visitors.
  • 27. SUMMARY. Social engineers increasingly employ elusive attack tactics that exploit natural human predispositions with the goal of bypassing defenses. These attacks can have very damaging consequences for an organization, but you can take a number of steps to mitigate them. Remember that your employees can make or break your security program; keep them engaged in the process by soliciting feedback and suggestions. A security-aware culture is possible in any organization as long as it is the standard by which everyone operates and its concepts are consistently reinforced.