Social engineering
1. Social Engineering. “Amateurs hack computers; professionals hack people.” Alexander Zhuravlev, MSLU, 2010
2. Contents
- Security issues today
- What is social engineering?
- Why social engineering?
- Categories of social engineering
- How to safeguard against social engineering?
- Conclusion
3. Security issues today. Security has never been as important as it is today. The need for information security is apparent not only for every country and organization, but also for the individual. Victims of identity-related crimes can be left with debt, bad credit, higher interest rates, and possibly criminal charges against them until they are able to prove themselves innocent. As a result, it can take years, or even a lifetime, to recover from these wrongdoings. According to a survey released on May 15, 2008 by the United States Department of Justice, “An estimated 3.6 million, or 3.1 percent, of American households became victims of identity theft in 2007.”
4. What is social engineering? Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or a simple fraud, the term typically applies to trickery for information gathering or computer system access. In most cases the attacker never comes face-to-face with the victims, and the latter seldom realize that they have been manipulated. Social engineers prey on human behavior, such as the desire to be helpful, the tendency to trust people, and the fear of getting into trouble. The sign of a truly successful social engineer is that he or she receives the information without arousing any suspicion. By this method, social engineers exploit a person's natural tendency to trust what they are told, rather than exploiting computer security holes. It is generally agreed that “users are the weak link” in security, and this principle is what makes social engineering possible.
5. Why social engineering? Social engineering uses human error or weakness to gain access to a system despite the layers of defensive security controls that may have been implemented. A hacker may have to invest a lot of time and effort in breaking an access control system, but he or she will find it much easier to persuade a person to allow admittance to a secure area or even to disclose confidential information. Despite the automation of machines and networks today, there is no computer system in the world that does not depend on human operators at one point in time or another.
6. Behaviors vulnerable to social engineering attacks. Social engineering has always existed in one form or another, primarily because of some very natural facets of human behavior. A social engineer exploits these behavior patterns to drive the target towards becoming a victim of the attack. Common human behaviors exploited by social engineers are shown in the image provided. [Figure: Exploitation of human behavior]
8. Attacks based on a non-technical approach are perpetrated purely through deception, i.e. by taking advantage of the weaknesses in the victim's human behavior described earlier. For instance, the user gets a pop-up window informing him that a computer application has a problem and that he will need to re-authenticate in order to proceed; once the user enters his ID and password in that pop-up window, the damage is done. In another example, the attacker impersonates a person with significant authority: he or she places a call to the help desk, pretends to be a senior manager who has forgotten his or her password, and insists that it be reset right away.
10. Non-technical approach
Pretexting / Impersonation - the act of creating and using an invented scenario (the pretext) to persuade a target to release information. It is more than a simple lie, as it most often involves some prior research or set-up and makes use of pieces of known information (e.g. date of birth, mother's maiden name, billing address, etc.) to establish legitimacy in the target's mind.
Dumpster diving - if junk mail contains personal identification information, a 'dumpster diver' can use it to carry out identity theft. A hacker can also retrieve confidential information from the hard disk of a discarded computer, as there are numerous ways to recover data from disks even when the user thinks it has been 'deleted'.
Spying and eavesdropping - a clever spy can determine a user's ID and password by observing the user typing them in (shoulder surfing). All that needs to be done is to stand behind the user and be able to see his fingers on the keyboard.
Acting as a technical expert - an intruder pretends to be a support technician working on a network problem and asks the user to let him access the workstation to 'fix' the problem.
Support staff - a hacker may pose as a member of the facility's support staff. A man dressed like the cleaning crew walks into the work area carrying cleaning equipment; while appearing to clean your desk area, he can snoop around and pick up valuable information, such as passwords or a confidential file that you have forgotten to lock up.
13. Personnel security - screening prospective employees and contractors to ensure that they do not pose a security threat to the organization if employed
14. Physical security - securing the facility against unauthorized physical access with the help of sign-in procedures