Building your Social Engineering Awareness Program

Dave Keene, Information Security Engineer, Wells Fargo

May 7, 2015


Page 1: Building your social engineering awareness program

Building your Social Engineering Awareness Program

Dave Keene

Wells Fargo

Information Security Engineer

May 7, 2015

Page 2

Agenda

Definition of Social Engineering and why it is effective

Recent Examples

Social Engineering Techniques

Building Your Awareness Program

Testing Your Awareness Program

Remediation

Page 3

Social Engineering Defined

Social Engineering is the practical application of manipulation and deception against the human element

Relies on the instinctive trust people place in one another, a trust that evolved as a survival tactic

– Think about your youth, things you were taught

• Politeness

• Kindness

• Sense of community

Page 4

Why does Social Engineering work?

The techniques used exploit this ingrained vulnerability: trust

In other words, this is a zero day exploit with no patch on the horizon

Like any other security risk, there are mitigating controls

Page 5

Recent Examples of Social Engineering

Hospital Sues Bank of America Over Million-Dollar Cyber heist – Krebs On Security

– “A Bank of America employee contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” … an employee in the Chelan County Treasurer’s Office responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.”

Anthem – Tom DeSot, Digital Defense

– “It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,”

Page 6

Social Engineering Techniques

Phishing

– Using crafted emails to manipulate a person into doing something other than what they would normally do

Voice Phishing (Vishing)

– Traditional use of phone calls to convince a person to disclose information

SMS Phishing (Smishing)

– Text messages with links that lead to charges on the phone bill

Page 7

Social Engineering Techniques

Flyer drops

– Flyers with enticing advertisements that lead people to manually enter a link into their browser

Removable media drops

– CDs/DVDs or USB drives labeled with intriguing possible contents

– The media contains malware, some of which can be made undetectable by anti-virus

Page 8

Building Your Education Program

Create your policies and reporting processes

Before instruction can begin, you must have basic policies in place for employees to understand

– Acceptable Use Policy

– Social Media Use Policy

Employees need a way to report Social Engineering attempts

– Phishing mail box

– Phone line or voicemail box

• Monitoring and response is key!

Page 9

Building Your Education Program

Phishing Education

Teach users how to spot a phishing email

Unify communications and reduce use of email blasts to all employees

Page 10

Building Your Education Program

Vishing Education

Educate users about voice calls

– Phone numbers are easily spoofed

Caller authentication

– Programs that will allow a challenge/response to ensure the caller is authentic

Page 11

Building Your Education Program

Smishing Education

Alert users to what smishing is, as it is not a commonly used term

Disable short codes on company phones, or restrict short codes to require an additional PIN

Page 12

Building Your Education Program

Flyer Drop Education

Don’t keep a sterile work environment

Don’t allow flyers with shortened links

Have someone designated to check flyers for validity

Page 13

Building Your Education Program

Media Drop Education

Make users aware of the risk of enticing USB keys or other media that appear to hold exciting or sensitive data

Don’t allow unknown media into corporate computers, or at minimum don’t allow files to be executed

– Restrict corporate systems to approved USB identifiers or to encrypted-only devices

– Use endpoint protection

Page 14

Testing Your Education Program

Phish your employees

Use phishing software to phish employees

– Vary the difficulty of spotting the phish, starting with obvious ones and gradually removing the obvious phish identifiers

• First phish contains gratuitous spelling mistakes, sense of urgency, invalid sender and/or receiver, bogus URLs, etc.

• Each level removes more of the phishing elements, making the phish harder to spot and reinforcing the training

While open source phishing software exists, larger organizations may need assistance from phishing service providers and/or to develop their own tools to assist in phishing
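As an added example (not code from the deck or from Wells Fargo), here is a grader for simulated phishing samples that checks for the five indicators the slide lists and turns the count into the training level described above, so each successive test can be confirmed to remove exactly one more tell-tale sign. The word lists, domains and sample emails are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed word lists for this example (a real program would use a proper dictionary).
MISSPELLINGS = ("recieve", "imediately", "acount", "verifiy", "securty")
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "valued employee")

@dataclass
class TrainingPhish:
    """One simulated phishing email used in an awareness exercise."""
    claimed_domain: str  # domain the message pretends to come from
    from_addr: str       # address it was actually sent from
    body: str
    links: list          # (anchor text, href) pairs in the body

def _same_org(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def indicators(p: TrainingPhish) -> list:
    """Tell-tale signs present in the sample, i.e. what users are taught to spot."""
    text = p.body.lower()
    found = []
    if any(w in text for w in MISSPELLINGS):
        found.append("spelling mistakes")
    if any(w in text for w in URGENCY_PHRASES):
        found.append("sense of urgency")
    if not _same_org(p.from_addr.rsplit("@", 1)[-1], p.claimed_domain):
        found.append("invalid sender")
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic receiver")
    if any(not _same_org(urlparse(href).hostname or "", p.claimed_domain)
           for _anchor, href in p.links):
        found.append("bogus URL")
    return found

def difficulty_level(p: TrainingPhish) -> int:
    """Level 1 = all five indicators present (the obvious first phish); each indicator
    removed raises the level by one. 0 means nothing is left for a user to spot."""
    n = len(indicators(p))
    return 0 if n == 0 else 6 - n

# Constructed samples: an obvious level-1 phish and a subtle one with only a bogus link.
OBVIOUS = TrainingPhish("corp.example", "helpdesk@corp-example.test",
                        "Dear Customer, your acount will be suspended. Verifiy immediately.",
                        [("Reset password", "http://corp.example.login.lure.test/reset")])
SUBTLE = TrainingPhish("corp.example", "helpdesk@corp.example",
                       "Hi Dave, the updated expense policy is attached for your review.",
                       [("Expense policy", "https://docs.corp-example.test/policy.pdf")])
```

A level-0 result is useful as a sanity check before a campaign goes out: it means the sample carries none of the signs the training teaches, so a click on it says nothing about the training.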

Page 15

Testing Your Education Program

Vish your employees

This may take more effort as vishing is a live manipulation exercise

– Find someone outside of the organization willing to assist

Many security firms offer this service; it is a specialized skill, yet highly important because of how effective vishing is

Page 16

Testing Your Education Program

Test flyer and removable media drops

Create internal tracking that can detect when users:

– Enter the flyer URL

– Execute removable media

Engage your technical staff for assistance; there are tutorials on tracking with open source software for testing your program's effectiveness

Page 17

Remediate when training fails

Don’t just track failure; make sure you notify employees if they put the company at risk

Engage legal and HR for advice on repeat offenses

Remember there is no perfect solution, there will still be a small percentage that fall for these every time

– Investigate restricting these users after repeat offenses
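Tying the tracking from the testing slide to this remediation step, the following added example (not the deck's or any vendor's code) correlates per-drop tokens seen in a web-server access log and in call-backs from the dropped media with a roster of who received each drop, reports failures per department, and lists the repeat offenders that legal and HR need to hear about. The roster, log lines, token format and the /promo landing path are all constructed for the example.

```python
import re
from collections import Counter

# Constructed roster: every flyer or USB drop carries a unique token tied to the
# person it was handed to (or the desk it was left on). All values are invented.
ROSTER = {
    "a1f3": ("dkeene", "Operations"),
    "b7c2": ("jsmith", "Finance"),
    "c9e4": ("mlee", "Finance"),
    "d0a8": ("rpatel", "HR"),
}

# Constructed tracking data: web-server hits on the flyer landing page (token in the
# query string) and call-backs from the tracking file launched off the dropped media.
ACCESS_LOG = """\
10.1.2.3 - - [07/May/2015:09:12:01 -0700] "GET /promo?t=a1f3 HTTP/1.1" 200 512
10.1.2.9 - - [07/May/2015:09:14:22 -0700] "GET /promo?t=b7c2 HTTP/1.1" 200 512
10.1.2.3 - - [07/May/2015:10:01:09 -0700] "GET /favicon.ico HTTP/1.1" 404 0
"""
MEDIA_BEACONS = [("b7c2", "2015-05-07T11:30:00"), ("d0a8", "2015-05-07T13:02:45")]

FLYER_RE = re.compile(r'"GET /promo\?t=([0-9a-f]+) ')

def failures(access_log: str, media_beacons: list) -> list:
    """One (user, department, kind) record per test a user fell for."""
    out = []
    for line in access_log.splitlines():
        m = FLYER_RE.search(line)
        if m and m.group(1) in ROSTER:
            out.append(ROSTER[m.group(1)] + ("flyer",))
    for token, _when in media_beacons:
        if token in ROSTER:
            out.append(ROSTER[token] + ("media",))
    return out

def by_department(fails: list) -> dict:
    """Failure count per department, to see where training needs reinforcing."""
    return dict(Counter(dept for _user, dept, _kind in fails))

def repeat_offenders(fails: list, threshold: int = 2) -> list:
    """Users who failed at least `threshold` tests: the remediation candidates."""
    counts = Counter(user for user, _dept, _kind in fails)
    return sorted(user for user, n in counts.items() if n >= threshold)
```

Because the token identifies the drop rather than the machine, a hit from a shared workstation still maps back to the person who received the flyer or media.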

Page 18

Summary

Definition of Social Engineering and why it is effective

Recent Examples

Social Engineering Techniques

Building Your Awareness Program

Testing Your Awareness Program

Remediation

Page 19

Questions?

People are the weakest link in a security practice, but properly trained they can become the strongest asset in protecting your company

Insert Sun Tzu quote here