Defending Layer 8
How to recognize and combat social engineering

Steve Riley
Senior Security Strategist
Security Technology Unit
[email protected]
http://blogs.technet.com/steriley
When was the last time you…
- Heard about social engineering?
- Or physical security even?

The problem
- People spend a fortune on technology and are still vulnerable to old-fashioned manipulation!

Don’t believe me?
- Hired pen test example
  - Physical and electronic
- Help desk example
  - Betty is a bit too helpful
- Get a credit card number easily
  - Call “friend” at cross-town store
- No SecurID? No problem!
  - Show me yours
Try it yourself!
1. Be professional.
2. Be calm.
3. Know your mark.
4. Do not fool a superior scammer.
5. Plan your escape from your scam.
6. Be a woman.
7. Use watermarks.
8. Make business cards and fake names.
9. Manipulate the less fortunate, the unaware, and the stupid.
10. Use a team if you have to.
Exploits “layer 8”
- There is no computer system on Earth that does not rely on humans
- S.E. completely bypasses all information controls and goes directly after the weakest link:

Social engineering
- The art and science of getting people to comply with your wishes.
- Not a form of mind control
- Lots of groundwork
  - Information-gathering
  - Idle chit-chat
  - Amusing accents
- Most of the work is in preparation
Uh, isn’t that what selling is?
- To sell: create a spark
- Predict
  - What the eye will see
  - What the ear will hear
  - What the mind will think
- The highest form of selling:
  - In a way that the consumer is unaware she is being sold
Social engineering
- The art and science of getting people to comply with your wishes.
- Is the highest form of hacking
  - Can be very easy
  - Often yields largest rewards
- Natural human desire to help leaves us vulnerable
  - And can undermine all technical countermeasures
- Suave and sophisticated
  - Only amateurs ask for passwords
  - Build emotional bond—even trust
- Administrators
- Security personnel
- Any likely possessor of information
- Anyone with access is a potential risk
  - Electronic or physical
  - Includes people outside the policy
Types of exploits
- Diffusion of responsibility
  - “The veep says you won’t bear any responsibility…”
- Chance for ingratiation
  - “Look at what you might get out of this!”
- Trust relationships
  - “He’s a good guy, I think I can trust him”
- Moral duty
  - “You must help me! Aren’t you so mad about this?”
- Guilt
  - “What, you don’t want to help me?”
- Identification
  - “You and I are really two of a kind, huh?”
- Desire to be helpful
  - “Would you help me here, please?”
- Cooperation
  - “Let’s work together. We can do so much.”
Categories of exploits
- Direct request
  - Usually the least likely to succeed
- Contrived situation
  - Additional factors the target must consider
- Dressing the part
  - Service person, employee, carry clipboard
- Personal persuasion
  - Increase voluntary compliance
  - Make target believe he/she is in control
Involvement vs. influence

High involvement (sysadmins, infosec officers, technicians)
- Influenced by: strong arguments; compelling reasons for needing information
- Not influenced by: weak arguments (they invite counter-arguments and decrease likelihood of compliance)

Low involvement (receptionists, custodial workers, security guards)
- Influenced by: other information (urgency, number of reasons, status of requester)
- Not influenced by: the actual reasons (not relevant: they don’t care, and will ignore persuasive banter)
The help desk
- People are naturally helpful
- Its function is to help—to provide answers
  - Like all customer service
- Generally not trained to question the validity of each call
- Minimally educated about security
- Don’t get paid much
- Objective: move on to next call

You might have seen these
- “Cool pics attached”
- ILOVEYOU!
- Helpful dialog boxes
Tools And Techniques

So you wanna be a social engineer
- You need two things:
  - A telephone
  - A “mark”
- Public access terminals are good, too
- Other useful bits
  - ANI (caller ID) if planning a callback scam
  - Voice changer
  - Ability to think quickly
Fingering the mark
- Need collection of information tidbits to create sense of authenticity
- Obtain a list of employee and computer names
  - whois
  - finger
  - Domain registration records
  - Target organization’s own web site
  - Google, anyone?

Make a site visit
- Look good!—blend in
- Fake ID badge
- Observe typical entry/exit behavior
- Stride with confidence; pretend you belong
- Private offices are best
  - Computer connections
  - Posted lists and notes
- Ask low-level employees

Dumpster diving
- Memos
- Phone books
- Policy manuals
- Calendars
- System manuals
- Disks and tapes
- Organizational charts
- Printouts of names and passwords
- Printouts of source code
- Old discarded hardware
Building the picture
- Faking a phone rep could work…
- Try the written word: built-in trust
  - “You might already be a winner!”
  - “We value your opinion…”
  - Be official-looking mass mail
  - “We will need a password to verify…”
- Follow up with a phone call
  - Ask for the password and other data
  - Listen to speech pattern

Fingerprinting a system
- NMAP
- ICMP (Ofir Arkin’s paper)
- Telnet for banners
- Domain records and job web sites
- Portscanning
Mounting the attack
- You’ve got information on—
  - Your mark
  - The computer system
- Call organization’s help desk
  - Feign inability to log on
  - Can pass verification checks with info you’ve gathered
  - Prey on lack of social skills
    - “I’ve seen you at work…”
  - Be judicious—don’t ask for too much

Reverse social engineering
- Sabotage
  - Cause a problem on target’s network
- Advertising
  - Leave business card around
  - Incorporate contact info in error message
- Assistance
  - Fix the problem while obtaining info
  - Don’t forget to leave a back door or two…
Protecting Yourself

S.E. usually ignored
- S.E. viewed as attack against intelligence
  - No one wants to admit they were duped
- Technical people are proud of their knowledge
  - Often like to share
- Everyone is susceptible, given a sufficiently persuasive social engineer
A multi-level defense (level: defense)
- Foundational: policies
- Parameter: security awareness and education
- Fortress: resistance training
- Persistence: ongoing reminders
- Gotcha: social engineering land mines
- Offensive: incident response
Foundational: Policies
- Enables management to make statement about value of information to the business
- Provides legal foundation for personnel decisions
- Defines things people should (not) do
  - Lists penalties for violations
- Targets people who regularly respond to requests
  - Helps people feel as if only choice is to resist
- Be realistic
- Be regularly reviewed

Foundational: Policy elements
- Account setup and maintenance
- Password change policy
- Help desk procedures
- Access privileges
- Violations
- User IDs
- Privacy policy
- Paper documents
- Controlled access
- Information dissemination
- System hiding
Parameter: Security awareness
- Don’t allow trust to be exploited
- Know what has value
  - What to do if you suddenly lost all access?
- Friends aren’t always friends
  - Over-the-phone friendships lack trust
- Passwords are personal
  - And always undervalued
- Uniforms are cheap
- Mutually authenticate when your bank calls you!
Parameter: Signs of an attack
- Learn to recognize
  - Refusal by caller to give contact information
  - Rushing
  - Name-dropping
  - Intimidation
  - Misspellings
  - Odd questions
- Learn to say “no”
  - Needs backing of management

Parameter: User education
- Security management campaign
- Periodic refreshers
- Newsletters
- Group meetings
- Screensavers
- Signatures on acceptable use policies
- Shredders and bulk erasers
  - Updated erasers—old ones are too weak
  - Consider: the band saw
- Regular audits
Fortress: Resistance training
- Harden the people!
- Inoculation
  - Teach possible arguments and counter-arguments
- Forewarning
  - Both content and persuasive intent
  - Understand that attacker’s intent is criminal
- Reality check
  1. It’s out there
  2. It can happen to others
  3. It can happen to me—experiential

Resistance: Ongoing reminders
- Regular reminders to keep people aware
  - One training session won’t last forever
  - Police departments do this continually
- Be creative
  - Don’t become yet another source of noise to be ignored
Gotcha: Social engineering land mines
- Justified “know-it-all”
  - Who are you? I’m escorting you out
- Centralized security log
  - Helps defeat foot-in-the-door techniques
- Call-backs by policy
  - Defeats PBX trickery
- “Please hold” by policy
  - Time to consider and validate request
- Key questions
  - Three questions rule
  - Bogus question
Offensive: Incident response
- Well-defined process that—
  - Mitigates attackers’ activities
  - Alerts other potential victims
  - Notifies security personnel
- Who to notify?
  - Log monitors
  - Corporate security
- Regularly test and modify
Prevention strategies (area of risk, attacker tactic, combat strategy)

Help desk
- Attacker tactic: impersonation and persuasion
- Combat strategy: train employees to never give out passwords or other confidential info by phone

Building entrance
- Attacker tactic: unauthorized physical access
- Combat strategy: tight badge security, employee training, and security officers present

Office
- Attacker tactic: shoulder surfing
- Combat strategy: don’t type in passwords with anyone else present (or if you must, do it quickly!)

Help desk
- Attacker tactic: impersonation on help desk calls
- Combat strategy: all employees should be assigned a PIN specific to help desk support

Office
- Attacker tactic: wandering through halls looking for open offices
- Combat strategy: require all guests to be escorted

Mail room
- Attacker tactic: insertion of forged memos
- Combat strategy: lock and monitor mail room

Machine room/Phone closet
- Attacker tactic: attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data
- Combat strategy: keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment

Phone and PBX
- Attacker tactic: stealing phone toll access
- Combat strategy: control overseas and long-distance calls, trace calls, refuse transfers

Dumpsters
- Attacker tactic: dumpster diving
- Combat strategy: keep all trash in secured, monitored areas, shred important data, erase magnetic media

Intranet/internet
- Attacker tactic: creation and insertion of mock software on intranet or internet to snarf passwords
- Combat strategy: continual awareness of system and network changes, training on password use

Office
- Attacker tactic: stealing sensitive documents
- Combat strategy: mark documents as confidential and require them to be locked

General—psychological
- Attacker tactic: impersonation and persuasion
- Combat strategy: keep employees on their toes through continued awareness and training programs
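The help-desk controls scattered across the land-mines slide (centralized security log, call-backs by policy, “please hold” by policy, the three-questions rule with a bogus question), the help-desk PIN row of the table above and the cues on the “Signs of an attack” slide all fit into a single decision routine for a help-desk agent. The Python below is an added example written for this page; it is not code from the presentation or from Microsoft. The employee directory, the PINs, the signal weights and thresholds, and the “project code” bogus question are constructed assumptions.

```python
"""Help-desk request verification: an added worked example, not code from the
original presentation. Directory, PINs, weights, thresholds and the bogus
question are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac

# Constructed employee directory. The help desk calls back ONLY a number from
# here, never one the caller supplies ("call-backs by policy").
DIRECTORY = {
    "jdoe":   {"phone": "555-0100", "dept": "Finance",     "badge": "B-1042"},
    "asmith": {"phone": "555-0101", "dept": "Engineering", "badge": "B-2210"},
}

# Help-desk PINs stored as keyed hashes; key and PINs are constructed sample values.
PIN_KEY = b"constructed-help-desk-pin-key"

def pin_hash(pin: str) -> str:
    return hmac.new(PIN_KEY, pin.encode(), hashlib.sha256).hexdigest()

PIN_DB = {"jdoe": pin_hash("4821"), "asmith": pin_hash("9173")}

# Cues from the "Signs of an attack" slide, weighted by the pressure they put
# on the agent (weights are assumptions). Reaching ESCALATE_AT forces a hold
# and a hand-off to security instead of an answer on the live call.
SIGNAL_POINTS = {"refused_contact_info": 3, "rushing": 2, "name_dropping": 2,
                 "intimidation": 3, "odd_question": 2, "misspellings": 1}
ESCALATE_AT = 4
FOOT_IN_DOOR_WINDOW = timedelta(hours=24)
FOOT_IN_DOOR_LIMIT = 2   # approved items for one account before the next one escalates
# Answers that count as correctly rejecting the bogus question.
BOGUS_REJECTIONS = {"", "none", "no", "no such thing", "never heard of it"}

@dataclass
class Request:
    claimed_user: str
    item: str                        # what the caller wants, e.g. "password reset"
    pin: str
    answers: dict                    # answers to the three questions
    callback_number_given: str = ""  # number the caller asks us to use
    signals: list = field(default_factory=list)
    at: datetime = field(default_factory=datetime.now)

def risk_score(req: Request) -> int:
    return sum(SIGNAL_POINTS.get(s, 0) for s in req.signals)

def three_questions(req: Request) -> bool:
    """Two answers checked against the directory plus one bogus question about
    a project code that does not exist: a genuine employee rejects it, an
    impostor working from gathered tidbits tends to bluff an answer."""
    rec, ans = DIRECTORY[req.claimed_user], req.answers
    dept_ok = ans.get("dept", "").strip().lower() == rec["dept"].lower()
    badge_ok = ans.get("badge", "").strip().upper() == rec["badge"]
    bogus_ok = ans.get("project_code", "").strip().lower() in BOGUS_REJECTIONS
    return dept_ok and badge_ok and bogus_ok

def foot_in_the_door(req: Request, log: list) -> bool:
    """One shared log across all agents: several small approved requests for
    the same account within the window add up to one large request."""
    since = req.at - FOOT_IN_DOOR_WINDOW
    prior = [e for e in log if e["user"] == req.claimed_user
             and e["decision"] == "approve" and e["at"] >= since]
    return len(prior) >= FOOT_IN_DOOR_LIMIT

def handle(req: Request, log: list) -> dict:
    """Decide approve / deny / escalate, always writing to the central log."""
    reasons, decision = [], "approve"
    rec = DIRECTORY.get(req.claimed_user)
    if rec is None:
        decision, reasons = "deny", ["claimed user not in directory"]
    elif not hmac.compare_digest(pin_hash(req.pin), PIN_DB[req.claimed_user]):
        decision, reasons = "deny", ["help-desk PIN mismatch"]
    elif not three_questions(req):
        decision, reasons = "deny", ["three-questions check failed"]
    else:
        if req.callback_number_given and req.callback_number_given != rec["phone"]:
            reasons.append("caller-supplied number ignored; using directory number")
        if foot_in_the_door(req, log):
            decision = "escalate"; reasons.append("foot-in-the-door: repeated requests in window")
        if risk_score(req) >= ESCALATE_AT:
            decision = "escalate"; reasons.append(f"pressure signals scored {risk_score(req)}")
    log.append({"at": req.at, "user": req.claimed_user, "item": req.item,
                "decision": decision, "signals": list(req.signals), "reasons": reasons})
    result = {"decision": decision, "reasons": reasons}
    if decision != "deny":
        # "Please hold" by policy: nothing is released on the live call.
        result["next_step"] = f"place caller on hold, then call back {rec['phone']}"
    return result

def demo() -> list:
    """Three small requests for one account in one morning: the third escalates."""
    log, t0, decisions = [], datetime(2004, 6, 1, 9, 0), []
    ans = {"dept": "Engineering", "badge": "B-2210", "project_code": "none"}
    for i, item in enumerate(["phone extension", "manager name", "VPN address"]):
        req = Request("asmith", item, "9173", dict(ans), at=t0 + timedelta(hours=i))
        decisions.append(handle(req, log)["decision"])
    return decisions

if __name__ == "__main__":
    print(demo())   # ['approve', 'approve', 'escalate']
```

Two design points carry the slide’s argument: the number the caller offers is never dialled, only the directory entry is, so a spoofed caller ID or a PBX transfer trick buys nothing; and pressure or repetition produce an escalation rather than a refusal, so the agent never has to win an argument with a persistent caller, which is exactly the situation the “please hold” rule is meant to remove.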
Where to learn more?
- No MS Press titles or courseware available on social engineering
- Make your own page of links!
  - http://www.google.com/search?q=social+engineering
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Steve Riley
[email protected]
http://blogs.technet.com/steriley