Defending Layer 8 How to recognize and combat social engineering Steve Riley Senior Security Strategist Security Technology Unit steve.riley@microsoft.com


  • Slide 1: Defending Layer 8: How to recognize and combat social engineering
    - Steve Riley, Senior Security Strategist, Security Technology Unit
    - steve.riley@microsoft.com
    - http://blogs.technet.com/steriley
  • Slide 2: When was the last time you heard about social engineering? Or physical security, even?
  • Slide 3: The problem
    - People spend a fortune on technology and are still vulnerable to old-fashioned manipulation!
  • Slide 4: Don't believe me?
    - Hired pen test example: physical and electronic
    - Help desk example: Betty is a bit too helpful
    - Get a credit card number easily: call a friend at the cross-town store
    - No SecurID? No problem! Show me yours
  • Slide 5: Try it yourself!
    - Be professional. Be calm.
    - Know your mark.
    - Do not fool a superior scammer.
    - Plan your escape from your scam.
    - Be a woman.
    - Use watermarks.
    - Make business cards and fake names.
    - Manipulate the less fortunate, the unaware, and the stupid.
    - Use a team if you have to.
  • Slide 6: Exploits layer 8
    - There is no computer system on Earth that does not rely on humans
    - S.E. completely bypasses all information controls and goes directly after the weakest link
  • Slide 7: Social engineering: the art and science of getting people to comply with your wishes
    - Not a form of mind control
    - Lots of groundwork: information-gathering, idle chit-chat, amusing accents
    - Most of the work is in preparation
  • Slide 8: Uh, isn't that what selling is?
    - To sell: create a spark
    - Predict what the eye will see, what the ear will hear, what the mind will think
    - The highest form of selling: in a way that the consumer is unaware she is being sold
  • Slide 9: Social engineering: the art and science of getting people to comply with your wishes
    - Is the highest form of hacking
    - Can be very easy
    - Often yields the largest rewards
    - Natural human desire to help leaves us vulnerable
    - And can undermine all technical countermeasures
  • Slide 10: Suave and sophisticated
    - Only amateurs ask for passwords
    - Build an emotional bond, even trust: administrators, security personnel, any likely possessor of information
    - Anyone with access is a potential risk: electronic or physical; includes people outside the policy
  • Slide 11: Types of exploits
    - Diffusion of responsibility: "The veep says you won't bear any responsibility"
    - Chance for ingratiation: "Look at what you might get out of this!"
    - Trust relationships: "He's a good guy, I think I can trust him"
    - Moral duty: "You must help me! Aren't you so mad about this?"
  • Slide 12: Types of exploits
    - Guilt: "What, you don't want to help me?"
    - Identification: "You and I are really two of a kind, huh?"
    - Desire to be helpful: "Would you help me here, please?"
    - Cooperation: "Let's work together. We can do so much."
  • Slide 13: More psychological triggers
    - Strong affect
    - Overloading
    - Reciprocation
    - Deceptive relationships
    - Authority
    - Integrity and consistency
  • Slide 14: Categories of exploits
    - Direct request: usually the least likely to succeed
    - Contrived situation: additional factors the target must consider
    - Dressing the part: service person, employee, carry a clipboard
    - Personal persuasion: increase voluntary compliance; make the target believe he/she is in control
  • Slide 15: Involvement vs. influence
    - High involvement (sysadmins, infosec officers, technicians)
      - Influenced by: strong arguments, compelling reasons for needing the information
      - Not influenced by: weak arguments, which invite counter-arguments and decrease the likelihood of compliance
    - Low involvement (receptionists, custodial workers, security guards)
      - Influenced by: other information, such as urgency, number of reasons, status of the requester
      - Not influenced by: the actual reasons (not relevant; they don't care and will ignore persuasive banter)
  • Slide 16: The help desk
    - People are naturally helpful
    - Its function is to help, to provide answers
    - Like all customer service: generally not trained to question the validity of each call; minimally educated about security; don't get paid much; objective is to move on to the next call
  • Slide 17: You might have seen these
    - "Cool pics attached"
    - ILOVEYOU!
    - Helpful dialog boxes
  • Slide 18: Tools and Techniques
  • Slide 19: So you wanna be a social engineer
    - You need two things: a telephone and a mark
    - Public access terminals are good, too
  • Slide 20: Other useful bits
    - ANI (caller ID), if planning a callback scam
    - Voice changer
    - Ability to think quickly
  • Slide 21: Fingering the mark
    - Need a collection of information tidbits to create a sense of authenticity
    - Obtain a list of employee and computer names: whois, finger
    - Domain registration records
    - Target organization's own web site
    - Google, anyone?
  • Slide 22: Make a site visit
    - Look good! Blend in
    - Fake ID badge
    - Observe typical entry/exit behavior
    - Stride with confidence; pretend you belong
    - Private offices are best: computer connections, posted lists and notes
    - Ask low-level employees
  • Slide 23: Dumpster diving
    - Memos
    - Phone books
    - Policy manuals
    - Calendars
    - System manuals
    - Disks and tapes
    - Organizational charts
    - Printouts of names and passwords
    - Printouts of source code
    - Old discarded hardware
  • Slide 24: Building the picture
    - Faking a phone rep could work
    - Try the written word, which carries built-in trust: "You might already be a winner!", "We value your opinion"
    - Be official-looking mass mail: "We will need a password to verify"
    - Follow up with a phone call: ask for the password and other data; listen to the speech pattern
  • Slide 25: Fingerprinting a system
    - NMAP
    - ICMP (Ofir Arkin's paper)
    - Telnet for banners
    - Domain records and job web sites
    - Portscanning
  • Slide 26: Mounting the attack
    - You've got information on your mark and on the computer system
    - Call the organization's help desk: feign inability to log on; can pass verification checks with the info you've gathered
    - Prey on lack of social skills: "I've seen you at work"
    - Be judicious; don't ask for too much
  • Slide 27: Reverse social engineering
    - Sabotage: cause a problem on the target's network
    - Advertising: leave a business card around; incorporate contact info in an error message
    - Assistance: fix the problem while obtaining info; don't forget to leave a back door or two
  • Slide 28: Protecting Yourself
  • Slide 29: S.E. usually ignored
    - S.E. viewed as an attack against intelligence
    - No one wants to admit they were duped
    - Technical people are proud of their knowledge and often like to share
    - Everyone is susceptible, given a sufficiently persuasive social engineer
  • Slide 30: A multi-level defense (level: defense)
    - Foundational: policies
    - Parameter: security awareness and education
    - Fortress: resistance training
    - Persistence: ongoing reminders
    - Gotcha: social engineering land mines
    - Offensive: incident response
  • Slide 31: Foundational: Policies
    - Enable management to make a statement about the value of information to the business
    - Provide a legal foundation for personnel decisions
    - Define things people should (not) do
    - List penalties for violations
    - Target people who regularly respond to requests
    - Help people feel as if the only choice is to resist
    - Be realistic
    - Be regularly reviewed
  • Slide 32: Foundational: Policy elements
    - Account setup and maintenance
    - Password change policy
    - Help desk procedures
    - Access privileges
    - Violations
    - User IDs
    - Privacy policy
    - Paper documents
    - Controlled access
    - Information dissemination
    - System hiding
  • Slide 33: Parameter: Security awareness
    - Don't allow trust to be exploited
    - Know what has value: what would you do if you suddenly lost all access?
    - Friends aren't always friends: over-the-phone friendships lack trust
    - Passwords are personal, and always undervalued
    - Uniforms are cheap
    - Mutually authenticate when your bank calls you!
  • Slide 34: Parameter: Signs of an attack
    - Learn to recognize: refusal by the caller to give contact information; rushing; name-dropping; intimidation; misspellings; odd questions
    - Learn to say no: needs the backing of management
  • Slide 35: Parameter: User education
    - Security management campaign: periodic refreshers, newsletters, group meetings, screensavers
    - Signatures on acceptable use policies
    - Shredders and bulk erasers: updated erasers (old ones are too weak); consider the band saw
    - Regular audits
  • Slide 36: Fortress: Resistance training
    - Harden the people!
    - Inoculation: teach possible arguments and counter-arguments
    - Forewarning: both content and persuasive intent; understand that the attacker's intent is criminal
    - Reality check: it's out there; it can happen to others; it can happen to me (experiential)
  • Slide 37: Resistance: Ongoing reminders
    - Regular reminders to keep people aware
    - One training session won't last forever
    - Police departments do this continually
    - Be creative: don't become yet another source of noise to be ignored
  • Slide 38: Gotcha: Social engineering land mines
    - Justified know-it-all: "Who are you? I'm escorting you out"
    - Centralized security log: helps defeat foot-in-the-door techniques
    - Call-backs by policy: defeats PBX trickery
    - "Please hold" by policy: time to consider and validate the request
    - Key questions: three questions rule; bogus question
  • Slide 39: Offensive: Incident response
    - A well-defined process that mitigates the attacker's activities, alerts other potential victims, and notifies security personnel
