Defending Layer 8: How to recognize and combat social engineering
Steve Riley, Senior Security Strategist, Security Technology Unit
email@example.com
http://blogs.technet.com/steriley
When was the last time you heard about social engineering? Or physical security, even?
The problem
- People spend a fortune on technology and are still vulnerable to old-fashioned manipulation!
Don't believe me?
- Hired pen test example: physical and electronic
- Help desk example: Betty is a bit too helpful
- Get a credit card number easily: call a friend at a cross-town store
- No SecurID? No problem! Show me yours
Try it yourself!
- Be professional. Be calm.
- Know your mark.
- Do not fool a superior scammer.
- Plan your escape from your scam.
- Be a woman.
- Use watermarks.
- Make business cards and fake names.
- Manipulate the less fortunate, the unaware, and the stupid.
- Use a team if you have to.
Exploits layer 8
- There is no computer system on Earth that does not rely on humans
- S.E. completely bypasses all information controls and goes directly after the weakest link: the people
Social engineering
- The art and science of getting people to comply with your wishes
- Not a form of mind control
- Lots of groundwork: information gathering, idle chit-chat, amusing accents
- Most of the work is in preparation
Uh, isn't that what selling is?
- To sell: create a spark
- Predict what the eye will see, what the ear will hear, what the mind will think
- The highest form of selling: in a way that the consumer is unaware she is being sold
Social engineering
- The art and science of getting people to comply with your wishes
- Is the highest form of hacking
- Can be very easy
- Often yields the largest rewards
- The natural human desire to help leaves us vulnerable
- And can undermine all technical countermeasures
Suave and sophisticated
- Only amateurs ask for passwords
- Build an emotional bond, even trust, with administrators, security personnel, any likely possessor of information
- Anyone with access is a potential risk: electronic or physical; includes people outside the policy
Types of exploits
- Diffusion of responsibility: "The veep says you won't bear any responsibility"
- Chance for ingratiation: "Look at what you might get out of this!"
- Trust relationships: "He's a good guy, I think I can trust him"
- Moral duty: "You must help me! Aren't you so mad about this?"
Types of exploits
- Guilt: "What, you don't want to help me?"
- Identification: "You and I are really two of a kind, huh?"
- Desire to be helpful: "Would you help me here, please?"
- Cooperation: "Let's work together. We can do so much."
More psychological triggers
- Strong affect
- Overloading
- Reciprocation
- Deceptive relationships
- Authority
- Integrity and consistency
Categories of exploits
- Direct request: usually the least likely to succeed
- Contrived situation: additional factors the target must consider
- Dressing the part: service person, employee, carry a clipboard
- Personal persuasion: increase voluntary compliance; make the target believe he/she is in control
Involvement vs. influence
- High involvement (sysadmins, infosec officers, technicians)
  - Influenced by: strong arguments; compelling reasons for needing the information
  - Not influenced by: weak arguments (they invite counter-arguments and decrease the likelihood of compliance)
- Low involvement (receptionists, custodial workers, security guards)
  - Influenced by: other information: urgency, number of reasons, status of the requester
  - Not influenced by: the actual reasons (not relevant: they don't care and will ignore persuasive banter)
The help desk
- People are naturally helpful
- Its function is to help: to provide answers, like all customer service
- Generally not trained to question the validity of each call
- Minimally educated about security
- Don't get paid much
- Objective: move on to the next call
You might have seen these
- "Cool pics" attached
- ILOVEYOU!
- "Helpful" dialog boxes
Tools and techniques
So you wanna be a social engineer
- You need two things: a telephone and a mark
- Public access terminals are good, too
Other useful bits
- ANI (caller ID) if planning a callback scam
- Voice changer
- Ability to think quickly
Fingering the mark
- Need a collection of information tidbits to create a sense of authenticity
- Obtain a list of employee and computer names: whois, finger
- Domain registration records
- Target organization's own web site
- Google, anyone?
Make a site visit
- Look good! Blend in; fake ID badge
- Observe typical entry/exit behavior
- Stride with confidence; pretend you belong
- Private offices are best: computer connections, posted lists and notes
- Ask low-level employees
Dumpster diving
- Memos
- Phone books
- Policy manuals
- Calendars
- System manuals
- Disks and tapes
- Organizational charts
- Printouts of names and passwords
- Printouts of source code
- Old discarded hardware
Building the picture
- Faking a phone rep could work
- Try the written word: built-in trust
  - "You might already be a winner!"
  - "We value your opinion"
  - Be official-looking: mass mail; "We will need a password to verify"
- Follow up with a phone call: ask for the password and other data; listen to the speech pattern
Fingerprinting a system
- NMAP
- ICMP (Ofir Arkin's paper)
- Telnet for banners
- Domain records and job web sites
- Port scanning
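The "telnet for banners" step above, done in code. This is an added example, not from the original slides: it connects to a port, sends a probe where the service expects the client to speak first (HTTP), reads whatever the server volunteers, and maps the greeting to a service and product string. The localhost listener, the banners and the host name mail.example.test are constructed fixtures so the script runs offline; the regexes cover only a handful of common greeting formats and are an assumption of this example, not an exhaustive catalogue.

```python
"""Banner grabbing as a fingerprinting step ("telnet for banners", scripted).

Added example, not from the original slides. serve_banner() and the banners
in __main__ are constructed fixtures; point grab_banner() only at hosts you
are authorized to test.
"""
import re
import socket
import threading

# (service, pattern) tried in order; named groups become fields of the result.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>\S+)")),
    ("smtp", re.compile(r"^220[ -](?P<host>\S+) ESMTP (?P<product>[^;\r\n]+)")),
    ("ftp", re.compile(r"^220[ -](?P<product>[^\r\n]*FTP[^\r\n]*)", re.I)),
    # HTTP only answers after a request; the Server header may follow other headers.
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<product>[^\r\n]+)", re.I | re.S)),
]

HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def classify_banner(banner: str) -> dict:
    """Map a raw banner to {'service': ..., 'product': ..., ...}; unknown banners keep their raw text."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            info = {"service": service}
            info.update({k: v.strip() for k, v in m.groupdict().items() if v})
            return info
    return {"service": "unknown", "raw": banner.strip()[:80]}


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe, and return what the server volunteers (at most 1 KiB)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < 1024:
                data = s.recv(1024)
                if not data:  # peer closed the connection
                    break
                chunks.append(data)
                if not probe and b"\n" in data:  # greeting banners are one line; don't wait for the timeout
                    break
        except socket.timeout:
            pass  # whatever arrived before the timeout is the banner (possibly nothing)
    return b"".join(chunks).decode("latin-1")


def fingerprint(host: str, ports: dict) -> dict:
    """ports maps port -> probe bytes (b'' for services that greet first). Returns port -> classification."""
    results = {}
    for port, probe in ports.items():
        try:
            results[port] = classify_banner(grab_banner(host, port, probe))
        except OSError as exc:  # refused, unreachable, reset
            results[port] = {"service": "closed", "error": str(exc)}
    return results


def serve_banner(banner: bytes, wait_for_probe: bool = False) -> int:
    """Throwaway localhost listener (constructed test fixture) that speaks `banner` once; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_probe:
                conn.recv(1024)  # behave like HTTP: say nothing until asked
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners in the style of servers of the era; fixtures, not observations.
    ssh_port = serve_banner(b"SSH-1.99-OpenSSH_3.4p1\r\n")
    smtp_port = serve_banner(b"220 mail.example.test ESMTP Sendmail 8.12.9/8.12.9; Tue, 2 Mar 2004 10:00:00 -0800\r\n")
    http_port = serve_banner(b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n\r\n", wait_for_probe=True)
    for port, info in fingerprint("127.0.0.1", {ssh_port: b"", smtp_port: b"", http_port: HTTP_PROBE}).items():
        print(port, info)
```

The product strings this returns are exactly what the attacker pairs with a job posting or domain record to sound like an insider on the phone; the defensive reading of the same script is to run it against your own perimeter and see what your servers announce unprompted.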
Mounting the attack
- You've got information on your mark and on the computer system
- Call the organization's help desk; feign inability to log on
- Can pass verification checks with the info you've gathered
- Prey on lack of social skills: "I've seen you at work"
- Be judicious: don't ask for too much
Reverse social engineering
- Sabotage: cause a problem on the target's network
- Advertising: leave business cards around; incorporate contact info in an error message
- Assistance: fix the problem while obtaining info; don't forget to leave a back door or two
S.E. usually ignored
- S.E. is viewed as an attack against intelligence: no one wants to admit they were duped
- Technical people are proud of their knowledge and often like to share
- Everyone is susceptible, given a sufficiently persuasive social engineer
A multi-level defense (level: defense)
- Foundational: policies
- Parameter: security awareness and education
- Fortress: resistance training
- Persistence: ongoing reminders
- Gotcha: social engineering land mines
- Offensive: incident response
Foundational: Policies
- Enable management to make a statement about the value of information to the business
- Provide a legal foundation for personnel decisions
- Define things people should (not) do
- List penalties for violations
- Target people who regularly respond to requests
- Help people feel as if their only choice is to resist
- Be realistic
- Be regularly reviewed
Parameter: Security awareness
- Don't allow trust to be exploited
- Know what has value: what would you do if you suddenly lost all access?
- Friends aren't always friends: over-the-phone friendships lack trust
- Passwords are personal, and always undervalued
- Uniforms are cheap
- Mutually authenticate when your bank calls you!
Parameter: Signs of an attack
- Learn to recognize: refusal by the caller to give contact information; rushing; name-dropping; intimidation; misspellings; odd questions
- Learn to say no: needs the backing of management
Parameter: User education
- Security management campaign
- Periodic refreshers: newsletters, group meetings, screensavers
- Signatures on acceptable use policies
- Shredders and bulk erasers: updated erasers, since old ones are too weak; consider the band saw
- Regular audits
Fortress: Resistance training
- Harden the people!
- Inoculation: teach possible arguments and counter-arguments
- Forewarning: both content and persuasive intent; understand that the attacker's intent is criminal
- Reality check: it's out there; it can happen to others; it can happen to me (experiential)
Persistence: Ongoing reminders
- Regular reminders to keep people aware; one training session won't last forever
- Police departments do this continually
- Be creative: don't become yet another source of noise to be ignored
Gotcha: Social engineering land mines
- Justified know-it-all: "Who are you? I'm escorting you out"
- Centralized security log: helps defeat foot-in-the-door techniques
- Call-backs by policy: defeats PBX trickery
- "Please hold" by policy: time to consider and validate the request
- Key questions: the three-questions rule; the bogus question
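Why the centralized log is a land mine, as an added example that is not part of the original slides. A foot-in-the-door caller never asks one agent for much: an extension from Betty, a manager's name from a second agent, a remote-access account from a third, a password reset from the third again once rapport is built. Each agent logged one harmless ticket. The script below correlates the tickets by caller across agents and time, and counts how often the caller declined a call-back number, which ties in the call-back policy on the same slide. The log line format, the agent and caller names and the sample LOG are constructed for this example; a real help-desk system would export something different and the parser would change accordingly.

```python
"""Correlating help-desk tickets across agents to expose foot-in-the-door requests.

Added example, not from the original slides. The log format, names and the
LOG sample are constructed; SENSITIVE lists the request types this example
treats as worth correlating.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) agent=(?P<agent>\S+) caller="(?P<caller>[^"]+)" '
    r'request=(?P<request>\S+) callback=(?P<callback>\S+)$'
)

# Individually low-value requests that add up to a compromise.
SENSITIVE = {"confirm_extension", "manager_name", "reset_password", "add_remote_access"}

# Constructed sample: three agents; one caller works all of them within 40 minutes.
LOG = """\
2004-03-02T09:58:00 agent=betty caller="Dan Ross" request=confirm_extension callback=given
2004-03-02T10:05:00 agent=betty caller="Jane Liu" request=reset_password callback=given
2004-03-02T10:12:00 agent=carlos caller="Dan Ross" request=manager_name callback=declined
2004-03-02T10:31:00 agent=priya caller="dan ross" request=add_remote_access callback=declined
2004-03-02T10:35:00 agent=priya caller="Dan Ross" request=reset_password callback=declined
2004-03-02T14:20:00 agent=carlos caller="Jane Liu" request=confirm_extension callback=given
garbage line that the parser must skip
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that don't match the format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_foot_in_the_door(events, window=timedelta(hours=1), min_requests=3, min_agents=2) -> list:
    """One alert per caller who made >= min_requests sensitive requests to >= min_agents different
    agents inside some span no longer than `window`. Caller names are case-folded so that
    "dan ross" and "Dan Ross" are the same person; the widest qualifying span is reported."""
    by_caller = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["request"] in SENSITIVE:
            by_caller[ev["caller"].lower()].append(ev)

    alerts = []
    for evs in by_caller.values():
        best, start = [], 0
        for end in range(len(evs)):  # sliding window over this caller's requests, oldest first
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            agents = {e["agent"] for e in span}
            if len(span) >= min_requests and len(agents) >= min_agents and len(span) > len(best):
                best = span
        if best:
            alerts.append({
                "caller": best[0]["caller"],
                "agents": sorted({e["agent"] for e in best}),
                "requests": [e["request"] for e in best],
                "callbacks_declined": sum(e["callback"] == "declined" for e in best),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_foot_in_the_door(parse_log(LOG)):
        print(alert)
```

With the sample log, Jane Liu's two requests are hours apart and never alert, while Dan Ross trips the rule on his third request and the report shows all four, spread over three agents, with three declined call-backs. Tuning the window, the request count and the agent count is where the false-positive trade-off lives: a genuine new hire may also call twice in an hour, but rarely declines a call-back.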
Offensive: Incident response
- A well-defined process that mitigates the attacker's activities
- Alert other potential victims
- Notify security personnel