SOCIAL ENGINEERING: THE ART OF HUMAN HACKING Tyler Leet, Director of Risk and Compliance Services


© Copyright 2014. Computer Services, Inc.

ABOUT ME

– 10+ years consulting experience related to InfoSec, risk and compliance

– Past life: network/security administrator

– Training and experience in vulnerability assessment and network penetration

– Hold the following certifications:

• Certified Information Systems Security Professional (CISSP)

• Certified Information Security Manager (CISM)

• Certified in Risk and Information Systems Control (CRISC)

• GIAC Certified Incident Handler (GCIH)

• GIAC Certified Penetration Tester (GPEN)

• GIAC Web Application Penetration Tester (GWAPT)

• EC-Council Certified Ethical Hacker (CEH)


TODAY’S AGENDA

• The Basics

• The Guidance

• The Scenario

• The Process

• Some Defenses


WHAT IS SOCIAL ENGINEERING?

The art of manipulating people into performing actions or divulging confidential information

THE TARGET


CORE METHODS

• Phishing

– Email

– IVR/Phone (Vishing)

– SMS Text Messages (Smishing)

• Baiting

• Pretexting

FFIEC

• June 6, 2013: Formation of a regulatory working group to improve coordination on critical infrastructure and cybersecurity issues

• October 2, 2013: Support of Cybersecurity Awareness Month

• October 7, 2013: Microsoft’s discontinuation of support for Windows XP

• April 10, 2014: OpenSSL “Heartbleed” Vulnerability

• April 2, 2014: Cyber-attacks on ATMs and card authorization systems and the continued DDoS threat

• May 7, 2014: Promotes cybersecurity preparedness for CFIs

• June 24, 2014: Announcement of cybersecurity web page

• September 26, 2014: Bash “ShellShock” Vulnerability

• November 3, 2014: Cybersecurity assessment observations

FFIEC GUIDANCE

“Criminals may begin the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (malware) onto the institution’s network.

Once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials.”

ONE “SCARY” RECOMMENDATION …

The guidance goes on to outline a number of risk management steps that the FFIEC expects financial institutions to take, as appropriate.

One in particular tends to be very scary to many institutions:

• Test incident response plans

– “Consider conducting an exercise at the financial institution that simulates this type of attack”

DECISIONS, DECISIONS

• Phishing for value – beyond link clicks and statistics

– Why should we “simulate an attack”?

– How far should we take it?


THE BENEFITS

• User Awareness

• Security of End-user Systems

• Defense Technologies

• Incident Response

• Exfiltration Protection

• Ability to Identify Persistence

EVALUATE · MEASURE · DEMONSTRATE

• Defense Capabilities

– Comparison of Susceptible Users

– Incident Response Times

• Impact

– Employee Paradigms

– Outcomes of an Attack

THE SCENARIO

• A determined attacker has set out to infiltrate your organization's infrastructure.

• After network reconnaissance, the attacker has determined that the best path to the internal network will be through a phishing attack, rather than by trying to "hack" the outside.

THE PROCESS

Reconnaissance → Reconnaissance → Reconnaissance → Reconnaissance → Attack

THE RECON

• Recon, Recon, Recon

• Domain name selection

• Domain name registration

• MX records

• Target validation

• Payload and pretext testing


THE PHISH


PHISH STATISTICS

Followed link: 27.3% | Provided creds: 4.5% | Ran the file: 4.5%

Followed link: 23.5% | Provided creds: 17.7% | Ran the file: 11.8%

Followed link: 37.0% | Provided creds: 29.0%

Followed link: 50.0% | Ran the file: 36.0%

Followed link: 73.0% | Provided creds: 60.0%

Followed link: 74.5% | Ran the file: 39.2%
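The rates on the statistics slide and the measures listed under EVALUATE · MEASURE · DEMONSTRATE (comparison of susceptible users, incident response times) can be derived from the event log of a simulated campaign. This is an added example, not code from the deck or from CSI; the event-record format, the user names and the timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed exercise log (not real data): (timestamp, user, event), where
# event is one of "sent", "clicked", "creds", "ran_file", "reported".
EVENTS = [
    ("2014-11-03T09:00:00", "alice", "sent"),
    ("2014-11-03T09:00:00", "bob", "sent"),
    ("2014-11-03T09:00:00", "carol", "sent"),
    ("2014-11-03T09:00:00", "dave", "sent"),
    ("2014-11-03T09:04:10", "bob", "clicked"),
    ("2014-11-03T09:05:30", "bob", "creds"),
    ("2014-11-03T09:07:00", "carol", "clicked"),
    ("2014-11-03T09:07:45", "carol", "ran_file"),
    ("2014-11-03T09:12:00", "alice", "reported"),
    ("2014-11-03T09:30:00", "dave", "clicked"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def campaign_metrics(events):
    """Susceptibility rates per outcome (followed link / provided creds /
    ran the file), the report rate, time to first user report, and the
    list of susceptible users to compare between exercises."""
    users = {u for _, u, e in events if e == "sent"}
    by_event = {}
    for _, u, e in events:
        by_event.setdefault(e, set()).add(u)

    def pct(e):  # percentage of targeted users who took the action
        return round(100.0 * len(by_event.get(e, set()) & users) / len(users), 1)

    sent_at = min(_ts(t) for t, _, e in events if e == "sent")
    reports = sorted(_ts(t) for t, _, e in events if e == "reported")
    first_click = min((_ts(t) for t, _, e in events if e == "clicked"), default=None)
    susceptible = (by_event.get("clicked", set()) | by_event.get("creds", set())
                   | by_event.get("ran_file", set())) & users
    return {
        "users": len(users),
        "followed_link_pct": pct("clicked"),
        "provided_creds_pct": pct("creds"),
        "ran_file_pct": pct("ran_file"),
        "reported_pct": pct("reported"),
        # incident-response measure: minutes from delivery to first report
        "minutes_to_first_report": (reports[0] - sent_at).total_seconds() / 60 if reports else None,
        "report_before_first_click": bool(reports) and (first_click is None or reports[0] < first_click),
        "susceptible_users": sorted(susceptible),
    }
```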

DEFENSES

• Intelligence Leakage

• Spam/Proxy Filtering

• SMTP Configuration

• Malicious Code Prevention

• Incident Response

• Ingress/Egress Filtering

• User Awareness & Training

• Data Loss Prevention/Protection

• Patch Management & System Hardening

SOLUTIONS

VULNERABILITY ASSESSMENT

SOCIAL ENGINEERING

PENETRATION TESTING (INTERNAL / EXTERNAL)

QUESTIONS?

THANK YOU! PLEASE CONTACT ME WITH ANY QUESTIONS

Tyler Leet, Director of Risk and Compliance Services, CSI

[email protected]

(888) 494-8449, ext. 17204