Social Engineering Training


Social Engineering Training. Why Social Engineering Training?. The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments of DOE laboratories. The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008. - PowerPoint PPT Presentation


Page 1: Social Engineering Training

Page 2: Social Engineering Training

Why Social Engineering Training?

The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments of DOE laboratories.

The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008.

They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office.

This training class was developed to provide the tools required to identify, detect and deter advanced Social Engineering attempts.

Page 3: Social Engineering Training

Definition

What is social engineering?

Art of manipulating people into performing actions or divulging confidential information.

Using trickery to gather information or computer system access.

In most cases the attacker never comes face-to-face with the victim.

Page 4: Social Engineering Training

What motivates social engineering?

Obtaining personal information for profit.

Gaining unauthorized access to an organization.

Circumventing established procedures.

Just because they can.

Page 5: Social Engineering Training

Techniques

Pretexting
Phishing [1]
Trojan Horse [1]
Baiting [1,2]

[1] The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office.

[2] The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.

Page 6: Social Engineering Training

Pretexting

Description

Create and use an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, typically over the telephone.

Phone Calls

Claim a need to perform a service. Ask for information about the organization (e.g. reporters, prospective students). Claim to be calling for a friend or family member who needs access to something.

Prevention

Be polite. Ask for a number to call them back; this may allow tracing later. Ask a question for which the answer is not publicly available.

Page 7: Social Engineering Training

Phishing

Description

The attacker sends an e-mail that appears to come from a legitimate business (bank, credit card company) requesting “verification” of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate and may include company logos and content.

Types of e-mail

Standard spam (Viagra, off-shore lottery, etc.): easy to spot and avoid.

E-mail claiming to be from DOE, ISU or a bank, requiring a quick response and personal information.

Unsolicited CVs, requests for feedback on proposals, requests for proposals.

Page 8: Social Engineering Training

Phishing

Prevention

Examine e-mail headers: http://www.internal.ameslab.gov/is/desktopprocedures/FAQ/email-analysis.html

Verify the sender prior to opening attachments or clicking on web links: call the sender, or contact an associate or representative of the sender, if known.

Instead of clicking on e-mail web links, copy and paste them into a browser.

Forward suspicious e-mail to [email protected] for verification.
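The header and link checks that slides 8 to 10 recommend, worked through in Python as an added example (not part of the Ames Laboratory course); the message, its addresses and its domains are constructed placeholders, and the checks assume the From: domain is the one the message claims to come from:

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample (placeholder domains): the envelope sender, the Reply-To
# and the link target all point away from the domain the From: line claims.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.lab.example; Mon, 3 Mar 2008 09:12:00 -0600
Received: from [198.51.100.7] by relay.example.net; Mon, 3 Mar 2008 09:11:30 -0600
From: "Example Bank Security" <security@examplebank.com>
Reply-To: verify@examplebank-secure.net
Content-Type: text/html; charset="us-ascii"

<p>Your account will be locked. Verify now:
<a href="http://examplebank.com.verify-login.net/acct">https://www.examplebank.com/verify</a></p>
"""

def addr_domain(value):
    """Domain of the first e-mail address in a header value (None if absent)."""
    m = re.search(r'[\w.+-]+@([\w.-]+)', value or '')
    return m.group(1).lower() if m else None

def link_mismatches(html):
    """(shown host, real host) pairs where the visible URL and the href differ."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        shown = urlparse(text.strip()).hostname if '://' in text else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            out.append((shown, real))
    return out

def received_chain(raw):
    """Received headers oldest first, i.e. the path the message actually took."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return list(reversed(msg.get_all('Received', [])))

def triage(raw):
    """Findings for one raw message; an empty list means nothing looked off."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = addr_domain(msg['From'])
    for hdr in ('Return-Path', 'Reply-To'):
        dom = addr_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f'{hdr} domain {dom} differs from From domain {from_dom}')
    body = msg.get_body(preferencelist=('html',))
    for shown, real in link_mismatches(body.get_content() if body else ''):
        findings.append(f'link text shows {shown} but points to {real}')
    return findings
```

Running `triage(SAMPLE_EML)` on the constructed message reports the Return-Path and Reply-To domains that differ from the From: domain and the link whose visible text does not match its target.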

Page 9: Social Engineering Training

Phishing – Email Links

Page 10: Social Engineering Training

Phishing - Email Headers

Page 11: Social Engineering Training

Trojan Horse

Description

The “e-mail virus” arrives as an e-mail attachment promising anything from a “cool” screen saver or an important anti-virus or system upgrade to the latest gossip about a celebrity.

Page 12: Social Engineering Training

Baiting

Description

The attacker leaves a malware-infected CD-ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.

The attacker may also send the infected device via “snail” mail.

Page 13: Social Engineering Training

Baiting

Types of mail

Unsolicited CDs/DVDs: claim to provide training or information but really install malware.

Unsolicited thumb drives.

“Lost” CDs, thumb drives, other media.

Prevention

Verify unexpected mailings with the sender. Never put anything into your computer if you don’t know where it’s been. Bring “lost” items to IS for examination. If unsure, ask the IS office.

Page 14: Social Engineering Training

Tools used by Social Engineers

Any publicly available information: postings on public web pages, phone book information, professional information.

Personal and professional relationships: association with ISU, association with DOE, conferences and collaborations in the field of expertise.

Page 15: Social Engineering Training

Quick Tests

Which of these emails is legitimate? Which is fake?

Page 16: Social Engineering Training

Quick Tests

Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack?

Can you think of an unsolicited e-mail, phone call, or snail-mail attack which would be impossible to verify or handle safely?

Page 17: Social Engineering Training

How to avoid Social Engineering tactics

Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

Be certain of a person’s authority to have the information before providing personal information or information about your organization, including its structure or networks.

Page 18: Social Engineering Training

How to avoid Social Engineering Tactics (Cont)

Never reveal personal or financial information in email or respond to email solicitations for this information. This includes following links sent in an email.

Check a website’s security before sending sensitive information over the internet.

Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
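A check for the URL variations this slide warns about (spelling variations, a different top-level domain, or the real name buried inside another domain), added here as an example that is not from the course; the expected domain examplebank.com and the classified URLs are placeholders, and the "registrable domain" is approximated as the last two labels rather than looked up in a public-suffix list:

```python
from urllib.parse import urlparse

def registrable(host):
    """Naive registrable domain: the last two labels (an assumption; no public-suffix list)."""
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:])

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url, expected):
    """Compare the URL's host with the domain the message claims to be from.

    Returns 'match', 'tld-swap' (.com vs .net), 'lookalike' (spelling variation),
    'embedded' (expected name buried in another domain) or 'unrelated'.
    """
    host = (urlparse(url).hostname or '').lower()
    exp = expected.lower()
    if '.' not in host or '.' not in exp:
        return 'unrelated'
    reg = registrable(host)
    if reg == exp:
        return 'match'                 # examplebank.com, www.examplebank.com
    exp_label, exp_tld = exp.rsplit('.', 1)
    reg_label, reg_tld = reg.rsplit('.', 1)
    if reg_label == exp_label and reg_tld != exp_tld:
        return 'tld-swap'              # examplebank.net
    if edit_distance(reg_label, exp_label) <= 2:
        return 'lookalike'             # exanplebank.com, examp1ebank.com
    if exp_label in host:
        return 'embedded'              # examplebank.com.verify-login.net
    return 'unrelated'

def suspicious_links(urls, expected):
    """Every (url, verdict) pair that is not a plain match, in the order given."""
    out = []
    for u in urls:
        kind = classify_url(u, expected)
        if kind != 'match':
            out.append((u, kind))
    return out
```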

Page 19: Social Engineering Training

How to avoid Social Engineering Tactics (Cont)

If you are unsure whether an email request is legitimate, try to verify it by contacting the company or person directly. Check previous statements for contact information rather than using contact information provided on a web site connected to the request or in an email sent to you.

Install and maintain anti-virus software, firewalls, and email filters to reduce unwanted traffic.

Page 20: Social Engineering Training

How to report Social Engineering

If Social Engineering techniques are attempted while at work, or if you believe you might have revealed sensitive information about the Ames Laboratory, report it to the IS office at: Phone: 4-8348, Email: [email protected]

This will alert us to any suspicious or unusual activity.

Page 21: Social Engineering Training

Certificate of Completion

This certifies the individual listed below has successfully completed the course entitled

Social Engineering Training

Prepared by the Ames Laboratory Information Systems Office

Employee Name Employee # Date