Transcript
Page 1: Defending Layer 8 How to recognize and combat social engineering Steve Riley Senior Security Strategist Security Technology Unit steve.riley@microsoft.com

http://blogs.technet.com/steriley

Page 2: When was the last time you…

- Heard about social engineering?
- Or physical security even?

Page 3: The problem

People spend a fortune on technology and are still vulnerable to old-fashioned manipulation!

Page 4: Don’t believe me?

- Hired pen test example
  - Physical and electronic
- Help desk example
  - Betty is a bit too helpful
- Get a credit card number easily
  - Call “friend” at cross-town store
- No SecurID? No problem!
  - Show me yours

Page 5: Try it yourself!

1. Be professional.
2. Be calm.
3. Know your mark.
4. Do not fool a superior scammer.
5. Plan your escape from your scam.
6. Be a woman.
7. Use watermarks.
8. Make business cards and fake names.
9. Manipulate the less fortunate, the unaware, and the stupid.
10. Use a team if you have to.

Page 6: Exploits “layer 8”

- There is no computer system on Earth that does not rely on humans
- S.E. completely bypasses all information controls and goes directly after the weakest link

Page 7: Social engineering

The art and science of getting people to comply with your wishes.

- Not a form of mind control
- Lots of groundwork
  - Information gathering
  - Idle chit-chat
  - Amusing accents
- Most of the work is in preparation

Page 8: Uh, isn’t that what selling is?

- To sell: create a spark
- Predict
  - What the eye will see
  - What the ear will hear
  - What the mind will think
- The highest form of selling: in a way that the consumer is unaware she is being sold

Page 9: Social engineering

The art and science of getting people to comply with your wishes.

- Is the highest form of hacking
- Can be very easy
- Often yields the largest rewards
- Natural human desire to help leaves us vulnerable
  - And can undermine all technical countermeasures

Page 10: Suave and sophisticated

- Only amateurs ask for passwords
- Build emotional bond—even trust
  - Administrators
  - Security personnel
  - Any likely possessor of information
- Anyone with access is a potential risk
  - Electronic or physical
  - Includes people outside the policy

Page 11: Types of exploits

- Diffusion of responsibility
  - “The veep says you won’t bear any responsibility…”
- Chance for ingratiation
  - “Look at what you might get out of this!”
- Trust relationships
  - “He’s a good guy, I think I can trust him”
- Moral duty
  - “You must help me! Aren’t you so mad about this?”

Page 12: Types of exploits (continued)

- Guilt
  - “What, you don’t want to help me?”
- Identification
  - “You and I are really two of a kind, huh?”
- Desire to be helpful
  - “Would you help me here, please?”
- Cooperation
  - “Let’s work together. We can do so much.”

Page 13: Categories of exploits

- Direct request
  - Usually the least likely to succeed
- Contrived situation
  - Additional factors the target must consider
- Dressing the part
  - Service person, employee, carry clipboard
- Personal persuasion
  - Increase voluntary compliance
  - Make target believe he/she is in control

Page 14: Involvement vs. influence

| Involvement | Who | Influenced by | Not influenced by |
|---|---|---|---|
| High | Sysadmins, infosec officers, technicians | Strong arguments: compelling reasons for needing information | Weak arguments: invite counter-arguments, decrease likelihood of compliance |
| Low | Receptionists, custodial workers, security guards | Other information: urgency, number of reasons, status of requester | The actual reasons: not relevant, they don’t care; will ignore persuasive banter |

Page 15: The help desk

- People are naturally helpful
- Its function is to help—to provide answers
  - Like all customer service
- Generally not trained to question the validity of each call
- Minimally educated about security
- Don’t get paid much
- Objective: move on to the next call

Page 16: You might have seen these

- “Cool pics attached”
- ILOVEYOU!
- Helpful dialog boxes

Page 17: Tools and Techniques

Page 18: So you wanna be a social engineer

You need two things:

- A telephone
- A “mark”

Public access terminals are good, too

Page 19: Other useful bits

- ANI (caller ID) if planning a callback scam
- Voice changer
- Ability to think quickly

Page 20: Fingering the mark

- Need a collection of information tidbits to create a sense of authenticity
- Obtain a list of employee and computer names
  - whois
  - finger
  - Domain registration records
  - Target organization’s own web site
  - Google, anyone?

Page 21: Make a site visit

- Look good!—blend in
- Fake ID badge
- Observe typical entry/exit behavior
- Stride with confidence; pretend you belong
- Private offices are best
  - Computer connections
  - Posted lists and notes
- Ask low-level employees

Page 22: Dumpster diving

- Memos
- Phone books
- Policy manuals
- Calendars
- System manuals
- Disks and tapes
- Organizational charts
- Printouts of names and passwords
- Printouts of source code
- Old discarded hardware

Page 23: Building the picture

- Faking a phone rep could work…
- Try the written word: built-in trust
  - “You might already be a winner!”
  - “We value your opinion…”
  - Be official-looking mass mail
  - “We will need a password to verify…”
- Follow up with a phone call
  - Ask for the password and other data
  - Listen to speech pattern

Page 24: Fingerprinting a system

- NMAP
- ICMP (Ofir Arkin’s paper)
- Telnet for banners
- Domain records and job web sites
- Portscanning
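Banner grabbing, the “telnet for banners” step above, as an added example that is not part of Steve Riley’s deck. It starts a throwaway loopback listener that volunteers a constructed SSH-style banner (the product and version string are invented for the demo), connects the way telnet would, reads whatever the service says before the client sends a byte, and pulls the product and version out of the reply; a second, version-stripped banner shows what the “system hiding” policy element later in the deck buys you. Python is used because it shows the exchange end to end in a few lines; the host, port, banners and regexes are all assumptions.

```python
"""Banner grabbing against a constructed local service (added example, not from the original deck)."""
import re
import socket
import threading

# Constructed banner: the kind of string a chatty service hands to anyone who connects.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_3.8.1p1 Debian-8\r\n"
# The same service with its version stripped, as a "system hiding" policy would have it.
QUIET_SSH_BANNER = b"SSH-2.0-SSH\r\n"


def serve_banner_once(banner, host="127.0.0.1"):
    """Start a throwaway listener that sends `banner` to the first client, then exits.

    Returns the ephemeral port so the caller can connect. Exists only to make the
    example self-contained; a real target would be a remote host's service port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0, max_bytes=512):
    """Connect and read whatever the service volunteers before we send anything.

    This is what `telnet host port` shows you. A silent service (HTTP, for
    instance) yields an empty string here and needs a request to provoke a reply.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace").strip()


# Patterns for the two banner styles this example understands. Product and version
# are what a caller wants: "I see you're still on OpenSSH 3.8, we're pushing a patch..."
_SSH = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>\d[\w.]*)?")
_SMTP = re.compile(r"^220\s+(?P<host>\S+)\s+(?:E?SMTP\s+)?(?P<product>[A-Za-z][\w-]*)\s*(?P<version>\d[\w.]*)?")


def identify(banner):
    """Return (product, version) from a banner; None where the service kept quiet."""
    for pattern in (_SSH, _SMTP):
        m = pattern.match(banner)
        if m:
            return m.group("product"), m.group("version")
    return None, None


if __name__ == "__main__":
    for raw in (FAKE_SSH_BANNER, QUIET_SSH_BANNER):
        port = serve_banner_once(raw)
        text = grab_banner("127.0.0.1", port)
        print(repr(text), "->", identify(text))
```

The defensive reading is the second banner: a service that announces only its protocol gives the caller nothing to drop into a pretext, which is the point of the “system hiding” policy element.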

Page 25: Mounting the attack

You’ve got information on—
- Your mark
- The computer system

Call the organization’s help desk
- Feign inability to log on
- Can pass verification checks with info you’ve gathered
- Prey on lack of social skills: “I’ve seen you at work…”
- Be judicious—don’t ask for too much

Page 26: Reverse social engineering

- Sabotage
  - Cause a problem on target’s network
- Advertising
  - Leave business card around
  - Incorporate contact info in error message
- Assistance
  - Fix the problem while obtaining info
  - Don’t forget to leave a back door or two…

Page 27: Protecting Yourself

Page 28: S.E. usually ignored

- S.E. viewed as attack against intelligence
  - No one wants to admit they were duped
- Technical people are proud of their knowledge
  - Often like to share
- Everyone is susceptible, given a sufficiently persuasive social engineer

Page 29: A multi-level defense

| Level | Defense |
|---|---|
| Foundational | Policies |
| Parameter | Security awareness and education |
| Fortress | Resistance training |
| Persistence | Ongoing reminders |
| Gotcha | Social engineering land mines |
| Offensive | Incident response |

Page 30: Foundational: Policies

- Enables management to make a statement about the value of information to the business
- Provides legal foundation for personnel decisions
- Defines things people should (not) do
  - Lists penalties for violations
- Targets people who regularly respond to requests
  - Helps people feel as if the only choice is to resist
- Be realistic
- Be regularly reviewed

Page 31: Foundational: Policy elements

- Account setup and maintenance
- Password change policy
- Help desk procedures
- Access privileges
- Violations
- User IDs
- Privacy policy
- Paper documents
- Controlled access
- Information dissemination
- System hiding

Page 32: Parameter: Security awareness

- Don’t allow trust to be exploited
- Know what has value
  - What to do if you suddenly lost all access?
- Friends aren’t always friends
  - Over-the-phone friendships lack trust
- Passwords are personal
  - And always undervalued
- Uniforms are cheap
- Mutually authenticate when your bank calls you!

Page 33: Parameter: Signs of an attack

- Learn to recognize
  - Refusal by caller to give contact information
  - Rushing
  - Name-dropping
  - Intimidation
  - Misspellings
  - Odd questions
- Learn to say “no”
  - Needs backing of management

Page 34: Parameter: User education

- Security management campaign
- Periodic refreshers
- Newsletters
- Group meetings
- Screensavers
- Signatures on acceptable use policies
- Shredders and bulk erasers
  - Updated erasers—old ones are too weak
  - Consider: the band saw
- Regular audits

Page 35: Fortress: Resistance training

- Harden the people!
- Inoculation
  - Teach possible arguments and counter-arguments
- Forewarning
  - Both content and persuasive intent
  - Understand that attacker’s intent is criminal
- Reality check
  1. It’s out there
  2. It can happen to others
  3. It can happen to me—experiential

Page 36: Persistence: Ongoing reminders

- Regular reminders to keep people aware
  - One training session won’t last forever
  - Police departments do this continually
- Be creative
  - Don’t become yet another source of noise to be ignored

Page 37: Gotcha: Social engineering land mines

- Justified “know-it-all”
  - Who are you? I’m escorting you out
- Centralized security log
  - Helps defeat foot-in-the-door techniques
- Call-backs by policy
  - Defeats PBX trickery
- “Please hold” by policy
  - Time to consider and validate request
- Key questions
  - Three questions rule
  - Bogus question
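Two of the land mines above, the centralized security log and call-backs by policy, as an added example that is not part of the deck. It takes a constructed help-desk log (agents, users, phone numbers, requests and sensitivity scores are all invented), looks for a caller who spreads several small asks across different agents within a short window so that no single agent ever sees the whole, which is the foot-in-the-door pattern a central log exists to catch, and flags every request where the desk was asked to call back a number other than the one in the directory of record. Python is used because the logic is a few lines of correlation over log records; the log format and the thresholds are assumptions.

```python
"""Centralized help-desk log: foot-in-the-door correlation and call-back-by-policy checks.

Added example; the log lines, directory entries and sensitivity scores are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    ts: datetime
    agent: str            # help-desk agent who took the call
    claimed_user: str     # identity the caller claimed
    callback_number: str  # number the caller asked to be reached on
    item: str             # what was asked for
    sensitivity: int      # 1 = harmless trivia ... 3 = credential or access change


# Directory of record (constructed). Call-backs by policy go to these numbers only,
# never to a number the caller supplies; that is what defeats PBX forwarding tricks.
DIRECTORY = {
    "bfuller": "+1-206-555-0100",
    "jchen": "+1-206-555-0142",
}

# Constructed log: 'ISO-timestamp|agent|claimed user|callback number|item|sensitivity'.
# Each of bfuller's asks looks innocent to the agent who took it.
SAMPLE_LOG = """\
2004-05-12T09:02:00|agent_a|bfuller|+1-206-555-0100|where is the VPN portal|1
2004-05-12T09:41:00|agent_b|bfuller|+1-425-555-0199|name of the finance file server|2
2004-05-12T10:15:00|agent_c|bfuller|+1-425-555-0199|locked out, reset my password|3
2004-05-12T11:30:00|agent_a|jchen|+1-206-555-0142|printer driver install|1
"""


def parse_log(text):
    """Parse pipe-delimited log lines into Request records; blank and '#' lines are skipped."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, agent, user, callback, item, sens = line.split("|")
        requests.append(Request(datetime.fromisoformat(ts), agent, user, callback, item, int(sens)))
    return requests


def foot_in_the_door(requests, window=timedelta(hours=2), min_agents=2, threshold=5):
    """Flag claimed users whose asks, spread over at least `min_agents` agents inside
    `window`, add up to at least `threshold`. Returns {user: (agents, total_sensitivity)}.

    Without a central log each agent sees one harmless question; with it the
    escalation from "where is X" to "reset my password" is visible as one campaign.
    """
    by_user = defaultdict(list)
    for r in requests:
        by_user[r.claimed_user].append(r)

    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda r: r.ts)
        for i, first in enumerate(reqs):  # slide a window starting at each request
            cluster = [r for r in reqs[i:] if r.ts - first.ts <= window]
            agents = sorted({r.agent for r in cluster})
            total = sum(r.sensitivity for r in cluster)
            if len(agents) >= min_agents and total >= threshold:
                flagged[user] = (agents, total)
                break
    return flagged


def callback_violations(requests):
    """Requests whose call-back number is not the directory number of record.

    An unknown user has no number of record and is therefore always a violation:
    the desk has nothing it can legitimately call back.
    """
    return [r for r in requests if DIRECTORY.get(r.claimed_user) != r.callback_number]


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for user, (agents, total) in foot_in_the_door(reqs).items():
        print(f"foot-in-the-door: {user} via {agents}, cumulative sensitivity {total}")
    for r in callback_violations(reqs):
        print(f"call-back policy violation: {r.ts:%H:%M} {r.claimed_user} asked for {r.callback_number}")
```

Run against the sample, the three “bfuller” calls are flagged as one campaign across three agents, and the two that asked for a 425 number are call-back violations; the “jchen” call passes both checks. The same correlation fails if the window is tightened to 30 minutes, which is why the window needs to be set from how long a real campaign takes, not from how long a shift is.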

Page 38: Offensive: Incident response

- Well-defined process that—
  - Mitigates the attacker’s activities
  - Alerts other potential victims
  - Notifies security personnel
- Who to notify?
  - Log monitors
  - Corporate security
- Regularly test and modify

Page 39: Prevention strategies

| Area of risk | Attacker tactic | Combat strategy |
|---|---|---|
| Help desk | Impersonation and persuasion | Train employees to never give out passwords or other confidential info by phone |
| Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present |
| Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!) |
| Help desk | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support |
| Office | Wandering through halls looking for open offices | Require all guests to be escorted |
| Mail room | Insertion of forged memos | Lock and monitor mail room |
| Machine room/phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment |
| Phone and PBX | Stealing phone toll access | Control overseas and long-distance calls, trace calls, refuse transfers |
| Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media |
| Intranet/internet | Creation and insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use |
| Office | Stealing sensitive documents | Mark documents as confidential and require them to be locked |
| General—psychological | Impersonation and persuasion | Keep employees on their toes through continued awareness and training programs |

Page 40: Where to learn more?

- No MS Press titles or courseware available on social engineering
- Make your own page of links!
- http://www.google.com/search?q=social+engineering

Page 41:

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley