Social Engineering:Exploiting the Human Behavior

Author: James KrusicIASC 1100

“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

-Kevin Mitnick

What is Social Engineering?• Is the technique used by attackers to gain the trust of

employee’s, in efforts to get information.• A companies greatest threat are themselves.• Two categories of attacks• Technical• Non-Technical

Technical Attacks• Are those that deceive the user into believing that the

application in use is truly providing them with security.• Example would be logging into Facebook and a random pop-up

window is wanting your credentials. Once you supply the pop-up window with your username/password, the attack has access to your Facebook account.• Once the attacker has your password, most of the time that same

password is used for bank accounts, network access and more.

Technical Attacks cont.• Examples of technical attacks:• Phishing

• Usually sent via e-mail, indicating to the victim that something has happened. Once the victim opens the payload the attacker has access to the network.

• Pop-up Window• Spam-Emails

• This is a mass e-mail system. Which hundreds and thousands of e-mails are sent out to individuals. Tightly related with phishing attempts.

Non-Technical Attacks• Are attacks that are purely perpetrated through the art of

deception. (Peer-to-Peer interaction)• Examples:• Dumpster Diving• Support Staff• Hoaxing• Authoritative Voice

Human Behavior Manipulations

• Curiosity

• Fear

• Thoughtlessness

Curiosity

Why would exploiting curiosity be such an effective method?- It is like saying, “Why do people go into the woods

when its dark?”- People always want to know what’s behind the door.- So when people receive an e-mail saying they won

$5,000 and all they need to do is follow the link, they more than likely will.

Fear• Fear is such a strong behavior, because once a person

experiences it, they do not want that feeling again.• Example: Hoax’s are used to falsify information in-order to scare

the victim.

Thoughtlessness• Is a human behavior that is done without thought. To not think

when doing.• Example: Dumpster Diving• When a person throws old credit cards away without first cutting

them up, or when they throw away bank account statements that have your social security number on them, or credit card information.• An attackers gold mine, is to find personal information such as; SSN,

Account Number, Addresses and more.

How to help mitigate against promising attacks of Social Engineering

- Educate the users/employee’s- Well-rounded policy- Audit and ensure compliance- Proper hardware mitigation

- E-mail filters- Firewalls

User Education/Awareness• User education is an important role to mitigate against social

engineering tasks.• Simple education such as:• Ensure employee’s check the person/s ID• Ensure employee’s verify they have appointment with

management• Ensure employee’s do not divulge company secrets, personal

information, and network information over the phone

Motivate the Users• Self Interest- Most people tend to retain facts better when

they can personally identify with or use that information personally

• Memory Persistence- Current news stories, or recent situations that effect the organization.

• Perceived Importance- Effectively communicate the need for stated security policies.

• Understanding- People are more inclined to follow procedures that they fully understand.

Well Rounded Security Policy• Why do we need a good security policy?• It provides a framework for best practice• Helps turn employee’s into participants in the company’s efforts

to secure its information assets.• Shows internally and externally that assets are important

Audits & Compliance• Why does a company need to audit and ensure compliance of

a security policy?• Companies need to audit the security policy to ensure that

employee’s at all levels are following the policy• Top-Down approach is good when auditing

• Most of the time upper management want more access to network resources than standard employee’s• This is a good place to start because if an attacker decides to do a spear

phishing attack they usually start high, because they do not believe that they need to follow policy.

Hardware/Software Mitigation• Employ multiple firewalls using different platforms• This is security by obscurity, meaning that multiple platforms or

multiple setups ensures that by getting by one firewall doesn’t mean an attacker can get by the second, or third.

• Deploy E-mail Filters• Types of E-mail Filters:

• Bayesian Spam Filters: Work by scanning the e-mail for tokens (usually words), and then calculating the probability that the e-mail is spam.• Very powerful, low false positives

• Spam Assassin: Uses rule sets to scan body and header of e-mail messages. Can be very granular (extensive rules).• Can be ran for all e-mail or can be ran by individual users.

Additional Resources• www.mattslifebytes.com• Can find a video about social engineering.• Can find a experiment on dumpster diving

• Also can find images of servers that can help you understanding hardening Linux. From IT-Adventures.

• End User Security Awareness Presentation• http://www.slideshare.net/frostinel/end-user-security-

awareness-presentation-presentation• Policy Enforcement• http://www.sans.org/reading_room/whitepapers/policyissues/

information-security-policy-development-guide-large-small-companies_1331