
Social Engineering: The Forgotten Information Assurance Risk



  1. Social Engineering: The Forgotten Information Assurance Risk

  2. Marc Rogers PhD, CISSP, CCCI Associate Professor Department of Computer Technology Center for Education and Research in Information Assurance & Security (CERIAS) Purdue University

  3. Outline
  • How Big is the Problem?
  • What is Social Engineering?
  • Why is SE so Effective?
  • Anatomy of an SE Attack
  • How to Mitigate the Risk
  • Conclusions

  4. How big is the Problem?

  5. How big is the Problem?
  • Deloitte 2004 Global Security Survey
    • Financial institutions’ concern tied to regulatory compliance
    • 83% of respondents had suffered a compromise
  • PWC/Department of Trade & Industry: Information Security Breaches Survey 2004 (UK)
    • Number of breaches increased
    • Average cost of an incident to a large business was roughly $250,000
  • CSI/FBI 2004
    • $141,496,560 decrease from last year ???
    • Denial of Service most costly
    • Theft of IP second
  • 2002-03 Australian Cyber Crime Survey
    • Volume of attacks doubled since 2001

  6. How big is the Problem? CERT/CC Stats: Incidents Reported (chart)

  7. How big is the Problem?
  • CSO 2003 Survey
    • Respondents who suffered the most damage from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.
    • Those with the most damage were nearly half as likely to list staff training as one of their top three priorities. ????

  8. How big is the Problem?
  • We don’t really know ????
  • Lack of meaningful metrics
  • Trends indicate that it is increasing yearly
  • The monetary loss has been estimated at $400 Million - $12 Billion
  • Identity theft - fastest growing non-violent criminal activity
  • Phishing exploits seem to be on the rise

  9. How big is the Problem?
  • ID Theft: Fastest growing non-violent criminal activity in the US – FTC

  10. How big is the Problem?
  • “Phishing”
    • Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data:
      • account usernames and passwords, credit card numbers, social security numbers, ATM card PINs
    • These e-mails look “official”; because recipients trust the brand, they often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.

  11. Phishing

  12. Phishing
  • A Closer Look!
  • Complete email headers:
    • Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
  • Whois on this domain:
    • Registered to a company on the island of Curaçao

  13. Phishing Real site: www.citizensbank.com

  14. Phishing: Source View
  • Snippet of the source (quoted-printable, as received):
    </A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on in 1822 Pokemon = Gold It's not for me Temptation Island Big Brother I can't answer it's = beautiful Just tonight no more Terra in 1861 going to Wrong number = </font></p></html>
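Slides 12 and 14 show the two things a reviewer looks at first in a suspected phishing message: the Received chain (to find where the mail really entered the network) and the HTML source (here padded with random words in near-white text, #FFFFFA, that the recipient never sees). The script below is an added example for this presentation, not the author's code; it triages a constructed message that uses documentation addresses rather than the real headers from the slides. It extracts the originating hop, lists link hosts that do not belong to the sender's domain (compare slide 13's "real site"), and measures how much of the body text is invisible filler.

```python
"""Phishing triage: originating hop from the Received chain, link hosts that
do not match the sender's domain, and the share of body text coloured (near)
white so the reader never sees it.  Added example, not the author's code;
the message below is constructed with documentation addresses."""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample modelled on the header and source snippet in the slides.
RAW_MESSAGE = """\
Received: from relay.example.edu ([192.0.2.10]) by exchange.example.edu with ESMTP; Mon, 6 Sep 2004 18:06:01 -0500
Received: from customer-203-0-113-84.isp.example ([203.0.113.84]) by relay.example.edu with SMTP; Mon, 6 Sep 2004 18:05:57 -0500
From: "Example Bank Online" <alerts@examplebank.test>
To: employee@example.edu
Subject: Please confirm your account details
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear customer, please <a href="http://203.0.113.84/verify/">confirm your account</a> within 24 hours.</p>
<p><font color="#FFFFFA">in 1847 Windows Me All the best Napster Kid Rock Costumes in 2005 smart in 1861 Hold on</font></p>
</body></html>
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg) -> Optional[str]:
    """IP in the earliest Received line (relays prepend, so it is the last one).
    Only lines written by servers you operate are trustworthy; anything older
    than your border MTA's line may have been forged by the sender."""
    hops = msg.get_all("Received") or []
    match = RECEIVED_IP.search(hops[-1]) if hops else None
    return match.group(1) if match else None


def near_white(color: str) -> bool:
    """True for colours such as #FFFFFA that vanish on a white background."""
    hexpart = color.strip().lstrip("#")
    if len(hexpart) == 3:
        hexpart = "".join(ch * 2 for ch in hexpart)
    if not re.fullmatch(r"[0-9a-fA-F]{6}", hexpart):
        return False
    return min(int(hexpart[i:i + 2], 16) for i in (0, 2, 4)) >= 0xF0


class BodyInspector(HTMLParser):
    """Collects link hosts and splits body words into visible and hidden."""

    def __init__(self) -> None:
        super().__init__()
        self._open: List[Tuple[str, bool]] = []  # (tag, is text hidden?)
        self.hidden_words: List[str] = []
        self.visible_words: List[str] = []
        self.link_hosts: List[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        color = attrs.get("color")
        if color is None and attrs.get("style"):
            m = re.search(r"color\s*:\s*(#[0-9a-fA-F]{3,6})", attrs["style"])
            color = m.group(1) if m else None
        inherited = self._open[-1][1] if self._open else False
        self._open.append((tag, inherited or bool(color and near_white(color))))
        if tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).hostname
            if host:
                self.link_hosts.append(host)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p> or <br>.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        hidden = self._open[-1][1] if self._open else False
        (self.hidden_words if hidden else self.visible_words).extend(data.split())


def triage(raw: str) -> Dict[str, object]:
    """Summarise the indicators a reviewer checks first."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    inspector = BodyInspector()
    inspector.feed(part.get_content() if part is not None else "")
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    total = len(inspector.hidden_words) + len(inspector.visible_words)
    return {
        "originating_ip": originating_ip(msg),
        "sender_domain": sender_domain,
        "link_hosts": inspector.link_hosts,
        "links_off_domain": [h for h in inspector.link_hosts
                             if not h.lower().endswith(sender_domain)],
        "hidden_word_ratio": round(len(inspector.hidden_words) / total, 2) if total else 0.0,
    }
```

Calling `triage(RAW_MESSAGE)` on the constructed sample returns the originating hop 203.0.113.84, flags that same bare IP as a link host outside examplebank.test, and reports that about two thirds of the body words are hidden. A high hidden-word ratio is a filter-evasion indicator worth alerting on, and the whois step from slide 12 is the natural follow-up on the originating IP; only the Received lines added by relays you control can be trusted, since earlier ones are supplied by the sender.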

  15. What is Social Engineering?
  • Social/Psychological phenomenon
  • Original definition: “The practical application of sociological principles to particular social problems.”
  • Not necessarily a “negative” term
  • Persuasion
    • Various psychological/communications theories
      • Cognitive Dissonance
      • Language Expectation Theory
  • Has now become a negative technology issue

  16. What is Social Engineering?
  • “Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in: unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.” (Rogers & Berti, 2001)
  • Basically using deception or persuasion to “con” someone into providing information or access they would not usually have provided.

  17. Why is SE so Effective?
  • The Information Assurance/Security field has focused primarily on technical security
  • Almost no attention to the person-machine interaction
  • Only as strong as the weakest link - people are the weakest link
  • Why spend time attacking the technology when a person will give you access?
  • Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance

  18. Why is SE so Effective?
  • 2 primary factors: basic human nature & business environment
  • Human Nature:
    • Helpful
    • Trusting
    • Naïve
  • Business Environment:
    • Service oriented
    • Time crunch/multitasking
    • Distributed locations
    • Virtual offices
    • Transient workforce

  19. Anatomy of an SE Attack
  • Very similar to how intelligence agencies infiltrate their targets
  • 3-phased approach
    • Phase 1 - Intelligence Gathering
    • Phase 2 - “Victim” Selection
    • Phase 3 - The Attack
  • Usually a very methodical approach

  20. Anatomy of an SE Attack
  • Phase 1 - Intelligence Gathering
    • Primarily open source information
      • Dumpster diving
      • Web pages
      • Ex-employees
      • Contractors
      • Vendors
      • Strategic partners
    • The foundation for the next phases

  21. Anatomy of an SE Attack
  • Phase 2 - “Victim” Selection
    • Looking for weaknesses in the organization’s personnel
      • Help Desk
      • Tech Support
      • Reception
      • Admin. Support
      • Etc.

  22. Anatomy of an SE Attack
  • Phase 3 - The Attack
    • Commonly known as the “con”
    • Primarily based on “peripheral” routes to persuasion:
      • Authority
      • Liking & Similarity
      • Reciprocation
      • Commitment & Consistency
    • Uses emotionality as a form of distraction

  23. The SE Attack
  • 4 general categories of attacks:
    • Technical Attacks
    • Ego Attacks
    • Sympathy Attacks
    • Intimidation Attacks

  24. Anatomy of an SE Attack
  • The Technical Attack - (Authority/Consistency)
    • No direct interpersonal contact with victims
    • Attacker forges e-mail messages, pop-ups, web sites, or some other medium
    • Pretending to be an authorized support or system admin. person legitimizes the request
    • Tries to obtain sensitive account information from users (e.g., passwords, user-ids, CC #s, PINs etc.)
    • “PHISHING”
    • Has been very successful to date

  25. Anatomy of an SE Attack
  • The Ego Attack - (Reciprocation/Liking)
    • Attacker appeals to the vanity or ego of the victim
    • Usually targets someone they sense is frustrated with their current job position
    • The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
    • Attacker may pretend to be law enforcement; the victim feels honored to be helping
    • Victim usually never realizes

  26. Anatomy of an SE Attack
  • Sympathy Attacks - (Liking/Commitment)
    • Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.
    • There is some urgency to complete some task or obtain some information
    • Needs assistance or they will be in trouble or lose their job etc.
    • Plays on the empathy & sympathy of the victim
    • Attackers “shop around” until they find someone who will help
    • Very successful attack

  27. Anatomy of an SE Attack
  • Intimidation Attack - (Authority)
    • Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
    • Attempts to use their authority to coerce the victim into cooperation
    • If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges etc.)
    • If they pretend to be law enforcement they will claim the investigation is hush-hush and not to be discussed etc.

  28. Mitigating the Risk
  • The impact of SE is usually high
  • The ease of the attack is high
  • Technical controls alone will not prevent the attack
  • Operational/Administrative controls alone will not prevent it
  • Environmental controls alone will not prevent it

  29. Mitigating the Risk
  • We need a combination of Operational/Administrative, Technical (logical), & Environmental (Physical) control principles
  • It really comes down to:
    • Technology
    • Policies
    • Education
    • Awareness
    • Training

  30. Mitigating the Risk
  • All employees should have a security mind-set and question things
  • Need to recognize good “catches”
  • Have proper incident response procedures and teams to mitigate the damage if a breach occurs
    • Immediate notification of targeted groups
  • Apply technology where possible
  • Need to test your readiness periodically
    • IT Security reviews/assessments that include SE

  31. Conclusions
  • SE attacks are a serious threat
  • SE attacks are very easy and very effective
  • We cannot forget about the person-machine interaction
  • Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem
  • The best defense is proper education and awareness training combined with technical approaches

  32. Parting Thoughts: “Those who fail to learn the lessons of history are doomed to repeat them.” (Santayana)

  33. Questions/Comments?

  34. Contact Information: Dr. Marc Rogers, rogersmk@exchange.purdue.edu, Department of Computer Technology, Purdue University, 765-494-2561
