
Social Engineering and Phishing ( Fish are not the only things that need to be concerned. )



  1. Social Engineering and Phishing (Fish are not the only things that need to be concerned.) August 24, 2011

  2. Introduction During the course of this presentation, I will illustrate methods that attackers and others with malicious intent have used to compromise Personally Identifiable Information (PII) and other sensitive data. I will also examine several case studies that show how PII was compromised and how the breach could have been prevented. Finally, I will offer several defense and protection mechanisms. I am SeNet’s Chief Technology Officer (CTO). Previously, I worked for the security consulting practices of both KPMG and Deloitte and Touche. I have led and performed numerous vulnerability assessments and penetration tests in support of financial audits, FISMA audits, and other compliance-related efforts. I can be reached at 703-206-9383 or gus.fritschie@senet-int.com.

  3. About SeNet SeNet International is a small business founded in 1998 to deliver network and information security consulting services to government and commercial clients.
  • High-End Consulting Services Focus
    • Government Certification and Accreditation Support
    • Network Integration
    • Security Compliance Verification and Validation
    • Security Program Development with Business Case Justifications
    • Complex Security Designs and Optimized Deployments
  • Proven Solution Delivery Methodology
    • Contract Execution Framework for Consistency and Quality
    • Technical, Management, and Quality Assurance Components
  • Exceptional Qualifications
    • Executive Team – Security Industry Reputation and Active Project Leadership
    • Expertise with Leading Security Product Vendors, Technologies, and Best Practices
    • Advanced Degrees, Proper Clearances, Standards Organization Memberships, and IT Certifications
  • Corporate Resources
    • Located in Fairfax, Virginia
    • Fully Equipped Security Lab
    • Over 40 Full-time Security Professionals

  4. The PII Challenge
  • Definition: Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single person, or that can be combined with other sources to uniquely identify a single individual.
  • Challenges of PII:
    • Pervasive – found on traditional and new, non-traditional end points
    • Highly sensitive and highly coveted
    • Difficult to do away with

  5. PII Examples Examples of PII include:
  • Full name (if not common)
  • National identification number
  • IP address (in some cases)
  • Vehicle registration/plate number
  • Driver's license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Birthday
  • Birthplace
  • Genetic information

  6. PII Leakage Paths PII can "leak out" intentionally and unintentionally in many ways, such as:
  • E-mail attachments
  • Printouts and faxes
  • Lost tapes, zip drives, and other storage media
  • Lost or stolen laptops
  • Social networking
  • Instant messaging programs
  • File sharing programs
  • Unsecure Web sites
  • Active attacks by bad actors
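Most of the leakage paths above (e-mail attachments, IM, file sharing) carry free text, so the defensive counterpart is a content scanner that recognises the PII examples listed earlier before the data leaves. The following is an added example written for this page, not code from the presentation: a small DLP-style scanner that flags US Social Security Numbers (SSNs), Luhn-valid card numbers, and e-mail addresses in a message. The three sample messages are constructed and contain only test values; the SSN area-number rules and the Luhn check are the standard ones.

```python
"""Toy DLP scanner: flag PII patterns in outbound text (added example)."""
import re

# US SSN: AAA-GG-SSSS. Area 000, 666 and 900-999 are never issued,
# group 00 and serial 0000 are invalid, so those are rejected up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-number candidates: 13-19 digits, optional space/dash separators.
# A candidate is only reported if it passes the Luhn checksum.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample messages; every value is a test value, not real PII.
SAMPLE_MESSAGES = {
    "payroll.txt": "Hi, attached is the export for Jane Doe, SSN 123-45-6789, salary 91,000.",
    "receipt.txt": "Card on file 4111 1111 1111 1111, contact jane.doe@example.com for questions.",
    "newsletter.txt": "Ticket 1234 5678 9012 3456 opened; reference 987-65-4320 is an order number.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return a list of (kind, matched_text) for each PII hit in `text`."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops ticket/order numbers that merely look like cards
            hits.append(("card", m.group()))
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group()))
    return hits


def redact(text: str) -> str:
    """Replace every hit with a tag so the message can leave without the PII."""
    out = text
    for kind, value in find_pii(text):
        out = out.replace(value, "[%s REDACTED]" % kind.upper())
    return out


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        hits = find_pii(body)
        verdict = "BLOCK" if hits else "allow"
        print(f"{name}: {verdict} {[k for k, _ in hits]}")
        if hits:
            print("  ", redact(body))
```

The third message is the important one for a practitioner: a 16-digit ticket number and a 9xx "SSN" both match the raw patterns but are discarded by the Luhn check and the area-number rule, which is what keeps a scanner like this from blocking ordinary traffic.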

  7. Data Leakage Paths

  8. PII Attack Vectors
  • Phishing (no, it's not a typo)
  • Social Engineering
  • Cross-site Scripting (XSS)
  • SQL Injection
  • Malware
  • Many others

  9. Phishing Attacks and Social Engineering While there are several different attack vectors that could be used to gain unauthorized access to PII, two of the most common are old-fashioned social engineering and phishing attacks.

  10. What is Social Engineering? Social engineering is the process of deceiving people into giving away access or confidential information. Wikipedia defines it as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.” Many consider social engineering to be the greatest risk to security.

  11. Categories of Social Engineers
  • Hackers
  • Spies or Espionage
  • Identity Thieves
  • Disgruntled Employees
  • Scam Artists
  • Sales
  • Governments

  12. Why Social Engineering? "Because there is no patch for human stupidity." "People are the largest vulnerability in any network." Path of least resistance: a hacker can spend hours, weeks, or months trying to brute-force his or her way to a password, when a phone call with the right pretext and the right questions can obtain the same password, or more, in a few minutes.

  13. What is Pretexting?
  • Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases, it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that the attacker has never performed.
  • Pretexting is also not a "one size fits all" solution. A social engineer will have to develop many different pretexts over his or her career. All of them will have one thing in common: research. Good information gathering techniques can make or break a good pretext. Being able to mimic the perfect technical support representative is useless if your target does not use outside support.
  • One of the most important aspects of social engineering is trust.

  14. Common SE Attack Vectors In the world of social engineering, there are numerous attack vectors. Some involve a lot of technology; others contain none at all.
  • Customer Service
  • Tech Support
  • Marketing
  • Phone
  • Delivery Person

  15. Phishing vs. Spear Phishing Phishing – Bulk e-mails that typically contain a link to a counterfeit Web site designed to look like an authentic login page. The counterfeit site captures the personal data entered into it for cyber criminals, who use the data to commit financial fraud. Spear Phishing – Targets are identified in advance, and the e-mails that attempt to trick them into handing over personal data can be highly specific. They might claim to come from a friend or colleague, or seek to exploit the target's known interests.
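The "link to a counterfeit Web site" is where a phishing e-mail is most often detectable, because the visible link text and the real target rarely agree. As an added example (not code from the presentation), the following Python script pulls every link out of an HTML message body and flags the common tricks: a raw IP address as the host, the `user@host` userinfo trick that puts the real brand name before the `@`, a punycode (internationalised) host that may be a homoglyph of a real brand, link text that shows a different domain than the href, and links that leave the sender's own domain (a weak signal on its own, so it is listed last). The message body, the sender domain and all hostnames in it are constructed for the example; `203.0.113.7` is a documentation address and `xn--80ak6aa92e.com` is the well-known Cyrillic look-alike of apple.com.

```python
"""Flag link tricks common in phishing e-mail (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a domain inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the comparisons below."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_link(href: str, text: str, sender_domain: str):
    """Return a list of human-readable findings for one link."""
    findings = []
    u = urlsplit(href)
    host = u.hostname or ""
    if not host:
        return findings
    try:                                   # 1. raw IP instead of a hostname
        ipaddress.ip_address(host)
        findings.append("ip-address host %s" % host)
    except ValueError:
        pass
    if u.username is not None:             # 2. http://brand.com@evil/ trick
        findings.append("userinfo '@' trick: shows %s, goes to %s" % (u.username, host))
    if "xn--" in host:                     # 3. punycode / possible homoglyph
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = "?"
        findings.append("punycode host %s (renders as %s)" % (host, shown))
    m = URL_IN_TEXT.search(text)           # 4. link text names another domain
    if m and registrable(m.group(1)) != registrable(host):
        findings.append("display/target mismatch: %s vs %s" % (m.group(1), host))
    if registrable(host) != registrable(sender_domain):   # 5. weak signal
        findings.append("target %s is outside sender domain %s" % (host, sender_domain))
    return findings


def triage(html_body: str, sender_domain: str):
    """Return [(href, findings)] for every link that raised at least one finding."""
    p = LinkExtractor()
    p.feed(html_body)
    report = []
    for href, text in p.links:
        f = analyze_link(href, text, sender_domain)
        if f:
            report.append((href, f))
    return report


# Constructed message body; the sender is assumed to be example.com.
SAMPLE_HTML = """
<p>Your account will be suspended. Please sign in:</p>
<a href="http://www.paypal.com@203.0.113.7/login">https://www.paypal.com/login</a><br>
<a href="http://xn--80ak6aa92e.com/verify">Verify your Apple ID</a><br>
<a href="https://support.example.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, findings in triage(SAMPLE_HTML, "example.com"):
        print(href)
        for f in findings:
            print("   -", f)
```

Run against a real mailbox, checks 1 to 4 are strong enough to quarantine on; check 5 fires on most newsletters and is only useful as one input to a score.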

  16. Social Engineering Tools
  • SET – Social-Engineer Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
  • BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
  • Metasploit – http://www.metasploit.com/

  17. Demo Time

  18. APT and PII An advanced persistent threat (APT) is not about smashing and grabbing; rather, it is about methodically reaching objectives: establishing a beachhead within the organization and exploiting as much of the organization as possible, for as long as possible, without being detected.

  19. APT and PII (cont'd) APT is:
  • Advanced – Assumes everything from mundane attack attempts to sophisticated custom crafting of exploits.
  • Persistent – Focused on an objective, so this is not just a "drive-by" or "smash-and-grab." The threat will not go away or move out of legal reach. "Persistent" means trying to maximize exploitation of information over a period of time, sometimes a long period of time.
  • Threat – Targeting your organization for a specific reason. This takes advantage of human ability and creativity, and is not a bot or worm, although those tools may be employed.

  20. Case Study 1: Operation Aurora
  • Began in mid-2009 and continued through December 2009; it involved several other companies in addition to Google.
  • Google stated that some of its intellectual property had been stolen.
  • Attackers were interested in accessing the Gmail accounts of Chinese dissidents.
  • Initial access exploited a then-unpatched (zero-day) vulnerability in Internet Explorer, which Microsoft fixed out of band in January 2010 (MS10-002).

  21. Case Study 1 (cont'd)
  • Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage its source code.
  • Once a victim's system was compromised, a back-door connection that masqueraded as an SSL connection was made to command and control servers.
  • The victim's machine then began exploring the protected corporate intranet of which it was a part, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

  22. Case Study 2 This case study explores an example in which data (including PII) in an Oracle database is compromised. Initially, a scan is conducted to identify Oracle databases, that is, hosts with a reachable Oracle listener (port 1521 by default).

  23. Case Study 2 (cont'd) Weak and default passwords are not just a Microsoft problem. The tool shown on the slide checks the discovered databases for Oracle accounts that still carry their well-known default passwords.

  24. Case Study 2 (cont'd) With working credentials obtained, a tool such as DB-Examiner can be used to obtain a graphical view of the database structure (schemas, tables, and columns).

  25. Case Study 2 (cont'd) Of course, data is the crown jewel that many attackers are after. In this example, using the compromised account and the knowledge of the data structure gained in the previous step, a query is executed to view personal data including name, Social Security number, and salary.
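The first two steps of this case study (find listeners, try default accounts) are mechanical, which is exactly why they are worth scripting on the defensive side before an attacker does. The following is an added example written for this page, not the presenter's tool: it parses greppable `nmap -oG` output for hosts with an open listener port and tries a short list of well-known Oracle default accounts against each one. The scan output and the "lab" account table are constructed; the login function is injected so the sweep logic can be run offline, and `oracle_login` shows the real call for the `python-oracledb` package (assumed installed when you use it). The listener port list is an assumption for the example.

```python
"""Sweep scan results for Oracle listeners and test default accounts (added example)."""
import re

ORACLE_PORTS = {1521, 1522, 1526}   # assumption: listener ports to look for

# A few well-known default Oracle accounts: (user, password).
DEFAULT_CREDS = [
    ("SYSTEM", "MANAGER"),
    ("SYS", "CHANGE_ON_INSTALL"),
    ("SCOTT", "TIGER"),
    ("DBSNMP", "DBSNMP"),
    ("OUTLN", "OUTLN"),
]

# Greppable line: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<svc>///, ...\t..."
HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")

# Constructed nmap -oG output for a small lab range.
SAMPLE_SCAN = (
    "# Nmap 5.51 scan initiated as: nmap -p 22,1521 -oG - 10.0.0.0/28\n"
    "Host: 10.0.0.5 ()\tPorts: 1521/open/tcp//oracle///\tIgnored State: closed (1)\n"
    "Host: 10.0.0.6 ()\tPorts: 1521/closed/tcp//oracle///\n"
    "Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 1521/open/tcp//oracle///\n"
    "# Nmap done\n"
)

# Constructed lab state standing in for real databases: host -> {user: password}.
FAKE_ACCOUNTS = {
    "10.0.0.5": {"SYSTEM": "MANAGER", "SCOTT": "TIGER"},   # defaults never changed
    "10.0.0.7": {"SYSTEM": "s3cret-rotated"},               # password was rotated
}


def oracle_hosts(nmap_greppable: str):
    """Return [(host, port)] for every open Oracle listener port in the scan."""
    hosts = []
    for line in nmap_greppable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")       # port, state, proto, ...
            if len(fields) > 1 and fields[1] == "open" and int(fields[0]) in ORACLE_PORTS:
                hosts.append((host, int(fields[0])))
    return hosts


def sweep(nmap_greppable: str, service: str, try_login, creds=DEFAULT_CREDS):
    """Try each default account on each listener; return {(host, port): [users]}."""
    found = {}
    for host, port in oracle_hosts(nmap_greppable):
        for user, password in creds:
            if try_login(host, port, service, user, password):
                found.setdefault((host, port), []).append(user)
    return found


def fake_login(host, port, service, user, password):
    """Offline stand-in for a connection attempt, backed by FAKE_ACCOUNTS."""
    return FAKE_ACCOUNTS.get(host, {}).get(user) == password


def oracle_login(host, port, service, user, password):
    """Real connection attempt (assumes python-oracledb is installed)."""
    import oracledb
    try:
        oracledb.connect(user=user, password=password,
                         dsn=f"{host}:{port}/{service}").close()
        return True
    except oracledb.DatabaseError:
        return False


if __name__ == "__main__":
    for (host, port), users in sweep(SAMPLE_SCAN, "ORCL", fake_login).items():
        print(f"{host}:{port} default accounts still open: {', '.join(users)}")
```

Two caveats for anyone running this against real systems: failed logins count toward `FAILED_LOGIN_ATTEMPTS` in the account's profile, so a long credential list can lock accounts, and the defender's version of the same check is already inside the database (on 11g and later, `SELECT username FROM dba_users_with_defpwd` lists the accounts still using a default password, with no network sweep needed).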

  26. Methods to Protect PII
  • Encryption
  • Multi-factor Authentication
  • Strong Access Controls
  • Security Awareness Training
  • End-point Security
  • Data Leakage Prevention

  27. Social Engineering Protections
  • Education/training
  • Be aware of the information you are releasing.
  • Determine which of your assets are most valuable to criminals.
  • Keep your software up to date.
  • When asked for information, consider whether the person you are talking to actually needs, and is entitled to, the information they are asking for.
  • Report suspicious activity.
  • Be skeptical.
  • Never respond using information contained in the e-mail, particularly links to Web sites.

  28. Conclusions As can be seen throughout this presentation, there are many different attack vectors that can be used to gain access to your PII or other sensitive information. Often, attackers choose the easiest target, which is why social engineering and phishing are being used more frequently. While no method can guarantee 100% protection against these types of attacks, by understanding how these attacks work, you can better defend yourself against them.

  29. Questions?
