
United States Department of the Interior

United States Department of the Interior. Social Engineering & Internal/External Threats March 22, 2006 Leland C.Dudek Leland_dudek@ios.doi.gov. Agenda. What’s at stake? DOI FY 2005 Threat/Incident Statistics Survey of Government Departments - Alarming Statistics


Presentation Transcript


  1. United States Department of the Interior. Social Engineering & Internal/External Threats. March 22, 2006. Leland C. Dudek, Leland_dudek@ios.doi.gov

  2. Agenda • What’s at stake? • DOI FY 2005 Threat/Incident Statistics • Survey of Government Departments - Alarming Statistics • Social Engineering – Often the first vector of attack • Internal and External Threats

  3. Train2Secure What’s at Stake • Information Privacy - Confidentiality • Provision of Services - Availability • Data Manipulation - Integrity • Critical Roles and Missions • Critical Infrastructure • Agency Reputation

  4. DOI FY 2005 Threat/Incident Statistics • Over 650 million suspicious probes/attacks blocked • Over 3.4 million viruses, trojans, worms detected, deleted, cleaned

  5. Train2Secure Survey of Government Departments - Alarming Statistics • 99% use anti-virus software, yet 82% have been hit by viruses, worms, etc. • 98% have firewalls and 73% have IDS, yet 36% report penetration from the outside • 90% detected computer security breaches • 84% blame their most recent security breach on human error • 80% attribute human error to lack of security knowledge, a lack of training or a failure to follow security procedures. • 75% acknowledged financial losses due to breaches. Sources: 2003 CSI/FBI Computer Crime and Security Survey & 2004 CompTIA Survey

  6. Social Engineering Hey! I need to reset your password… can you tell me your old one? Help Desk or Social Engineering? Can be either an internal or external threat…

  7. What is Social Engineering • Social Engineering is the unauthorized acquisition of sensitive information or inappropriate access privileges by a potential threat source, based upon the building of an inappropriate trust relationship with a legitimate user of an information technology system. • The goal of social engineering is to trick someone into providing valuable information or access to that information.

  8. Social Engineering… a Wikipedia definition • In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. Perhaps the simplest, but still effective attack is tricking a user into thinking one is an administrator and requesting a password for various purposes. Users of Internet systems frequently receive messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign operation in what are called phishing attacks. Users must be warned early and frequently not to divulge passwords or any other sensitive information to anyone for any purpose, even to legitimate system administrators. In reality, administrators of computer systems rarely, if ever, need to know the user's password to perform administrative tasks. • Social engineering also applies to the act of face-to-face manipulation to gain physical access to computer systems. • In an IT security survey, 90% of office workers gave away their password in exchange for a cheap pen.

  9. The Weakest Link in the IT Security Chain • People are usually the weakest link in the security chain. • Social engineering is still the most effective method used to get around security obstacles. • A skilled social engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords.

  10. The Weakest Link in the IT Security Chain • Why try to hack through someone’s security system when you can get a user to open the door for you? • Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone. • A successful defense depends on having good policies in place ensuring that all employees are trained to follow them.

  11. Different Avenues of Persuasion
  • In attempting to persuade someone to do something, there are two methods a persuader can employ:
  • The Direct Route
    • The social engineer simply asks for the information or access with no set-up
    • Often challenged and refused
    • Seldom used due to low probability of success
  • The Peripheral Route
    • Contrived situation - The more factors the target must consider in addition to the basic request, the more likely the target is to be persuaded.
      • Forgot a password
      • Manager on vacation
      • Looming deadlines
    • Personal persuasion - Many social engineers are adept at using personal persuasion to overcome initial resistance.
      • The goal is not to force compliance but to get voluntary action
      • The target believes they are making the decision

  12. Different Avenues of Persuasion
  A Direct Route uses:
  • Systematic
  • Logical arguments
  To:
  • Stimulate a favorable response
  • Prompt the recipient to action

  13. Different Avenues of Persuasion
  A Peripheral Route uses:
  • Peripheral cues
  • Mental shortcuts
  • Misrepresentation of their objectives
  To:
  • Trigger acceptance without thinking

  14. Different Avenues of Persuasion • One way in which the social engineer can make prospective victims more susceptible to Peripheral routes to persuasion is by making some statement at the outset that triggers a strong emotion such as: • Excitement “The Chief of Staff is writing up an award nomination for you and needs some additional information!” • Fear “The Chief Information Officer is waiting for this!”

  15. Perception • In a typical transaction our perception about the request for service begins with a basic belief that each party is who they say they are. • Some social engineering victims may tend to rely primarily on their belief that the person with whom they dealt was honest, and to give little thought to the activities.

  16. Common Types of Social Engineering Exploit Methods • Social engineering can be broken into: • Human based: person-to-person interactions to retrieve the desired information • Computer based: computer software that attempts to retrieve the desired information.

  17. Human-based • Impersonation - Case studies indicate that help desks are the most frequent targets of social engineering attacks. • A Social Engineer calls the help desk • Help desk is helpful • Social engineer will often know names of employees • Important User - A common ploy is to pretend to be a senior executive. • Help desk is less likely to turn down a request coming from a high-level official • Social engineer may threaten to report the employee to their supervisor.

  18. Human-based • Third-party Authorization - The social engineer may have obtained the name of someone in the organization who has the authority to grant access to information. • “Mr. Martinez says it's OK.” • “Before he went on vacation, Mr. Martinez said I should call you to get this information.” • Tech Support - The social engineer pretends to be someone from the infrastructure-support groups. • The system is having a problem • Needs them to log on to test the connection

  19. Human-based • In Person - The social engineer may enter the building and pretend to be an employee, guest or service personnel. • May be dressed in a uniform • Allowed to roam • Becomes part of the cleaning crew • Dumpster diving - Going through the trash • Shoulder Surfing - Looking over a shoulder to see what someone is typing. • Passwords • Phone-card numbers

  20. Computer-based • Popup Windows - A window appears on the screen telling the user they have lost their network connection and need to re-enter their user name and password. • A program will then e-mail the intruder the information. • Mail attachments - Programs can be, and frequently are, hidden in e-mail attachments. • Viruses • Worms • Trojans

  21. Computer-based • Spam, Chain Letters and Hoaxes - These all rely on social engineering to be spread. • While they do not usually cause damage, they do cause a loss of productivity. • Frequently used by entrepreneurs in African countries (e.g., Nigerian scams) • They use valuable network resources. • Websites - A common ploy is to offer something free or a chance to win a sweepstakes on a Website. Registering requires an e-mail address and password.

  22. Computer-based Hacking Made Easy (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/16/AR2006031600916_pf.html) • When Graeme Frost received an e-mail notice that an expensive digital camera had been charged to his credit card account, he immediately clicked on the Internet link included in the message that said it would allow him to dispute the charge. As the 29-year-old resident of southwestern England scoured the resulting Web page for the merchant's phone number, the site silently installed a password-stealing program that transmitted all of his personal and financial information. • Frost is just one of thousands of victims whose personal data has been stolen by what security experts are calling one of the more brazen and sophisticated Internet fraud rings ever uncovered. The Web-based software employed by ring members to manage large numbers of illegally commandeered computers is just as easy to use as basic commercial office programs. No knowledge of computer programming or hacking techniques is required to operate the software, which allows the user to infiltrate and steal financial information from thousands of PCs simultaneously. • The quality of the software tools cyber criminals are using to sort through the mountains of information they've stolen is a clear sign that they are seeking more efficient ways to monetize that data, experts say.

  23. Computer-based Hacking Made Easy • Frost's data, along with information stolen from thousands of other victims, made its way to a Web site hosted by a Russian Internet service provider. The site is currently the home base of a network of sites designed to break into computers through a security hole in Microsoft's Internet Explorer Web browser. The data thieves use the IE flaw to install programs known as "keyloggers" on computers that visit the specially coded Web pages. The keyloggers then copy the victims' stored passwords and computer keystrokes and upload that information to the database. • The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers. • They can even update their spyware installations with new versions tailored to defeat the most recent anti-virus updates. With one click on the Web site's "Add New Exploit" button, users can simultaneously modify all of the keylogger programs already installed on their networks. • Symantec and other security experts also have spotted earlier versions of the software installed on at least two other Web sites, one of which is still active and has harvested password information from nearly 30,000 victims, the bulk of whom reside in the United States and Brazil.

  24. Computer-based Hacking Made Easy (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/16/AR2006031600916_pf.html) Keyloggers – Watching while you type… • Fast becoming among the most prevalent and insidious online threats: More than half of the viruses, worms and other malicious computer code that Symantec now tracks are designed not to harm host machines but to surreptitiously gather data from them. • These keylogger-control Web sites follow a trend toward automation in other realms of online fraud, such as virus-creation programs, spamming software and pre-packaged toolkits to help fraudsters set up "phishing" sites -- Web pages designed to trick people into giving away their personal and financial data at what looks like a legitimate e-commerce or banking site. • "This type of plug-and-play, click-and-hack software simply represents the commercialization of criminal activity, and in many respects lowers the technical knowledge barrier of entry to this type of crime." • Online criminals hack into thousands of small-merchant Web sites and embed code that silently installs keyloggers when users browse the sites with Internet Explorer. • A recent analysis for SANS estimated that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses, the analysis estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of infected machines.

  25. Computer-based … and so do spyware sites. eBay, Yahoo, Microsoft – all ask us to click Yes

  26. Computer-based

  27. Computer-based: Drag the window to reveal the real info!

  28. Computer-based • Drive-by social engineering: free game sites! Hey, we ALL love free stuff!

  29. Computer-based: Free games site exploits our desktop to install a Trojan

  30. Computer-based: Each user session includes different exploit content

  31. Common Types of Social Engineering Exploit Methods • Most dire request (e.g., recent PayPal e-mail phishing scams) • Contrived situation (e.g., Nigerian e-mail scams)

  32. Exploiting Human Nature and Personality Traits Social engineers prey on qualities of human nature and personality traits: • the desire to be helpful, cooperative, or a team player • the tendency to trust people • the fear of getting into trouble, moral obligation or duty, guilt The most skilled social engineer is able to obtain information without raising any suspicion as to what they are doing.

  33. Personality Traits • In the following discussion we will examine how various social engineering personality traits enhance the possibility of successful social engineering. • When present, these traits increase the likelihood of compliance.

  34. Personality Traits • Diffusion of responsibility - The target is made to believe that they are not solely responsible for their actions. • The social engineer creates situations with many factors that dilute personal responsibility for decision making. • The social engineer may drop names. • May claim someone higher up has made the decision. • Chance for ingratiation - The target is led to believe that compliance with the request will enhance their chances of receiving some sort of benefit. • Gaining advantage over a competitor. • Getting in good with the boss.

  35. Personality Traits • Trust Relationships - The social engineer expends time developing a trust relationship with the intended victim. • Usually following a series of small interactions. • Moral duty - Encouraging the target to act out of a sense of moral duty or moral outrage. • Requires the social engineer to gather information on the target and the organization. • Tries to get the target to believe that compliance will mitigate some sort of wrong that has been done.

  36. Personality Traits • Guilt - Most individuals attempt to avoid guilt feelings if possible. • Social engineers create situations designed to: • tug at the heartstrings • manipulate empathy • create sympathy • If granting a request will lead to avoidance of guilt, the target is more likely to comply. • Believing that not granting the request will lead to significant problems for the requestor is often enough to tip the balance in favor of compliance with the request.

  37. Personality Traits • Identification - Trying to get the target to identify with the social engineer. • The social engineer tries to build a connection with the target based on information gathered. • Informality is another trait social engineers excel at. • Desire to help - Social engineers rely on people’s desire to be helpful. • Holding the door. • Logging on to an account. • Lack of assertiveness or refusal skills.

  38. Personality Traits • Cooperation - The less conflict with the target the better. • Voice of reason • logic • patience

  39. Social Engineering Example
  Mr. Smith: Hello?
  Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we’re going to be moving some users’ home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.
  Mr. Smith: Uh, okay. I’ll be home by then, anyway.
  Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?
  Mr. Smith: Yes. It’s smith. None of my files will be lost in the move, will they?
  Caller: No sir. But I’ll check your account just to make sure. What was the password on that account, so I can get in to check your files?
  Mr. Smith: My password is Tuesday, in lower case letters.
  Caller: Okay, Mr. Smith, thank you for your help. I’ll make sure to check your account and verify all the files are there.
  Mr. Smith: Thank you. Bye.

  40. Potential Security Breaches • Help Desks - They try too hard to be helpful. • Websites - As we discussed before, setting up a bogus website to trap information (e.g., clone any well-known web site and cause people to click on a bogus link in an e-mail to enter their logon credentials – phishing). • A social engineer may simply walk in and behave like one of the employees. • We tend NOT to challenge unfamiliar personnel often enough

  41. Common Defenses • Everyone that enters the building (contractors, business partners, vendors, employees) must show identification. • Passwords should never be spoken over the phone. • Passwords are not to be left lying around – they must be stored in a secure location only accessible to the individual they were issued to. • Caller ID technology can be used to help verify who you are speaking to. • Properly destroy passwords and all sensitive but unclassified (SBU) information - invest in and properly use shredders and degaussers.

  42. Recognize the Signs
  • Recognize key signs that indicate you may be the target of a social engineering attack:
  • Refusal to give contact information
    • “I cannot be contacted”
    • “I’m on my cell phone and the battery is about to die”
    • The number they give you is a “call out only” number
  • Rushing
  • Name-dropping
  • Intimidation
  • Small mistakes
  • Requesting sensitive information

  43. Defense… the 2 step… (actually 4 step) Step 1 • If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. • Insist on verifying the caller’s identity by calling them back at their proper telephone number as listed in the organization’s telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.

  44. Defense… the 2 step… (actually 4 step) Step 2 • Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious, very suspicious.

  45. Defense… the 2 step… (actually 4 step) Step 3 • Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.

  46. Defense… the 2 step… (actually 4 step) Step 4 • If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your manager and to security personnel immediately!
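As an added illustration that is not part of the presentation and not DOI's own procedure, the following Python routine turns Steps 1, 2 and 4 above, together with the warning signs from the "Recognize the Signs" slide, into a help-desk decision: refuse any password request outright, call back only at the directory number when sensitive data or a warning sign is involved, and flag refusals and warning signs for reporting. The directory, the phrase lists and the call records are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Constructed sample standing in for the organization's telephone directory.
DIRECTORY = {"fjones": "555-0101", "martinez": "555-0120"}

# Items that Step 1 says go only to a caller whose identity has been verified.
SENSITIVE = {"password", "badge number", "employee number", "system configuration"}

# Constructed phrase lists keyed to the "Recognize the Signs" slide.
RED_FLAGS = {
    "refusal to give contact information": ("cannot be contacted", "call out only",
                                            "battery is about to die"),
    "rushing": ("right now", "immediately", "looming deadline"),
    "name-dropping": ("said i should call", "says it's ok", "chief of staff"),
    "intimidation": ("report you", "your supervisor", "is waiting for this"),
}

class Decision(Enum):
    GRANT = "grant"
    CALLBACK = "verify by calling back at the directory number first"
    REFUSE = "refuse"

@dataclass
class Request:
    claimed_user: str                      # directory id the caller claims to be
    asks_for: str                          # what the caller wants
    transcript: str                        # what the caller said
    callback_given: Optional[str] = None   # a number the caller offered, if any

@dataclass
class Outcome:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None
    report: bool = False                   # Step 4: tell your manager and security

def signs_in(transcript: str) -> List[str]:
    text = transcript.lower()
    return [name for name, phrases in RED_FLAGS.items() if any(p in text for p in phrases)]

def evaluate(req: Request) -> Outcome:
    signs = signs_in(req.transcript)
    out = Outcome(Decision.GRANT, [f"sign: {s}" for s in signs], report=bool(signs))
    wants = req.asks_for.lower()
    directory_phone = DIRECTORY.get(req.claimed_user)
    refusal = None
    # Step 2: nobody, not even a real administrator, needs the user's password.
    if "password" in wants:
        refusal = "passwords are never disclosed; administrators have their own"
    elif directory_phone is None:
        refusal = "claimed identity is not in the directory"
    if refusal:                            # every refusal is a reportable incident (Step 4)
        out.decision, out.report = Decision.REFUSE, True
        out.reasons.append(refusal)
    # Step 1: sensitive data, or any warning sign, means call back before answering,
    # and only at the directory number, never at one the caller supplied.
    elif wants in SENSITIVE or signs:
        out.decision, out.callback_number = Decision.CALLBACK, directory_phone
        if req.callback_given and req.callback_given != directory_phone:
            out.reasons.append("caller-supplied number differs from directory; ignored")
    return out
```

Run against the Mr. Smith dialogue on slide 39, the "Fred Jones in tech support" password request comes back as REFUSE with report set, regardless of how plausible the disk-move story sounds.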

  47. Final Thoughts • A social engineer with enough time, patience and tenacity will eventually exploit some weakness in the security of an enterprise. • The best defense against social engineering attacks combines raising the bar of awareness among employees, volunteers and contractors, a sense of personal responsibility to protect DOI’s mission and IT assets, an understanding of the signs of social engineering attacks, and reporting any suspected incidents.

  48. Credits (or who I stole this presentation from…) • Plagiarism is the greatest form of flattery • With Permission from Stan Lowe (DOI BLM) • Melissa Guenther • Wikipedia • Foundstone

  49. Ready for a break? Questions?

  50. United States Department of the Interior. Social Engineering & Internal/External Threats. March 22, 2006. Lawrence K. Ruffin, Lawrence_Ruffin@ios.doi.gov
