
Social Engineering Training

Social Engineering Training. Why Social Engineering Training?. The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments of DOE laboratories. The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008.


Presentation Transcript


  1. Social Engineering Training

  2. Why Social Engineering Training?
     • The Department of Energy (DOE) authorized the Red Team to perform vulnerability assessments of DOE laboratories.
     • The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008.
     • They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office.
     • This training class was developed to provide the tools required to identify, detect and deter advanced Social Engineering attempts.

  3. Definition
     What is social engineering?
     • The art of manipulating people into performing actions or divulging confidential information.
     • Using trickery to gather information or computer system access.
     • In most cases the attacker never comes face-to-face with the victim.

  4. What motivates social engineering?
     • Obtaining personal information for profit.
     • Gaining unauthorized access to an organization.
     • Circumventing established procedures.
     • Just because they can.

  5. Techniques
     • Pretexting
     • Phishing (1)
     • Trojan Horse (1)
     • Baiting (1, 2)
     (1) The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office.
     (2) The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.

  6. Pretexting
     Description
     • Create and use an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, typically over the telephone.
     Phone calls
     • Claim a need to perform a service.
     • Ask for information about the organization (e.g., posing as reporters or prospective students).
     • Claim to be calling on behalf of a friend, or that family members need access to something.
     Prevention
     • Be polite.
     • Ask for a number to call *them* back; this may allow tracing later.
     • Ask a question for which the answer is not publicly available.

  7. Phishing
     Description
     • The attacker sends an e-mail that appears to come from a legitimate business (bank, credit card company) requesting “verification” of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate and may include company logos and content.
     Types of e-mail
     • Standard Viagra, off-shore lottery, etc. spam. Easy to spot and avoid.
     • E-mail claiming to be from DOE, ISU or a bank requiring a quick response and personal information.
     • Unsolicited CVs, requests for feedback on proposals, requests *for* proposals.

  8. Phishing
     Prevention
     • Examine e-mail headers: http://www.internal.ameslab.gov/is/desktopprocedures/FAQ/email-analysis.html
     • Verify the sender prior to opening attachments or clicking on web links:
       • Call the sender.
       • Contact an associate or representative of the sender, if known.
     • Instead of clicking on e-mail web links, copy and paste them into a browser.
     • Forward suspicious e-mail to cybersec@ameslab.gov for verification.

  9. Phishing – Email Links

  10. Phishing - Email Headers

  11. Trojan Horse
     Description
     • The “e-mail virus” arrives as an e-mail attachment promising anything from a “cool” screen saver, an important anti-virus or system upgrade, or the latest gossip about a celebrity.

  12. Baiting
     Description
     • Attacker leaves a malware-infected CD-ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
     • Attacker sends the infected device via “snail” mail.

  13. Baiting
     Types of mail
     • Unsolicited CDs/DVDs. Claim to provide training or information but really install malware.
     • Unsolicited thumb drives.
     • “Lost” CDs, thumb drives, other media.
     Prevention
     • Verify unexpected mailings with the sender.
     • Never put anything into your computer if you don’t know where it’s been.
     • Bring “lost” items to IS for examination.
     • If unsure, ask the IS office.

  14. Tools used by Social Engineers
     • Any publicly available information
       • Postings on public web pages.
       • Phone book information.
       • Professional information.
     • Personal and professional relationships
       • Association with ISU.
       • Association with DOE.
       • Conferences and collaborations in field of expertise.

  15. Quick Tests: Which of these emails is legitimate? Which is fake?

  16. Quick Tests
     • Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack?
     • Can you think of an unsolicited e-mail, phone call, or snail-mail attack which would be impossible to verify or handle safely?

  17. How to avoid Social Engineering tactics
     • Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
     • Be certain of a person’s authority to have the information before providing personal information or information about your organization, including its structure or networks.

  18. How to avoid Social Engineering Tactics (Cont)
     • Never reveal personal or financial information in email or respond to email solicitations for this information. This includes following links sent in an email.
     • Check a website’s security before sending sensitive information over the internet.
     • Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
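The header checks from slide 8 and the URL checks from slide 18, as an added Python example that is not part of the Ames Laboratory deck: it reads one raw e-mail, compares the Return-Path and Reply-To domains with the From domain, and flags link destinations that are spelling variations, different-TLD versions or padded forms of a trusted domain. TRUSTED_DOMAINS, the sample message and every host in it are constructed for illustration; ameslab.gov is the only domain taken from the deck.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"ameslab.gov"}  # constructed allow-list; add your own organisation's domains

def mail_domain(header_value):
    """Domain of an address header such as 'Name <user@host>', lowercased ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None for the real domain/subdomain."""
    host = host.lower()
    for t in trusted:
        if host == t or host.endswith("." + t):
            return None  # the genuine domain or a real subdomain of it
        same_name = host.rpartition(".")[0] == t.rpartition(".")[0]  # ameslab.net vs ameslab.gov
        one_char = len(host) == len(t) and sum(a != b for a, b in zip(host, t)) == 1  # amesIab.gov
        if t in host or same_name or one_char:  # also catches ameslab.gov.attacker.example
            return t
    return None

def analyze(raw_message):
    """Run the header and link checks over one raw e-mail; return a list of findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    domains = {h: mail_domain(msg[h]) for h in ("From", "Return-Path", "Reply-To")}
    for hdr, dom in domains.items():
        if dom and dom != domains["From"]:  # bounces or replies go somewhere other than From
            findings.append(f"{hdr} domain {dom} does not match From domain {domains['From']}")
        if dom and (hit := lookalike_of(dom)):
            findings.append(f"{hdr} domain {dom} looks like {hit}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()  # assumes a text body
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        host = (urlparse(href).hostname or "").lower()  # where the link really goes
        shown = (urlparse(text.strip()).hostname or text.strip()).lower()  # what the reader sees
        if re.fullmatch(r"[\w.-]+\.\w+", shown) and shown != host:
            findings.append(f"link text shows {shown} but destination host is {host}")
        if (hit := lookalike_of(host)):
            findings.append(f"link host {host} looks like {hit}")
    return findings

# Constructed sample message (not a real e-mail); it trips each of the checks above.
SAMPLE = """From: Ames Lab IS Office <cybersec@ameslab.gov>
Return-Path: <bounce@mail-blast.example.net>
Reply-To: verify@amesIab.gov
Content-Type: text/html

<p>Your account will be disabled. <a href="http://ameslab.gov.account-check.example.net/login">http://www.ameslab.gov/login</a></p>
"""
```

Calling `analyze(SAMPLE)` returns five findings: the two header domains that differ from From, the one-character Reply-To lookalike, the link whose visible text names a different host than its destination, and that destination's padded use of the trusted domain.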

  19. How to avoid Social Engineering Tactics (Cont)
     • If you are unsure whether an email request is legitimate, try to verify it by contacting the company or person directly. Check previous statements for contact information rather than using contact information provided on a web site connected to the request or in an email sent to you.
     • Install and maintain anti-virus software, firewalls, and email filters to reduce unwanted traffic.

  20. How to report Social Engineering
     • If Social Engineering techniques are attempted while at work…
     • If you believe you might have revealed sensitive information about the Ames Laboratory…
     • Report it to the IS office at:
       • Phone: 4-8348
       • Email: cybersec@ameslab.gov
     • This will alert us to any suspicious or unusual activity.

  21. Certificate of Completion
     This certifies the individual listed below has successfully completed the course entitled Social Engineering Training.
     Prepared by the Ames Laboratory Information Systems Office
     Employee Name:
     Employee #:
     Date:
