Kelly Corning, Julie Sharp

Overview
- Human-based techniques: impersonation
- Computer-based techniques: malware and scams

Social Engineering
- Manipulates legitimate users into undermining their own security system
- Abuses trusted relationships between employees
- Very cheap for the attacker
- Attacker does not need specialized equipment or skills

Impersonation (Human-Based Techniques)
- Help Desk
- Third-Party Authorization
- Tech Support
- Roaming the Halls
- Repairman
- Trusted Authority Figure
- Snail Mail

Computer-Based Techniques
- Pop-up windows
- Instant Messaging and IRC
- Email Attachments
- Email Scams
- Chain Letters and Hoaxes
- Websites

Help Desk
- Hacker pretends to be an employee
- Recovers a "forgotten" password
- Help desks often do not require adequate authentication

Third-Party Authorization
- Targeted attack on someone who has:
  - Information
  - Access to assets
  - Verification codes
- Claim that a third party has authorized the target to divulge sensitive information
- More effective if the third party is out of town

Tech Support
- Hacker pretends to be tech support for the company
- Obtains user credentials "for troubleshooting purposes"
- Users must be trained to guard credentials

Roaming the Halls
- Hacker dresses to blend in with the environment
  - Company uniform
  - Business attire
- Looks for sensitive information that has been left unattended
  - Passwords written down
  - Important papers
  - Confidential conversations

Repairman
- Hacker wears the appropriate uniform
- Often allowed into sensitive environments
- May plant surveillance equipment
- Could find sensitive information

Trusted Authority Figure
- Hacker pretends to be someone in charge of a company or department
- Similar to the "third-party authorization" attack
- Examples of authority figures
  - Medical personnel
  - Home inspector
  - School superintendent
- Impersonation in person or via telephone

Snail Mail
- Hacker sends mail that asks for personal information
- People are more trusting of printed words than of webpages
- Examples
  - Fake sweepstakes
  - Free offers
  - Rewards programs
- More effective on older generations

Pop-up Windows
- Window prompts the user for login credentials
- Imitates the secure network login
- Users can check for visual indicators to verify security

Instant Messaging and IRC
- Hacker uses IM or IRC to imitate the technical support desk
- Redirects users to malicious sites
- Trojan horse downloads install surveillance programs

Email Attachments
- Hacker tricks the user into downloading malicious software
- Programs can be hidden in downloads that appear legitimate
- Examples
  - Executable macros embedded in PDF files
  - Camouflaged extension: "NormalFile.doc" vs. "NormalFile.doc.exe"
  - Often the final extension is hidden by the email client
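The camouflaged-extension trick above can be caught at a mail gateway before a user ever sees the attachment. The following is an added example, not part of the original slides: it reports what a client that hides the final extension would display, what the file really is, and whether the attachment should be held. The extension lists and sample filenames are constructed for illustration.

```python
# Added example: flag attachments whose real (final) extension is executable,
# especially "NormalFile.doc.exe"-style names that a mail client would show
# as "NormalFile.doc" when it hides the last extension.

# Constructed, non-exhaustive lists of extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".jar", ".msi", ".ps1"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt",
                 ".ppt", ".pptx", ".jpg", ".png"}


def split_extensions(filename: str) -> list[str]:
    """Return every dotted extension in order, lowercased, e.g. ['.doc', '.exe']."""
    parts = filename.split(".")
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(filename: str) -> str:
    """Name as shown by a client that hides a known final extension."""
    exts = split_extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return filename[: -len(exts[-1])]
    return filename


def check_attachment(filename: str) -> dict:
    """Classify one attachment name; 'flag' is True when it should be held."""
    exts = split_extensions(filename)
    real_ext = exts[-1] if exts else ""
    shown = displayed_name(filename)
    result = {"name": filename, "shown_as": shown, "real_ext": real_ext,
              "flag": False, "reason": ""}
    if real_ext in EXECUTABLE_EXTS:
        result["flag"] = True
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            # Document-looking name in front of an executable extension.
            result["reason"] = f"camouflaged: displays as {shown!r} but runs as {real_ext}"
        else:
            result["reason"] = f"executable attachment ({real_ext})"
    return result


def scan_attachments(filenames) -> list[dict]:
    """Return only the attachments that should be quarantined."""
    return [r for r in map(check_attachment, filenames) if r["flag"]]


# Constructed sample attachment names for a stand-alone run.
SAMPLE_ATTACHMENTS = ["NormalFile.doc", "NormalFile.doc.exe", "Invoice.PDF.js",
                      "setup.exe", "Q1 report v2.1.pdf", "README"]

if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{hit['name']}: {hit['reason']}")
```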
Email Scams
- More prevalent over time
- Begins by requesting basic information
- Leads to financial scams

Chain Letters and Hoaxes
- More of a nuisance than a threat
- Spread using social engineering techniques
- Productivity and resource cost

Websites
- Offer prizes but require a created login
- Hacker capitalizes on users reusing login credentials
- Website credentials can then be used for illegitimate access to assets

Defenses
- Never disclose passwords
- Limit IT information disclosed
- Limit information in auto-reply emails
- Escort guests in sensitive areas
- Question people you don't know
- Talk to employees about security
- Centralize reporting of suspicious behavior

Never Disclose Passwords
- Remind employees to keep passwords secret
- Don't make exceptions
- It's not a grey area!

Limit IT Information Disclosed
- Only IT staff should discuss details of the system configuration with others
- Don't answer survey calls
- Check that vendor calls are legitimate

Limit Information in Auto-Reply Emails
- Keep details in out-of-office messages to a minimum
- Don't give out contact information for someone else
- Route requests to a receptionist

Escort Guests in Sensitive Areas
- Guard all areas with network access
  - Empty offices
  - Waiting rooms
  - Conference rooms
- This protects against the "Repairman" and "Trusted Authority Figure" attacks

Question People You Don't Know
- All employees should have appropriate badges
- Talk to people you don't recognize
- Introduce yourself and ask why they are there

Talk to Employees About Security
- Regularly talk to employees about common social engineering techniques
- Always be on guard against attacks
- Everyone should watch what they say and do

Centralize Reporting of Suspicious Behavior
- Designate an individual or group
- Social engineers use many points of contact
  - Survey calls
  - Presentations
  - Help desk calls
- Recognizing a pattern can prevent an attack

Sources
- Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013. <http://community.spiceworks.com/how_to/show/666-bestpractices-to-prevent-social-engineering-attacks>.
- Information, Network & Managed IT Security Services. "Social Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013. <http://www.secureworks.com/consulting/security_testing_and_assessments/social_engineering/>.
- "Types of Social Engineering." NDPN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013. <http://www.npdn.org/social_engineering_types>.