SOCIAL ENGINEERING

This preview shows page 1-2-3-20-21-40-41-42 out of 42 pages.


Social Engineering: The Non-Technical Threat to Information Security
Information Security
Security is a People Problem
Who’s the biggest threat?
Helen Keller
The Great [Fire] Wall
Sun Tzu
Know Your Enemy
Threats to Information Security
Threats to Information Security
Top Threats to Information Security
Social Engineering
Examples
Examples - 2
Pretexting
Phishing
Example 1
Example 2
Example 3
Example 4-A
Example 4-B
Example 4-C
The Solution
Spheres of Security
Planning
Policy
Security Education, Training and Awareness (SETA)
Awareness Behavior
Awareness
SETA Awareness Components
Training
Education
Prosecution and Partnering
Support for The Solutions
The Human Firewall
The Human Firewall Manifesto
The Human Firewall Manifesto
Social Engineering Futures
Pharming
Albert Einstein
Helen Keller
Contact Information

Social Engineering: The Non-Technical Threat to Information Security
Herbert J. Mattord, CISSP
Manager of Operations, Center for Information Security Education and Awareness
Coordinator, Information Security & Assurance Certificate
Instructor of Information Systems

Social Engineering: The Non-Technical Threat 2

Information Security
Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
It is the protection of the confidentiality, integrity and availability of information while in transmission, storage or processing, through the application of policy, technology, and education and awareness.

Security is a People Problem
Money may be the root of all evil, but people are the root of all problems.
People, who are all fallible, are usually recognized as one of the weakest links in securing information.
The problem is: no matter how much work is placed in the protection of information, it only takes one misguided soul to completely defeat all efforts.

Who’s the biggest threat?
Harriet Allthumbs: Accidentally deleted the only copy of a critical report
Tommy Twostory: Convicted burglar
Dick Davis, a.k.a. Wannabe: Amateur Hacker

Helen Keller
Science may have found a cure for most evils; but it has found no remedy for the worst of them all—the apathy of human beings.

The Great [Fire] Wall

Sun Tzu
“Know the enemy and know yourself; in a hundred battles you will never be in peril.
When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal.
If ignorant both of your enemy and yourself, you are certain in every battle to be in peril.”

Know Your Enemy
Threats to Information Security
A Study in 2002 examined the dominant threats to information security, and prioritized them based on their overall level of concern.

Threats to Information Security
1. Acts of Human Error or Failure
2. Compromises to Intellectual Property
3. Deliberate Acts of Espionage or Trespass
4. Deliberate Acts of Information Extortion
5. Deliberate Acts of Sabotage or Vandalism
6. Deliberate Acts of Theft
7. Deliberate Software Attacks
8. Forces of Nature
9. Quality of Service Deviations - Service Providers
10. Technical Hardware Failures or Errors
11. Technical Software Failures or Errors
12. Technological Obsolescence

Threats to Information Security

Top Threats to Information Security
1. Deliberate Software Attacks
– viruses – created by people, propagated by people
– DOS – caused by people
2. Technical Software Failures or Errors
– Programming glitches – caused by people
3. Act of Human Error or Failure
– people errors, people failures
4. Deliberate Acts of Espionage or Trespass
– Hacking and sniffing – by people
5. Deliberate Acts of Sabotage or Vandalism
– Web page defacements, trashing hardware/software – by people

Social Engineering
♦ Wikipedia:
– Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies
– By this method, social engineers exploit the natural tendency of a person to trust rather than exploiting technical computer security holes
– It is generally agreed upon that users are the weak link in security and this principle is what makes social engineering possible

Examples
♦ A contemporary example is the use of e-mail attachments that contain malicious payloads
– After earlier malicious e-mails led software vendors to disable automatic execution of attachments, users now have to explicitly activate attachments for this to occur
– Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work
♦ Another effective attack is tricking a user into thinking one is an administrator and requesting a password for various purposes
– Users of Internet systems frequently receive messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign operation in what are called phishing attacks
– Users of these systems must be warned early and frequently not to divulge sensitive information, passwords or otherwise, to people claiming to be administrators
– Administrators of computer systems rarely, if ever, need to know the user's password to perform administrative tasks
♦ An Infosecurity survey found that 90% of office workers gave away their password in exchange for a cheap pen

Examples - 2
♦ Social engineering also applies to the act of face-to-face manipulation to gain physical access to locations and systems
♦ Training users about security policies and ensuring that they are followed is the primary defense against social engineering
♦ One of the most famous social engineers in recent history is Kevin Mitnick

Pretexting
♦ From Wikipedia:
– Pretexting is to pretend that you are someone who you are not, telling an untruth, or creating deception
– The practice of pretexting involves tricking [someone,

