Social Engineering: The Non-Technical Threat to Information Security

Herbert J. Mattord, CISSP
Manager of Operations, Center for Information Security Education and Awareness
Coordinator, Information Security Assurance Certificate
Instructor of Information Systems

Information Security

Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. It is the protection of the confidentiality, integrity, and availability of information while in transmission, storage, or processing, through the application of policy, technology, and education and awareness.

Security is a People Problem

Money may be the root of all evil, but people are the root of all problems. People, who are all fallible, are usually recognized as one of the weakest links in securing information. The problem is that no matter how much work is placed in the protection of information, it only takes one misguided soul to completely defeat all efforts.

Who's the biggest threat?

- Tommy Twostory: convicted burglar
- Dick Davis, a.k.a. "Wannabe": amateur hacker
- Harriet Allthumbs: accidentally deleted the only copy of a critical report

Helen Keller

"Science may have found a cure for most evils, but it has found no remedy for the worst of them all: the apathy of human beings."

The Great Fire Wall

Sun Tzu

"Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and yourself, you are certain in every battle to be in peril."

Know Your Enemy: Threats to Information Security

A study in 2002 examined the dominant threats to information security and prioritized them based on their overall level of concern.

Threats to Information Security

1. Acts of Human Error or Failure
2. Compromises to Intellectual Property
3. Deliberate Acts of Espionage or Trespass
4. Deliberate Acts of Information Extortion
5. Deliberate Acts of Sabotage or Vandalism
6. Deliberate Acts of Theft
7. Deliberate Software Attacks
8. Forces of Nature
9. Quality of Service Deviations (Service Providers)
10. Technical Hardware Failures or Errors
11. Technical Software Failures or Errors
12. Technological Obsolescence

Top Threats to Information Security

1. Deliberate Software Attacks: viruses (created by people, propagated by people); DOS (caused by people)
2. Technical Software Failures or Errors: programming glitches (caused by people)
3. Acts of Human Error or Failure: people errors, people failures
4. Deliberate Acts of Espionage or Trespass: hacking and sniffing (by people)
5. Deliberate Acts of Sabotage or Vandalism: web page defacements, trashing hardware and software (by people)

Social Engineering (Wikipedia)

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust rather than exploiting technical computer security holes. It is generally agreed upon that users are the weak link in security, and this principle is what makes social engineering possible.

Examples

A contemporary example is the use of e-mail attachments that contain malicious payloads. After earlier malicious e-mails led software vendors to disable automatic execution of attachments, users now have to explicitly activate attachments for this to occur. Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work.

Another effective attack is tricking a user into thinking one is an administrator and requesting a password for various purposes. Users of Internet systems frequently receive messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign operation, in what are called phishing attacks. Users of these systems must be warned early and frequently not to divulge sensitive information, passwords or otherwise, to people claiming to be administrators. Administrators of computer systems rarely, if ever, need to know the user's password to perform administrative tasks.

An Infosecurity survey found that 90% of office workers gave away their password in exchange for a cheap pen.

Examples (2)

Social engineering also applies to the act of face-to-face manipulation to gain physical access to locations and systems. Training users about security policies and ensuring that they are followed is the primary defense against social engineering. One of the most famous social engineers in recent history is Kevin Mitnick.

Pretexting (from Wikipedia)

Pretexting is to pretend that you are someone who you are not, telling an untruth or creating deception. The practice of pretexting involves tricking someone, such as a telecom carrier, into giving up personal information, in most cases with the scammer pretending to be the customer. At present, the majority of wireless providers consider the practice of pretexting illegal.

Phishing (from Wikipedia)

A form of criminal activity using social engineering techniques, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. The term "phishing" arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

Example 1

Example 2

Example 3