
Social-engineering for engineers


amiel

Presentation Transcript


  1. Social-engineering for engineers. The Whats, Whys, Wheres and Hows of social-engineering

  2. Agenda
    • On-going technology development
    • Social-engineering
    • What's the story with the frauds?
    • How to prevent and defend against them?
    • And what to do if we fail to do the above?
    • What else should be done?

  3. On-going technology development. For the last 20 years (or so), we've been witnessing an amazing technological development. The challenge is not to be the first or the best... ... but not to be the last. It's not easy, however.

  4. On-going technology development. Who's having the problems then?
    • Content and service providers
    • Software and hardware vendors
    • Legislators and law enforcement
    • Internet users

  5. On-going technology development. "For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen..." Nope, that's not Pink Floyd. It's Stephen Hawking. But Internet-based communication is much more than text and sound.

  6. On-going technology development
    • Pictures
    • Video
    • Instant messaging and VoIP
    • Memes
    • And more to come, sooner or later

  7. On-going technology development. Still, there are things that haven't changed, e.g. non-verbal communication. For ages our behaviour has been based on the same rules. So what? Well, IT systems and applications are prone to errors, just like the humans who develop and operate them.

  8. Social-engineering. "The practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions." (source: Merriam-Webster Dictionary) In the context of information security, it "refers to psychological manipulation of people into performing actions or divulging confidential information." (source: http://en.wikipedia.org/)

  9. Social-engineering
    • Baiting
    • Pretexting
    • Phishing
    • Quid pro quo
    Boooooriiiiinnnngggg...

  10. Social-engineering. Robert Cialdini's six rules of influence:
    • Reciprocity
    • Commitment and Consistency
    • Social Proof
    • Authority
    • Liking
    • Scarcity

  11. Reciprocity
    • Nigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in the country of his origin. You'll be rewarded, but first you have to help. Some encouragement follows.
    • Favours - someone pretending to be an IT help-desk specialist calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password.

  12. Commitment and Consistency
    • "Free" IQ tests - the result is shown once you send a premium-rate text message (does it affect the overall score, BTW? ;)
    • Limited content - to view a full article or video you need to pay money or follow a dodgy link.
    • Mobile apps - if you clicked "download" and "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"?

  13. Liking
    • Phishing - fake e-mails and websites look really like the genuine ones (well, not in Poland; how's it in Georgia? ;)
    • Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what.
    • Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate.

  14. Authority
    • Donations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money laundering and other frauds.
    • Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling.

  15. Scarcity
    • "Last minute" offers - some people will pay for goods or services that are difficult to obtain or time-limited.
    • YOU are the 999th visitor to this website - and if you follow the link you'll win an iPad... Or will you?
    • Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like the ACTA case in Poland. Err, sort of.

  16. Some numbers...
    • discounts
    • guarantees
    • trial periods
    • returns

  17. How do they happen? In a number of ways:
    • sometimes a simple phone call is enough
    • malware leading to an APT attack
    • network snooping
    • IP / MAC / e-mail / Caller-ID spoofing
    • credit card skimming
    • dumpster diving (no, really!)
    But it's not all about the technology.

  18. How to prevent and detect them?
    • DLP (Data Leak Prevention)
    • IPS / IDS (Intrusion Prevention / Detection Systems)
    • Application firewall
    • URL filtering
    • BGP / DNS blackholing
    • SIEM (monitoring)
    • Host agents
    • Threat intelligence and whistle-blowers
    But...
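Slides 13 and 18 meet on one practical question: can the URL filter (or the analyst reading proxy logs) tell a lookalike domain from the genuine site? The script below is an added example for this transcript, not code from the presentation. It pulls URLs out of constructed proxy-log lines and scores each one against a small list of protected brands, flagging the tricks the phishing quizzes in slide 26 test for: a brand name buried inside somebody else's domain, one-character typosquats, raw IP hosts, `brand@attacker` userinfo and punycode homoglyphs. The brand list, the log format, the sample lines, the Cyrillic confusables table and the "last two labels" approximation of the registrable domain are all assumptions made for the example (a real filter would use a public-suffix list).

```python
"""Lookalike-domain triage over proxy-log lines.

Added example, not the presentation's code. The brand list, log format,
sample lines and confusables table are assumptions made for the example.
"""
import ipaddress
from urllib.parse import urlparse

# Domains whose brand we protect (assumption; organisation-specific in practice).
PROTECTED = ["paypal.com", "examplebank.com"]

# Cyrillic letters that render identically to Latin ones in most fonts.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

# Constructed sample log: "<utc time> <user> <url>" (not real traffic).
SAMPLE_LOG = """\
2013-11-05T09:14:02Z alice https://www.paypal.com/webapps/mpp/home
2013-11-05T09:15:41Z bob http://paypa1.com/signin
2013-11-05T09:16:07Z carol http://www.paypal.com.account-verify.example/login
2013-11-05T09:17:30Z dave http://192.0.2.10/examplebank/update
2013-11-05T09:18:12Z erin https://paypal.com@203.0.113.7/webscr
2013-11-05T09:19:55Z frank http://xn--pypal-4ve.com/
2013-11-05T09:20:03Z grace https://examplebank.com/online
"""


def levenshtein(a, b):
    """Edit distance; catches typosquats such as paypa1 vs paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels. Assumption: no public-suffix list, so suffixes
    like co.uk are not handled by this approximation."""
    return ".".join(host.split(".")[-2:])


def score_url(url):
    """Return (score, reasons); score 0 means nothing suspicious was seen."""
    reasons = []
    netloc = urlparse(url).netloc
    if "@" in netloc:
        # https://paypal.com@attacker/ - the browser connects to 'attacker'.
        reasons.append("userinfo before the host hides the real destination")
        netloc = netloc.rsplit("@", 1)[1]
    host = netloc.split(":")[0].lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
        return len(reasons), reasons
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")
        try:  # decode, fold confusables, see whether it now reads as a brand
            unicode_host = host.encode("ascii").decode("idna")
            if registrable(unicode_host.translate(CONFUSABLES)) in PROTECTED:
                reasons.append("homoglyph of a protected domain")
        except UnicodeError:
            pass
    reg = registrable(host)
    if reg in PROTECTED:
        return len(reasons), reasons  # the genuine site
    sld = reg.split(".")[0]
    for brand in (p.split(".")[0] for p in PROTECTED):
        if brand in host:
            reasons.append(f"'{brand}' used inside a domain that is not {brand}'s")
        elif levenshtein(sld, brand) <= 1:
            reasons.append(f"'{sld}' is one edit away from '{brand}'")
    if host.count(".") >= 3:
        reasons.append("unusually deep subdomain nesting")
    return len(reasons), reasons


def triage(log_text):
    """Parse the log; return flagged (url, score, reasons), worst first."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _user, url = line.split(maxsplit=2)
        score, reasons = score_url(url)
        if score:
            flagged.append((url, score, reasons))
    return sorted(flagged, key=lambda f: -f[1])


if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_LOG):
        print(f"{score} {url}\n    " + "\n    ".join(reasons))
```

Run on the constructed log, the two genuine URLs score 0 and the other five are listed with their reasons; the score is only a sort key for the analyst, so a single hit (a punycode label, say) is still worth a look rather than an automatic block.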

  19. How to prevent and detect them? "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." (Bruce Schneier) "You can't defend. You can't prevent. The only thing you can do is detect and respond." (Bruce Schneier) Photo source: http://www.clubhack.com/wp-content/uploads/2010/12/DSC_6514.jpg

  20. And what to do if we fail to do the above? Detection should be based on both user awareness and network / system monitoring - one won't work without the other. Incident response must be a process with appropriate procedures, staffing, support, funding and tools. Computer forensics is just a tool in incident responders' hands. A powerful one, but...

  21. Computer forensics. With all this cloud, big data, BYOD, data encryption and huge HDDs, it's really hard to respond to incidents efficiently. That's when live forensics comes into play:
    • Volatile data (e.g. RAM) acquisition
    • Imaging of encrypted disk drives while they are still unlocked, not only unencrypted ones
    • Preservation of data in the cloud
    • Minimising delays in availability

  22. Computer forensics. Triage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody). Triage can be performed by a trained incident responder (a "rescue team" member) on the scene. The computer forensics expert (a "surgeon") doesn't have to be involved yet.
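The triage step from slides 21 and 22, as an added example that is not the presenter's tooling: a Python collector that runs an ordered set of volatile-data commands (most volatile first), writes each output to its own file and appends a hash-chained manifest entry, so that a later `verify()` shows whether any output file or manifest line was altered, removed or reordered after acquisition. The command list (assumed Linux tools), the directory layout and the JSON-lines manifest format are assumptions made for the example; a failing or missing tool is recorded rather than allowed to abort the run, and memory imaging itself is left to a dedicated tool.

```python
"""Volatile-data triage with a hash-chained manifest.

Added example, not the presentation's own tooling. Assumptions: a Linux
host with the listed commands; the responder adapts the list per platform.
"""
import hashlib
import json
import os
import subprocess
import tempfile
import time

# Most volatile first (RFC 3227 order of volatility). Assumed Linux tools.
DEFAULT_COLLECTORS = [
    ("date", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("uptime", ["uptime"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("sockets", ["ss", "-tunap"]),
    ("logins", ["who", "-a"]),
    ("mounts", ["mount"]),
]
GENESIS = "0" * 64  # chain value before the first manifest entry


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(outdir, collectors=DEFAULT_COLLECTORS):
    """Run each collector, keep its output, append a chained manifest line.

    Returns (entries, head). The responder writes down (or signs) head on
    the scene: with it, verify() also catches edits to the last entry.
    """
    os.makedirs(outdir, exist_ok=True)
    entries, prev = [], GENESIS
    with open(os.path.join(outdir, "manifest.jsonl"), "w") as mf:
        for name, argv in collectors:
            started = time.time()
            path = os.path.join(outdir, f"{name}.txt")
            try:
                proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
                out, rc = proc.stdout + proc.stderr, proc.returncode
            except (OSError, subprocess.TimeoutExpired) as exc:
                # A missing or hung tool is recorded; triage carries on.
                out, rc = f"collector failed: {exc}\n", -1
            with open(path, "w") as f:
                f.write(out)
            entry = {"name": name, "argv": argv, "file": os.path.basename(path),
                     "returncode": rc, "started": started, "finished": time.time(),
                     "sha256": sha256_file(path), "prev": prev}
            line = json.dumps(entry, sort_keys=True)
            mf.write(line + "\n")
            prev = hashlib.sha256((prev + line).encode()).hexdigest()
            entries.append(entry)
    return entries, prev


def verify(outdir, expected_head=None):
    """Recompute every file hash and the chain. Returns (ok, head)."""
    prev = GENESIS
    with open(os.path.join(outdir, "manifest.jsonl")) as mf:
        for line in mf:
            line = line.rstrip("\n")
            entry = json.loads(line)
            if entry["prev"] != prev:
                return False, prev  # a line was removed, reordered or edited
            if sha256_file(os.path.join(outdir, entry["file"])) != entry["sha256"]:
                return False, prev  # an output file was altered
            prev = hashlib.sha256((prev + line).encode()).hexdigest()
    if expected_head is not None and prev != expected_head:
        return False, prev  # last entry edited, or entries appended later
    return True, prev


if __name__ == "__main__":
    target = tempfile.mkdtemp(prefix="triage-")
    _, head = collect(target)
    print(f"collected into {target}, chain head {head}")
    print("verify:", verify(target, head))
```

The chain head is the one value that has to leave the scene by a trusted route (written on the evidence form, or signed); everything else in the directory can be handed over as-is, because any later change to a file or a manifest line breaks the recomputed chain.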

  23. CSIRTs / CERTs. Computer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities. The effectiveness of their work depends on appropriate communication and co-operation with other governmental and business CSIRTs/CERTs. Maintaining defence capabilities and readiness at a high level means exercising and constantly improving.

  24. CSIRT Services

  25. And the conclusion is... People are the first and the last line of defence against the attacks on them and on the technology. The difference between us and the computers is that we think. Sometimes too much. It causes problems, but it can also help avoid them. So it's always better to think twice.

  26. Quiz
    • https://www.paypal.com/webapps/mpp/security/antiphishing-canyouspotphishing
    • http://www.sonicwall.com/furl/phishing/
    • http://www.opendns.com/phishing-quiz/
    • http://www.mailfrontier.com/forms/msft_iq_test.html
    • http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
    • http://www.contentverification.com/phishing/quiz/
    • http://www.onguardonline.gov/media/game-0011-phishing-scams
    • http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html
