
Social Engineering

chandler

Presentation Transcript


  1. Social Engineering Part IA: How Scammers Manipulate Employees to Gain Information

  2. • When money or goods are stolen, somebody will notice they are gone.
     • When information is stolen, most of the time no one will notice because the information is still there.
     2014 DHS IT Security & Privacy Training

  3. What Is Social Engineering?
     • It is the art of manipulating people into saying or doing something that reveals confidential information or grants access to it.
     • It often involves tricking people into breaking normal security procedures.
     • It relies on the natural helpfulness of people as well as on their weaknesses.
     • It is sometimes called a "con game."

  4. Stopping Social Engineering
     There is no technology in the world that can stop social engineering attacks.

  5. Protecting DHS Sensitive Information
     • How do we protect DHS sensitive information?
     • How do you protect your personal information?

  6. How Do We Protect Sensitive Information if Technology Can't?
     • Educate every employee on DHS security and privacy policies and procedures; this leads to social awareness.
     • Understand how attackers manipulate people to get information.
     • Learn appropriate and inappropriate behavior related to providing information.

  7. The Problem Is … Who Is Asking for Sensitive Information
     • We don't want to stop being helpful to coworkers or to customers.
     • So we need specific verification procedures to use whenever anybody requests computer access or confidential information.
     • That way we can be helpful to those who need information while still protecting DHS information assets and computer systems.

  8. How Attackers Take Advantage of Us
     • Social engineering = manipulation.
     • Attackers try to manipulate us into complying with their requests for information.
     • There are several key methods attackers use to manipulate us into giving up information.

  9. What It Boils Down To
     • By giving out information, we may unintentionally be giving manipulators information they should not have.
     • This information may hurt:
       • DHS,
       • DHS clients, or
       • DHS employees.
     • Complying with inappropriate requests may also mean DHS employees lose personal information, including personal passwords.
     • This makes DHS vulnerable if employees use the same passwords at DHS and at home.

  10. Manipulation Attacks Take Many Forms
     • We are most experienced with manipulation through email attacks, and we're not very good at foiling those.
     • But manipulation can take many forms, and the scammers are patient and willing to do whatever it takes to get the information they want.

  11. How Social Engineers Attempt to Manipulate Us
     These behaviors are used in the majority of manipulation attempts. The next slides explain these behaviors and give examples of how they are used to manipulate us.

  12. The Manipulation Attack Process

  13. The Manipulation Attack Process
     • Gather Information: Attackers use a variety of techniques to gather information about their targets, such as phone lists, Social Security numbers, dates of birth, mothers' maiden names, system designs, or organizational structures and procedures. The gathered information is used to build a relationship, however temporary, with someone connected to the eventual target.
     • Develop Relationship: It's human nature to be somewhat trusting. Attackers exploit this tendency to develop a rapport with their targets. In some cases this takes place in a single phone call; in others it can span weeks or longer. By developing a relationship, attackers place themselves in a position of trust, which can then be exploited.

  14. The Manipulation Attack Process
     • Exploit Relationship: The attacker manipulates the target into revealing information (e.g., passwords, credit card numbers, or vacation schedules) or performing an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This information or action can be the end objective or can be used to stage the next attack or cycle of the attack.
     • Use Information to Achieve Objective: The attacker uses the information to achieve the end objective. Often an attack includes a number of these cycles before the end objective is reached.

  15. When in doubt, don't give it out.
