
Social Engineering


Presentation Transcript


  1. Social Engineering
  Part IC: How Scammers Manipulate Employees to Gain Information

  2. Consistency Attack -- Example
  For example, consider this scenario: You have been working for DHS for only a few months, when you get a phone call from a person who says he is from the security unit and he is calling to remind you of your agreement to abide by the agency security and privacy policies. After discussing a few security practices, the caller asks you for your password to verify that you are following the agency rules for creating passwords. You comply and give the password because you have agreed to follow policy and you want to be sure you are responding correctly.
  2014 DHS IT Security & Privacy Training

  3. Consistency Attack -- Response
  See how twisted it is? You tried to show that you were following policy, and you broke policy in the process.
  • In this example, you MUST file a Security Incident Report within one business day of the incident.
  • You should also change your password immediately… although it may be too late.
  • Remember, never give out your username and/or password!

  4. Consistency Attacks
  • We tend to comply with a request after we have promised to do something.
  • Once we have promised something, we don’t want to appear untrustworthy or undesirable, so we usually comply with the request.

  5. Social Validation -- Example
  Here is one scenario: You work in the DHS Donaghey Central Office Complex and are entering a door that requires an access card for entry. Someone “tailgates” into the building behind you. You have never seen the tailgater. However, you have seen other employees hold the door open so people could enter, and nobody has ever been questioned or asked to show an ID. So, you assume that this is just another employee you don’t know, because there are a lot of them; and you don’t say or do anything.

  6. Social Validation -- Response
  Someone who has no business being in the DHS Complex may just have entered. This person could have malicious intent:
  • to physically harm an employee,
  • to steal money or credit cards from employees, or
  • to wander into an empty office and go through the drawers or papers on the desk, looking for documents with Social Security Numbers or other sensitive information.
  You ignored this situation because you have seen other DHS employees ignore it. DHS requires everyone inside a DHS facility to wear an ID badge. If a person who wants entrance to a facility is not wearing ID, that person should be escorted to the person or location that checks ID.

  7. Social Validation Attacks
  • We tend to comply when we know or see that others are doing the same thing.
  • We accept the action of other people as validation that what we are doing is the correct and appropriate action.

  8. Social Validation -- Example
  Here is another scenario: Barry was checking his home email from his computer at the office. He received an electronic greeting card in his home email that he liked. He liked it so much that he forwarded it to his work email address. Then, from his work email account, he forwarded it to Judy, Lisa, and Mark. Every recipient had to click on the attachment to view the card. Judy saw that Barry had sent the card to her and to several other DHS employees, so she assumed it was safe. She clicked the attachment to view the card. She liked the greeting card so much that she forwarded it to several of her DHS friends at their DHS computers.

  9. Social Validation -- Response
  Judy opened the card and clicked the attachment because another DHS employee sent it to her and several other people, so she assumed the card was OK.
  • Opening the attachment in the card could have installed malicious software on the computer. If this card had been infected, Barry, Judy and the others may have just infected the DHS computer system.
  • This is why DHS employees are restricted from installing software, screensavers, special mouse pointers, wallpaper programs, weather-monitoring software, and other computer programs on the DHS computers.

  10. How To Protect Yourself and DHS
  • Learn to trust your more paranoid instincts. If you think someone is trying to con you, stand back from the situation and think about it. Buy yourself some time if you can; for example, take a number and promise to call back.
  • Be conscious of personal information: bank details, credit card numbers, and passwords are obvious, but a fraudster can make use of trivial information such as where you work, information about friends and family, etc.
  • Check credentials carefully. For example, if someone claims to be working for a group home, look up the number of the home, call it, and check.

  11. How To Protect Yourself and DHS
  • Be firm. Con artists can be very persistent and persuasive, playing on human emotions like guilt, greed and the desire to be liked. Stick to your guns.
  • Don’t accept unknown people as legitimate on the grounds that they sound authoritative or knowledgeable. Just because somebody knows a company practice or uses internal terminology is no reason to assume that his/her identity doesn’t need to be verified in other ways.
  • Always follow DHS policies and make use of your DHS contacts.

  12. Watch For These Tipoffs Also…
  The Computer Security Institute provides tips to users that should trigger alarm when you are asked to provide information by unknown persons or in unsolicited e-mails. Be suspicious if a caller or emailer:
  • Refuses to provide contact information,
  • Exhibits undue haste for a response,
  • Name-drops VIPs within the organization,
  • Attempts to intimidate or ingratiate,
  • Makes mistakes such as misspellings or inaccuracies,
  • Asks odd questions or requests information that is for official use only.
  Don’t give out any information, and file a security report at once!

  13. When in doubt, don’t give it out.
