A Multi-Level Defense Against Social Engineering
Allen Stone, 9/14/2005
Social Engineering
Social engineering is the process of deceiving people into giving away access or confidential information. This paper explores the psychological tactics of the attacker and the vulnerabilities of the victim, and outlines an effective defense against them. It is really the first paper to recognize all of the levels necessary for a proper defense and to suggest a defense that not only deters such attacks but also identifies or isolates the attacker.
Constructing an Effective Defense
• Understand the enemy’s tactics
• Find our psychological vulnerabilities
• Identify the various levels of defense
• Devise defense strategies at all levels
The Enemy – Methods
• Develop trust
• Reverse social engineering
• Avenues and media
• Avoid pigeonholing the enemy: he/she will call, approach, or email you under the pretense of being an authority, a customer, a coworker, an author, etc.
Why These Attacks Work
• Psychological triggers in all of us:
  • Strong Affect
  • Overloading
  • Reciprocation
  • Deceptive Relationships
  • Diffusion of Responsibility and Moral Duty
  • Authority
  • Integrity and Consistency
Strong Affect
• A heightened emotional state tends to impair logical thinking
• Fear
• Panic
• Joy
  • “You’ve just won!”
  • Trip to San Francisco – AoD (“The Art of Deception”, Mitnick)
• Surprise
  • Call at 4:30am
Overloading
• Sensory overload
  • 30 true statements with 5 untrue, suspect statements in between
  • The 1-cent cell phone – AoD
• Arguing from an unexpected perspective
• We need time to process
How can we defend against this?
Reciprocation
• If someone gives us something, whether or not we asked for it, we feel inclined to help them.
• Reverse social engineering
• A “mental shortcut” – Mitnick
• Yielding points in an argument
Deceptive Relationships
• Developing a relationship with the intent of exploiting the other person.
• AOL attack
• Hacker and mark are “alike”
Diffusion of Responsibility and Moral Duty
• Diffusion of responsibility – the mark feels that he/she will not be held solely responsible
• Moral duty – avoid feeling guilt
  • “Save the company”, “Save someone’s job”
Authority
• Impersonation attacks

Integrity and Consistency
• People generally follow through on their promises, whether or not it is wise to do so.
Levels of Defense
• Foundational Level
• Parameter Level
• Fortress Level
• Persistence Level
• Gotcha Level
• Offensive Level
Foundational Level
• End users are targeted to respond to questionable requests
• They should not be the ones deciding what information can and cannot be divulged
• Confidence
• Metacognition and persuasion theory
Defense (Foundational)
• General policy
  • Explicitly state what information can be divulged and by whom
  • Train early and often, post the policy clearly in public view, encourage and enforce compliance
• Combats Authority, Diffusion of Responsibility, Moral Duty
Parameter Level and Its Defense
• Employees need to know when to say “no” and that management backs them
• Warning signs
  • No contact info, rushing, name-dropping, intimidation, misspellings, odd questions, requesting suspect info
• Security awareness
  • Know what has value
  • Friends are not always friends
  • Passwords are personal
  • Uniforms are cheap
Fortress Level
• Attackers target key personnel:
  • Help desk personnel
  • Customer service
  • Business assistants
  • Secretaries and receptionists
  • System administrators
How are they prepared?
Defense (Fortress)
• Resistance training for key personnel
  • Inoculation – weakened examples
  • Forewarning – not just the intent, but the methods
  • Reality check – defeat their image of personal invulnerability; deceive them to show how easy it is.
Persistence Level and Its Defense
• Forgetfulness and wrongful prioritization of policy
• Pervasive and persistent reminders
• Police station example
Gotcha Level Defense
• Social Engineering Land Mines (SELM): traps set up to expose and stop an attack
• Active defense ideas:
  • The Justified Know-It-All
  • Centralized Security Log
  • Call Backs by Policy
  • Key Questions
  • Three Questions Rule
  • Bogus Question
  • “Please Hold” by Policy
Offensive Level Defense
• Incident response
• There needs to be a clearly written and well-understood policy on how to respond to a security incident
• If the first mark is wise to the con but does not alert security, it is only a matter of time before another mark is selected.
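One way to put the Centralized Security Log of the Gotcha level and the incident-response point of the Offensive level into practice is to correlate the reports employees file after a suspicious contact: a caller who is turned away by one mark and moves on to the next looks harmless in any single report, but the pattern across reports does not. The Python below is an added example, not code from the slides or from Gragg’s paper; the report format, the flag names (taken from the Parameter Level warning signs), their weights, the time window and the sample log lines are all constructed assumptions.

```python
# Added example (not from the slides or Gragg's paper): correlating employee
# reports of suspicious contacts in a centralized security log. The report
# format, flag names, weights and thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Weights for the warning signs listed on the Parameter Level slide; the
# flag names are assumed to be what a report form would record.
WARNING_SIGNS = {
    "no_contact_info": 2,
    "rushing": 2,
    "name_dropping": 1,
    "intimidation": 2,
    "misspellings": 1,
    "odd_questions": 1,
    "requested_suspect_info": 3,
}

# Constructed sample log (not real data), one line per reported contact:
# timestamp | reporting employee | identity the caller claimed | flags
SAMPLE_LOG = """\
2005-09-14T09:02 | helpdesk.lee  | "Dan from IT audit" | rushing,requested_suspect_info
2005-09-14T09:15 | reception.kim | "Dan from IT audit" | no_contact_info,name_dropping
2005-09-14T10:40 | admin.ortiz   | "vendor courier"    |
2005-09-14T11:05 | helpdesk.chen | "Dan from IT audit" | intimidation,requested_suspect_info
2005-09-15T08:30 | helpdesk.lee  | "Pat in accounting" | odd_questions
"""


def parse_log(text):
    """Turn the pipe-separated report lines into dicts."""
    reports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reporter, identity, flags = [p.strip() for p in line.split("|")]
        reports.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
            "reporter": reporter,
            "identity": identity.strip('"'),
            "flags": [f for f in flags.split(",") if f],
        })
    return reports


def score(report):
    """Sum the weights of the warning signs the employee ticked."""
    return sum(WARNING_SIGNS.get(f, 0) for f in report["flags"])


def correlate(reports, window=timedelta(hours=4), min_targets=2, min_score=3):
    """Flag a claimed identity that contacted at least `min_targets` different
    employees within `window` with a combined warning-sign score of at least
    `min_score`. A single refused request rarely stands out; the pattern does."""
    by_identity = defaultdict(list)
    for r in reports:
        by_identity[r["identity"]].append(r)

    alerts = []
    for identity, group in by_identity.items():
        group.sort(key=lambda r: r["time"])
        for i, first in enumerate(group):
            cluster = [r for r in group[i:] if r["time"] - first["time"] <= window]
            targets = {r["reporter"] for r in cluster}
            total = sum(score(r) for r in cluster)
            if len(targets) >= min_targets and total >= min_score:
                alerts.append({
                    "identity": identity,
                    "first_seen": first["time"],
                    "targets": sorted(targets),
                    "score": total,
                })
                break  # one alert per identity is enough to open an incident
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(f"{alert['first_seen']:%Y-%m-%d %H:%M} {alert['identity']!r} "
              f"contacted {len(alert['targets'])} employees, score {alert['score']}")
```

The thresholds are illustrative; the design point is that reports from the help desk, reception and administration all land in one log, because each department on its own sees only a single refused request and has no reason to escalate it.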
How Well Have We Defended?
• Strong Affect
• Overloading
• Reciprocation
• Deceptive Relationships
• Diffusion of Responsibility and Moral Duty
• Authority
• Integrity and Consistency

Other Vulnerabilities
• New employees
• Poor administration policies
Policy from a Social Engineer
“The Art of Deception” – K. Mitnick
Kevin Mitnick outlines an excellent security policy at the end of the book, with detailed reasoning at every level, to defend against social engineering attacks.
Conclusion
• Social engineering will always exist, and it is extremely difficult to defend against, but the success of such attacks can be decreased substantially with proper policy and personnel training.
References
• Gragg, David. “A Multi-Level Defense Against Social Engineering.” GSEC Option 1, version 1.4b, Dec. 2002.
• Mitnick, Kevin. “The Art of Deception.”