Post on 26-Mar-2015
Copyright © 2011 IsecT Ltd.
Social engineering
Spot it and stop it
September 2011
Security awareness seminar
Slide 2
Introduction
Social engineering is a way of tricking people into doing things they shouldn’t do, such as disclosing secrets
Slide 3
Blending-in
Slide 4
Who are social engineers?
• Kids, partners, friends
• Sales reps
• Hackers, virus writers
• Journalists
• Jilted lovers
• Industrial spies & unethical competitors
• Private investigators
• Spies
• Former, current or prospective employees
• Visitors, phone callers, emailers, chatters, gift givers, ‘friends’ …
Slide 5
New tricks
• Fake survey or prize draw
• Discarded USB stick, CD, cellphone …
• Note on the windshield, FAX, letter …
• Fake maintenance worker, courier, cleaner, auditor, customer, supplier, manager, executive assistant …
• Lottery win, inheritance or tax refund …
• Stuck in a hotel, wallet stolen, in a fix
• “Friend” or “friend of a friend”
• ‘Check out this cool video’ …
• Fake job ad and interview
Slide 6
How they do it
Gather personal information about the victim, by:
• Searching online, e.g. Myspace & …
• Asking the victim’s friends & colleagues
• Hacking the victim’s PC
• Using a virus
Then exploit the information, e.g. to commit identity theft
Slide 7
Clues to watch out for
Have you ever been pestered by a persistent, pushy sales rep, trying hard to sell you something you really don’t want?
Parents of 7-year-olds will probably appreciate their ability to manipulate us into doing what they want
Slide 8
Warning signs
• Unexpected callers or visitors probing you for information or acting suspiciously
• Unusual requests, FAXes, emails, text messages, Tweets or phone calls
• Probing, pushy or threatening behavior
• Name-dropping or using company slang out of context
• Evasive, defensive or aggressive reaction when asked to verify their identity
• Nervousness and other nonspecific clues
Slide 9
DART them!
Delay
Authenticate
Resist
Transfer
Slide 10
Front-line defenses
“I just need to confirm your voicemail: could you reset your PIN code to 1234 please?”
“Mmmm, sounds fishy … I’d better refer this call to IT”
Slide 11
Other aspects
Human factors in information security
• Policies, procedures, guidelines, laws & regulations, management instructions
• Security instincts, trust & assurance, security culture
• Psychology
• Human threats: cheats & frauds, social engineers, hackers & spies
• Chinese whispers
• Specifying … using … managing … & maintaining … technical controls
• Technology use
• Technical security
Slide 12
Conclusion
• Be alert for the signs that someone might be socially engineering you, and DART (Delay, Authenticate, Resist and Transfer) them!
• Report possible social engineering incidents, suspicious calls and near misses to IT Help/Service Desk
• Help us create a stronger security culture
Slide 13
Further information
Speak to your manager, call the IT Help/Service desk or contact Information Security.
Discuss social engineering with your work colleagues and family.
Visit the intranet Security Zone.