Management der Informationssicherheit - uni-hamburg.de

1

Security Management

09: Security Testing

- Technical Security Testing

Mathias Fischer

Summer term 2017

2

Introduction – Penetration Tests

Simulated attacks on productive systems out of attacker perspective

Goals

– Security evaluation of IT systems and networks

– Confirmation of IT security by independent auditor

– Check for implementation of security guidelines

– Assessment on probability of occurrence / damage of an attack

Disclosure of vulnerabilities caused by

– Old and vulnerable software

– Erroneous configuration

– Badly designed / implemented business processes

Conducted by specialized service providers

3

Procedures for Penetration Tests

BSI study: Concept for penetration testing (“Durchführungskonzept für Penetrationstests”)

1. Inquiry on information about the target system

2. Scan of target system and offered services

3. Detection of systems and applications

4. Investigate vulnerabilities

5. Exploit vulnerabilities

NIST: “Technical Guide to Information Security Testing and Assessment” (SP 800-115)

– Primarily for self-assessment

– 4 phases: Planning, Discovery, Attack, Reporting

Open Source Security Testing Methodology Manual (OSSTMM)

– Description of test subjects and test methods

– Rules for engagement

https://www.bsi.bund.de/DE/Publikationen/Studien/Pentest/index_htm.html

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

http://www.osstmm.org

4

Procedure (according to BSI study on Penetration Testing)

5

Classification of Penetration Tests (according to BSI)

Criterion: Approaches

Information basis: Black-box, White-box

Aggressiveness: Passive scan, careful, deliberate, aggressive

Extent: Complete, restricted, focused

Procedure: Concealed, evident

Technique: Network access, all other communication, physical access, social engineering

Origin External, internal

6

Legal Framework

Criminal law

– The European Cybercrime Convention requires that possession and misuse of tools that can be used to attack IT systems be made punishable (Section 1, Title 1, Art. 6).

Implementation in Germany, August 2007: §202c StGB

– §202a (Ausspähen von Daten, data espionage): “(1) Whoever, without authorisation, obtains for himself or another access to data which is not intended for him and is specially protected against unauthorised access, by circumventing the access protection, shall be punished with imprisonment of up to three years or a fine. (2) Data within the meaning of subsection (1) is only such data as is stored or transmitted electronically, magnetically or otherwise in a manner not immediately perceptible.”

– §202b (Abfangen von Daten, data interception): “Whoever, without authorisation, obtains for himself or another, using technical means, data not intended for him (§202a (2)) from a non-public data transmission or from the electromagnetic emissions of a data-processing facility, shall be punished with imprisonment of up to two years or a fine, unless the act is subject to a more severe penalty under other provisions.”

– §202c: “Whoever prepares an offence under §202a or §202b by producing, obtaining for himself or another, selling, supplying to another, distributing or otherwise making accessible [...] computer programs whose purpose is the commission of such an offence shall be punished with imprisonment of up to one year or a fine.”

Whoever prepares a criminal act by developing computer programs for it, sells them, or gives them to someone else can be penalized with up to one year of imprisonment or a fine.

Whoever gains illegitimate access for himself or others to data that is specifically protected can be penalized with up to three years of imprisonment or a fine.

Whoever gains illegitimate access to data from a non-public data transmission can be penalized with up to two years of imprisonment or a fine.

7

“Hacker paragraph” § 202c StGB (1)

New legal situation: To what extent is § 202c StGB applicable to the use of sniffers, spoofing tools, and port scanners for security analysis?

Such dual-use tools can be used for good or bad purposes

Statement of the Federal Constitutional Court (Bundesverfassungsgericht) in June 2006: usage of dual-use tools is only punishable in case of deliberate acts

Prevailing legal opinion: with a precisely formulated order, usage for penetration tests is unproblematic

Problems: usage apart from penetration testing, and open-source software on publicly accessible websites

8

“Hacker paragraph” § 202c StGB (2)

1. Problem: Usage apart from penetration testing

BSI: Practical guideline for the evaluation of software with regard to §202c StGB

– Evaluation scheme for assessing whether criminal offense is given in individual cases

– Takes into account functionality, actual purpose of usage, and user intention

– Port and vulnerability scanner: unproblematic

– Spoofing tools and password cracker: problematic

2. Problem: Open-source software on publicly accessible websites

Sale, relinquishment, and distribution are punishable

Provisioning tools on the Internet, among others “for persons [...] whose trustworthiness cannot be assumed”, is punishable

Public offering in Germany not recommendable

9

Security Scanner

Security scanners are used for reconnaissance in penetration testing

– Identification of existing hosts and offered services

– Identification of OS and application versions

– Automatic check of services for known vulnerabilities

Applications

– Attacker: searching for vulnerabilities before attacking the target

– Admins: security testing

• Examination of firewall configuration

• Are all systems on the latest patch level?

• Are there non-approved servers or services?

Two kinds of scanners

– Port scanner (e.g., nmap)

– Vulnerability scanner (e.g., Nessus, ISS Internet Scanner, eEye Retina)

10

Reconnaissance with network tools

Reconnaissance examples

– Which IP addresses belong to the company network?

– Which hosts in network 134.100.0.0/16 are online?

– Which services are hosted on 134.100.1.2?

Whois service: identification of IP address space

– Many organizations have a registered address block

Ping scan: identification of all available hosts in network

– Result: list of hosts that replied

Port scan: identification of active services running on particular machine

– Result: list of hosts and corresponding list of services

11

Whois Service

whois uni-hamburg.de

Domain: uni-hamburg.de
Nserver: dns-3.dfn.de
Nserver: dns1.rrz.uni-hamburg.de 134.100.33.228 2001:638:710:21:0:0:0:531
Nserver: dns2.rrz.uni-hamburg.de 134.100.33.229 2001:638:710:21:0:0:0:532
Nserver: ns.rrz.uni-hamburg.de 134.100.29.165
Nserver: rzdspc1.informatik.uni-hamburg.de 134.100.9.61
Status: connect
Changed: 2015-08-17T13:28:06+02:00

[Tech-C]
Type: PERSON
Name: Heino Peters
Address: Universitaet Hamburg
Address: Regionales Rechenzentrum
Address: Schlueterstr. 70
PostalCode: 20146
City: Hamburg
CountryCode: DE
Phone: +49 40 42838 6969
Fax: +49 40 42838 3096
Email: [email protected]
Changed: 2005-04-21T13:56:06+02:00

[Zone-C]
Type: PERSON

12

Excursus - TCP/IP Three-Way-Handshake

TCP connection initialization requires 3 messages

– Sequence of TCP flags: SYN, SYN-ACK, ACK

[Figure: TCP 3-Way-Handshake between Host 1 and Host 2, time running downwards]

13

Port Scanner nmap: Overview

Open source, developed by Gordon Lyon (Fyodor)

Ports for Linux, Windows, Mac OS X, and more

Huge selection of scan types

– Ping-Scan

– TCP-Connect-Scan

– TCP-SYN-Scan

– TCP-Null-Scan

– TCP-FIN-Scan

– TCP-ACK-Scan

– Xmas-Tree-Scan

– UDP-Scan

– Idle-Scan

Report: list of all open, closed, and filtered ports

[Figure: TCP 3-Way-Handshake between Host 1 and Host 2, time running downwards]

14

Port Scanner nmap: Ping-Scan

Sends ICMP Echo Request packets

Some firewalls drop ICMP ping packets for security reasons

nmap can send additional TCP or UDP packets to detect available hosts

Exploits differences in the reply packets:

– If the host is available and a port is in use by a service, the service responds to the incoming connection request

– The host is (probably) offline if there is no reaction to a request

[Figure: TCP 3-Way-Handshake between Host 1 and Host 2, time running downwards]

15

Port Scanner nmap: Ping-Scan

client:~ dh$ nmap -sP 91.52.57.* -T4

Starting Nmap 5.51 ( http://nmap.org ) at 2013-05-31 06:30 CEST
Nmap scan report for p5B343906.dip0.t-ipconnect.de (91.52.57.6)
Host is up (0.057s latency).
Nmap scan report for p5B343908.dip0.t-ipconnect.de (91.52.57.8)
Host is up (0.056s latency).
Nmap scan report for p5B343913.dip0.t-ipconnect.de (91.52.57.19)
Host is up (0.054s latency).
Nmap scan report for p5B3439F1.dip0.t-ipconnect.de (91.52.57.241)
Host is up (0.063s latency).
Nmap scan report for p5B3439F2.dip0.t-ipconnect.de (91.52.57.242)
Host is up (0.069s latency).
Nmap scan report for p5B3439F4.dip0.t-ipconnect.de (91.52.57.244)
Host is up (0.078s latency).
Nmap scan report for p5B3439F8.dip0.t-ipconnect.de (91.52.57.248)
Host is up (0.058s latency).
Nmap scan report for p5B3439F9.dip0.t-ipconnect.de (91.52.57.249)
Host is up (0.043s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 22.10 seconds

16

Port Scanner nmap: Port-Scan (1)

TCP-Connect-Scan is the default scan type

– Full run of the 3-Way-Handshake

– Very obtrusive, as the connection is completely established (log entries of services)

Recommendation: use TCP-SYN-Scan; connection establishment only until step 2 (half-open)

UDP-Scan for connectionless services (e.g., DNS)

More scan types for firewall traversal (NULL, FIN) and for special application scenarios (ACK, Xmas-Tree).

[Figure: TCP 3-Way-Handshake between Host 1 and Host 2, time running downwards]
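The difference between a connect scan and a SYN scan is also what a defender looks for: a SYN scan leaves many half-open attempts from one source and no entries in service logs, so it has to be spotted on the network side. The following is an added example (not from the slides and not nmap code) that runs a simple detector over a constructed flow log; the log format, the addresses and the threshold are assumptions made for this example.

```python
"""Detect half-open (SYN) port scans in a constructed flow log.

Added example for the lecture, not code from the slides. It assumes a
simple log format (constructed here) in which each line records one TCP
flow with its first-seen flags and whether the three-way handshake
completed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"flags=(?P<flags>\S+) completed=(?P<completed>yes|no)$"
)

# Constructed sample: 10.0.0.7 sends bare SYNs to ten ports and never completes
# a handshake (a SYN scan); 10.0.0.31 is an ordinary HTTPS client; 10.0.0.42
# made a single failed connection attempt (not a scan).
SAMPLE_LOG = """\
2017-06-01T10:00:01 src=10.0.0.7 dst=10.0.0.20 dport=21 flags=S completed=no
2017-06-01T10:00:01 src=10.0.0.7 dst=10.0.0.20 dport=22 flags=S completed=no
2017-06-01T10:00:01 src=10.0.0.7 dst=10.0.0.20 dport=23 flags=S completed=no
2017-06-01T10:00:01 src=10.0.0.7 dst=10.0.0.20 dport=25 flags=S completed=no
2017-06-01T10:00:02 src=10.0.0.7 dst=10.0.0.20 dport=80 flags=S completed=no
2017-06-01T10:00:02 src=10.0.0.7 dst=10.0.0.20 dport=110 flags=S completed=no
2017-06-01T10:00:02 src=10.0.0.7 dst=10.0.0.20 dport=143 flags=S completed=no
2017-06-01T10:00:02 src=10.0.0.7 dst=10.0.0.20 dport=443 flags=S completed=no
2017-06-01T10:00:03 src=10.0.0.7 dst=10.0.0.20 dport=445 flags=S completed=no
2017-06-01T10:00:03 src=10.0.0.7 dst=10.0.0.20 dport=8089 flags=S completed=no
2017-06-01T10:00:05 src=10.0.0.31 dst=10.0.0.20 dport=443 flags=S completed=yes
2017-06-01T10:00:06 src=10.0.0.31 dst=10.0.0.20 dport=443 flags=S completed=yes
2017-06-01T10:00:07 src=10.0.0.42 dst=10.0.0.20 dport=22 flags=S completed=no
"""


def parse_flow_log(text):
    """Turn the log into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def half_open_ports_by_source(records):
    """Map each source to the set of destination ports it sent a SYN to without
    ever completing the handshake, which is the footprint of a SYN scan."""
    syn_only = defaultdict(set)
    completed = defaultdict(set)
    for r in records:
        if r["flags"] == "S" and r["completed"] == "no":
            syn_only[r["src"]].add(r["dport"])
        elif r["completed"] == "yes":
            completed[r["src"]].add(r["dport"])
    # A port that the same source later completed a handshake to is not half-open.
    return {src: ports - completed[src] for src, ports in syn_only.items()}


def detect_syn_scanners(text, threshold=8):
    """Sources with at least `threshold` distinct half-open destination ports."""
    per_source = half_open_ports_by_source(parse_flow_log(text))
    return sorted(src for src, ports in per_source.items() if len(ports) >= threshold)


if __name__ == "__main__":
    print("suspected SYN scanners:", detect_syn_scanners(SAMPLE_LOG))
```

The threshold is the tuning knob: a single failed connection (10.0.0.42) must not be flagged, while a burst of half-open attempts across many distinct ports from one source is exactly what the slide calls inconspicuous on the host and what this view makes visible. A connect scan would instead show `completed=yes` flows that are immediately closed, and those do show up in the services' own logs.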

17

Port Scanner nmap: Port-Scan (2)

client:~ dh$ sudo nmap -sS 91.52.57.19

Starting Nmap 5.51 ( http://nmap.org ) at 2013-05-31 06:33 CEST

Nmap scan report for p5B343913.dip0.t-ipconnect.de (91.52.57.19)
Host is up (0.067s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
8089/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds
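The admin use case on the Security Scanner slide (“Are there non-approved servers or services?”) needs the scan output in machine-readable form. Added example, not from the slides and not from the nmap project: a parser for the normal output layout shown above, followed by a comparison against an approved inventory. The scan text, the addresses and the inventory below are constructed for this example.

```python
"""Parse nmap "normal" output and compare it with an approved inventory.

Added example, not code from the slides or from nmap. It assumes the text
layout of nmap's default output as shown on the slides; the scan below and
the inventory are constructed.
"""
import re

REPORT_RE = re.compile(r"^Nmap scan report for (?P<target>.+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Constructed scan output (documentation address range 192.0.2.0/24).
SAMPLE_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2017-06-01 09:00 CEST
Nmap scan report for web1.example.test (192.0.2.10)
Host is up (0.0012s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   closed smtp
80/tcp   open   http
443/tcp  open   https
Nmap scan report for 192.0.2.23
Host is up (0.0020s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8089/tcp open  unknown
Nmap done: 256 IP addresses (2 hosts up) scanned in 12.30 seconds
"""

# Constructed inventory: approved hosts and the open ports each may expose.
APPROVED = {"192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")}}


def parse_nmap_output(text):
    """Return {ip: {"name": ..., "up": bool, "ports": {(port, proto): (state, service)}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            target = m.group("target")
            ip = IPV4_RE.findall(target)[-1]          # "name (ip)" or bare "ip"
            name = target.split(" (")[0] if " (" in target else None
            current = hosts[ip] = {"name": name, "up": False, "ports": {}}
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = PORT_RE.match(line)
        if m:
            key = (int(m.group("port")), m.group("proto"))
            current["ports"][key] = (m.group("state"), m.group("service"))
    return hosts


def open_ports(host):
    """Only open ports count as exposure; closed/filtered ones are ignored."""
    return {key for key, (state, _) in host["ports"].items() if state == "open"}


def find_unapproved(hosts, approved):
    """Hosts missing from the inventory, and open ports the inventory does not allow."""
    unknown_hosts = sorted(ip for ip in hosts if ip not in approved)
    unexpected = {}
    for ip, host in hosts.items():
        if ip in approved:
            extra = open_ports(host) - approved[ip]
            if extra:
                unexpected[ip] = sorted(
                    (port, proto, host["ports"][(port, proto)][1]) for port, proto in extra
                )
    return {"unknown_hosts": unknown_hosts, "unexpected_ports": unexpected}


if __name__ == "__main__":
    print(find_unapproved(parse_nmap_output(SAMPLE_SCAN), APPROVED))
```

With the inventory above, 192.0.2.23 is reported as an unknown host; once it is added with port 22/tcp only, the scan still shows 8089/tcp open there, which is the kind of finding the slide calls a non-approved service. For production use nmap's XML output (`-oX`) is the more robust input, but the line-oriented form makes the logic visible.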

18

Port Scanner nmap: Special Functions

Decoys

– nmap can hide the originator of a port scan by spoofing the source address (decoy addresses)

– Intrusion detection systems cannot identify the attacker among the decoys

Idle-Scan:

– Exploits a side channel (IP ID) to conduct the port scan

– The target host is scanned by IP spoofing via a dumb “zombie host” that is used to bounce messages back and forth

– The IP address of the host that conducts the scan cannot be identified by the target host

19

Port Scanner nmap: Decoys

20

Idle Scan – Hiding the IP Address of the Scanner (1)

IP fragments are identified by the IP Identification (IP ID) field (like a sequence number) and the fragment offset

[Figure: IP header layout: Ver., IHL, TOS, Length; IP Identification, Flags, Fragment Offset; TTL, Protocol, IP Checksum; Source Address; Destination Address; IP Options (if any)]
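The side channel works only because many hosts increment the IP ID by one for every packet they send, so the scanner can count the zombie's packets without seeing them. The following is an added simulation (not from the slides, not a network tool) that models the three packets per port from the slide, and adds the check a defender runs against their own hosts: whether a host's IP ID sequence is predictable, which is what makes it usable as a zombie. Hosts, ports and IP ID values are constructed.

```python
"""Model of the IP ID side channel behind the idle scan, plus a defender's check.

Added example for the lecture; it is a simulation with constructed values,
not nmap code and not a network tool. It models the three packets per port
that the slides describe: probe the idle "zombie", let the target answer a
spoofed SYN towards the zombie, probe the zombie again.
"""
import random


class Zombie:
    """An idle host. With incremental=True its IP ID rises by one for every
    packet it sends (the side channel); otherwise each IP ID is unpredictable."""

    def __init__(self, incremental=True, seed=1):
        self.incremental = incremental
        self._counter = 1000
        self._rng = random.Random(seed)

    def _send(self):
        if self.incremental:
            self._counter += 1
            return self._counter
        return self._rng.randrange(0, 65536)

    def probe(self):
        """Scanner sends an unsolicited SYN/ACK; the zombie answers with a RST
        whose IP ID the scanner can read."""
        return self._send()

    def receive_from_target(self, pkt):
        """An unsolicited SYN/ACK is answered with a RST (consumes one IP ID);
        an incoming RST is silently ignored (no packet, no IP ID)."""
        if pkt == "SYN/ACK":
            self._send()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def reply_to_spoofed_syn(self, port):
        """The reply goes to the spoofed source, i.e. to the zombie, not the scanner."""
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_step(zombie, target, port):
    """Classify one target port using nothing but the zombie's IP ID values.
    Open port: zombie sent two packets in between (RST to target + RST to us)."""
    before = zombie.probe()
    zombie.receive_from_target(target.reply_to_spoofed_syn(port))
    after = zombie.probe()
    return "open" if (after - before) % 65536 == 2 else "closed"


def ipid_is_incremental(samples, max_step=16):
    """Defender's check on IP IDs collected from one of our own hosts: consecutive
    values rising by a small constant mean the host can serve as a zombie and
    should get randomised IP IDs (or be kept busy, which also breaks the channel)."""
    steps = [(b - a) % 65536 for a, b in zip(samples, samples[1:])]
    return len(steps) > 0 and all(0 < s <= max_step for s in steps)


if __name__ == "__main__":
    z, t = Zombie(incremental=True), Target({80, 443})
    for p in (80, 81, 443):
        print(p, idle_scan_step(z, t, p))
    r = Zombie(incremental=False)
    print("random IP ID predictable:", ipid_is_incremental([r.probe() for _ in range(8)]))
```

Against the incremental zombie the inference is exact; against a host with random IP IDs the same three packets carry no information, which is why the check at the bottom, not the scan logic, is the part to keep. Modern Linux and Windows stacks no longer use a single global counter, so a quick look at the IP IDs an inventory host emits tells you whether it belongs to the hardened or the usable category.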

21

Idle Scan – Hiding the IP Address of the Scanner (2)

22

Port Scanner nmap: Version and OS Detection (1)

Frequent advice: do not run services on their standard ports, use non-typical ports, e.g.,

– SSH on port 1763 instead of 22

– HTTP on port 61048 instead of 80

nmap provides version detection

– Enables discovery of services by analyzing banners

– Enables discovery of outdated versions

Deactivation of banners is possible, but no effective protection against targeted attacks (security by obscurity)

client:~ dh$ telnet www.XXX.de 80
Trying 132.199.1.XXX...
Connected to www.XXX.de.

> GET / HTTP/1.1
> Host: www.XXX.de

< HTTP/1.1 200 OK
< Date: Sun, 25 May 2008 13:44:07 GMT
< Server: Apache/1.3.39 (Unix) PHP/5.2.5 DAV/1.0.3 mod_ssl/2.8.30 OpenSSL/0.9.7c
< Connection: close
< Content-Type: text/html

<HTML><HEAD>…
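The banner above is what version detection feeds on, and the same parsing is useful from the admin's side to find outdated components on one's own hosts. Added example, not from the slides and not nmap's implementation: it extracts the Server header from a captured HTTP response, splits it into product/version tokens and compares them against a minimum-version baseline. The response text mirrors the banner on the slide; the baseline versions are constructed for this example and are not advisory data.

```python
"""Parse an HTTP Server banner and flag components below a version baseline.

Added example, not code from the slides or from nmap. The sample response
is modelled on the banner shown on the slide; the BASELINE numbers are
constructed for illustration and are not advisory data.
"""
import re

# "Product/version" tokens as they appear in Server headers; "(Unix)" is skipped.
TOKEN_RE = re.compile(r"([A-Za-z_]+)/(\d[\w.]*)")
VERSION_PART_RE = re.compile(r"\d+|[A-Za-z]+")

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 25 May 2008 13:44:07 GMT\r\n"
    "Server: Apache/1.3.39 (Unix) PHP/5.2.5 DAV/1.0.3 mod_ssl/2.8.30 OpenSSL/0.9.7c\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD>"
)

# Constructed minimum versions an organisation might accept (illustrative only).
BASELINE = {"Apache": "2.2.0", "PHP": "5.3.0", "OpenSSL": "0.9.8"}


def server_header(response):
    """Return the Server header value of a raw HTTP response, or None."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def parse_banner(banner):
    """'Apache/1.3.39 (Unix) PHP/5.2.5 ...' -> {'Apache': '1.3.39', 'PHP': '5.2.5', ...}"""
    return dict(TOKEN_RE.findall(banner))


def version_key(version):
    """Sortable key: numeric parts compare as integers, letter suffixes (0.9.7c)
    as strings; tagging each part keeps int/str comparisons apart."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in VERSION_PART_RE.findall(version)]


def outdated_components(banner, baseline=BASELINE):
    """(name, found, minimum) for every baseline product whose banner version is older."""
    found = parse_banner(banner)
    return sorted(
        (name, found[name], minimum)
        for name, minimum in baseline.items()
        if name in found and version_key(found[name]) < version_key(minimum)
    )


if __name__ == "__main__":
    banner = server_header(SAMPLE_RESPONSE)
    print(banner)
    for name, have, need in outdated_components(banner):
        print(f"{name}: {have} < {need}")
```

Note the caveat from the slide: hiding the banner makes this check silent without making the software newer, so a banner-based inventory only complements (never replaces) package-level patch tracking on the host.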

23

Port Scanner nmap: Version and OS Detection (2)

OS detection can identify the OS in use based on characteristic implementation details of TCP/IP stacks (OS fingerprinting)

nmap contains >2600 signatures of different OSes

24

Port Scanner nmap: Version and OS Detection (3)

client:~ dh$ sudo nmap -sS 91.52.57.19 -A

Starting Nmap 5.51 ( http://nmap.org ) at 2013-05-31 06:35 CEST
Nmap scan report for p5B343913.dip0.t-ipconnect.de (91.52.57.19)
Host is up (0.074s latency).

Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8089/tcp open  upnp    Microsoft Windows UPnP

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|webcam|VoIP adapter|general purpose|broadband router
Running (JUST GUESSING): Linux 2.6.X|2.4.X (88%), Asus embedded (86%), AXIS embedded (85%), AXIS Linux 2.6.X (85%), D-Link embedded (85%), Sphairon embedded (85%)
Aggressive OS guesses: AVM FRITZ!Box FON WLAN 7170 WAP (Linux 2.6.13) (88%), Asus WL-500gP wireless broadband router (86%), AXIS 207W Network Camera (85%), ...
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops

TRACEROUTE (using port 8089/tcp)
HOP RTT      ADDRESS
1   18.26 ms fritz.box (192.168.178.1)
...
5   59.93 ms f-sa1-i.F.DE.NET.DTAG.DE (62.154.14.129)
6   60.20 ms m-sb2-i.M.DE.NET.DTAG.DE (62.154.4.186)
7   45.43 ms m-ea6-i.M.DE.NET.DTAG.DE (62.154.27.105)
8   40.26 ms 87.190.177.33
9   62.51 ms p5B343913.dip0.t-ipconnect.de (91.52.57.19)

25

GUI for nmap: Zenmap (1)

Convenient control program for nmap that runs within terminal

Available for Windows, Linux, Mac OS X

Well-arranged overview of results

26

GUI for nmap: Zenmap (2)

Convenient control program for nmap

Graphical selection of scan types and options

Storing of profiles for later reuse

27

Pros and Cons of Port Scanners

Pro

– High scan speed

– Port-Scans are inconspicuous

– Precise control over network parameters

– Allows detection of non-authorized hosts and services

Contra

– Knowledge of technical details necessary to interpret results

– Open ports do not provide any indication on concrete weaknesses

– Insufficient consideration of web applications

28

Vulnerability Scanner Nessus (1)

Client-server principle

– Unix: Server nessusd, Client nessus

– Standalone-Windows-Version available

Plugin Concept

Taken over by Tenable Security in 2005

– Version 4 free of charge, but not open source anymore

– Business model: fees for current plugins

• Professional Feed: 2190 USD/year (April 2016)

• Home Feed: free of charge (selected plugins, max. 16 IPs)

– Support and training are subject to charge

Alternative: OpenVAS (Open Vulnerability Assessment System), based on Nessus; free software under the GPL

29

Vulnerability Scanner Nessus (2)

Scan procedure

– Port scan (also supports Amap and nmap)

– Invocation of compatible plugins for identified services

Broad range of plugins

– Erroneous configurations (e.g., Open-Mail-Relays)

– Usage of standard passwords

– DoS attacks against the TCP/IP stack

Additional functions (after submission of Windows-Credentials)

– Search for missing Windows security updates

– Local check of installed software

– Inspection of compliance with concrete policies, e.g.,

• Active Directory group policies

• Pre-built compliance checks (e.g., for SANS Top 20)

30

Nessus Plugins

More than 78,000 plugins that address more than 33,000 CVE IDs and 23,000 Bugtraq IDs (April 2016)

Categories

AIX Local Security Checks

Backdoors

Brute force attacks

CentOS Local Security Checks

CGI abuses

CGI abuses : XSS

CISCO

Databases

Debian Local Security Checks

Default Unix Accounts

Denial of Service

Fedora Local Security Checks

Finger abuses

Firewalls

FreeBSD Local Security Checks

FTP

Gain a shell remotely

Gain root remotely

General

Gentoo Local Security Checks

HP-UX Local Security Checks

MacOS X Local Security Checks

Mandrake Local Security Checks

Misc.

Netware

NIS

Peer-To-Peer File Sharing

Policy Compliance

Port scanners

Red Hat Local Security Checks

Remote file access

RPC

SCADA

Service detection

Settings

Slackware Local Security Checks

SMTP problems

SNMP

Solaris Local Security Checks

SuSE Local Security Checks

Ubuntu Local Security Checks

Useless services

Web Servers

Windows

Windows : Microsoft Bulletins

Windows : User management

31

Example of an OpenVAS Scan Report

Image source: insidetrust.blogspot.com

32

Pros and Cons of Vulnerability Scanners

Pro

– Direct search for vulnerabilities and patch levels possible

– Provides information for elimination of identified problems

– Partially automated check of security policies possible

Contra

– Scan is time-consuming

– Scan can be detected easily

– Automatic scan interpretation might be incorrect

– Could provide a false sense of security (false negatives)

– Current signatures and scripts are not free of charge

– Only basic support for web applications

33

Analyzing the Security of Web Applications

Classic network vulnerability scanner: searching for vulnerabilities in known code

Classic vulnerability scanners are not suitable for the analysis of web applications:

– Exploitation of vulnerabilities is much more complicated

– The simple scripts of a vulnerability scanner are inadequate

– Checking version numbers for vulnerabilities is inadequate

– Self-developed software requires adapted tests

Web-site security affects layer 5 in the Internet model

– Measures in other layers are usually not effective

Security scanner for web applications: searching for known vulnerability classes in unknown code

34

Vulnerabilities in Web Applications and their Detection

Popular vulnerabilities in web applications: OWASP Top 10 (2013)

– Injection

– Broken Authentication and Session Management

– Cross Site Scripting

– Insecure Direct Object References

– Security Misconfiguration

– Sensitive Data Exposure

– Missing Function Level Access Control

– Cross-Site Request Forgery (CSRF)

– Using Components with Known Vulnerabilities

– Unvalidated Redirects and Forwards

35

Procedure of Web-Security Scanning

Automatic detection of technical vulnerabilities

– Via URL crawling (following all links within a website)

– and fuzzing

• Automatic completion of form fields

• Automatic modification of URL parameters, e.g., /articles/1748206.shtml?model=109&color=111

– Detection of cross-site scripting, SQL and command injection, buffer overflows, and configuration file disclosure possible

But: vulnerabilities in business logic cannot be detected automatically, as the scanner cannot distinguish between “good” and “bad”

– Price modification

– Creation of user accounts with too extensive rights

– Stealing of user accounts

Further problems: JavaScript, CAPTCHAs, authentication systems

36

Examples for Web-Security-Scanner (1)

Google Skipfish

– Searches for XSS vulnerabilities, SQL and XML injections

Sqlmap

– Database fingerprinting, SQL injections, back-end attacks

– MySQL, Oracle, PostgreSQL, and Microsoft SQL Server

– Modes: inferential blind, time-based blind, batched queries, UNION queries

37

Examples for Web-Security-Scanner (2)

python sqlmap.py -u "http://172.16.213.131//get_int.php?id=1" -v 1

...
testing if the url is stable, wait a few seconds
url is stable
testing if GET parameter 'id' is dynamic
confirming that GET parameter 'id' is dynamic
GET parameter 'id' is dynamic
testing sql injection on GET parameter 'id' with 0 parenthesis
testing unescaped numeric injection on GET parameter 'id'
confirming unescaped numeric injection on GET parameter 'id'
GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
testing for parenthesis on injectable parameter
the injectable parameter requires 0 parenthesis
testing MySQL
confirming MySQL
retrieved: 0
the back-end DBMS is MySQL

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0

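What sqlmap reports as “unescaped numeric injectable” is a query that concatenates the `id` parameter into the SQL text without quotes or type check. Added example, not from the slides and not sqlmap code: the flawed pattern beside its hardened form, using Python's built-in sqlite3 on a constructed `articles` table so it runs offline. The table contents and the query shape are assumptions made for this example.

```python
"""An unescaped numeric parameter beside the hardened query.

Added example, not code from the slides or from sqlmap. Uses the sqlite3
module with a constructed articles table; the query shape mirrors a script
that pastes the ?id= request parameter straight into SQL.
"""
import sqlite3


def make_db():
    """Constructed sample data: two published articles and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Public article", 1), (2, "Unpublished draft", 0), (3, "Another public article", 1)],
    )
    return conn


def get_article_vulnerable(conn, id_param):
    """The flaw: the raw request parameter becomes part of the SQL text, so the
    caller can rewrite the WHERE clause (no quote character needed for a
    numeric comparison, which is why sqlmap calls it an unescaped numeric
    injection)."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def get_article_safe(conn, id_param):
    """Hardened: validate the type first, then bind the value as a parameter so
    it can never become part of the SQL grammar."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, title FROM articles WHERE published = 1 AND id = ?",
        (int(id_param),),
    ).fetchall()


def demo():
    """Return (normal result, result with a tampered parameter) for the flawed query."""
    conn = make_db()
    return get_article_vulnerable(conn, "1"), get_article_vulnerable(conn, "2 OR 1=1")


if __name__ == "__main__":
    normal, tampered = demo()
    print("id=1        ->", normal)
    print("id=2 OR 1=1 ->", tampered)   # the draft leaks: AND binds tighter than OR
```

The tampered parameter returns every row, including the unpublished draft, because `published = 1 AND id = 2 OR 1=1` parses as `(published = 1 AND id = 2) OR 1=1`. The hardened version rejects the same input before any SQL is built, and for a well-formed id the bound parameter is compared as a value only. This is the check a scanner automates across all parameters, and also the reason the slide lists SQL injection among the classes a scanner can detect: the tell-tale is a changed result set, not knowledge of the application's logic.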

38

Further Approaches

Metasploit Framework

– Collection of directly executable exploits that make use of known vulnerabilities

– >3100 exploit modules in version 4.6 (April 2016)

– Intended to ease research, the development of more secure software, and the analysis of systems for security vulnerabilities

– Open source project with commercial support

Commercial alternatives

– Core Impact (www.coresecurity.com)

– Canvas (www.immunitysec.com)

39

Metasploit: Model Kit for Exploitation of Vulnerabilities

Usual procedure: responsible disclosure

– Discoverer informs software producer first

– In case software producer does not react within reasonable time: additional pressure by disclosing vulnerability

Goal: simple verification of the exploitability of vulnerabilities

– Newly discovered vulnerabilities are encapsulated as exploit modules (automatic update for subscribers)

– Independently available: payload modules that provide additional access possibilities (VNC, webcam, microphone, console)

More or less security because of Metasploit?

– The Metasploit framework accelerates the development of new exploits

– Early proof of security problems

– But: no knowledge of how exploits work is necessary anymore

40

Metasploit (1)

41

Metasploit (2)

42

Metasploit (3)

43

Summary on Technical Security Testing

Penetration tests

– Measures to analyze IT security from the perspective of an attacker

– Can be used to provide evidence for high IT security level

Port scanner

– For reconnaissance in unknown networks

– Enables identification of available hosts and services

Vulnerability scanner

– Automatic analysis of hosts for vulnerabilities

– May suggest a level of security that does not exist

Security scanner for web applications

– Limited informative value for complex applications

– Low coverage and degree of automation

44

09: Security Testing - Social Engineering

Mathias Fischer

Summer term 2017

45

Introduction

What is Social Engineering?

– Manipulate people into doing something

– “The clever manipulation of the natural human tendency to trust.”

Types of Social Engineering

– Direct attacks

– Exploiting the human tendency to help

– Phony sites and dangerous attachments

– Using sympathy, guilt, and intimidation

Ways to prevent Social Engineering

46

What is Social Engineering?

Attacker uses human interaction to obtain or compromise information

Attacker may appear unassuming or respectable

– Pretend to be a new employee, repair man, …

– May even offer credentials

Attacker might ask questions

– Attacker may piece enough information together to infiltrate company networks

– May attempt to get information from many sources

47

Kevin Mitnick

Famous Social Engineer / Hacker

– Went to prison for hacking

– Now an ethical hacker

"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."

48

Kevin Mitnick - The Art of Deception

"People inherently want to be helpful and therefore are easily duped"

"They assume a level of trust in order to avoid conflict"

"It's all about gaining access to information that people think is innocuous when it isn't"

“When we hear a nice voice on the phone, we want to helpful.”

49

Examples of Social Engineering

Kevin Mitnick talks his way into LA central Telco office in the 90s

– Tells guard he will get a new badge

– Gets arrested locally

– Pretends to work there, gives the name of a manager from another branch

– Fakes a phone conversation when caught

Free food at McDonalds

– Counter: “Hello, what's your order?”

– “Hey my dad came in like an hour ago and you forgot 2 cheeseburgers and a soda? He just called me and asked me to pick it up...”

50

Hidden Value of Information

Much of the seemingly innocuous information in a company's possession isn't innocuous

– It can play a vital role in the attacker's effort to dress himself in a cloak of believability

– Each piece of information may be irrelevant by itself, but when put together a clear picture emerges

– “Dumpster diving”: searching for sensitive information in the company's garbage

Don't give out

– any personal

– or internal company information

– or identifiers to anyone,

unless

– his or her voice is recognizable

– and requestor has a need to know.

51

Building Trust

One of the most effective social engineering tactics

The more a social engineer can make his contact seem like business as usual, the less suspicion he will raise

– When people don't have a reason to be suspicious, it's easy for a social engineer to gain their trust

Trust wisely

– Almost everyone in organization needs training on protecting organization from spies and information thieves

– Risk assessment necessary that includes social engineering tactics

52

Direct Attacks

Attackers might just ask for information required

Human nature is to trust, especially when request meets the test of being reasonable.

Social engineers use this knowledge to exploit their victims and to achieve their goals.

Knowledge of

– a company’s lingo,

– its corporate structure including its various offices and departments,

– what each does,

– and what information each has

is part of the essential bag of tricks of a successful social engineer

53

Exploiting the Human Tendency to Help

Can you help me?

– Social engineer manipulates by pretending he needs other person to help him

Let Me Help You

– We're all grateful when we have a problem and somebody with knowledge, skill, and willingness comes along offering to solve it for us

– A social engineer also knows how to cause a problem for you and then make you grateful when he resolves it

– Then he asks for a small favor…

– Quid Pro Quo: Something for something

Example

– Call random numbers at a company and claim to be from technical support

– Eventually, you will reach someone with legitimate problem

– Attacker will "help" user and calls him back

– User will follow instructions and attacker will trick him to type commands, e.g., to install malware

54

Phony sites and dangerous attachments - Phishing

Phishing: Obtaining private information via fraud

– Attacker sends email that looks like it comes from legitimate business

– Requests verification of information and warns of consequences

– Usually contains link to fraudulent web page that looks legitimate

– User hands over information to social engineer

– Example: Ebay / Paypal scam

Spear Phishing

– Targeted phishing, e.g., after obtaining email addresses of organization

– Example: email that makes claims using name of employee

Vishing

– Phone phishing to obtain private information

– Or: email to request callback, interactive voice system will request private information

– Always call bank / service provider to verify information!

55

Phony sites and dangerous attachments - Baiting

Real world Trojan horse

Attacker uses physical media and relies on the greed/curiosity of the victim, e.g., leaves a malware-infected CD or USB drive in a location where it is sure to be found

Attacker tries to raise interest, e.g., by putting on a label that raises curiosity

Example: “Company Earnings 2016” on the floor of the company elevator

– Curious employee / Good Samaritan

– User inserts the CD/USB drive and malware gets installed

56

Using Sympathy, Guilt, and Intimidation

Social engineer uses psychology of influence to lead target to comply with request.

Skilled social engineers stimulate emotions, e.g., fear, excitement, or guilt

– They use psychological triggers = automatic mechanisms that lead people to respond to requests without in-depth analysis of all available information.

Social engineering attacks from current or former employees

– Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior.

– Only reasonable safeguard: enforce and audit procedures for verifying identity, including the person's employment status, prior to disclosing any information to anyone not personally known to still be with the company

57

Using Sympathy, Guilt, and Intimidation - Pretexting

Invented scenario

Prior research/setup used to establish legitimacy

– Give information that a user would normally not give away

Technique is used to impersonate someone with authority

– Elaborate lying

– Attacker gathers information and prepares answers to victim questions

Example: law enforcement

– Threat of alleged infraction to detain suspect and hold for questioning

58

Using Sympathy, Guilt, and Intimidation - Diversion Theft

Persuade the delivery man that the delivery is requested elsewhere (“round the corner”)

Once the delivery is redirected, the attacker persuades the delivery man to unload the delivery near the address

Most companies do not prepare employees for this type of attack

Example:

– Attacker parks security van outside a bank.

– Victims going to deposit money into a night safe are told that the night safe is out of order.

– Victims then give money to attacker to put in fake security van

59

The Weakest Link

“The weakest link in the security chain is the human element”

Kevin Mitnick

No matter how strong your:

– Firewalls

– Intrusion Detection Systems

– Cryptography

– Anti-virus software

People are the weakest link in computer security!

– They are more vulnerable than computers

60

Countermeasures against Social Engineering (1)

Training!

User Awareness

– User knows that handing out certain information is bad

– People should be trained to challenge authority when security is at stake

Military requires networking department to hold

– Top secret security clearance

– Security certification

Policies

– Employees are not allowed to divulge private information

– Prevents employees from being socially pressured or tricked

– Clear desk and clear screen policies

– …

61

Countermeasures against Social Engineering (2)

Hire an ethical hacker

– Checks organization and attempts to hack network

– Will use social engineering methods to identify weak (human) spots and security problems

Be suspicious of

– unsolicited phone calls,

– visits,

– email messages from individuals

asking about internal information

If unsure whether an email is legitimate, contact the person or company by another means for verification

Do not provide personal information or information on the organization (e.g., on the internal network) unless the authority of the person is verified

– Be paranoid and aware when interacting with anything that needs protecting

– The smallest information could compromise what you're protecting

62

Conclusion

What is Social Engineering?

– Manipulate people into doing something, rather than by breaking in using technical means

Different Types of Social Engineering

– Direct Attacks

– Exploiting the human tendency to help

– Phony sites and dangerous attachments

– Using Sympathy, Guilt, and Intimidation

Countermeasures against Social Engineering

– Training

– Policies

– Be suspicious/paranoid

– Security testing by ethical hacker