NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack
The Rise of Social Engineering - Anatomy of a Full Scale Attack
Presenter: Dave Nelson, CISSP | President at Integrity

Dave Nelson, CISSP
• Certified Information Security Professional (CISSP)
• Over 20 years experience as information security professional
• Fellow with the Information Systems Security Association
• President Emeritus of ISSA Des Moines Iowa Chapter
Overview
• What is "Social Engineering"?
• Types of Attacks & Real World Examples
• Best Defense

What is Social Engineering?
Social Engineering
• Using knowledge of human behavior to elicit a defined response.
• Put simply… getting you to willingly do something for me which is likely not in your best interest.

Sociology and Psychology
• Study of human behavior, interaction and societal norms.
• Actions can be predicted quite accurately.
• Actions can also be influenced quite easily.

Simple Human Behavior
• Two Types of Responses
  – Natural
  – Learned
Hackers will craft a scenario for you to enter, in order to elicit a response which they believe will give them the result they are looking for.
Types of Attacks & Real World Examples

Why talk about social engineering
Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it's on the rise.
Source: 2016 Verizon Data Breach Investigation Report

5 Common Attack Methods
• Dumpster Diving
• Pretexting
• Phishing
• Physical Entry
• Enticement
Dumpster Diving
• Scouring through discarded items
  – Calendars & Day planners
  – Handwritten notes
  – Phone & Email Lists
  – Operation manuals or procedures
  – System diagrams & IP addresses
  – Source code

Pretexting
• Fraudulent phone calls
• Used to extract information
• Also used to set up other attacks such as facility entry or phishing

Phishing
Attempts to get users to provide information or perform an action
• Tips For Identifying Phishing Attempts
  – Asks to update account information via email
  – No verification image or varying layout designs
  – Provides unfamiliar hyperlinks

Common Bait
• Sweet Deals
  – Free Stuff
  – Limited Time Offers
  – Package Delivery
• Help Me, Help You!
  – Tech Support
• You Gotta' See This!
Spear Phishing Example
Good Morning Mike,
You may or may not know, but Mary (CFO) and I are in Atlanta working to close a deal with our partners XYZ Company and ABC Limited on a $70 million dollar contract with Our Big Payday, Inc. In order to get the contracts signed, I need you to wire $85,620 to XYZ Company and $67,980 to ABC Limited. Mary says this should come from our Bank Name Here account number 123456789. The routing and account number for XYZ is 12345678 – 7788994455 and for ABC is 98765432 – 336699774411.
Because Our Big Payday, Inc. is a publicly traded company, the terms of this agreement cannot be disclosed until they file their SEC reports for the quarter so your absolute discretion is expected. Under no circumstances are you to discuss this transaction with anyone in the department. A leak could result in SEC fines or prison for both of us for insider trading. If you have any questions about this, please respond to this email with your direct line and I'll call you when I'm out of the negotiation meetings. I appreciate all you do for us which is why I'm trusting you with this key project.
Keep up the good work! Sandy (CEO)
Physical Presence
• Gaining physical access can be easier than virtual access
• May provide additional information
• Comes at a higher risk but with a potentially greater reward

Physical Presence Examples
• Delivery Drivers
• Employee Tailgating
• Maintenance or Emergency Crews
• The key is to act like you belong. If you believe it so will everyone else.

Enticement Examples
A folder with enticing title/label left on ground outside an employee entrance with a USB thumb drive taped inside.
• USB, CD or DVDs left in conspicuous spaces.
• May be accompanied by fake paper files
• Curiosity beats caution
(Slide photo: folder labeled "Year-End Bonuses")
Putting It All Together
• Targeted attacks will always use some form of social engineering.
• Just like in military operations, intel makes or breaks a mission
• Hackers may never even need to use sophisticated technical attacks if you provide the information willingly

Stealth Mode
• Limited social engineering attacks can be hard to detect.
• Relevant information allows attackers to pinpoint their attack which makes their footprint hard to discover.

Don't Fall for The Long Con
• Social engineering is nothing more than a con-game.
• The old "Long Con" has been ported to the digital world.
• Good cons are hard to spot.
Best Defenses
• Strong paper destruction process
• Limiting facility ingress/egress points
• Challenge unknown people in secure areas
• Implement technology to screen email and websites for attacks
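An added example, not from the presentation, of the kind of email-screening technology the last bullet calls for: it scores a message against the indicators the deck itself lists (wire-transfer and bank-detail requests, secrecy demands, requests to update account information, hyperlinks whose visible text names a different host than the destination) and adds one check the deck does not list, a Reply-To domain that differs from the From domain. The sample input is a constructed abridgement of the spear-phishing email on the earlier slide; the sender addresses and the example.com/example.net domains are placeholders.

```python
import re
from urllib.parse import urlparse

# Indicator phrases taken from the deck's phishing tips and spear-phishing example.
WIRE_WORDS = ("wire ", "routing", "account number")
SECRECY_WORDS = ("discretion", "discuss this", "no circumstances", "cannot be disclosed")
UPDATE_WORDS = ("update your account", "verify your account", "update account information")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def hostname(s):
    """Hostname of a URL or bare domain string; None for ordinary link text."""
    s = s.strip()
    if "://" not in s and not re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", s, re.I):
        return None
    return urlparse(s if "://" in s else "http://" + s).hostname

def mismatched_links(html):
    """Hrefs whose visible link text names a different host (the 'unfamiliar hyperlink' tip)."""
    bad = []
    for href, text in ANCHOR_RE.findall(html):
        shown, real = hostname(text), hostname(href)
        if shown and real and shown.lower() != real.lower():
            bad.append(href)
    return bad

def score_message(sender, reply_to, body_text, body_html=""):
    """Score one message against the deck's indicators; returns (score, reasons)."""
    reasons, low = [], body_text.lower()
    if any(w in low for w in WIRE_WORDS):
        reasons.append("requests a wire transfer or bank details")
    if any(w in low for w in SECRECY_WORDS):
        reasons.append("demands secrecy")
    if any(w in low for w in UPDATE_WORDS):
        reasons.append("asks to update account information via email")
    # Reply-To on a different domain than From is an added check not listed in the deck.
    if reply_to and reply_to.split("@")[-1].lower() != sender.split("@")[-1].lower():
        reasons.append("Reply-To domain differs from From domain")
    reasons += [f"link text does not match destination: {h}" for h in mismatched_links(body_html)]
    return len(reasons), reasons

# Constructed sample: an abridged copy of the deck's spear-phishing email, with placeholder domains.
SAMPLE_TEXT = ("Mary (CFO) and I are in Atlanta working to close a deal. I need you to wire "
               "$85,620 to XYZ Company. The routing and account number for XYZ is 12345678 - "
               "7788994455. Under no circumstances are you to discuss this transaction with "
               "anyone in the department. Keep up the good work! Sandy (CEO)")
SAMPLE_HTML = '<p>Update account info at <a href="http://example.net/login">example.com</a></p>'

if __name__ == "__main__":
    score, why = score_message("sandy@example.com", "sandy@example.net", SAMPLE_TEXT, SAMPLE_HTML)
    print(score, *why, sep="\n- ")
```

A real deployment would feed these reasons into the mail gateway's quarantine or banner logic rather than a print; the phrase lists are deliberately small so that each hit maps back to a specific slide.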
Employee Training
• Traditional CBT methods don't work
• Engage the employee, make a personal plea
• Use gamification to enhance learning
• Prepare for different learning styles (audio, visual, hands-on)
• Awareness is not training and training is not awareness

Program Validation
• Social engineering testing engagements provide assessments of how well your people, process and technology are functioning.

Summary
• Social engineering is here to stay and it's growing
• Your organization will suffer a data breach due to social engineering
• The study of human behavior has been used by criminals for centuries, cybercriminals are no different
• Employees must be trained to spot social engineering and how to react

Question & Answer
www.integritysrc.com/blog
Dave Nelson, CISSP
@IntegrityCEO - @IntegritySRC
515-965-3756