Social Engineering - IASA

Social Engineering

The fast and easy way to steal confidential information

Skip B. Smith, GSLC
Manager, Information Security

Indiana Farm Bureau [email protected]

317-692-7910

Agenda

• What is Social Engineering?
• Social Engineering on the rise.
• Types of Social Engineering Attacks.
• The Social Engineering Attack Cycle.
• Examples of Social Engineering in Action.
• What can you do to protect yourself against social engineering?
• Questions?

What is Social Engineering?

Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple.

We define social engineering as, “Any act that influences a person to take an action that may or may not be in their best interest.” We have defined it in very broad and general terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others. – www.social-engineer.org

Social Engineering - Use on the rise

Social Engineering is on the rise. According to the 2017 Verizon Data Breach Investigations Report, Social Engineering was involved in 43% of breaches.

Types of Social Engineering Attacks

Why Use Social Engineering?

• Path of least resistance: it's just a whole lot easier.
• An attacker can spend many hours, weeks, or even months trying to brute force their way into a network or computer system.
• As security controls and prevention techniques increase, the attacker's job becomes harder.
• Human weakness is always present.

The Social Engineering Attack Cycle

1. Information Gathering - Research
2. Establish Relationship and Rapport
3. Exploitation
4. Execution

Attack Cycle 1. Information Gathering

• The likelihood of success for most attacks depends on this phase so it is only natural to invest the majority of time and attention here.

• Some of the information gathered is used to determine the attack vector, possible passwords, identify likely responses from various individuals, refine goals, become familiar and comfortable with the target, and formulate strong pretext(s).

Attack Cycle 2. Establish Relationship and Rapport

• This phase establishes a working relationship with the target.

• This is a critical point, as the quality of the relationship built by the attacker determines the level of cooperation and the extent to which the target will go to help the attacker accomplish the goal.

• It can be as brief as hurrying towards the door with a big smile and eye contact so the target holds the door open for the attacker to walk through.

• It could be connecting on a personal level over the phone or as personal as showing family pictures and sharing stories with the receptionist in the lobby. It can also be as extensive as building an online relationship with the target through a fake profile on a dating or social networking site.

Attack Cycle 3. Exploitation

• This is when the attacker uses both information and relationships to actively infiltrate the target.

• In this phase, the attacker is focused on maintaining the momentum of compliance that was built in phase 2 without raising suspicion.

• Exploitation can take place through the divulging of seemingly unimportant information or access granted/transferred to the attacker.

Examples of successful exploitation include:
• The act of holding the door open or otherwise allowing the attacker inside the facilities
• Disclosing password and username over the phone
• Inserting a USB flash drive with a malicious payload into a company computer
• Opening an infected email attachment

Attack Cycle 4. Execution

• This phase is when the ultimate goal of the attack is accomplished, or for various reasons, the attack is ended in such a way as to not raise suspicion regarding what has occurred.

• A well planned and smooth exit strategy is the attacker’s goal and final act in the attack.

Pretexting

• Pretexting is the act of creating and using an invented scenario (the pretext).

• Pretexting attempts to build trust, one of the most important aspects of social engineering.

• A pretext involves an elaborate lie. It most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy and trust in the mind of the target.

Pretexting continued

Pretexting has been hailed as one of the quickest ways to obtain information. It is utilized by federal and local law enforcement, private detectives, reporters, interrogators and many other types of people.

Social Engineering Example #1

Social Engineering Example 1 Discussion

• Did you recognize the pretexting cues?
• The relationship and rapport building?

Social Engineering Example #2

Scotty’s Brewhouse W2 Data Breach

An employee payroll manager responded to a phishing email requesting employee information.

• How many victims? 4,000 employees.

• What type of information? Names, wages, tax information, and other personal information present on W-2 tax forms.

• What happened? An unknown individual, posing as the company's CEO Scott Wise, sent a phishing email to a payroll account employee requesting the W-2 forms of all 4,000 employees in PDF format. The employee did as instructed.

Social Engineering Example #3
Man in Construction Hat Steals $15K in Laptops at Memorial Sloan Kettering

• What was stolen? 8 Dell laptops valued at $15,300
• Got onto the construction site via a hole in the fence

What can you do?
Educate yourself; this is the only defense.

How can you protect yourself and your company against Phishing?

• Do not open any email or attachment if it seems suspicious to you
• Technical support will never ask for your username and password
• If you receive something from your boss unexpectedly, give your boss a call and verify that the email is legitimate
• Report phishing or suspicious email to information security as outlined by your company's policies
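The W-2 breach above and the "call your boss" advice both come down to one check: does the sender claiming to be an executive actually write from inside the company? The following is an added example, not part of the presentation, of a mail-gateway style check for that pattern; the company domain, the executive name list and the two sample messages are constructed for illustration.

```python
"""Added example: flag executive-impersonation e-mails (display name of an executive,
but an external From address or a Reply-To that diverts replies elsewhere) that also
ask for payroll or tax data. Domain, names and messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example.com"                 # assumed internal mail domain
EXECUTIVES = {"scott wise"}                    # assumed: display names worth protecting
SENSITIVE = re.compile(r"\b(w-?2|payroll|wire transfer|ssn)\b", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_message: str) -> list:
    """Return a list of warning strings for one RFC 5322 message; empty means no flags."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. Executive display name paired with an address outside the company.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' is an executive but address {addr} is external")
    # 2. Replies would go to a different domain than the apparent sender.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To {reply_to} differs from From domain {domain_of(addr)}")
    # 3. The request itself is for payroll/tax data (single-part text body assumed).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if SENSITIVE.search(msg.get("Subject", "") + " " + body):
        findings.append("message requests sensitive payroll/tax information")
    return findings


# Constructed sample modelled on the W-2 case: executive name, external address.
PHISH = """\
From: Scott Wise <ceo.office@mail-example.net>
Reply-To: scottwise@webmail-example.org
To: payroll@example.com
Subject: W-2 forms needed today

Please send me the W-2 forms for all employees in PDF format.
"""

# Constructed benign internal message for comparison.
BENIGN = """\
From: Scott Wise <scott.wise@example.com>
To: payroll@example.com
Subject: Lunch on Friday

Is the team available for lunch on Friday?
"""
```

Run `analyze(PHISH)` and `analyze(BENIGN)`: the first returns three warnings (external executive address, diverging Reply-To, sensitive request), the second returns none, which is the signal that should trigger the "call your boss" verification step.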

How can you protect yourself and your company against Vishing?

• Confirm with whom you are speaking
• Do not provide any sensitive information if you cannot verify the caller's identity
• When in doubt, ask the caller for more information
• Ask for name, company, title
• Ask for a phone number to call them back
• Be aware of your information security policy

How can you protect yourself and your company against an Impersonation Attack?

• Be aware of your surroundings
• Have a clear understanding of who should be in the facility
• Understand the requirements for entry into the facility
• If you see something that doesn't look right or does not pass the smell test, report it immediately
• PCI requires advance notice of all visits by technicians

Social Engineering Awareness
Phishing your own Company

• This is done to train and inoculate your employees.

April 2016 Phishing Campaign at IFB

Email Template #1

Social Engineering Awareness
Phishing your own Company, cont.

Email Template #2

Social Engineering Awareness
Phishing your own Company, cont.

Landing page after you open the attachment and click a link:

Resources
• http://www.cnet.com/news/snapchat-hit-by-email-phishing-scam/
• https://www.alienvault.com/blogs/security-essentials/watering-hole-attacks-detecting-end-user-compromise-before-the-damage-is-done
• http://www.social-engineer.org/wiki/archives/CommonAttacks/CommonAttacks-ClassicSE.html
• https://www.dnainfo.com/new-york/20170705/lenox-hill/burglar-construction-hat-steals-laptops-memorial-sloan-kettering-cancer-center?utm_content=buffer3dc3e&utm_medium=social&utm_source=twitter.com&utm_campaign=DNAinfoNY

Much of the material for this presentation came from:
• http://www.social-engineer.org/

Questions?


Thank you! Stay Aware!