![Page 1: Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.](https://reader035.fdocuments.us/reader035/viewer/2022070308/551c510a550346b1458b4d25/html5/thumbnails/1.jpg)
Social Engineering Training
Training Goals
Increase Laboratory awareness.
Provide the tools required to identify, avoid and report advanced Social Engineering attempts:
Spot sophisticated e-mail phishing attempts.
Avoid phone-based information elicitation.
Detect "baiting" attacks via USB keys, CDs, and other physical media.
Why Social Engineering Training?
DOE Red Team Tests
The Red Team used Social Engineering tactics to attempt to infiltrate the laboratories in Spring 2008. They were successful in gaining access and maneuvering without detection at two DOE laboratories and one Site Office.
Increased use and sophistication of Social Engineering tactics.
Overview
Definition
Attacker Motivation
Techniques
Tests
Summary
Definition
What is social engineering?
Art of manipulating people into performing actions or divulging confidential information.
Using trickery to gather information or computer system access.
In most cases the attacker never comes face-to-face with the victim.
What motivates social engineers?
Obtaining personal information.
Gaining unauthorized access.
Circumventing established procedures.
Because they can.
Pretexting
An invented scenario. Can use any communication medium: phone calls, e-mail, physical media.
General Prevention
Think about motivation: how could this be used maliciously?
Be polite (it could be legitimate).
Record available contact information.
Ask a question for which the answer is not publicly available.
Tools Used in Pretexting
Any publicly available information: postings on public web pages, phone book information, professional information.
Personal and professional relationships: association with ISU, association with DOE, conferences and collaborations in the field of expertise.
Specific Techniques
Phone: Cold Calls / Scams
E-Mail: Phishing [1]
E-Mail: Trojan Horse [1]
Physical Media: Baiting [1][2]
[1] The DOE Red Team used these techniques in their latest successful attacks on two DOE laboratories and one site office.
[2] The DOE Red Team was successful using these methods to infiltrate DOE laboratories in the past.
Phone Scams
Unexpected / Unsolicited Phone Calls
Attempt to elicit personal or organizational information.
Example Pretexts
Offer to perform a service.
Ask for information about the organization (e.g. reporters, prospective students).
Claim to be calling for a friend or family member who needs access to something.
Prevention
Be polite.
Ask for a number to call *them* back; it may allow tracing later. To actually verify the caller, call back through a number you look up yourself (the directory or the organization's official web site), not the one the caller gives you.
Ask a question for which the answer is not publicly available.
E-Mail
Unsolicited / Unexpected E-Mail - entices the user to:
Click on a link to a fraudulent web page.
View or execute an attachment.
Reply to the message.
Example Pretexts
Standard spam (Viagra, off-shore lottery, etc.).
Notice from DOE, ISU or another organization requiring a quick response and personal information.
Unsolicited CVs, proposals, professional requests.
E-Mail – Trojan Horse
Malicious software delivered via e-mail: attachment or web link.
Pretexts
Cool screen saver.
Important anti-virus or system upgrade.
Latest gossip about a celebrity.
E-Mail - Prevention
Verify web links: known site; URL and link text match (the text you see is not necessarily the address the link opens; hover over or inspect the link to see its real target); copy and paste rather than click.
Verify the sender prior to opening attachments or clicking on web links. Contact the sender through a different medium (e.g. call them). Verify via an associate of the sender, if known.
Examine e-mail headers. The From line is trivially forged; the Received lines added by the Laboratory's own mail servers record which host actually delivered the message, and the envelope sender (Return-Path) or Reply-To often point to a domain that does not match the From address.
Forward suspect e-mail to [email protected]
Email Example - Links
Email Example - Headers
Email Example - Attachments
What you see vs. what you don't see: the Attacker's Server.
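The link, header and attachment checks from the prevention slide, as an added example that is not part of the training deck: a small Python triage script run over two constructed messages, one phishing and one legitimate. Every domain is an example name, and mail.ames.example is an assumed name for the Laboratory's own inbound mail server; only the Received line that server wrote can be trusted, since everything an attacker's relay adds above it is under their control.

```python
"""Triage a suspicious e-mail: header inconsistencies, link text that hides a
different href, and risky attachments.  Added example with constructed
messages; every domain is an example name."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_MTA = "mail.ames.example"  # assumed name of the Lab's own inbound MTA
RISKY_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".pif", ".com"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing sample: forged From, mismatched Return-Path/Reply-To,
# link text that differs from the href, and a double-extension attachment.
PHISH_EMAIL = b"""\
Return-Path: <bounce@relay.attacker.example>
Received: from relay.attacker.example (relay.attacker.example [203.0.113.7])
\tby mail.ames.example with ESMTP id 1A2B3C; Mon, 3 Mar 2008 09:12:00 -0600
From: DOE Help Desk <helpdesk@doe.example>
Reply-To: helpdesk@doe-support.attacker.example
Subject: URGENT: Password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Reset it here: <a href="http://doe-login.attacker.example/reset">https://www.doe.example/reset</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Password_Policy.pdf.exe"

MZ
--b1--
"""

# Constructed legitimate sample: consistent headers, honest link text.
CLEAN_EMAIL = b"""\
Return-Path: <helpdesk@doe.example>
Received: from smtp.doe.example (smtp.doe.example [192.0.2.25])
\tby mail.ames.example with ESMTP id 4D5E6F; Mon, 3 Mar 2008 10:00:00 -0600
From: DOE Help Desk <helpdesk@doe.example>
Subject: Password policy reminder
Content-Type: text/html; charset="us-ascii"

<p>See <a href="https://www.doe.example/policy">https://www.doe.example/policy</a></p>
"""

def _host(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _domain(addr):
    """Domain part of an address header value ('' if absent)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def triage(raw, trusted_mta=TRUSTED_MTA):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. From is trivially forged: compare it with the envelope sender and Reply-To.
    from_dom = _domain(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 2. Only the Received line written by our own server can be trusted; it
    #    records which host actually handed the message over.
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(rcvd), re.S)
        if m and m.group(2).lower() == trusted_mta:
            src = m.group(1).lower()
            if not (src == from_dom or src.endswith("." + from_dom)):
                findings.append(f"handed to {trusted_mta} by {src}, not a {from_dom} host")
            break
    # 3. Visible link text that looks like a URL but points somewhere else
    #    (a regex is enough for triage of simple HTML; a real tool would parse it).
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in ANCHOR.findall(html_part.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()
            if URL_LIKE.match(text) and _host(text) != _host(href):
                findings.append(f"link text {text!r} but href goes to {_host(href)}")
    # 4. Executable or double-extension attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.split(".")
        if len(ext) > 1 and "." + ext[-1] in RISKY_EXT:
            findings.append(f"attachment {name!r} has an executable extension")
        if len(ext) > 2:
            findings.append(f"attachment {name!r} has a double extension")
    return findings
```

Running `triage(PHISH_EMAIL)` produces six findings (Return-Path and Reply-To domains, the relay that handed the message to our server, the link whose visible text does not match its href, and the attachment's executable and double extension), while `triage(CLEAN_EMAIL)` produces none. The host comparison is deliberately exact, so it will also flag a benign difference such as `www.doe.example` text pointing at a `doe.example` href; for triage that is the right bias, since a human still reads the findings.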
Physical Media - Baiting
Deliver malware via an infected CD-ROM or USB flash drive.
Pretexts
"Lost" in a location sure to be found (bathroom, elevator, sidewalk, parking lot).
Delivered with a legitimate-looking, curiosity-piquing label; the attacker simply waits for the victim to use the device.
Physical Media - Prevention
Verify unexpected mailings with sender.
Never put anything into your computer if you don’t know where it’s been.
Bring found USB keys, CD-ROMs, or other digital media to IS for examination.
Quick Tests
Name 3 clues in this e-mail that should make you suspicious.
Quick Tests – Solution
Quick Tests
Which of these emails is legitimate? Which is fake?
The left email is a Red Team attack. The right email is from DOE.
Quick Tests
Can you think of ways the information on Ames Laboratory’s public web page could be exploited to execute a social engineering attack?
Can you think of an unsolicited e-mail, phone call, or physical mail attack which would be impossible to verify or handle safely?
When to report Social Engineering
What to report
Spam emails with local information.
Unusual DOE/Ames Laboratory emails.
Unsolicited phone calls digging for information/contacts.
What not to report
General spam.
How to report Social Engineering
If Social Engineering techniques are attempted while at work…
If you believe you might have revealed sensitive information about the Ames Laboratory…
Report it to the IS office at: Phone: 4-8348 Email: [email protected]
This will alert us to any suspicious or unusual activity.
Summary
Be suspicious.
Think about motivation when revealing information.
Verify identity.
Be careful what you click on.
No one will catch everything – be willing to ask for help.
Thanks for Attending