Social Engineering. Hacking Human Nature

Transcription

1 Social Engineering Hacking Human Nature

2 About ERM

3 About The Speakers Stacey Blau Physical Security Penetration Expert with Enterprise Risk Management, Inc. B.S. from MIT in Mathematics and Computer Science Served a decade in the CIA s clandestine service as a case officer in Central Eurasia

4 About The Speakers George Mortakis Director of Consulting Services with Enterprise Risk Management, Inc. M.S./MBA from University of Miami in Computer Science and Information Systems CISSP, CISA, CRISC, PCIP, PCI QSA

5 How Do We Approach Social Engineering? Look at what is vulnerable Premises People Information Break in (usually with subtlety!) to show the weaknesses Make recommendations to mitigate problems

6 Who Are the Social Engineers? Must look at who/whatthe threat could be Corporate spying(break-ins, insider threats) Foreign governments Common thieves, identity thieves Scam artists Hackers Character assassins/opportunists Information brokers Disgruntled employees Violent actors (disgruntled employees, active shooters, terrorists)

7 What Other Threats? Silent threats the mere availability of special types of information irrespective of the specific attacker Personnel files, HIPAA-protected info, and other personally identifiable information (PII) Various categories of financial information Threat or no threat, an institution will land in hot water for mere failure to secure this information

8 Sources of PII and Financial Information Internet Phone calls Malware spread via attachments, malicious websites, infected websites Social networking Company breaches Printouts, faxes, and physical media Storage media Lost or stolen laptops Instant messaging programs File sharing programs Active attacks by hackers

9 Social Engineering Top Threats Most common concerns Hackers Corporate spies Workplace violence Regulatory compliance on access to sensitive information (PII and financial) Clients want to know the answer to the following: How easy is it for someone to get inside my company and get access to what they want?

10 Know thy Enemy and Thyself Someone generally has moderate-to-strong capabilities and moderate-to-strong motivation Testers must be a team to mimic that threat to get access to people, information, devices, etc. Sun Tzu: Know thy enemy and know thyself Study the client Studying the specific threat Ensure skills (Hacking? Lock picking? Great social skills? Ability to pose as a certain individual?)

11 Social Engineering: Physical + Information Information security ensures that Only authorized users (confidentiality) Have access to accurate and complete information (integrity) When necessary (availability) Using physical penetration (exploiting human hardware bugs ) to effect theft of information a social engineering force multiplier

12 Information Security: Recent Headlines Hackers Demonstrate Car Hacking Using a Laptop Sim Card Cloning Hack Affects 750 Million Users around the World Hackers Break into Smartphones to Access Your Bank Account Hacking Google Glass with QR Code To Sniff User Data GPS Flaw Could Let Terrorists Hijack Ships, Planes International Hackers Stole 160 Million Credit and Debit Card Numbers in Largest U.S. Hacking Scheme, Feds Say Stanford University Computers Breached Network Enabled Samsung TVs Vulnerable to Denial of Service Attack

13 Information Security: Challenges Should we attack the fortress? Web application firewalls DMZ firewalls Intrusion detection/ prevention systems Active directory credentials Encryption Data loss prevention systems Application/service whitelisting Network monitoring/traffic pattern analysis

14 Social Engineering: The Benefits Or should we exploit the path of least resistance? Receptionists Helpdesk Call centers Administrative assistants Security guards Former employees, you, me anyone Poor policies and procedures Various human foibles: friendliness, helpfulness, guilelessness, laziness, boredom, vengefulness

15 Social Engineering Terminology Baiting Phishing Spear phishing Vishing(voice phishing) Pre-contexting Keyloggers Shoulder-surfing Dumpster diving Tailgating/piggybacking Quid pro quo Impersonation

16 Attacks have become increasingly sophisticated Telephone: Analog device for voice transmissions. Preferred tool of the Social Engineer, circa 2002 Maltego : Social Engineering Intelligence Software Free and open source Integrates with numerous hacking tools Automatic collection, aggregation and analysis of publicly available information Preferred tool of the social engineer

17 The Social Engineers Hackers / Mercenary Penetration Specialists Corporate Spies or Espionage Specialists Identify Thieves Disgruntled Employees Scam Artists Sales Information Brokers Foreign Governments Character Assassins / Opportunists

18 Attacks are highly coordinated and sophisticated

19 Malware Pop-Ups 19

20 Malicious Attachments 20

21 Certificate Pop-Ups 21

22 Phishing Attack 22

23 Embedded Invisible Attack in HTML 23

24 and HTML This is not empty see? I-Frame Attack an image file embedded in the Zero pixels wide by Zero pixels tall containing a script which when rendered by your mail client retrieves malicious code from the internet. Note: Preview Pane can be just as dangerous as opening the mail file. 24

25 Social Media 25

26 Social Engineering: Hacking Any information on a network is at risk How can I steal data from networks? Innocent calls to helpdesk or scoured information from internet can help tailor attacks Spear phishing (spam with malware downloads or links to sites with malware) Exploitation of lack of antivirus programs and timely updates Convincing scams and ploys

27 Social Engineering: Corporate Spies Trade secrets and products usually at risk How can I steal them, or who can give me them? Break into a facility to take them (or plant device) Recruit a source to voluntarily provide them Paid source to steal or plant a device Use a cut-out (friend), pose as a journalist, etc. Dumpster dive Serendipity at a bar (2010 iphone mishap)

28 Social Engineering: Workplace Violence Lives of personnel at risk and horrendous public scrutiny will follow The attacker will ask: How can I kill my targets? Use brute force the entire way, especially for a spectacular show of violence Subvert the facility s access control (Navy Yard shooter 2013) Manipulate access/alarm systems (remotely, too) Use PII to target victims off facility grounds

29 Social Engineering: Regulatory Compliance Financial information, HIPAA, and other PII at risk How might this information be accessed (on a onetime or ongoing basis)? Nosy insider with friends in HR Shoulder surfing, dumpster diving Poor security procedures with safes, locks, etc. Emplacement of a device (via people with temporary access to the premises or a disgruntled employee, paid insider, etc.)

30 Prevention and Countermeasures: Physical Perimeter security Guards, fencing, lighting, signs and policies and procedures! Camera system/closed-circuit TV Quality imaging, trained monitors, solid archives and policies and procedures! Access control Badges, tokens and policies and procedures! Human security Background checks employment history, qualifications, credit/criminal, references Training security awareness as a priority and requirement for all employees Employee assistance programs HR as a first line of defense Consider a counterintelligence unit at the bare minimum, institute an employee feedback mechanism Physical document/media security policies and procedures underlie success Outside mail/packages Unabomber/anthrax situations Safes, locked cabinets, drawers Disposal of paper and digital media shredding and destruction Protection against loss/theft always use encryption Classified or protectively marked materials Incident response policies and procedures for lost/stolen data, physical &electronic breaches

31 Prevention and Countermeasures 31

32 Prevention and Countermeasures 32

33 Prevention and Countermeasures Keep software updated Never respond using information contained in the , particularly links to Web sites Maintain awareness and skepticism Articles/newsletters made available on the intranet Internal webcasts and podcasts Posters, awareness quizzes, and seminars Awareness presentations, events, and live demos Clear policies and procedures on employee use of electronic systems, telephones, social media Professional social engineers performing blind tests 33

34 Your go to advisors for all matters in information security. 800 S Douglas Road #940 Coral Gables, FL Phone: info@emrisk.com