Chapter 11
tokens
"something you have"; generally ensures at least a two-factor authentication method, because you need the item itself and a PIN you memorize to go along with it.
smartcards
"something you have"; has a chip inside that holds a great deal of information, including identification certificates from a PKI system to identify the user. May also have RFID features to broadcast information to nearby swipe readers.
Five main reasons social engineering is effective
1. human nature; 2. ignorance of social engineering; 3. fear (of the consequences of not providing the requested information); 4. greed (promised gain for providing the information); 5. a sense of moral obligation
Four phases of successful social engineering
1. research (dumpster diving, visiting websites, touring the company, etc.); 2. select the victim (a frustrated employee or other target); 3. develop a relationship; 4. exploit the relationship (collect sensitive information)
Can help in identifying risky sites and phishing behavior
Netcraft Toolbar, PhishTank Toolbar, and sign-in seal
ZitMo (ZeuS-in-the-mobile)
A piece of malware that turned up on Android phones and ensured that one-time passwords also ended up in the bad guys' hands.
Real-world phishing example that is common and successful
adding "-benefits" to the end of a company name
Steps in reverse social engineering
advertisement, sabotage, support
Fake AV aka Rogue Security
Allows an attacker potential access to PII such as billing address and credit card details. Be sure to verify any link in an email or other notification regarding security software.
publishing malicious apps
An attacker creates an app that looks like, acts like, and is named similarly to a legitimate application.
SMS aka Smishing
An attacker sends SMS text messages crafted to appear to be legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.
repackaging legitimate apps
An attacker takes a legitimate app from the app store and modifies it to contain malware, posting it on a third-party app store for download.
Physical measures
Anything you can touch, taste, smell, or get shocked by, e.g., lighting, locks, fences, guards with tasers, etc.
mobile-based attack
app or SMS issue
Social Engineering
The art of manipulating a person, or group of people, into providing information or a service they otherwise would never have given.
authority support
The attacker calls the help desk posing as a locked-out user; the help desk wants to help and resets the password to something the attacker knows, granting him access.
piggybacking
The attacker doesn't have a badge but asks someone to let them in anyway.
tailgating
The attacker has a fake badge and simply follows an authorized person through the opened security door.
computer-based social engineering attacks
attacks carried out with the use of a computer
pop-ups
Attacks that use code to create windows users will unknowingly click, taking the user to a malicious site where content is downloaded to their machine, or prompting the user for credentials.
Yubikey
A basic two-factor authentication token that works right over a standard USB port. Every time it is used, it generates a one-time password that renders all before it useless. As long as the user has the token and knows their own access code, every login is fresh and secure.
Things that might indicate a phishing email and can be checked to verify legitimacy
Beware unknown, unexpected, or suspicious originators. Beware whom the email is addressed to (company emails are usually personally addressed). Verify phone numbers. Beware bad spelling or grammar. Always check links (changing a letter, adding or removing a letter, changing the letter o to a 0, or changing the letter l to a 1 changes the DNS lookup for the click; hovering the mouse over the link will show where it really intends to send you).
chat or messenger channels
Computer-based social engineering attack; used to find out personal information for future attacks and to make use of the channels to spread malicious code and install software.
mantrap
Designed as a pure physical access control, it provides additional control and screening at the door or access hallway to the controlled area. Two doors are used to create a small space to hold a person until appropriate authentication has occurred.
In the event something catastrophic occurs
disaster recovery and contingency plans
TRASHINT or Trash Intelligence
dumpster diving
RFID Identity theft aka RFID skimming
Duplicating the RFID signal from an access card to gain physical access.
sign-in seal
An email protection method that uses a secret message or image that can be referenced on any official communication with the site. It is kept locally on your computer, so the theory is that no one can copy or spoof it.
categories of social engineering attacks
human-based, computer-based, or mobile-based
Why spear phishing is more effective than phishing
If the audience is smaller and has a specific interest or set of duties in common, it is easier for the attacker to craft an email they'd be interested in reading.
most common form of social engineering
impersonation
reverse social engineering
An impersonation attack that involves getting the target to call you with the information. The attacker sets up a scenario in which the user feels he must dial in for support.
physical security
Includes the plans, procedures, and steps taken to protect your assets from deliberate or accidental events that could cause damage or loss.
single biggest threat to your security
insider attack
factors that allow social engineering to succeed
insufficient training, unregulated information (or physical) access, complex organizational structure, and lack of security policies.
phishing
Involves crafting an email that appears legitimate but in fact contains links to fake websites or to downloads of malicious content.
spear phishing
A targeted attack against an individual or a small group of individuals within an organization (usually the result of a little reconnaissance work).
potential targets for social engineering
Known as Rebecca or Jessica (can provide information to other attackers on whom to target).
technical measures
Measures taken with technology in mind to protect explicitly at the physical level, e.g., smartcards and biometrics.
Prevent social engineering attacks
Multiple layers of defense, including change management procedures and strong authentication measures, promoting policies and procedures, and setting up physical or technical controls. Most importantly, user education: training users how to recognize and prevent attacks.
Physical circumstances you need to protect against
natural or manmade
Internet Relay Chat (IRC)
One of the primary ways zombies (computers that have been compromised by malicious code and are part of a botnet) are manipulated by their malicious code masters.
preventing phishing emails
Perimeter email filters, but it is impossible to prevent them all. The best method is to educate users on how to spot a bad email.
simplest and most common method of computer-based social engineering
phishing
access controls
Physical measures designed to prevent access to controlled areas; they include biometric controls, identification/entry cards, door locks, and mantraps.
three major components of physical security measures
physical, technical, and operational
operational measures
Policies and procedures you set up to enforce a security-minded operation, e.g., background checks on employees, risk assessments on devices, and policies regarding key management and storage.
computer-based attack
pop-ups and phishing
impersonation
The attacker pretends to be someone he or she is not, and that someone or something (an employee, valid user, repairman, help desk, executive, IT security expert, or FBI agent, which is illegal) is someone or something the target either respects, fears, or trusts.
four categories of mobile-based social engineering attacks
publishing malicious apps, repackaging legitimate apps, fake security applications, SMS
disgruntled employees social engineering deterrent
Separation of duties, least privilege, and controlled access; but at some point you must trust the individuals that work in your organization. Best efforts include vetting employees, providing everything necessary for them to succeed at work, and having really good disaster recovery and continuity of operations procedures in place.
halo effect
A single trait influences the perception of other traits.
Number one social engineering attack in today's world
spear phishing
whaling
Spear phishing against high-level targets in an organization (board of directors, CEO, etc.).
computer-based attacks
Specially crafted pop-up windows, hoax emails, chain letters, instant messaging, spam, and phishing. Also consider social networking.
Fake security applications
Starts with a victimized PC: the attacker infects a PC with malware and then uploads a malicious app to an app store. Once the user logs in, a malware pop-up advises them to download bank security software to their phone. The user complies, thus infecting their mobile device.
mobile social engineering attacks
Those that take advantage of mobile devices (applications or services on mobile devices) in order to carry out their end goal.
"defense in depth" or "layered security"
A thought process that involves not relying on any single method of defense but, rather, stacking several layers between the asset and the attacker.
Spear phishing is more effective than regular phishing
true
A disgruntled employee doesn't need to still be employed at your organization to cause problems
true
Inside-to-outside communication is always more trusted than outside-to-inside communication
true
human-based social engineering
Uses interaction in conversation or other circumstances between people to gather useful information (shoulder surfing, eavesdropping). Presentation is everything.
Vishing (Voice Phishing)
Using a phone during a social engineering effort.
phishing
Usually involves a mass mailing of a crafted email in hopes of snagging some unsuspecting reader.
monitoring mantraps
video surveillance or guards