Social Engineering


Social Engineering Pen-testing

1. Obtain authorization
2. Define the scope of the pen test
3. Obtain a list of emails and contacts of predefined targets
4. Collect emails and contact details of employees in the target organization
5. Collect information using footprinting techniques
6. Create a script with specific pretexts
7. Email employees asking for personal information
8. Send and monitor emails with malicious attachments to target victims
9. Send phishing emails to target victims

Phases of Social Engineering

1. Research the target company
2. Select the target
3. Develop the relationship
4. Exploit the relationship

Tailgating

Implies access to a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, relying on the fact that a polite user will open and hold the door for those following them.

PhishTank

A collaborative clearinghouse for data and information about phishing on the Internet. It provides an open API for developers and researchers to integrate anti-phishing data into their applications.

Piggybacking

Implies entry into a building or secured area with the consent of the authorized person.

Social engineering

An attack that exploits human nature by convincing someone to reveal information or perform an activity. There are three forms.

Pretexting

The use of a fictitious scenario to persuade someone to perform an action or give information for which they are not authorized.

Security Policy countermeasure

o Avoid sharing a computer account.
o Avoid using the same password for different accounts.
o Avoid storing passwords on media or writing them on a notepad or sticky note.
o Avoid communicating passwords over the phone, email, or SMS.
o Do not forget to lock or shut down the computer before leaving the desk.

Types of Identity Theft

o Child Identity Theft
o Criminal Identity Theft
o Financial Identity Theft
o Driver's License Identity Theft
o Insurance Identity Theft - closely related to medical identity theft; takes the victim's medical information in order to access their insurance for medical treatment
o Medical Identity Theft - the most dangerous type of identity theft
o Tax Identity Theft
o Identity Cloning and Concealment
o Synthetic Identity Theft - the most sophisticated type of identity theft, where the perpetrator obtains information from different victims to create a new identity
o Social Identity Theft

Social Networking Threats to Corporate Networks

o Data Theft
o Involuntary Data Leakage
o Targeted Attacks
o Network Vulnerability
o Spam and Phishing
o Modification of Content
o Malware Propagation
o Business Reputation
o Infrastructure and Maintenance Costs
o Loss of Productivity

Countermeasures an organization should take

o Disseminate policies among employees and provide proper education and training. Specialized training benefits employees in higher-risk positions against social engineering threats.
o Obtain employees' signatures on a statement acknowledging that they understand the policies.
o Define the consequences of policy violation.

Impact of a Social Engineering Attack on an Organization

o Economic Losses
o Damage to Goodwill
o Loss of Privacy
o Dangers of Terrorism
o Lawsuits and Arbitration
o Temporary or Permanent Closure

Reasons for Insider Attacks

o Financial Gain
o Steal Confidential Data
o Revenge
o Become Future Competitors
o Perform Competitors' Bidding
o Public Announcement

Types of Social Engineering

o Human-based Social Engineering
o Computer-based Social Engineering
o Mobile-based Social Engineering

Types of Human-based Social Engineering

o Impersonating
o Eavesdropping
o Shoulder Surfing
o Dumpster Diving
o Reverse Social Engineering
o Piggybacking
o Tailgating
o Vishing

Factors that Make Companies Vulnerable to Attacks

o Insufficient Security Training
o Unregulated Access to Information
o Several Organizational Units
o Lack of Security Policies

Physical Security Policies

o Issue identification cards (ID cards) and uniforms, along with other access control measures, to the employees of the organization.
o Office security or personnel must escort visitors into visitor rooms or lounges.
o Restrict access to certain areas of the organization in order to prevent unauthorized users from compromising the security of sensitive data.
o Old documents containing valuable information must be disposed of using equipment such as paper shredders and burn bins. This prevents information gathering by attackers using techniques such as dumpster diving.
o Employ security personnel in the organization to protect people and property. Support trained security personnel with alarm systems, surveillance cameras, etc.

Types of Impersonation (Vishing)

o Over-Helpfulness of Help Desk
o Tech Support
o Third-party Authorization
o Trusted Authority Figures

Types of Computer-based Social Engineering

o Phishing
o Pop-up window attacks
o Hoax letters - warn of a non-existent virus threat
o Chain letters - promise a gift but actually deliver a virus
o Spam mail
o Instant chat messenger

Types of Impersonation

o Posing as a legitimate end user
o Posing as an important user
o Posing as technical support
o Internal Employee/Client/Vendor
o Repairman
o Over-helpfulness of help desk
o Third-party authorization
o Tech support
o Trusted authority

Things that lead to Insider Threats

o Privileged Users
o Disgruntled Employees - unhappy employees or contract workers
o Terminated Employees
o Accident-Prone Employees
o Third Parties - remote employees, partners, dealers, vendors
o Undertrained Staff

Types of Mobile-Based Social Engineering

o Publishing malicious apps
o Repackaging legitimate apps
o Sending fake security applications
o SMiShing (SMS Phishing)

Common Targets of Social Engineering

o Receptionists and Help-Desk Personnel
o Technical Support Executives
o System Administrators
o Users and Clients
o Vendors of the Target Organization

Identity Theft Countermeasures

o Secure or shred all documents containing private information
o Ensure your name is not present on marketers' hit lists
o Review your credit card reports regularly and never let your card out of sight
o Never give any personal information over the phone
o To keep your mail secure, empty the mailbox quickly
o Suspect and verify all requests for personal data
o Protect your personal information from being publicized

Netcraft

Anti-phishing tool that provides updated information about the sites users visit regularly and blocks dangerous sites.

Mobile-Based Social Engineering

Attackers trick users by imitating popular applications: they create malicious mobile applications with attractive features and submit them under the same name to the major app stores.

Types of Insider Threats

Malicious Insider - comes from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network.
Negligent Insider - insiders who are uneducated on potential security threats or simply bypass general security procedures to meet workplace efficiency are more vulnerable to social engineering attacks. A large number of insider attacks result from employees' laxity towards security measures, policies, and practices.
Professional Insider - the most harmful insiders; they use their technical knowledge to identify weaknesses and vulnerabilities in the company's network and sell the confidential information to competitors or black market bidders.
Compromised Insider - an outsider compromises an insider who has access to critical assets or computing devices of the organization (difficult to detect).

Social Engineering Toolkit (SET)

Pentesting tool: an open-source, Python-driven tool aimed at penetration testing via social engineering. It is a generic exploitation framework designed to perform advanced attacks against the human element, persuading a target to give up sensitive information. SET categorizes attacks such as email, web, and USB according to the attack vector used to trick humans.

Human-based Social Engineering

This form of social engineering involves human interaction. Under the pretext of being a legitimate person, the attacker interacts with an employee of the target organization to collect sensitive information about the organization, such as business plans, network details, etc., that might help in launching an attack.

Computer-based Social Engineering

This type of social engineering relies on computers and Internet systems to carry out the targeted action.

Defense Strategy

o Social Engineering Campaign - An organization should conduct numerous social engineering exercises using different techniques on a diverse group of people in order to examine how its employees would react to a real social engineering attack.
o Gap Analysis - From the information obtained in the social engineering campaign, the organization is evaluated against industry-leading practices, emerging threats, and mitigation strategies.
o Remediation Strategies - Depending on the result of the evaluation in the gap analysis, a detailed remediation plan is developed to mitigate the weaknesses or loopholes found in the earlier step. The plan focuses mainly on educating and creating awareness among employees based on their roles and the potential threats to the organization.

Types of Phishing

o Spear phishing - content directed at a specific employee or small group of employees
o Whaling - targets high-profile executives like CEOs, CFOs, politicians, and celebrities with complete access to confidential and highly valuable information
o Pharming - the attacker executes malicious programs that automatically redirect the victim's traffic to a website controlled by the attacker
  - DNS Cache Poisoning
  - Hosts File Modification
o Spimming - exploits Instant Messaging platforms and uses IM as a tool to spread spam

Social Engineering Pen-testing Tools

o SpeedPhish Framework (SPF)
o Gophish
o King Phisher
o LUCY
o MSI Simple Phish
o Ghost Phisher
o Metasploit
o Umbrella
o Domain Hunter
o Phishing Frenzy
o SpearPhisher

Common Techniques Attackers Use to Obtain Personal Information for Identity Theft

o Theft of wallets, computers, laptops, cell phones, backup media, and other sources of personal information
o Internet Searches
o Pretexting - fraudsters may pose as executives from financial institutions, telephone companies, and so on, relying on "smooth talking" to win the trust of an individual and get them to reveal sensitive information
o Hacking
o Keyloggers and password stealers (malware)
o Wardriving
o Mail Theft and Rerouting

Social Engineering Countermeasures

o Train Individuals on Security Policies
o Implement Proper Access Privileges
o Presence of Proper Incident Response Time
o Availability of Resources Only to Authorized Users
o Scrutinize Information
o Background Check and Proper Termination Process
o Anti-Virus/Anti-Phishing Defenses
o Implement Two-Factor Authentication
o Adopt Documented Change Management
o Ensure Regular Updates of Software

Masquerading

Refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
