
HUMAN!

THE MIND GAME BEYOND Normal

Simple Definition
Social engineering is a psycho-social attack that subverts human trust and helpfulness in order to attain the attacker's goals.

Outline
What is it? How is it done? Who is at risk? Approach?

What is it?
Social engineering is the oldest form of hacking.
Social engineers focus on the users of the system. By gaining the trust of the user, a social engineer can simply ask for whatever information he or she wants and usually get it.

Social Engineering
Uses psychological methods
Exploits the human tendency to trust
Goals are the same as hacking
"The art and science of getting people to comply with your wishes"

Why Social Engineering?
Easier than technical hacking
Hard to detect and track

A social engineer's mantra
"There is no patch for human stupidity."

The Mind of a Social Engineer
More like actors than hackers
Learn how people feel by observing their actions
Can alter these feelings by changing what they say and do
Make the victim want to give them the information they need

How is it done?
Attacks come in various forms:
On the phone, over e-mail, in person
Impersonation

Impersonation
Play the part!
Social engineers must:
Anticipate problems
Know the jargon and procedures of the role

Impersonation
And most importantly, know how to build trust with whomever they need information from.
Social engineers most often impersonate authority figures, assistants to authority figures, and new employees.

More techniques
Dummy mode
Bury the key question
Research (Google)

Over the phone
The phone is the most popular method of social engineering because it is difficult to verify or deny someone's identity.

Over e-mail and IM
E-mail attacks are very common (phishing). E-mail is also used for impersonation.
Obtaining the password for an IM account could lead to access to a bank account and other personal data.

Dumpster diving
Digging through trash at corporations in search of sensitive data.


Who is at risk?
Everyone.
Everyone with information is a potential target!

Real World Examples
90% of office workers gave away their password for a pen.
70% of people traded their password for a bar of chocolate.

Real World Examples
1/3 of IRS employees provided their user name and changed their password in a 2005 security audit.

USC vs. Cal basketball game

Approaches
Carelessness
Comfort Zone
Helpfulness
Fear

Careless Approach
Victim is careless
Does not implement, use, or enforce proper countermeasures
Used for reconnaissance
Looking for what is lying around

Careless Examples
Dumpster Diving/Trashing
Huge amount of information in the trash
Most of it does not seem to be a threat
The who, what and where of an organization
Knowledge of internal systems
Materials for greater authenticity
Intelligence agencies have done this for years

Comfort Zone Examples
Impersonation
Could be anyone: Tech Support, Co-Worker, Boss, CEO, User, Maintenance Staff
Generally two goals:
Asking for a password
Building access (Careless Approach)

Comfort Zone Approach
Victim organization members are in a comfortable environment
Lower threat perception
Usually requires the use of another approach

Helpful Approach
People generally try to help even if they do not know who they are helping
Usually involves being in a position of obvious need
Attacker generally does not even ask for the help they receive

Helpful Examples
Piggybacking
Attacker will trail an employee entering the building
More effective:
Carry something large so they hold the door open for you
Go in when a large group of employees is going in
Pretend to be unable to find the door key

Fear Approach
Usually draws from the other approaches
Puts the user in a state of fear and anxiety
Very aggressive

Fear Examples
Conformity
The user is the only one who has not helped out the attacker with this request in the past
Personal responsibility is diffused
User gets justification for granting the attacker's request

Combating Social Engineers
User Education and Training
Identifying Areas of Risk
Tactics correspond to area
Strong, Enforced, and Tested Security Policy

User Education and Training
Security orientation for new employees
Yearly security training for all employees
Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented
Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc. with security slogans (e.g. "Loose lips sink ships")

Security Policy
Management should know the importance of protecting against social engineering attacks
Specific enough that employees should not have to make judgment calls
Include a procedure for responding to an attack

Areas of Risk
Certain areas have certain risks
What are the risks for these areas?
Help Desk
Building entrance
Office
Mail Room
Machine room/Phone Closet
Dumpsters
Intranet/Internet
Overall

Conclusions
Social engineering is a very real threat
Realistic prevention is hard
Can be expensive
Militant vs. helpful helpdesk staff
Reasonable balance

You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.
-Kevin Mitnick

Questions

