Airport IT&T 2013 John McCarthy


Transcript of Airport IT&T 2013 John McCarthy

Page 1: Airport IT&T 2013 John McCarthy

Social Engineering Managing the Human Element

Dr John McCarthy

Cyber Research Fellow, Cranfield University / UK Defence Academy, and Vice President of Cyber Security, ServiceTec Global Services

Page 2

Social Engineering: Managing the Human Element

Dr John McCarthy Ph.D. B.Sc. (Hons) MBCS

Vice President of Cyber Security, ServiceTec International Inc. / ServiceTec Research Fellow at Cranfield University / UK Defence Academy

Page 3

Partners

Cyber-Physical Systems Research Centre, based at Cranfield and sponsored by ServiceTec

University of Nebraska

Federal Aviation Administration (FAA)

Joint Information Operations Warfare Center, Vulnerability Assessment Branch (JVAB), USA

Page 4

The Problem

Page 5

What is Social Engineering?

Social engineering is a methodology that allows an attacker to bypass technical controls by attacking the human element in an organisation.

Social engineering attacks are likely to increase, and it is becoming increasingly important for organisations to address this issue.

Page 6

Phishing to Honeypots

In the context of cybersecurity we often think of complex computer systems, sophisticated hackers and hacking techniques.

All too often the human element in cybersecurity is overlooked. Many criminal gangs use social engineering techniques, and the crossover from traditional criminal activities into the cyber world is increasingly common.

Page 7

Social Engineering Attacks Cost

In the past two years, 48% of large businesses have suffered from socially engineered attacks at least 25 times, resulting in losses of between $25,000 and $100,000 per incident.

Attackers' primary motivations are stealing financial information, extracting trade secrets, or revenge.

Page 8

Who is the enemy?

Cyber terrorist

Hacktivists

Cyber criminals

Organised crime

Disgruntled employees

Script kiddies

Foreign governments

Page 9

Cultural Background

It won't happen to me...

Page 10

Catch Me If You Can

Frank Abagnale, before his 19th birthday, successfully performed cons worth millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor, and a Louisiana parish prosecutor.

His primary crime was check fraud; he became so skilful that the FBI eventually turned to him for help in catching other check forgers.

Page 11

Everyday Social Engineering

Page 12

Stereotypes

Dorothea Puente

When she was sixty, police discovered that Puente had been killing her boarders and collecting the insurance money. Seven bodies were buried in her back yard.

Page 13

Are you easily persuaded?

Page 14

Attack Vectors

Page 15

Phishing Attacks

Nigerian 419 email scam

DHL delivery

Tax refund

Another bank notice

PayPal

Cracking websites of companies or organisations and destroying their reputation (Twitter etc.)

Page 16

Socially Open to all...

The primary tool used for social engineering attacks is the phishing email, followed by the use of social networking sites that disclose employees' personal details.

Page 17

Targeted Malware

Targeted malware that is, in some cases, just hours old, so signature-based defences have not yet seen it.

Found a USB drive in the car park? Great, a freebie!

Combating this type of APT can be incredibly difficult, because all it takes is one employee to open a seemingly innocuous (yet really malicious) attachment, and the business can be compromised.
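The lures listed on the "Phishing Attacks" and "Socially Open to all" slides and the malicious-attachment point above can be turned into a first-pass triage check on inbound mail. The following Python is an added example, not part of the presentation or any ServiceTec tool; the two messages are constructed, the keyword lists and brand names are illustrative, and triage() is a hypothetical helper name.

```python
"""Heuristic triage of inbound mail for the lures and attachments described above.

Added example (not from the presentation or any vendor product): scores a raw
RFC 5322 message on lure themes, sender/Reply-To mismatches, links whose visible
text does not match the real target, and attachments that execute or carry
macros. Keyword lists, brand names and the sample messages are illustrative.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Lure themes taken from the slide's list of common phishing pretexts.
LURE_PATTERNS = {
    "tax refund": r"\btax (refund|rebate)\b",
    "delivery notice": r"\b(dhl|parcel|package|delivery)\b",
    "payment provider": r"\bpaypal\b",
    "bank notice": r"\b(your (bank )?account|account (has been )?(suspended|locked|limited))\b",
    "advance-fee (419)": r"\b(beneficiary|next of kin|million (us )?dollars)\b",
}
IMPERSONATED_BRANDS = ("paypal", "dhl", "hmrc", "irs")
# Attachment types that execute code or carry macros; a double extension hides them.
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1",
                 ".docm", ".xlsm", ".pptm"}
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|txt)\.\w{2,4}$", re.IGNORECASE)
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)


def _domain(addr):
    """Lowercase domain of 'Name <user@host>' or 'user@host'; '' if absent."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def triage(raw):
    """Score a raw message; returns (score, reasons). Higher is more suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # 1. Header mismatches: a Reply-To that silently redirects replies, or a
    #    display name claiming a brand that the sending domain does not match.
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    display = (msg.get("From") or "").split("<")[0].lower()
    for brand in IMPERSONATED_BRANDS:
        if re.search(rf"\b{brand}\b", display) and brand not in from_domain:
            reasons.append(f"display name claims {brand} but sender domain is {from_domain}")
    # 2. Lure themes in the subject and body (HTML body preferred, so links survive).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (body.get_content() if body else "") + " " + (msg.get("Subject") or "")
    for theme, pattern in LURE_PATTERNS.items():
        if re.search(pattern, text, re.IGNORECASE):
            reasons.append(f"lure theme: {theme}")
    # 3. Links whose visible text names one host but whose target is another.
    for href, label in HREF_RE.findall(text):
        label_host = _host(label) if "://" in label else ""
        if label_host and label_host != _host(href):
            reasons.append(f"link text shows {label_host} but target is {_host(href)}")
    # 4. Attachments that execute or carry macros, possibly behind a double extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in DANGEROUS_EXT or DOUBLE_EXT_RE.search(name):
            reasons.append(f"risky attachment: {name}")
    return len(reasons), reasons


# Constructed sample messages (not real mail): one lure, one routine internal note.
PHISH = """\
From: "PayPal Service" <alerts@billing-secure-update.example>
Reply-To: refunds@mailbox-collector.example
Subject: Your account has been limited - tax refund pending
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your PayPal account has been limited. Confirm here:
<a href="http://paypa1-login.example/verify">https://www.paypal.com/verify</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="refund_form.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
LEGIT = """\
From: "Ops Desk" <ops@airport.example>
Subject: Runway inspection rota for next week
Content-Type: text/plain; charset="utf-8"

The rota is on the shared calendar. Nothing to sign in to, nothing attached.
"""

if __name__ == "__main__":
    print("PHISH", triage(PHISH))
    print("LEGIT", triage(LEGIT))
```

The score is deliberately a count of independent indicators rather than a weighted model: any one of them is a reason for the recipient to pick up the phone and verify, which is the behaviour the countermeasure slides ask for. A real gateway would also check SPF/DKIM results and detonate attachments, which this check does not attempt.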

Page 18

Common Attack Entry Points

Customer Service

Tech Support

Delivery Person

Tailgating

Page 19

Information Gathering Techniques

Research: professional gangs can spend months gathering information from the web and from employees.

Dumpster Diving: poor disposal of confidential data.

Page 20

Traditional Sources

Websites: you can find information about the company, what they do, the products and services they provide, physical locations, job openings, contact numbers, and bios of the executives or board of directors.

Public Servers: a company's publicly reachable servers. Fingerprinting servers for their OS, application, and IP information can tell you a great deal about their infrastructure.
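The fingerprinting point above is easiest to appreciate by looking at what a single HTTP response gives away. The following Python is an added example, not from the presentation; the two responses are constructed, and fingerprint() and parse_headers() are hypothetical helper names.

```python
"""What a public server discloses before any exploit is attempted.

Added example, not part of the presentation: parses a raw HTTP response and
lists the infrastructure facts it leaks (server software and version, OS hint,
application stack, session-cookie technology). The two responses are constructed;
run fingerprint() on your own servers' responses to see what an attacker sees.
"""
import re

# Session-cookie names that identify the application platform behind the server.
COOKIE_TECH = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
}
# Operating-system tokens commonly embedded in Server banners.
OS_HINTS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "Win32", "Win64", "FreeBSD", "Unix")
# Headers that name the framework or runtime outright.
STACK_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Return a dict of infrastructure facts the response leaks; empty if none."""
    _, headers = parse_headers(raw)
    found = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            # 'Apache/2.2.22' style tokens give exact versions to look up.
            versions = dict(re.findall(r"([A-Za-z_-]+)/([\d.]+)", value))
            if versions:
                found["versions"] = versions
            for os_name in OS_HINTS:
                if os_name.lower() in value.lower():
                    found["os"] = os_name
        elif lname in STACK_HEADERS:
            found.setdefault("stack", []).append(f"{name}: {value}")
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_TECH:
                found.setdefault("stack", []).append(f"{cookie} cookie: {COOKIE_TECH[cookie]}")
    return found


# Constructed responses: a default install that talks too much, and one that does not.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10 mod_ssl/2.2.22\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sid=abc123; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("LEAKY", LEAKY), ("HARDENED", HARDENED)):
        print(label, fingerprint(raw))
```

The leaky banner hands an attacker the distribution, the exact Apache and PHP builds and the session technology, which is enough to pick a known exploit without touching the box further. On Apache the banner is reduced with ServerTokens Prod and ServerSignature Off, and PHP stops adding X-Powered-By when expose_php = Off is set in php.ini; renaming the session cookie removes the last hint.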

Page 21

Traditional Sources

Social media is a technology that many companies have recently embraced. User sites such as blogs, wikis, and online videos may provide information about the target company.

A disgruntled employee who is blogging about his company's problems may be susceptible to a sympathetic ear from someone with similar opinions or problems.

Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, etc.

Page 22

Non-Traditional

Industry experts or subject matter experts can provide detailed information about an area without providing anything regarding the target company.

"When in Rome, do as the Romans do": engaging in activities or frequenting places that employees from the target company also do or visit is an excellent opportunity to elicit information. Proximity to the employees provides opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID access cards.

Page 23

Influencing Others

Reciprocity, Obligation, Concession

Want a bar of chocolate?

Scarcity, Authority, Commitment and Consistency, Liking, Consensus or Social Proof, Framing

In his book, "Influence: The Psychology of Persuasion", Dr. Robert Cialdini states, "Social Proof - People will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment aborted, as so many people were looking up that they stopped traffic."

Manipulation of Incentive

Financial, Social, Ideological

Page 24

Towards a Solution

Page 25

Let's build a bigger, better wall

Page 26

Just Say No...

Page 27

We cannot live in isolation

Social media has become a necessary part of business.

Sharing of information and access to information is now expected.

We need to understand the risks.

Page 28

Cybersecurity Culture

Mitigation of social engineering begins with good policy and awareness training.

Most important of these is creating a cybersecurity culture within an organisation.

This must start at the top and work down.

Page 29

Countermeasures

Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled)

Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)

Establishing security protocols, policies, and procedures for handling sensitive information

Training employees in security protocols relevant to their position. (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse.)

Page 30

Countermeasures

Performing unannounced, periodic tests of the security framework

Reviewing the above steps regularly: no solutions to information integrity are perfect

Using a waste management service that has dumpsters with locks on them, with keys limited to the waste management company and the cleaning staff

Locating the dumpster either in view of employees, so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster

Page 31

"(As) the media characterizes social engineering, hackers will call up and ask for a password. I have never asked anyone for their password."

Kevin Mitnick

Email: [email protected]

www.airportcybersecurity.com

Airport Cyber Security Podcast