Airport IT&T 2013 John McCarthy
Transcript of Airport IT&T 2013 John McCarthy
Social Engineering: Managing the Human Element
Dr John McCarthy Ph.D. B.Sc. (Hons) MBCS
Cyber Research Fellow, Cranfield University / UK Defence Academy, and Vice President of Cyber Security, ServiceTec International Inc. (ServiceTec Global Services)
Partners
Cyber-Physical Systems Research Centre based at
Cranfield and sponsored by ServiceTec
University of Nebraska
Federal Aviation Administration (FAA)
Joint Information Operations Warfare Centre,
Vulnerability Assessment Branch (JVAB) USA
The Problem
What is Social Engineering?
Social engineering is a methodology that allows an attacker to bypass technical controls by attacking the human element in an organisation.
Social engineering attacks are likely to increase, and it is becoming increasingly important for organisations to address this issue.
Phishing to Honeypots
In the context of cybersecurity we often think of complex computer systems, sophisticated hackers and hacking techniques.
All too often the human element in cybersecurity is overlooked. Many criminal gangs utilise social engineering techniques, and the crossover from traditional criminal activities into the cyber world is increasingly common.
Social Engineering Attacks Cost
In the past two years, 48% of large businesses have suffered from socially engineered attacks at least 25 times, resulting in losses of between $25,000 and $100,000 per incident.
Attackers' primary motivations are stealing financial information, extracting trade secrets, or revenge.
Who is the enemy?
Cyber terrorist
Hacktivists
Cyber criminals
Organised crime
Disgruntled employees
Script kiddies
Foreign governments
Cultural Background
It won't happen to me...
Catch Me If You Can
Frank Abagnale, before his 19th birthday, successfully performed cons worth millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor and a Louisiana parish prosecutor.
His primary crime was cheque fraud; he became so skilful that the FBI eventually turned to him for help in catching other cheque forgers.
Everyday Social Engineering
Stereotypes
Dorothea Puente
When Puente was sixty, police discovered that she had been killing off her boarders and collecting the insurance money. Seven bodies were buried in her back yard.
Are you easily persuaded?
Attack Vectors
Phishing Attacks
Nigerian 419 email scam
DHL delivery
Tax refund
Another bank notice
PayPal
Cracking websites of companies or organisations and destroying their reputation (Twitter etc.)
Socially Open to All...
The primary tool used for social engineering attacks is the phishing email, followed by the use of social networking sites that disclose employees' personal details.
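The lures listed above (DHL, PayPal, bank and tax notices) all rely on the same handful of tricks: a borrowed brand name in the display name, a lookalike sending domain, a link whose visible text differs from its real target, and pressure to act now. The following script is an added example, not material from the presentation, showing how a mail gateway or a SOC analyst turns those tricks into mechanical checks. TRUSTED_DOMAINS, BRANDS and the two sample messages are constructed assumptions.

```python
"""Heuristic phishing triage over raw email messages.

Added example, not part of the original presentation: it applies the checks
a mail gateway or SOC analyst uses to spot the lures listed on this slide
(brand impersonation, lookalike domains, urgency). TRUSTED_DOMAINS, BRANDS
and the two sample messages are constructed assumptions.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains the hypothetical organisation and its real suppliers send from (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "paypal.com", "dhl.com"}
# Brand names that lookalike domains and display names typically borrow (assumption).
BRANDS = ("paypal", "dhl")

URGENCY = re.compile(r"urgent|immediately|within 24 hours|suspended|verify your account", re.I)
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def normalise(name: str) -> str:
    """Undo the cheap tricks lookalikes rely on: digit homoglyphs, dots and hyphens."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", ".": "", "-": ""})
    return name.lower().translate(table)


def is_trusted(host: str) -> bool:
    """True for a trusted domain or any of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host: str) -> bool:
    """A host that borrows a brand name but is not one of the brand's real domains."""
    return not is_trusted(host) and any(b in normalise(host) for b in BRANDS)


def registrable(host: str) -> str:
    """Last two labels (www.paypal.com -> paypal.com); a real gateway would use the
    public suffix list instead of this shortcut."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str) -> list[str]:
    """Return the sorted list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = set()

    sender = msg["From"].addresses[0]
    if not is_trusted(sender.domain) and any(b in normalise(sender.display_name) for b in BRANDS):
        flags.add("display-name-mismatch")      # "PayPal Security" <...@somewhere-else>
    if is_lookalike(sender.domain):
        flags.add("lookalike-domain")

    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        flags.add("reply-to-mismatch")          # replies are routed to a third domain

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    for href, text in ANCHOR.findall(body):
        link_host = urlparse(href).hostname or ""
        if is_lookalike(link_host):
            flags.add("lookalike-domain")
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != registrable(link_host):
            flags.add("link-text-mismatch")     # visible URL differs from the real target

    if URGENCY.search(str(msg["Subject"] or "") + " " + body):
        flags.add("urgency")
    return sorted(flags)


# Constructed sample messages (not real mail).
PHISH = """\
From: "PayPal Security" <alerts@paypa1-secure.com>
Reply-To: recover@mail-recovery.net
To: staff@example-bank.com
Subject: Urgent: your account has been suspended
Content-Type: text/html

<p>Verify your account within 24 hours:</p>
<a href="http://paypa1-secure.com/login">https://www.paypal.com/signin</a>
"""

LEGIT = """\
From: "Service Desk" <servicedesk@example-bank.com>
To: staff@example-bank.com
Subject: Monthly maintenance window
Content-Type: text/html

<p>The file server will be patched on Saturday. Details:</p>
<a href="https://intranet.example-bank.com/maintenance">https://intranet.example-bank.com/maintenance</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```

Each indicator on its own is weak (a legitimate supplier can set a different Reply-To), which is why the function returns the full list rather than a verdict: the number and combination of indicators is what an analyst or a scoring rule acts on. The homoglyph table in normalise is deliberately small; production tooling uses a confusables list and the public suffix list.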
Targeted Malware
Targeted malware that is, in some cases, just hours old
Found a USB drive in the car park, great! A freebie!
Combating this type of APT can be incredibly difficult, because all it takes is one employee to open a seemingly innocuous but actually malicious attachment, and the business can be compromised.
Common Attack Entry Points
Customer Service
Tech Support
Delivery Person
Tailgating
Information Gathering Techniques
Research
Professional gangs can spend months gathering information from the web and from employees.
Dumpster Diving
Poor disposal of confidential data
Traditional Sources
Websites
You can find information about the company: what they do, the products and services they provide, physical locations, job openings, contact numbers, and bios of the executives or board of directors.
Public Servers
A company's publicly reachable servers. Fingerprinting servers for their OS, application and IP information can tell you a great deal about their infrastructure.
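To make the "great deal" concrete: a single unauthenticated request is often enough, because default server configurations announce their product, version, operating system and application platform in the response headers. The script below is an added example, not material from the presentation; it parses a raw HTTP response and reports both what an attacker learns and which headers did the disclosing, which is the list a hardening guide tells you to suppress. The three sample responses are constructed.

```python
"""Passive fingerprinting of a server from one HTTP response.

Added example, not from the original presentation: it shows how much the
information-gathering phase learns from a single unauthenticated request
by reading only the response headers, and which headers are doing the
leaking. The three sample responses are constructed.
"""
import re

# Default session-cookie names that give away the application platform.
COOKIE_PLATFORMS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}
# Server products that only ship on one operating system.
SERVER_OS = {"Microsoft-IIS": "Windows"}
# "product/version" at the start of a header value, e.g. Apache/2.2.22 or PHP/5.3.10
VERSIONED = re.compile(r"^([A-Za-z][\w.-]*?)/(\d[\w.-]*)")


def parse_response(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw response into its status line and a dict of lower-cased header
    names to the list of their values (Set-Cookie legitimately repeats)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def fingerprint(raw: str) -> dict:
    """Infer server software, OS and application platform, and list the headers that
    disclosed them (the ones a hardening guide tells you to suppress)."""
    _, h = parse_response(raw)
    facts: dict = {}
    leaks: list[str] = []

    server = h.get("server", [""])[0]
    if server:
        m = VERSIONED.match(server)
        if m:
            facts["server_software"], facts["server_version"] = m.group(1), m.group(2)
            leaks.append("Server")                     # the version string is the leak
        else:
            facts["server_software"] = server.split()[0]
        m = re.search(r"\(([^)]+)\)", server)          # "(Ubuntu)", "(Win32)" ...
        if m:
            facts["os"] = m.group(1)
        for product, os_name in SERVER_OS.items():
            if server.startswith(product):
                facts.setdefault("os", os_name)

    powered = h.get("x-powered-by", [""])[0]
    if powered:
        leaks.append("X-Powered-By")
        m = VERSIONED.match(powered)
        if m:
            facts["platform"], facts["platform_version"] = m.group(1), m.group(2)
        else:
            facts["platform"] = powered

    if "x-aspnet-version" in h:
        leaks.append("X-AspNet-Version")
        facts["framework_version"] = h["x-aspnet-version"][0]

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_PLATFORMS:
            facts.setdefault("platform", COOKIE_PLATFORMS[name])
            leaks.append("Set-Cookie:" + name)

    facts["leaky_headers"] = leaks
    return facts


# Constructed sample responses (only the head matters; bodies truncated).
LAMP = ("HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.22 (Ubuntu)\r\n"
        "X-Powered-By: PHP/5.3.10-1ubuntu3\r\n"
        "Set-Cookie: PHPSESSID=0123abcd; path=/\r\n"
        "Content-Type: text/html\r\n\r\n<html>...")
IIS = ("HTTP/1.1 200 OK\r\n"
       "Server: Microsoft-IIS/7.5\r\n"
       "X-Powered-By: ASP.NET\r\n"
       "X-AspNet-Version: 4.0.30319\r\n"
       "Set-Cookie: ASP.NET_SessionId=wxyz; path=/; HttpOnly\r\n\r\n<html>...")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Server: nginx\r\n"
            "Set-Cookie: sid=9f8e; Path=/; Secure; HttpOnly\r\n\r\n<html>...")

if __name__ == "__main__":
    for label, resp in (("lamp", LAMP), ("iis", IIS), ("hardened", HARDENED)):
        print(label, fingerprint(resp))
```

The point for the defender is the contrast between the first two responses and the third: the same application can be served without the Server version, X-Powered-By, X-AspNet-Version and a default session-cookie name, after which a passive observer gets the product name at most. Suppressing these headers does not stop fingerprinting by behaviour, but it removes the exact version numbers that let an attacker pick a working exploit or a convincing pretext.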
Traditional Sources
Social media is a technology that many companies have recently embraced. User sites such as blogs, wikis and online videos may provide information about the target company.
A disgruntled employee who is blogging about his company's problems may be susceptible to a sympathetic ear from someone with similar opinions or problems.
Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, etc.
Non-Traditional
Industry experts or subject matter experts can provide detailed information about an area without providing anything regarding the target company
"When in Rome, do what the Romans do": engaging in activities or frequenting places that employees from the target company also do or visit is an excellent opportunity to elicit information. Proximity to the employees provides opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID cards.
Influencing Others
Reciprocity, Obligation, Concession
Want a bar of chocolate?
Scarcity, Authority, Commitment and Consistency, Liking, Consensus or Social Proof, Framing
In his book, "Influence: The Psychology of Persuasion", Dr. Robert Cialdini states, "Social Proof - People will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment aborted, as so many people were looking up that they stopped traffic."
Manipulation of Incentive
Financial, social, ideological
Towards a Solution
Let's build a bigger, better wall
Just say no...
We cannot live in isolation
Social media has become a necessary part of business.
Sharing of information, and access to information, is now expected.
We need to understand the risks.
Cybersecurity Culture
Mitigation of social engineering begins with good policy and awareness training.
Most important of these is creating a cybersecurity culture within an organisation.
This must start at the top and work down.
Countermeasures
Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled)
Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)
Establishing security protocols, policies, and procedures for handling sensitive information
Training employees in security protocols relevant to their position. (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse.)
Countermeasures
Performing unannounced, periodic tests of the security framework.
Reviewing the above steps regularly: no solutions to information integrity are perfect.
Using a waste management service that has dumpsters with locks on them, with keys limited to the waste management company and the cleaning staff.
Locating the dumpster either in view of employees, so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence, where the person must trespass before they can attempt to access the dumpster.
“(As) the media characterizes social engineering, hackers will call up and ask for a password. I have never asked anyone for their password.”
Kevin Mitnick
Email: [email protected]
www.airportcybersecurity.com
Airport Cyber Security Podcast