CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.
Public definition from wikipedia.org: "Social engineering is the art of manipulating people into performing actions or divulging confidential information."
Gartner Research Group: "the manipulation of people, rather than machines, to successfully breach the security systems."
Kevin Mitnick was incarcerated in February 1995 with more than 25 charges against him.
In his book "The Art of Deception" he stated that he did not use any hacking tools or software programs, but used social engineering to obtain passwords and secrets.
Three Israeli brothers, Ramy, Muzher, and Shadde Badir, had 44 charges against them:
◦ Telecommunications fraud
◦ Theft of computer data
◦ Impersonation of a police officer
Damages were around $2 million.
On September 16, 2008 the internet activist group 'Anonymous' gained access to Governor Palin's email account, [email protected].
Account details shown on the slide: [email protected], 2/11/64, ZIP 99687
It's easier to ask the user than to hack the system.
With the exponential increase in technology, it is becoming harder to hack into systems.
Humans
◦ We are emotionally weak and like to help
◦ We easily succumb to pressure
◦ We can't correctly judge if someone is lying – bias towards truth and stereotypical thinking
Current defense mechanisms
◦ Security policies – single loop
◦ Employee training
Security policies
◦ Have humans involved in their creation
◦ Are not updated
◦ Are not followed
Information is readily and easily available
First attain easily available data; use it to fake authority; then attain more confidential information.
Feedback loop – the result of each action is fed back to get a better result in the next action.
The final, deadly attack is launched once enough information has been obtained.
Attacks are devised to minimize reaction and weaken security.
Pretexting
◦ Creating a scenario that does not exist in an attempt to pressure a victim into leaking information
◦ Generate cues to build the victim's trust
Phishing: The attacker typically sends an email that appears to come from a legitimate source like a bank or credit card company, asking the recipient to verify some information and warning of dire consequences if action is not taken.
IVR or phone phishing: The attacker creates a very legitimate-sounding copy of an organization's IVR (Interactive Voice Response) system. The attacker sends an email urging people to call a toll-free number to verify information. On calling, they readily give their information.
Trojan horse: These take advantage of people's greed and curiosity to propagate malware. They arrive as email attachments with attractive subject lines which, when opened, introduce a virus into the system.
Baiting: These are like physical Trojan horses. The attacker leaves malware-infected physical media, such as a CD-ROM with a legitimate-looking but curiosity-provoking label, around the workplace; when anyone who finds it inserts it, the system is infected.
![Page 19: CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.](https://reader035.fdocuments.net/reader035/viewer/2022062321/56649e735503460f94b72511/html5/thumbnails/19.jpg)
Online social engineering
◦ Users repeat a single password for all their accounts
◦ The attacker sends an email inviting them to sign up for some interesting site or some important update, asking for a username and a password
![Page 20: CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.](https://reader035.fdocuments.net/reader035/viewer/2022062321/56649e735503460f94b72511/html5/thumbnails/20.jpg)
Reverse social engineering
◦ Make people come to you instead of you
◦ The attacker sabotages a network, causing a problem
◦ Advertises that he is the appropriate person to fix the problem
◦ When he comes to fix the network problem, he requests information from the employees
![Page 21: CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.](https://reader035.fdocuments.net/reader035/viewer/2022062321/56649e735503460f94b72511/html5/thumbnails/21.jpg)
Physical protection
Security policies that separate documents into different levels or compartments, separation of duty, double loop
Employee training
Lie detectors
![Page 22: CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.](https://reader035.fdocuments.net/reader035/viewer/2022062321/56649e735503460f94b72511/html5/thumbnails/22.jpg)
Goodchild, J. (2008, Nov). Social Engineering: 8 Common Tactics. Retrieved Nov 2008, from NetworkWorld: http://www.networkworld.com/news/2008/110608-social-engineering-eight-common.html
Granger, S. (2001, Dec). Social Engineering Fundamentals, Part I: Hacker Tactics. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1527
Granger, S. (2002, Jan). Social Engineering Fundamentals, Part II: Combat Strategies. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1533
Gonzalez, J. J., et al. (2006). A Framework for Conceptualizing Social Engineering. CRITIS 2006, LNCS 4347, 79-90.
Wikipedia. (n.d.). Social engineering (security). Retrieved Nov 2008, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security)
![Page 23: CIS 5370 - Computer Security Kasturi Pore Ravi Vyas.](https://reader035.fdocuments.net/reader035/viewer/2022062321/56649e735503460f94b72511/html5/thumbnails/23.jpg)
VP contender Sarah Palin hacked http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked
Three Blind Phreaks http://www.wired.com/wired/archive/12.02/phreaks_pr.html
U.S. vs. Mitnick and DePayne http://www.cnn.com/SPECIALS/1999/mitnick.background/indictment/page01.html
New Trojan Bait: CNN Videos http://blog.trendmicro.com/new-trojan-bait-cnn-videos/