Social Engineering (Whiteboard)

[toggle_content title="Transcript"] I wanted to start this module with a little bit of a quote: "Obstacles in the mind are much more important than obstacles along the journey." The reason I want to start off with a quote is that you have to dissect this quote. Obstacles in the mind: in social engineering, what you are doing is taking away, removing or elevating these obstacles in the mind. Then someone may have to overcome whatever obstacles may be in the journey. Let us say we want something like a password. Well, if you could strategically plant information in someone's mind, they might strategically and voluntarily give you some information that could yield a password. So keep that quote in mind as we move through social engineering. Let us take a look at the targets here. The targets are often office workers because they are the closest to your assets, or the closest to the things that corporations typically want to protect. It is certainly not limited to office workers; realistically anybody can be socially engineered, but the context of this module will keep it at social or office workers. The skills you need to be good at social engineering really have two foundations. One is based in science and the other is based in the arts. So there are technical ways to do this, but there is very much an artistic craft to social engineering as well, so good interpersonal skills add to the value of the person doing the social engineering. It is also helpful to be very, very talkative: the more talkative you are, the more conversational you can be, and the more information you could ultimately get out of someone. Also it is a great idea to be creative. Why try to break AES 256-bit encryption when you can social engineer the password and get access to what you need? So we always want to take the path of least resistance. Good communication skills aid in being talkative and creative as well.
The most common mechanisms by which we carry out social engineering attacks are basically email, the phone, or in person. Any one of those mediums is fair game in terms of carrying out a social engineering attack. Let us go into the techniques. There are a lot of different techniques you can apply, but here is just a handful of the basics. Doing this on the computer, someone could be socially engineered through spam. Just send someone an email: "You want a million dollars? Click Here Now!" Through chat. Chat is an easy mechanism because we typically don't authenticate chat conversations, or we assume that the person at the other end of the chat line is the person whose name is on the handle. Chain letters, hoaxes, even popups, phishing attacks or derivatives of phishing attacks. Later we will talk about spear phishing specifically. It could be a fake application, or through SMS text; you could easily text message, "Hey, I lost my contacts and my phone, please validate," and that is an easy way to do it just over your phone text. Or even over social sites. Being that we are all connected socially, there has been a surplus of fake profiles that have made it to LinkedIn, Facebook and Twitter, and things like YouTube. So while computer techniques are very, very popular, it is certainly not limited to that. Human: you could just show up in person, live, one on one, pretending to be a legitimate person or an important person like a CEO, or a new hire, or something to that capacity, or the most common is probably being part of the support staff. "Hey, I am so and so. I am here to fix your computer. Give me your username and password and I will go ahead and fix it and get you back to work." Pretending to be support staff. Spear phishing is very, very targeted phishing. Phishing is just fake emails that go out pretending to be someone, but with spear phishing you are now targeting, because with phishing you are throwing out a net and seeing what you catch.
Now you are just doing that in a highly targeted manner. Your net becomes a lot smaller, or a lot more focused on your target. Nowadays we can also do it over the phone. So it happens in mobile applications; there has been a handful of malicious apps. It could be something as simple as everybody wants additional battery power on the cellphone. Maybe there is a fake app, "Hey, boost your battery life by 35%," in somebody's app store, and they downloaded this malicious app, which profiles their phone and then exfiltrates data from their phone. It could be eavesdropping, just passively listening and paying attention to certain things depending on where you are. It could be while you are on a customer service line. It could be while you are on a lunch line. Something as simple as that. Shoulder surfing: you could be in an office and just happen to be looking over someone's shoulder and gain access to information, or basically watch them type their password a bunch of times and each time you focus on a different finger. I mean, if they use this finger, how many times when they log in to a site? Well, at least you know what characters their password is made up of, and you can slowly start building that password. Dumpster diving: simply going through the trash. Tailgating: following someone through an access control point. Making it happen in person, you have reverse social engineering; there are books on this subject of reverse social engineering. In other words, instead of me trying to social engineer you, I present myself in some way where you feel inclined to voluntarily give me the information. Instead of me trying to get it out of you, you voluntarily give the information to me in hopes of some reward later. Or piggybacking, which is a derivative of tailgating. Now the impact here: an organization can suffer drastically for a variety of reasons. Social engineering just happens to be one of those ways in which you can suffer large amounts of impact.
Let us look at what impact means. It could be a loss of privacy. It could be something as simple as a password, but that password could get you access to more sensitive information like confidential documents. It could result in a loss of goodwill, a loss of reputation, to an organization. In the worst case scenario you can go out of business; depending on what the nature of the social engineering is, you certainly could find yourself out of business. Nowadays you are seeing it in terrorism. Financial loss: what if it is secret ingredients, or Colonel Sanders' secret recipe? If that proprietary information is critical for a company to survive, and now all of a sudden everybody can make that great chicken, well then the information is no longer confidential and your competitive edge may be lost. Theft: now traditional theft would yield bank accounts and credit card numbers and things like that, but there is really nothing that you could not limit yourself to. Identity theft, that is a big topic in itself. What is the identity theft market worth these days? Last I heard it is multiple billions of dollars. So why does all of this happen? Right. It happens because in the world of social engineering you are taking advantage of human nature, using your social skills to strategically get something out of someone. So people naturally want to be helpful; if you can use that to your advantage, there is a penetration test there, then you do. Also ignorance. While this is the "I didn't know I was not supposed to give him that": if they didn't know, if they weren't trained, that is why you can get this valuable information, or why you can be socially engineered. Open promises, that is just another one: you can promise something, somebody gives you something, and then you never make good on that promise. Meanwhile you already have what you need.
You perform your penetration testing attack; this often ends in the context of "I will be back in a few minutes and I will give you the information that I promised you," and meanwhile you never come back. They feel morally obligated to you, right. They wanted to be helpful. This is where you pretend, "I have to work here late and it is going to take me five hours to do this, but if I just had that password I could leave with you." All the people that you are telling that to, they may feel morally obligated to you: "I will just give you my credentials so you can get the job done faster, so you don't have to stay here all night." No training. Simply stated, people aren't trained; they are not aware. Look at the demographics of office space. So if people are not getting trained, they don't know half the stuff. They don't know when they are getting socially engineered and when they are not getting socially engineered. That makes getting a password 60 to 70% of the time very, very likely. Also a lot of this information is easily accessible, so you are just naturally walking around the workspace or office space, and if things are easily accessible because you don't have a clean desk policy or something of that nature, well, that could result in a social engineering attack. Along with policies, it is also difficult to detect. In the world of viruses and trojans, it is pretty easy to write a signature to say, okay, if it meets this criteria, alert. If people aren't trained, that ties into it being difficult to detect. How do you really know if you are being socially engineered? How do you know the person isn't trying to be a good person? So these are some of the top reasons why social engineering happens. The value here that the penetration tester is generally going after:
We chalk this up to confidential information. Ideally you would like to get some sort of authentication or authorization information so that you can get access to things that a regular user, or in this case the pen tester, doesn't have access to. Some sort of authentication or access control: those are very, very valuable in the scope of social engineering. Some of the tools that we will use are the Social Engineering Toolkit. This is the first really major project where there is a computer program and it walks you through a wizard or tutorial, and you can craft your phishing attack, or craft your social engineering toolkit attack, and then go ahead and launch it. It is primarily for computer based attacks, but there are some script oriented things for being in person. So let us go ahead and talk about some of the countermeasures. If you want to stop social engineering in the organization, well, best practices apply here. Simply stated, change your password; because we are looking for authentication and access control, something as simple as a change of password on a regular basis, and not using the same password over and over again, reduces the likelihood of the penetration tester being successful. Also you will see these in the financial world: account lockouts, account logout functions or account expirations. That is not limited to the banking or financial world, but you will see this a little bit more if you go to your bank account: if you have fifteen minutes of inactivity you get locked out, or logged off rather. Training: if people were trained on what social engineering is, then they might be inclined to not participate in what they would think would be a social engineering attack. Also keep sensitive information secret or private. It is just that simple: if you know what is sensitive because you have a classification system, well then you are not going to disclose it to people who don't have that access.
Also, when it comes to a facility, any sort of guests should ultimately be escorted, and those escorts should stay with the people that they are escorting. Shred your documents, have strict access control techniques, use a classification program. One of my favorites, since I have a background in incident response, is to actually have a capability to identify, detect, contain or eradicate, and recover from social engineering attacks along with any other attacks, whatever they be. Also do a lot of pre-screening before you hire someone; make sure that it is someone that you actually want to give access to. Don't just hire people off the street and say, "Okay, here is the access to my sensitive information." Make sure that they are of good solid background; a criminal background check of some sort should help. Just the background checks in themselves are kind of the screening piece of it. Also use two factor authentication. Remember multi factor and two factor: this is based on something you know, something that you have and something that you are. So instead of authenticating with something that you know, using two factor means now you are known and something you have, or something that you have and something that you are. So we call that two factor or multi factor. Use a change management program: track changes throughout the organization or improvements. And then of course anti-virus and anti-phishing software. Now with the whole subject of social engineering, there is a whole landscape here in which the penetration tester can be very, very creative and ultimately get sensitive information. Again, this is an art and a science, but let us go back to the core from the beginning: obstacles in the mind are more important than obstacles along the journey. We are going to use these obstacles in the mind and overcome them in someone's mind so that we don't have those obstacles throughout the journey, or throughout the journey we want to get some sort of sensitive or critical information.
If we can tap into somebody's mind using our social skills, well then they may voluntarily just give us the account information and give us the passwords. And that is why it is really important to approach this as not only a science, and all the computer stuff, but also using your interpersonal skills and communication skills, so that you can achieve your objective. So that is the basic makeup of social engineering. [/toggle_content]

In this Whiteboard lecture we discuss Social Engineering. Social engineering is a physical form of hacking that can be extremely effective. Organizations strive to make end users aware of the most common types of social engineering attacks so that they can try to avoid them. It can be something as simple as a link in an email from a seemingly legitimate source.