3 - C235 LP1 Lecture 3.1 - Social Engineering

Social engineering is the use of deception to manipulate people into divulging confidential information. It works by exploiting human tendencies to trust others. Common social engineering techniques include pretexting, phishing, spear phishing, and baiting. Protective measures include security awareness training, strong passwords, locking screens, and verifying unknown requests for information.

C235 IT Security and Management

LP1
Lecture 3.1: Social Engineering
Learning Objectives
• Ability to distinguish between various Social Engineering
techniques
• Understand why Social Engineering works and its impact
• Understand the importance of protecting organisations
from Social Engineering attacks
• Apply protective measures against Social Engineering
Social Engineering
• Social engineering is the use of influence and persuasion
to deceive people for the purpose of obtaining
information or persuading the victim to perform some
action *

* EC-Council Ethical Hacking and Countermeasures (V4.0)


Social Engineering
• Clever manipulation of the natural human tendency to
trust.
• Social engineering used to defraud people or to gain unauthorised
access is a criminal offence in many countries; offenders can be charged
in court and may face a jail term. Authorised social engineering
assessments are lawful only with the target organisation's explicit,
written permission.
• People do it for various reasons: for fun, to gain a competitive
edge, or even to sabotage.
• Social engineering is difficult to eliminate because people are
trusting by nature.
Watch video on ‘Social Engineering’
• https://www.youtube.com/watch?v=xcJV2JGeVn0
(Time 0.00 – 5.13)
Social Engineering Techniques
– Pretexting
– Identity Theft
– Phishing
– Spear phishing
– Vishing
– Tailgating
– Dumpster Diving
– Shoulder Surfing
– Impersonation
– Baiting
Pretexting
• It is an act of creating and using an invented scenario
(the pretext) to engage a targeted victim in a manner
that increases the chance the victim will reveal
information.
• It is used to persuade the victim to release information or
perform an action.
• It involves some prior research or setup.
Watch video on ‘Pretexting’
• https://www.youtube.com/watch?v=jnoE07TqNcE
(Time 0.32 – 2.24)
Identity Theft
• It is a form of fraud in which the attacker uses another person's
identity.
• The attacker pretends to be someone else by assuming that person's
identity, in order to access resources or obtain credit and other
benefits in that person's name.
Watch video on ‘Identity Theft’
• https://www.youtube.com/watch?v=ziHI8htZV5g
(Time 0.29 – 27.40)
Phishing
• It is an act of obtaining sensitive information from a user
by masquerading as a trusted entity in an email or
instant message sent to a large group of often random
users.
• It is used to fool a computer user into submitting
personal information by creating a counterfeit website
that looks like a real (and trusted) site.
Watch video on ‘Phishing’
• https://www.youtube.com/watch?v=v8JCHu4VCZc
(Time 0.00 – 7.33)
Spear Phishing
• Spear phishing is a phishing attack aimed at a specific individual
or at a group of people with something in common (for example, the
staff of one company or the members of one department), rather than at
random users.
• Because the message is tailored to the target, using details gathered
beforehand, it seems more plausible than a message sent to users at
random, so the ratio of successful attacks (that is, the number of
responses received) to the number of e-mails or messages sent usually
increases.
Watch video on ‘Know the Risk - Raise Your
Shield: Spear Phishing’
• https://www.youtube.com/watch?v=X5P-VYxPNrk
(Time 0.00 – 2.54)
Vishing
• Vishing is a variation of phishing that uses voice
communication technology to obtain the information the
attacker is seeking.
• Vishing takes advantage of the trust that some people place in the
telephone network. Caller ID can be spoofed, so the number displayed is
not proof of who is calling; hang up and call back on a published
number before giving out anything.
• Generally, the attackers are hoping to obtain credit card
numbers or other information that can be used in
identity theft.
Watch video on ‘Vishing’
• https://www.youtube.com/watch?v=aL_m6jelF1M
(Time 0.00 – 3.36)
Tailgating
• It is an act of an unauthorized person following an authorized
person into a restricted area, typically by slipping through a
controlled door before it closes, without presenting their own
credentials. The authorized person may not notice, or may even hold
the door open out of politeness.
Watch video on ‘Tailgating’
• https://www.youtube.com/watch?v=9M_ri97l3Po
(Time 0.00 – 4.24)
Dumpster Diving
– It is an act of gathering information through the victim’s careless:
  - disposal of documents, or documents left uncollected in a common
    area (e.g. documents left at the printer, documents thrown into the
    dustbin)
  - disposal of hard disks, thumb drives and other forms of data
    storage
Watch video on ‘Dumpster Diving’
• https://www.youtube.com/watch?v=Ld-fZVn85SU
(Time 0.00 – 3.50)
Shoulder Surfing
• It is an act of looking over the shoulder of someone
doing something confidential.
• The best defence against this type of attack is simply to survey
your environment before entering confidential data; where a screen
must face a public area, repositioning it or fitting a privacy filter
also helps.
Watch video on ‘Shoulder Surfing’
• https://www.youtube.com/watch?v=NQxwN8-wuV4
(Time 0.00 – 3.20)
Impersonation
• The social engineer "impersonates" or plays the role of
someone you are likely to trust or obey convincingly
enough to fool you into allowing access to your office, to
information, or to your information systems.
• In this lecture, impersonation refers to the in-person variant: the
attacker turns up physically at the premises, rather than acting over
the phone or through email (pretexting and vishing cover those
channels).
Watch video on ‘Impersonation’
• https://www.youtube.com/watch?v=YX04oJa3ogc
(Time 0.00 – 3.39)
Baiting
• It is an act of laying a trap for unsuspecting victims to fall
prey, usually counting on the curiosity or greed of the victim (e.g.
leaving a USB drive or disk loaded with malware where the victim will
“find” it; the malware is triggered when the victim plugs it in and
opens its contents out of curiosity).
Watch video on ‘Baiting’
• https://www.youtube.com/watch?v=uff6oAF-XY4
(Time 0.00 – 1.49)
Human Weakness
Social engineering focuses on the following human
weaknesses:
• Carelessness
• Fear
• Lack of Awareness
• Gullibility
• Trusting Nature
• Eagerness to help
Countermeasures
• No measures can fully protect a person from Social
Engineering
– Human Factor can’t be eliminated totally
• Protect by Controls
– Security Policy
– Physical Security
– Education and Awareness
– Good IT Security Infrastructure
– Report Security incidents
Source: Malcolm Allen, “Social Engineering - A Means to Violate a Computer System” (updated June 2006)
Examples of Countermeasures
• Activate the screen saver or lock the screen when away from the workstation.
• Do not write passwords on paper or throw confidential information into
the rubbish bin; shred documents and securely wipe or destroy storage
media before disposal.
• Do not stick notes with passwords or other sensitive details around the
workstation.
• Visitors should report at the counter and exchange identification for a
visitor pass.
• Do not allow visitors to wander by themselves.
• Verify visitors’ information.
• Do not disclose sensitive information over the phone or by email unless
the requester’s identity has been verified through a known channel (e.g.
by calling back on a published number).
• Verify the sender of an email before acting on it, and do not click on
any suspicious link.

... and many more


Watch video on Tips on withstanding social
engineering
https://www.youtube.com/watch?v=uVSfZPboVms
(Time 0.00 – 11.00)
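The checks below turn the slides' advice to "verify the sender of an email" and "do not click on any suspicious link" into code. This is an added example, not part of the lecture or of any product: it takes one raw email message and reports the indicators that phishing and spear phishing slides describe, namely a display name that claims a trusted brand while the address is elsewhere, a Reply-To that routes answers to a different domain, link text that shows one site while the href points to another, and a punycode (IDN) host that can hide look-alike characters. It goes slightly beyond the slides by also scoring a typosquatted sender domain by edit distance. The sample message, the bank name, `TRUSTED_DOMAINS` and every domain in it are constructed placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation's genuine domains (placeholders for this example).
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample: a spear-phishing mail that claims to come from the bank,
# routes replies elsewhere, and hides an IDN look-alike host behind link text
# that shows the genuine URL. All domains are placeholders, not real senders.
LOOKALIKE_HOST = "exämple-bank.com".encode("idna").decode("ascii")  # xn--...
SAMPLE_EMAIL = f"""From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recovery@mail-collect.example.net
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please confirm your identity here:</p>
<a href="http://{LOOKALIKE_HOST}/login">https://www.example-bank.com/login</a>
<p>Questions? <a href="mailto:help@example-bank.com">help@example-bank.com</a></p>
</body></html>
""".encode("utf-8")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host part of a URL, a mailto: link, an e-mail address or a bare domain."""
    if "@" in value and "://" not in value:  # user@host or mailto:user@host
        return value.rsplit("@", 1)[1].lower().strip("/")
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def registrable(host):
    """Last two labels; production code should consult the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Visible link text that names a URL, address or domain (and so can be compared
# with the real href); plain words like "click here" are ignored.
_ADDRESS_LIKE = re.compile(
    r"(https?://\S+|[\w.+-]+@[\w.-]+|(www\.)?[\w-]+(\.[\w-]+)+(/\S*)?)", re.I)


def analyze(raw_email, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (indicator, detail) findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    findings = []

    display, sender = parseaddr(str(msg["From"]))
    sender_domain = registrable(host_of(sender))
    for trusted in trusted_domains:
        brand = trusted.split(".")[0].replace("-", " ")  # "example-bank" -> "example bank"
        if sender_domain != trusted:
            if brand in display.lower():
                findings.append(("display-name-spoof", f"{display!r} sent from {sender_domain}"))
            if 0 < edit_distance(sender_domain, trusted) <= 2:
                findings.append(("lookalike-sender", f"{sender_domain} ~ {trusted}"))

    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and registrable(host_of(reply_to)) != sender_domain:
        findings.append(("reply-to-mismatch", f"{sender_domain} -> {host_of(reply_to)}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            href_host = host_of(href)
            if any(label.startswith("xn--") for label in href_host.split(".")):
                shown = href_host.encode("ascii").decode("idna")
                findings.append(("punycode-host", f"{href_host} displays as {shown}"))
            if _ADDRESS_LIKE.fullmatch(text) and registrable(host_of(text)) != registrable(href_host):
                findings.append(("link-text-mismatch", f"shows {text!r}, goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EMAIL):
        print(f"{indicator:20} {detail}")
```

Each finding is a hint, not proof: legitimate mailers also use separate Reply-To domains and some real sites use IDN hosts, which is why the slides' advice is to verify through a known channel rather than to rely on any single check.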
Social Engineering vs Malware
• Social Engineering
– Pertains to human factors, weaknesses
• Malware
– More technical in nature, e.g., exploiting software, OS
vulnerabilities
• Attackers can use a combination of Social
Engineering and Malware to achieve their objectives
– Example – using social engineering to trick users into installing
malware (such as keyloggers or trojans) on their systems
Notable Cases
• Frank Abagnale, Jr.
– Con artist whose impersonations (airline pilot, doctor, lawyer) were
the subject of the movie Catch Me If You Can
– Abagnale was portrayed by Leonardo DiCaprio
• Kevin Mitnick
– Hacker known for his social engineering skill
• ILOVEYOU worm (2000)
– Spread by email with the catchy subject line “ILOVEYOU” and an
attachment that victims opened out of curiosity
• Nigerian scam (advance-fee or “419” fraud)
Quiz
• The process of going through a target’s trash in
hopes of finding valuable information that might be
used in a penetration attempt is known as:
A. Trash trolling
B. Garbage gathering
C. Dumpster diving
D. Trash collector
Quiz
• Which of the following social engineering techniques
involves using email to trick victims?
A. Tailgating
B. Shoulder surfing
C. Phishing
D. Vishing
Quiz
• Passengers enter and exit Singapore MRT stations by tapping their
cards at the fare gate shown on the slide. The gate is designed to
prevent which of the following social engineering methods?
A. Identity Theft
B. Baiting
C. Tailgating
D. Pretexting
Quiz
Which of the following social engineering methods can
be used by an attacker to place malware on a victim’s
computer?
A. Baiting
B. Spear phishing
C. Phishing
D. Vishing
At the end of this lesson, you
should be able to
• Distinguish between the different categories of social
engineering attacks.
• Explain how the different social engineering techniques
exploit human weaknesses
• Identify relevant countermeasures to prevent social
engineering.
