social engineering how not to be a victim
play

SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA - PowerPoint PPT Presentation

Feb 27, 2024 •333 likes •965 views

SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC. WWW.BGUPTA.COM WHAT IS YOUR PASSWORD? Jimmy Kimmel Live @Gupta Consulting, LLC. www.bgupta.com 2 JIMMY KIMMEL LIVE - OBSERVATIONS Most Common Password

  1. SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC. WWW.BGUPTA.COM

  2. WHAT IS YOUR PASSWORD? Jimmy Kimmel Live @Gupta Consulting, LLC. www.bgupta.com 2

  3. JIMMY KIMMEL LIVE - OBSERVATIONS Most Common Password – password123 • No hesitation to answer password specific questions • Only one person realized that he was being asked to reveal his password • Only one person realized that he has given away his password. Twitter Hack on June 9, 2016 120,000 Users opted for password - 123456 Its fair to assume that these people work somewhere and can be victims of serious social engineering attacks. @Gupta Consulting, LLC. www.bgupta.com 3

  4. 1987 - AT&T 3B2 with UNIX 4

  5. SOCIAL ENGINEERING INGREDIENT Human Persuasion!! 5 @Gupta Consulting, LLC. www.bgupta.com

  6. WHAT IS SOCIAL ENGINEERING? Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people in breaking normal security procedures. (WhatIs.com) @Gupta Consulting, LLC. www.bgupta.com 6

  7. WHAT IS SOCIAL ENGINEERING? Social engineering , in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. (Wikipedia) @Gupta Consulting, LLC. www.bgupta.com 7

  8. UBIQUITI NETWORKS ATTACK • Ubiquiti Network Inc. San Jose, CA (Hong Kong Subsidiary) • June 5, 2015 (after 7 months) • CEO Fraud/BEC Attack • Cost $46.7M • 2015 FBI Warning - $215M BEC – Business Email Compromise @Gupta Consulting, LLC. www.bgupta.com 8

  9. SOCIAL ENGINEERING - TROJAN HORSE (GREECE & TROY WAR) 9 @Gupta Consulting, LLC. www.bgupta.com

  10. THE BIGGEST THREAT “ The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you .” - Kevin Mitnick – Computer Security Consultant, Author @Gupta Consulting, LLC. www.bgupta.com 10

  11. Why Me? @Gupta Consulting, LLC. www.bgupta.com 11

  12. WE GROW UP WITH SOME CORE VALUES! 12 @Gupta Consulting, LLC. www.bgupta.com

  13. OUR FOUNDATION – TEACHINGS FROM CHILDHOOD @Gupta Consulting, LLC. www.bgupta.com 13

  14. REWARDED BASED UPON - TEAM WORK, WIN-WIN, HELPFUL, LOYALTY, OBEDIENCE! @Gupta Consulting, LLC. www.bgupta.com 14

  15. @Gupta Consulting, LLC. www.bgupta.com 15

  16. ATTACK VECTORS AND LURES @Gupta Consulting, LLC. www.bgupta.com 16

  17. ATTACK VECTORS - TACTICS Physical Vectors • Shoulder Surfing • Baiting – promise of goods to entice victim Infected USBs, CD • Quid Pro Quo – service IT Impersonator trying to fix your system, obtaining a password and convincing you to load a utility (malware) on your system @Gupta Consulting, LLC. www.bgupta.com 17

  18. ATTACK VECTORS - TACTICS Physical Vectors Cont.. • Tailgating – impersonation as a courier/messenger/friend of an employee • Impersonating as an authority - Ubiquity • Dumpster Diving • Pretexting – scammer creating false trust @Gupta Consulting, LLC. www.bgupta.com 18

  19. ATTACK VECTORS - TACTICS Digital Vectors: • Social Media – Obtaining information from Facebook or Instagram and create fake profiles Admiral James Stavridis (NATO Supreme Allied Commander Europe) Facebook Profile @Gupta Consulting, LLC. www.bgupta.com 19

  20. WHAT IS PHISHING? Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. While Phishing, an attacker casts a wider net hoping that someone will be tricked. Source: Wikipedia @Gupta Consulting, LLC. www.bgupta.com 20

  21. PHISHING TREND – JANUARY 2015 TO MARCH 2016 25M 15M 5M Source: Securitylist.com @Gupta Consulting, LLC. www.bgupta.com 21

  22. INCREASE IN PHISHING WEB SITES @Gupta Consulting, LLC. www.bgupta.com 22

  23. ATTACK VECTORS - PHISHING Types of phishing: • Phishing – attacker casts a broad net • Spear Phishing – somewhat more specific to one person • Whaling – phishing targeted at a person with specific valuable information @Gupta Consulting, LLC. www.bgupta.com 23

  24. PHISHING TARGETS - ALMOST ANYONE • Individuals (elderly, common people, security experts) • Influential people • Corporations @Gupta Consulting, LLC. www.bgupta.com 24

  25. MECHANICS OF A PHISHING ATTACK • Attacker sends out an email that appears to be legitimate • Email either directs the receiver to click on a link or perform an action • When sent to the linked site, the attacker intends to: • Gather personal and confidential information • Install malware to get access to the system • If the email requires an action it is either to collect confidential information or take an action (such as transferring money) to benefit the attacker • The email often has threats - harmful consequences @Gupta Consulting, LLC. www.bgupta.com 25

  26. A PHISHING EXAMPLE @Gupta Consulting, LLC. www.bgupta.com 26

  27. A SPEAR PHISHING EXAMPLE Bank of America Email, 8th Floor-NC1-002-08-25, 101 South Tryon St., Charlotte, NC 28255-0001 @Gupta Consulting, LLC. www.bgupta.com 27

  28. WHALING ATTACK Focused on an individual who has highly valuable information – C Levels For a successful whaling attack • Attacker performs significant research ahead of attack • Takes place when the C-Level executive admin forwards an email to the finance department @Gupta Consulting, LLC. www.bgupta.com 28

  29. CHARACTERISTICS OF A PHISHING EMAIL Not as polished as a legitimate email • Grammar • Salutation (generic) • Wrong Information @Gupta Consulting, LLC. www.bgupta.com 29

  30. ATTACK LURES – MOST POPULAR IN 2014 • Big News – Malaysian Airline Flight 370 • Celebrity Gossip – Death of Robin Williams in 2012 • Link to site to view the video, WORM_GAMARUE.WSTQ • Movies – Annie, Hobbit: Battle of the five armies • Malicious links, Adware • Tech Games – Flappy Bird • Social Media Scams – LinkedIn • Scare Tactics – Ebola Outbreak @Gupta Consulting, LLC. www.bgupta.com 30

  31. PHISHING - HOW TO PROTECT YOURSELF? @Gupta Consulting, LLC. www.bgupta.com 31

  32. @Gupta Consulting, LLC. www.bgupta.com 32

  33. THE BIGGEST THREAT Educate/ Train “ The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you .” - Kevin Mitnick – Computer Security Consultant, Author @Gupta Consulting, LLC. www.bgupta.com 33

  34. HUMAN TRAITS @Gupta Consulting, LLC. www.bgupta.com 34

  35. APPROACH Start YES Provide Training NO Needs Assess Fixing? Problem NO YES End @Gupta Consulting, LLC. www.bgupta.com 35

  36. ASSESS YOUR VULNERABILITY Assess your vulnerability by simulating controlled experiments: • Baiting – promise of goods to entice victim • Quid Pro Quo – service • Tailgating impersonation as a courier/messenger/friend of an employee Impersonating as an authority • Dumpster Diving Phishing, spear phishing, whaling @Gupta Consulting, LLC. www.bgupta.com 36

  37. SIMULATING A PHISHING EXPERIMENT Considerations • Support • Experiment Logistics • Metrics • Outcome @Gupta Consulting, LLC. www.bgupta.com 37

  38. SIMULATE A PHISHING EXPERIMENT – SUPPORT Build Support • Company ethics • Championship form upper management • Support from participating managers @Gupta Consulting, LLC. www.bgupta.com 38

  39. PHISHING EXPERIMENT – SAMPLE Characteristics • Statistically viable Sample size - 20 to 30% of population • Appropriate representation – high value targets • System Administrators – Level of Privilege • C-Levels (CEO, CFO, CTO)- Decision Makers • Finance – Revenue • Sales/Marketing - Extroverts • Human Resources – Access to personal information • Design Groups – seeking new ideas @Gupta Consulting, LLC. www.bgupta.com 39

  40. SIMULATE PHISHING EXPERIMENT - LOGISTICS Crafting a Phishing Email • Appear to come from a legitimate source • Compelling reason or enticing element to take an action • Incentive • Threat / consequence • Entice user to read and take action multiple times • Address interest of entire population @Gupta Consulting, LLC. www.bgupta.com 40

  41. SIMULATE PHISHING EXPERIMENT - LOGISTICS Data collection – time period • Optimal time • Follow the schedule Resources – Security operations + QA • Account for tools – price and training • Creation of experiments • Data analysis @Gupta Consulting, LLC. www.bgupta.com 41

  42. SIMULATE PHISHING EXPERIMENT - ASSESS PROBLEM MAGNITUDE Metrics: • Percentage of population fell victim • Victim Rate by Time: % by time – 24, 48, 72 hours, beyond • Percentage of people falling victim multiple times • Group affinity - # of victims by Group(s) • Rate of Proactive Reporting @Gupta Consulting, LLC. www.bgupta.com 42

  43. SIMULATE PHISHING EXPERIMENT - OUTCOME Analysis Outcome: • Is it a problem that needs attention based upon security policy? • How wide spread the problem is? • Particular group(s) - HR, Finance, Marketing • Entire Organization @Gupta Consulting, LLC. www.bgupta.com 43

Recommend

VICTIM A ASSISTANCE SSISTANCE VICTIM IN ALBANIA IN ALBANIA Presented by Victim Assistance

VICTIM A ASSISTANCE SSISTANCE VICTIM IN ALBANIA IN ALBANIA Presented by Victim Assistance

VICTIM A ASSISTANCE SSISTANCE VICTIM IN ALBANIA IN ALBANIA Presented by Victim Assistance Officer Albanian Mine Action Executive, (AMAE) Mine/UXO Victim Assistance Components Access Legislation Data and Public Collection Awareness

166 views • 5 slides
Victim Impact Statement Implementing the EU Directive: The voice of the victim in court; the

Victim Impact Statement Implementing the EU Directive: The voice of the victim in court; the

Victim Impact Statement Implementing the EU Directive: The voice of the victim in court; the victim impact statement in the Netherlands Alex Sas Policy advisor VSE Seminar Procedural Rights: Victim November 2014 Impact Statement Victim

393 views • 35 slides
SOCIAL ENGINEERING Jake Johnson Sixto Bernal AGENDA What is social engineering? Current events

SOCIAL ENGINEERING Jake Johnson Sixto Bernal AGENDA What is social engineering? Current events

SOCIAL ENGINEERING Jake Johnson Sixto Bernal AGENDA What is social engineering? Current events Social engineering risks Mitigation Strategies Q&A WHAT IS SOCIAL ENGINEERING? The Art of Deception, Kevin Mitnick: "Social

449 views • 19 slides
I ts Your Duty! Victim Notification Victim Notification a life saving measure a life

I ts Your Duty! Victim Notification Victim Notification a life saving measure a life

Louisiana Victim Notice and Registration Form I ts Your Duty! Victim Notification Victim Notification a life saving measure a life saving measure How many Victim How many Victim y Notification Forms have Notification Forms have

596 views • 33 slides
WHO WE ARE 2 Office of Victim Services (OVS) Independent Office of the Executive

WHO WE ARE 2 Office of Victim Services (OVS) Independent Office of the Executive

New York State Office of Victim Services Crime Victims Compensation and the Issue of Restitution Presented by the Office of Victim Services Legal Unit 1 WHO WE ARE 2 Office of Victim Services (OVS) Independent Office of the Executive

899 views • 44 slides
VICTIM SERVICE PORTAL (VSP) TRAINING Mission Statement It is the mission of the Office of Victim

VICTIM SERVICE PORTAL (VSP) TRAINING Mission Statement It is the mission of the Office of Victim

VICTIM SERVICE PORTAL (VSP) TRAINING Mission Statement It is the mission of the Office of Victim Services to: Provide compensation to innocent victims of crime in a timely, efficient and compassionate manner; Fund direct services to

760 views • 48 slides
Victim Support in Havering Jan Scott Divisional Manager 1 Victim Support National charity

Victim Support in Havering Jan Scott Divisional Manager 1 Victim Support National charity

Victim Support in Havering Jan Scott Divisional Manager 1 Victim Support National charity Formed in 1973 Locations across England and Wales Independent of government and police Free and confidential services

529 views • 11 slides
Victim Support Services (Barnet) Andrew Francalanza Victim Support January 2015 1 Background

Victim Support Services (Barnet) Andrew Francalanza Victim Support January 2015 1 Background

Victim Support Services (Barnet) Andrew Francalanza Victim Support January 2015 1 Background Victim Support has been delivering services to victims of crime for more than 40 years and supporting witnesses of crime attending court for

126 views • 8 slides
Victim Legal Assistance Network A Georgia CJCC Vision 21 Project What is the Victim Legal

Victim Legal Assistance Network A Georgia CJCC Vision 21 Project What is the Victim Legal

Victim Legal Assistance Network A Georgia CJCC Vision 21 Project What is the Victim Legal Assistance Network? (VLAN) VLAN is a network of victim service providers Core Partners provide comprehensive, pro bono "no-cost" legal

692 views • 29 slides
Social Engineering UDLS September 11, 2015 Neil Newman Social engineering is a non-

Social Engineering UDLS September 11, 2015 Neil Newman Social engineering is a non-

Social Engineering UDLS September 11, 2015 Neil Newman Social engineering is a non- technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security

340 views • 16 slides
DEFENSE INITIA DEFENSE INITIATED TED VICTIM VICTIM OUTRE OUTREACH Kate Siska Mitigation

DEFENSE INITIA DEFENSE INITIATED TED VICTIM VICTIM OUTRE OUTREACH Kate Siska Mitigation

DEFENSE INITIA DEFENSE INITIATED TED VICTIM VICTIM OUTRE OUTREACH Kate Siska Mitigation Specialist CLS Mitigation & Consulting Services April 2017 Tread ligh ad lightly tly, , but t reach o ach out t dir directly ctly. Include

347 views • 9 slides
Victim Support (Merton and Sutton) 1 Safet Vukalic Service Delivery Manager for Merton and

Victim Support (Merton and Sutton) 1 Safet Vukalic Service Delivery Manager for Merton and

Victim Support (Merton and Sutton) 1 Safet Vukalic Service Delivery Manager for Merton and Sutton branch of Victim Support Felicity Connolly Independent Domestic Violence Advocate in Merton. 2 What is Victim Support? Victim Support is

489 views • 11 slides
An average of 63 Afghans fell victim to mines and ERW each month during 2006: a more than 50%

An average of 63 Afghans fell victim to mines and ERW each month during 2006: a more than 50%

Islamic Republic of Afghanistan Islamic Republic of Afghanistan Victim Assistance in Victim Assistance in Afghanistan Afghanistan Dr. Faizullah Kakar Deputy Minister of Public Health April 2007 Current Situation: Landmines and ERW Victims

180 views • 6 slides
AGENDA Introduction and Bio What is Social Engineering? A T alk about Sales? What the

AGENDA Introduction and Bio What is Social Engineering? A T alk about Sales? What the

AGENDA Introduction and Bio What is Social Engineering? A T alk about Sales? What the Hell, you said Social Engineering?!? Profile? Process? Why not both! Defences against Social Engineering The Mystery Security T est

737 views • 50 slides
Support for victims of ASB Noura Yamout ASB Project March 2015 1 About Victim Support

Support for victims of ASB Noura Yamout ASB Project March 2015 1 About Victim Support

Support for victims of ASB Noura Yamout ASB Project March 2015 1 About Victim Support National charity across England and Wales Set up 40 years ago Help people affected by crime and anti-social behaviour Free,

118 views • 10 slides
DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim.

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim.

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim. Require the victim to do work per packet. Classic: TCP SYN floods (2000pps sufficient) ICMP floods Victim has insufficient

382 views • 6 slides
StealthWare Social Engineering Malware Running malware for Social Engineering and Covert

StealthWare Social Engineering Malware Running malware for Social Engineering and Covert

StealthWare Social Engineering Malware Running malware for Social Engineering and Covert Operations By: Joey Dreijer StealthWare Social Engineering Malware Social Engineering and Covert Operations Introduction Research Security

403 views • 21 slides
Lunch Presentation Who is ARCH? Nonprofit homeless service providers, victim services providers,

Lunch Presentation Who is ARCH? Nonprofit homeless service providers, victim services providers,

FEB. 22, 2018 Lunch Presentation Who is ARCH? Nonprofit homeless service providers, victim services providers, faith-based organizations, governments, businesses, advocates, public housing authorities, school districts, social service

671 views • 11 slides
Major development progress of Victim Assistance Programs Formulation and adoption of the Master

Major development progress of Victim Assistance Programs Formulation and adoption of the Master

26 May 2009 Dr.Prachaksvich Lebnak, MD. Major development progress of Victim Assistance Programs Formulation and adoption of the Master Plan 1. for Mine Victim Assistance Project on Mine Victim Survey and Situation 2. Analysis Master plan

355 views • 6 slides
OVC Fiscal Year (FY) 2018 Victim Assistance Fellowship: Translation & Dissemination of

OVC Fiscal Year (FY) 2018 Victim Assistance Fellowship: Translation & Dissemination of

OVC Fiscal Year (FY) 2018 Victim Assistance Fellowship: Translation & Dissemination of Statistical Data June 7, 2018 Presented by: Lynn Langton, Chief, Victimization Statistics, BJS And Mary Atlas-Terry, Victim Justice Program Specialist,

253 views • 24 slides
Transitioning your Team to the New New Normal for Victim Assistance Programs Funded by:

Transitioning your Team to the New New Normal for Victim Assistance Programs Funded by:

6/16/2020 Jennifer Amstutz & Alan Krieger Transitioning your Team to the New New Normal for Victim Assistance Programs Funded by: New York State Office of Victim Services 1 Upcoming Webinars June 16, 2020 Transitioning your

458 views • 10 slides
The Devil is in the details Social Engineering by means of Social Media B Y D A A N W A G E N A

The Devil is in the details Social Engineering by means of Social Media B Y D A A N W A G E N A

The Devil is in the details Social Engineering by means of Social Media B Y D A A N W A G E N A A R Y A N N I C K S C H E E L E N Introduction Online Social Networks LinkedIn (service data, disclosed data) Facebook

541 views • 51 slides
Becoming a victim of crime can be traumatic. Restorative Justice can change this. What is

Becoming a victim of crime can be traumatic. Restorative Justice can change this. What is

Becoming a victim of crime can be traumatic. Restorative Justice can change this. What is Restorative Justice? Restorative Justice (RJ) is a victim focused approach that empowers victims and communities by giving them the opportunity to:

164 views • 5 slides
Computer and Information Security Fall 2020 Human Factors and Social Engineering Tyler Bletsch

Computer and Information Security Fall 2020 Human Factors and Social Engineering Tyler Bletsch

ECE590 Computer and Information Security Fall 2020 Human Factors and Social Engineering Tyler Bletsch Duke University Definition What is non-social engineering? Manipulating objects to achieve an end What is social engineering?

627 views • 21 slides

More recommend