
Social Engineering

UTHSC Information Security Team


What is Social Engineering?
An attacker uses human interaction to obtain or compromise information.

The attacker may appear unassuming or respectable
o Pretends to be a new employee, repair man, etc.
o May even offer credentials

By asking questions, the attacker may piece together enough information to infiltrate a company's network
o May attempt to get information from many sources
What is Social Engineering
At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' a person to steal valuable information.

Psychological manipulation

Trickery or deception for the purpose of information gathering

What is Social Engineering
It is a way for criminals to gain access to information systems.
The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick people into handing over passwords and/or other sensitive financial or personal information.
What is Social Engineering
Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by social engineering.

"Most employees are utterly unaware that they are being manipulated," says Colin Greenlees, security and counter-fraud consultant at Siemens.
Types of Attacks
Phishing
Impersonation on help desk calls
Quid Pro Quo - Something for something
Baiting
Pretexting
Invented Scenario
Diversion Theft - A con
Physical access (such as tailgating)
Shoulder surfing
Dumpster diving
Stealing important documents
Fake software
Trojans
Phishing
Use of deceptive mass mailing
Can target specific entities (spear phishing)
Prevention:
o Honeypot email addresses
o Education
o Awareness of network and website changes
Impersonation on help desk calls
Calling the help desk pretending to be someone else
Usually an employee or someone with authority
Prevention:
o Assign PINs for calling the help desk
o Don't act on someone's instructions just because they claim authority; verify who they are first
o Stick to the scope of the help desk
Quid Pro Quo
Something for Something
o Call random numbers at a company, claiming to be from technical support.
o Eventually, you will reach someone with a legitimate problem.
o Grateful you called them back, they will follow your instructions.
o The attacker will "help" the user, but will really have the victim type commands that allow the attacker to install malware.
Baiting
o Uses physical media
o Relies on the greed/curiosity of the victim
o Attacker leaves a malware-infected CD or USB drive in a location sure to be found
o Attacker puts a legitimate-looking or curiosity-provoking label on it to gain interest
o Ex: "Company Earnings 2009" left at the company elevator
o A curious employee or Good Samaritan picks it up and uses it
o The user inserts the media and unknowingly installs malware
Pretexting
Invented Scenario
o Prior research/setup is used to establish legitimacy
o Gets the victim to give information they would normally not divulge
o This technique is used to impersonate authority, etc.
o Uses prepared answers to the victim's questions and other gathered information
o Ex: Law enforcement
   Threat of an alleged infraction to detain the suspect and hold them for questioning
Pretexting Real Example:
Signed up for a free credit report

Saw an unauthorized charge from another credit company

o Called to dispute the charge and was asked for my credit card number

o They insisted it was useless without the security code

o Asked for my Social Security number

Talked to the Fraud Department at my bank
Diversion Theft
A Con
o Persuade the delivery person that the delivery is requested elsewhere - "Round the Corner"
o When the delivery is redirected, the attacker persuades the delivery driver to unload the delivery near the new address
o Ex: Attacker parks a fake security van outside a bank. Victims going to deposit money into a night safe are told that the night safe is out of order. Victims then give their money to the attacker to put in the fake security van.
o Most companies do not prepare employees for this type of attack
Physical access
Tailgating
Ultimately obtains unauthorized building access
Prevention:
o Require badges
o Employee training
o Security officers
o No exceptions!
Shoulder surfing
Someone can watch the keys you press when entering your password
Probably less common
Prevention:
o Be aware of who's around when entering your password
Dumpster diving
Looking through the trash for sensitive information
Doesn't have to be dumpsters: any trashcan will do
Prevention:
o Easy, secure document destruction
o Lock dumpsters
o Erase magnetic media
Stealing important documents
Can take documents off someone's desk
Prevention:
o Lock your office
o If you don't have an office: lock your files securely
o Don't leave important information in the open
Fake Software
Fake login screens
The user is aware of the software but thinks it's trustworthy
Prevention:
o Have a system for making real login screens recognizable (a personalized key, image, or phrase that a fake screen would not know)
o Education
o Antivirus (probably won't catch custom-tailored attacks)
Trojans
Appears to be useful and legitimate software before running
Performs malicious actions in the background
Does not require interaction after being run
Prevention:
o Don't run programs on someone else's computer
o Only open attachments you're expecting
o Use an antivirus
Weakest Link?
No matter how strong your:
o Firewalls
o Intrusion Detection Systems
o Cryptography
o Anti-virus software

YOU are the weakest link in computer security!
o People are more vulnerable than computers

"The weakest link in the security chain is the human element" - Kevin Mitnick
General Safety

Before transmitting personal information over the internet, check that the connection is secure (HTTPS) and that the URL is actually the site you expect

If unsure whether an email message is legitimate, contact the person or company by another means to verify

Be paranoid and aware when interacting with anything that needs protecting
o The smallest piece of information could compromise what you're protecting
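The "check the URL is correct" advice above and the phishing slide earlier are easier to follow with a concrete list of what to look for. The script below is an added example, not code from the UTHSC slides: it flags the common link tricks (wrong scheme, a trusted name hidden before an '@', a bare IP, punycode or non-ASCII homographs, a trusted name used as a subdomain or path on another domain, and character-swap look-alikes). The trusted-domain list, the confusable-character table and the sample URLs are all constructed for illustration; `examplebank.com` is a placeholder, not a real institution.

```python
"""Heuristic URL check for phishing awareness.

Added example, not part of the UTHSC slides. TRUSTED_DOMAINS, CONFUSABLES
and the sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user legitimately logs in to.
TRUSTED_DOMAINS = ("uthsc.edu", "examplebank.com")

# Substitutions attackers use to build look-alike names, mapped back to the
# letters they imitate so that "exarnp1ebank" normalizes to "examplebank".
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
               "5": "s", "7": "t", "8": "b"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: multi-label public
    suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_confusables(name: str) -> str:
    """Map look-alike digits and letter pairs back to the imitated letters."""
    out = name.lower()
    for lookalike, real in CONFUSABLES.items():
        out = out.replace(lookalike, real)
    return out


def check_url(url: str) -> list:
    """Return human-readable warnings; an empty list means none of these
    heuristics fired, which is not the same as the link being safe."""
    warnings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    if parts.scheme != "https":
        warnings.append("not HTTPS (scheme=%s)" % (parts.scheme or "none"))
    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # https://uthsc.edu@evil.example.net/...  the real host is after the '@'
    if parts.username is not None:
        warnings.append("text before '@' (%s) is userinfo; real host is %s"
                        % (parts.username, host))
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a name")
    except ValueError:
        pass
    if not host.isascii():
        warnings.append("non-ASCII characters in hostname (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in hostname (possible homograph)")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings  # host really is under a trusted domain

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # secure.examplebank.com.attacker.net: brand used as a subdomain
        if brand in host:
            warnings.append("'%s' appears in hostname but registrable domain is %s"
                            % (brand, domain))
        # https://203.0.113.5/uthsc/login: brand appears only in the path
        if brand in parts.path.lower():
            warnings.append("'%s' appears only in the path; host is %s"
                            % (brand, host))
        # examp1ebank.com / exarnplebank.com: character-swap look-alike
        if normalize_confusables(domain) == normalize_confusables(trusted):
            warnings.append("%s is a look-alike of %s" % (domain, trusted))
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.uthsc.edu/login",
                   "https://uthsc.edu@evil.example.net/reset",
                   "https://secure.examplebank.com.attacker.net/",
                   "https://examp1ebank.com/login",
                   "http://203.0.113.5/uthsc/login"):
        print(sample, "->", check_url(sample) or "no warnings")
```

The allow-list approach is deliberate: deciding "is this domain one I actually use?" is a question the user can answer, whereas a blocklist can never keep up with freshly registered look-alikes. The confusable table and two-label domain rule are simplifications; a production check would use the Public Suffix List and a full Unicode confusables table.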
Ways to Prevent Social Engineering
Training
User Awareness
o The user knows that giving out certain information is frowned upon
o Complete Information Security Training

Policies
o Employees are not allowed to divulge private information
o Protects employees from being socially pressured or tricked
Ways to Prevent Social Engineering (cont.)
3rd Party test - Ethical Hacker
o Have a third party come to your company and attempt to hack into your network
o The 3rd party will attempt to glean information from employees using social engineering
o Helps detect the problems people have with security

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information

Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified
Responding
You've been attacked: now what?
o What damage has been done? What damage can still be done?
o Has a crime actually taken place?

Report the incident or event IMMEDIATELY!
o Take responsibility and be honest
o Contact the UTHSC Help Desk
Summary
Be suspicious.
Think about motivation when revealing information.
Verify identity.
Be careful what you click on.
No one will catch everything. Be willing to ask for help.
IMMEDIATELY contact your UTHSC Information Security Team!
Security is Everyone's Responsibility. See Something, Say Something!
UTHSC Information Security Team

Frank Davison - fdavison@uthsc.edu - (901) 448-1260
Jessica McMorris - jmcmorr1@uthsc.edu - (901) 448-1579
L. Kevin Watson - lwatso20@uthsc.edu - (901) 448-7010
Ammar Ammar - aammar@uthsc.edu - (901) 448-2163

Information Security Email: itsecurity@uthsc.edu

Website: security.uthsc.edu

To report phishing and spam email, forward it to abuse@uthsc.edu

UTHSC Help Desk: (901) 448-2222 ext. 1 or helpdesk@uthsc.edu
