Social Engineering

by

Angela

Allan

Social Engineering

refers to psychological manipulation of people for the purpose of information gathering, fraud or system access.

Techniques

  • Pretexting
  • Diversion theft
  • Phishing
  • IVR or phone phishing
  • Baiting
  • Quid pro quo
  • Tailgating

Pretexting

involves some prior research or setup and the use of this information for impersonation to establish legitimacy in the mind of the target.

Diversion theft

The objective of this technique is to persuade the person responsible for a legitimate delivery that the consignment is requested elsewhere.

Phishing

is a technique of fradulently obtaining private information.

IVR or phone phishing

uses a rogue IVR(Interactive Voice Response) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.

Baiting

the attacker leaves a malware infected USB in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use  the device.

Quid pro quo

An attacker calls random numbers at a company, claiming to be calling from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them.

Tailgating

seeking entry to a restricted area secured by unattended, electronic access control.

Pop Culture

Blackhat (film)

A convicted hacker is released from prison to help the investigation where a Hong Kong nuclear plant and the Mercantile Trade Exchange in Chicago are hacked by unknown perpetrators.

Blackhat Trailer

Countermeasures

Organizations reduce their security risks by:

  • Establishing frameworks of trust

  • Identifying which information is sensitive

  • Establishing security protocols, policies, and procedures for handling sensitive information.

  • Training employees

  • Performing unannounced, periodic tests of the security framework.

  • Using a secure waste management service 

Notable Hackers

JB Synder

One of the world's top experts in banking cybersecurity, developed and proved in over 50 U.S. bank locations "the most efficient social engineering attack in history."

Primarily using email, allows a social engineer to make unauthorized large cash withdrawals from bank branches with an extraordinarily high success rate (over 90%) while enjoying low probabilities of immediate detection or subsequent incarceration. 

Legal Consequences

In common law, pretexting is an invasion of privacy laws. 

In the US, pretexting of bank records is an illegal act punishable under federal statues. The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. 

Thank you!..

Made with Slides.com