Ethical Hacking and Countermeasures v6 module 11 social engineering

Ethical Hacking and Countermeasures v6 Exam 312-50 Certified Ethical Hacker Social Engineering Module XI Page 1471 Ethical Hacking and Countermeasures v6 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module XI: Social Engineering
Ethical Hacking and Countermeasures Version 6, Exam 312-50

Scenario
Source: http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf

The Internal Revenue Service (IRS) annually processes over 222 million tax returns, which are converted into electronic records on various IRS systems. This information is protected by law and considered sensitive. Maintaining this type of information could make the IRS a target for computer hackers. In recent years, the IRS has successfully completed significant efforts in securing its computer network perimeters from external cyber threats. Because hackers are unable to gain access through these Internet gateways into the IRS, they are likely to seek other ways to gain access to IRS systems and, ultimately, taxpayer data. One such method is social engineering, which involves exploiting the human aspect of computer security for the purpose of gaining insider information about an organization's computer resources. One of the most common tactics is to convince an organization's employees to reveal their passwords. Along with user account names, passwords are needed to identify and authenticate employees before allowing them access to systems and data.

In August 2001, with the assistance of a contractor, we conducted social engineering tests on IRS employees as part of our penetration testing efforts. We placed calls to 100 IRS employees, asking them to change their password to one we suggested, and found 71 employees were willing to accommodate our requests. This review was conducted from our office in Walnut Creek, California, in December 2004. The audit was conducted in accordance with Government Auditing Standards.

Module Objective

If you have seen the movie "War Games," you have already seen social engineering in action. Arguably one of the best social engineers around, Kevin Mitnick's story captured on celluloid shows the art of deception.

This module will familiarize you with:
• Social Engineering
• Types of Social Engineering
• Behaviors vulnerable to attacks
• Social Engineering Threats and Defenses
• Countermeasures for Social Engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity Theft

It must be noted that the information contained in this chapter is for the purpose of presenting an overview. While this module points out fallacies and advocates effective countermeasures, the possible ways to extract information from another human being are restricted only by the ingenuity of the attacker's mind. While this aspect makes it an art, and the psychological nature of some of these techniques makes it a science, the bottom line is that there is no single defense against social engineering; only constant vigilance can circumvent some of the social engineering techniques that attackers use.

Module Flow
• Social Engineering
• Behaviors vulnerable to attacks
• Types of Social Engineering
• Social Engineering Threats and Defenses
• Countermeasures for Social Engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity Theft

There is No Patch to Human Stupidity

What is Social Engineering

Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attack. An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they do not know, or even by talking about a project with coworkers at a local pub after hours.

Social engineering is the tactic or trick of gaining sensitive information by exploiting basic human nature, such as:
• Trust
• Fear
• Desire to help

Social engineers attempt to gather information such as:
• Sensitive information
• Authorization details
• Access details

Social engineering is the use of influence and persuasion to deceive people into revealing sensitive information in order to perform some malicious action. It is used to gather confidential information, authorization details, and access details. All the security measures that an organization adopts go in vain when employees are "social engineered" by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam email, and bragging to co-workers. Most often, people are not even aware of a security lapse on their part; chances are that they divulge information to a potential hacker inadvertently. Attackers take special interest in developing social engineering skills, and can be so proficient that their victims might not even realize that they have been scammed. Despite having security policies in place, organizations can be compromised because social engineering attacks prey on the human tendency to be helpful.

Attackers are always looking for new ways to gather information. They make sure they know the perimeter and the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit human oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearances with known entities. For instance, upon seeing a man dressed in a uniform and carrying a stack of packages for delivery, any individual would take him to be a delivery person. Companies list their employee IDs, names, and email addresses on their official websites. Alternatively, a corporation may put advertisements in the paper for high-tech workers trained on Oracle databases or UNIX servers. These bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.

Human Weakness

People are usually the weakest link in the security chain. A successful defense depends on having good policies and educating employees to follow them. Social engineering is the hardest form of attack to defend against, because it cannot be defended against with hardware or software alone.

Every individual with access to systems and other information resources is susceptible to social engineering attacks. Access to critical security and financial information is the main motive behind almost all social engineering attempts. Attackers target individuals rather than secured information in order to gain network access. Detecting a social engineering attack is difficult, as there is no software or hardware to detect such attempts. In many cases the victims themselves are not aware that they have divulged critical information.

The only countermeasures for social engineering attacks are awareness and education. Employees of the organization need to be educated to defend against social engineering attacks: they should be sensitized to such attacks and trained to respond to them. Social engineering awareness sessions should be conducted regularly to update employees on the different tricks used for extracting information. Customer support executives and front office staff should be told clearly which types of information they may give out.

"Rebecca" and "Jessica"

Hackers use the terms "Rebecca" and "Jessica" to denote social engineering attacks, and commonly use these terms in their attempts to "social engineer" victims. A Rebecca or Jessica is a person who is an easy target for social engineering, such as the receptionist of a company.

Examples:
• "There is this Rebecca at this bank, and I am going to call her to extract privileged information."
• "I met Ms. Jessica; she was an easy target for social engineering."
• "Do you have any Rebeccas in your company?"

Office Workers

Despite having the best firewall, intrusion-detection, and antivirus systems that technology has to offer, organizations are still hit with security breaches. One reason for this may be a lack of motivation among workers; the most important reason is employees' potentially lax attitude toward maintaining the secrecy of an organization's sensitive information. Hackers might attempt social engineering attacks on office workers to extract sensitive data such as:
• Security policies
• Sensitive documents
• Office network infrastructure
• Passwords

Posted: 26/12/2013, 20:22
