Social engineering


Published on March 11, 2014





Slide 1: Social Engineering Training
Jan-Willem Bullee
Cyber-crime Science

Slide 2: Background
• Effectiveness of authority on compliance
• We can get some of the answers from
  » Literature (meta-analysis)
  » Attacker stories/interviews
• But the answers are inconclusive
  » Different contexts
  » Human nature is hard to measure
  » Behaviour is difficult to standardize

Slide 3: Persuasion Principles
• Authority
• Conformity
• Commitment
• Liking
• Reciprocity
• Scarcity

Slide 4: Authority
• Titles: professionals vs lay people
• Clothing: formal vs casual
• Trappings: status vs insignificance
[Cia01] R. B. Cialdini. The science of persuasion. Scientific American, 284:76-81, Feb 2001.

Slide 5: Literature on Authority
• Classical Milgram shock experiment
  » 65% full compliance (26 of 40 subjects)
• Nurse-physician relationship
  » 95% compliance (21 of 22 nurses)
• Login credentials
  » 47% compliance
[Mil63] S. Milgram. Behavioral study of obedience. Journal of Abnormal and Social Psychology, 67(4):371-378, 1963.

Slide 6: Success Factors of Authority
• Sense of duty
• Obedience to authority

Slide 7: Attacker Stories
• Books about social engineering
• Six principles of persuasion
• Provisional results:
  » 4 books
  » 100 cases
[Mit02] K. Mitnick, W. L. Simon, and S. Wozniak. The Art of Deception: Controlling the Human Element of Security. Wiley, Oct 2002.

Slide 8: Mitnick Analysis
(Chart; not extracted.)

Slide 9: Nurse Study: Design
• Attacker: doctor
• Target: nurse
• Goal: violating policy
  » Administer a drug above its maximum dose
• Interface: phone
• Persuasion principle: authority
[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in nurse-physician relationships. Journal of Nervous and Mental Disease, 143(2):171-180, Aug 1966.

Slide 10: Stealing a Key
• What is the influence on compliance with a request of:
  » Social engineering (e.g. authority)
• You are the researchers!

Slide 11: Our Design
• Attacker: you (student)
• Target: employee
• Goal: violating policy
  » Sharing the office key with a third party
• Interface: face to face
• Persuasion principle: authority

Slide 12: Method: Our Design
• Dependent and independent variables
• 4 experimental conditions (2 × 2)
  » Intervention / no intervention
  » Authority / no authority
• Dependent variable
  » Compliance / no compliance with the request
(Figure: Request → Comply)
[Fie09] A. Field. Discovering Statistics Using SPSS. Sage, London, 3rd edition, Jan 2009.
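The course enters the data from this 2 × 2 design into SPSS. As an added example that is not part of the original deck or the course material, the Python script below does the first analysis a practitioner would run on such data without any statistics package: it tabulates compliance per condition, then tests each factor's main effect (authority, intervention) on the binary outcome with a Pearson chi-square and an odds ratio. The per-subject records in SAMPLE are constructed for illustration and are not results from the Carré experiment.

```python
"""Analysis of a 2x2 factorial social-engineering experiment.

Factors: authority (suit vs casual) x intervention (yes/no).
Outcome: complied with the request for the office key (True/False).
"""
import math
from itertools import product

# Constructed sample records, NOT data from the Carré experiment.
# Each record is (authority, intervention, complied).
SAMPLE = (
    [(True, False, True)] * 9 + [(True, False, False)] * 3
    + [(True, True, True)] * 4 + [(True, True, False)] * 8
    + [(False, False, True)] * 6 + [(False, False, False)] * 6
    + [(False, True, True)] * 3 + [(False, True, False)] * 9
)


def compliance_by_condition(records):
    """Return {(authority, intervention): (complied, total)} for all four conditions."""
    counts = {cond: [0, 0] for cond in product((True, False), repeat=2)}
    for authority, intervention, complied in records:
        cell = counts[(authority, intervention)]
        cell[1] += 1
        if complied:
            cell[0] += 1
    return {cond: tuple(v) for cond, v in counts.items()}


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square (1 df) for the table [[a, b], [c, d]].

    Rows are the two levels of a factor, columns are complied / refused.
    Returns (statistic, p_value).
    """
    n = a + b + c + d
    row1, row2, col1, col2 = a + b, c + d, a + c, b + d
    if 0 in (row1, row2, col1, col2):
        raise ValueError("empty margin: chi-square is undefined")
    stat = n * (a * d - b * c) ** 2 / (row1 * row2 * col1 * col2)
    # With 1 df the statistic is the square of a standard normal,
    # so P(X > x) = erfc(sqrt(x / 2)); no scipy needed.
    p = math.erfc(math.sqrt(stat / 2))
    return stat, p


def main_effect(records, factor):
    """Collapse over the other factor and test whether `factor` affects compliance.

    factor is "authority" or "intervention". Returns compliance rate with and
    without the factor, the odds ratio, and the chi-square statistic and p-value.
    """
    if factor not in ("authority", "intervention"):
        raise ValueError("factor must be 'authority' or 'intervention'")
    idx = 0 if factor == "authority" else 1
    with_c = with_n = without_c = without_n = 0
    for cond, (complied, total) in compliance_by_condition(records).items():
        if cond[idx]:
            with_c, with_n = with_c + complied, with_n + total
        else:
            without_c, without_n = without_c + complied, without_n + total
    a, b = with_c, with_n - with_c        # factor present: complied, refused
    c, d = without_c, without_n - without_c  # factor absent: complied, refused
    stat, p = chi_square_2x2(a, b, c, d)
    odds_ratio = (a * d) / (b * c) if b * c else math.inf
    return {
        "rate_with": a / with_n,
        "rate_without": c / without_n,
        "odds_ratio": odds_ratio,
        "chi2": stat,
        "p": p,
    }


if __name__ == "__main__":
    for cond, (complied, total) in sorted(compliance_by_condition(SAMPLE).items()):
        print(f"authority={cond[0]!s:5} intervention={cond[1]!s:5} "
              f"complied {complied}/{total}")
    for factor in ("authority", "intervention"):
        r = main_effect(SAMPLE, factor)
        print(f"{factor}: {r['rate_with']:.2f} vs {r['rate_without']:.2f}, "
              f"OR={r['odds_ratio']:.2f}, chi2={r['chi2']:.2f}, p={r['p']:.3f}")
```

Collapsing over the other factor only gives the two main effects. Whether the intervention works differently under authority is an interaction question; that needs a logistic regression with an authority × intervention term, which the script above deliberately does not attempt, and with cell sizes this small the chi-square approximation itself is rough.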

Slide 13: Method: Our Procedure
• Subjects from the Carré building
  » 14 research groups
  » 4 conditions
• Intervention vs no intervention
• Authority: suit vs casual clothing
• Randomized sample
• Attack in 1 day

Slide 14: Method: Our Procedure
• Attack targets
  » Impersonate the facility manager and ask for the employee's key
  » Short questionnaire
  » Note date, time, location, condition, compliance, difficulty, etc.
• More details on the course site

Slide 15: What to Do on Wed 11 Sep
• Attacker training in the morning, room CR2022
• Execute the experiment individually (or in pairs)
  » One or two attackers per area
  » Condition and area allocation: Jan-Willem Bullee, on the course site soon
  » Debrief directly after the attack

Slide 16: What to Do on Wed 11 Sep
• We have permission to do this only at
  » UT: Carré
• Enter your data in SPSS
  » Directly after the attack
  » Come to me, room ZI4047
• Earn 0.5 (out of 10) bonus points

Slide 17: Ethical Issues
• Informed consent not possible
• Zero risk for the subjects
• Approved by facility management
• Consistent with data protection (PII form)
• Approved by the ethics committee

Slide 18: Conclusion
• Designing research involves:
  » Decide what data are needed
  » Decide how to collect the data
  » Use validated techniques where possible
  » Experimental design, pilot, evaluate and improve
  » Training, data gathering
  » Start again...

Slide 19: Further Reading
[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009.
[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. ACM SIGSAC Review, 14(2):8-14, Apr 1996.
