In this lesson I'll discuss social engineering.
By the end of it, you'll be able to understand what social engineering is,
recognize the signs of social engineering, and know how to
protect yourself and your organization from it.
So my very simple definition of social engineering is,
to gain some advantage through human manipulation.
Now, there are many other definitions out there but this is the simplest form,
to gain some advantage through human manipulation.
So, lying for example.
Typically, it's to obtain confidential information.
Passwords, financial data, confidential company data;
we can all lie, we can all manipulate in order to get information that we shouldn't.
In other instances it's far more serious.
To steal money for example,
or to install malware.
There are some great examples of this,
and I guarantee you I don't even have to tell you some examples of this,
because you already know them.
You see this every day.
One of the greatest ones is phishing, and I'm going to have
another lesson where I'll show you actual phishing messages.
So one of the easiest ways to have someone give up their information is through phishing.
So a user receives an email from someone pretending to be someone they aren't.
We see this all the time in any company.
You name the company,
there's been some way that their account has been compromised because of phishing.
Generally, the person that falls for the phishing,
doesn't understand that the message is phishing.
So the user gives up their password because,
"The IT help desk told me that my account was going to
be shut down unless I logged in to maintain it."
This is a classic example of something that phishers
usually send to users in hopes that they're going to log into
their false website, which is lying to the user to get them to log in.
Phone calls. Phone calls are another example of social engineering.
The IRS for example is never going to call you and tell you,
you're going to go to jail because you haven't paid your taxes.
They will probably send you a letter and then the police will come.
That's neither here nor there.
Microsoft.
Microsoft will never ever tell you that you have a virus on your computer.
Don't believe them if you get a phone call that says,
"This is Microsoft, you have a virus on your computer."
Or, "Your computer has been hacked."
Symantec.
I've heard many of these phone calls that say,
"This is Symantec," they're an anti-virus company and,
"you have another virus on your computer."
Another one that I think is pretty funny is the,
"Your vehicle warranty is about to expire."
I get phone calls for this constantly.
My warranty isn't going to expire.
Or what about, "This is cardmember services,
we have a great option for you to lower your debt."
Well, I know that I don't carry any debt on my credit cards so you're lying to me.
Another example of this and how phishers actually get information
or how we do social engineering is through security questions.
Believe it or not,
it is not difficult to guess your secret questions from an online account.
Most of the accounts out there are going to ask for
very specific information which is very easy to obtain.
"What was your first pet's name?"
You can easily fall for some sweepstakes that ask you for your first pet's information.
"Where were you born?"
That's easy to look up.
"What was your high school mascot?"
That information is very easy to look up because of social media accounts.
You post where you went to high school and they're
automatically going to look up what mascot you had.
What about, "Your mother's maiden name?"
That's very easy to look up on public records.
If you add questions it's better, but not foolproof.
Like, "What is your favorite band?"
Or, "What was your favorite band from 1992?" something like that.
Something that makes it really hard to guess.
Now, what the attackers are going to do with that information,
is they are going to try to reset your password somehow.
So by answering those secret questions,
they can get into your account.
Let's talk about some very well-known attacks to
help illustrate how social engineering works. From Ancient Greece,
the Trojan Horse example.
Classic. If you haven't read it or heard about it, look it up.
Prime example of social engineering.
Somebody wants to give somebody something for free,
when in disguise it is really meant to harm or destroy the other party.
Another example of this is, in 2007,
the attack on the ABN AMRO Bank in,
I believe it was Switzerland,
but I'm not actually sure.
Oh, Belgium, that's what it was.
They got away with $28 million in gems.
Now, how did they do that?
They didn't do it actually through technology,
they just had charm.
They walked into the bank,
said all the right things,
acted the right way.
The attacker was charming and they walked right out
the front door with $28 million in gems.
Another good example of this is,
2013, the attack on the Associated Press Twitter account.
At the time, there was a tweet that went out that said,
"President Obama is in the hospital.
There was an attack," and instantly,
and this was during the day when the stock market was trading,
the stock market crashed
150 points within a matter of three minutes because of that news.
Now, what happened was,
an Associated Press employee fell for phishing,
and they used those credentials to get into
the Associated Press' Twitter account and tweet that information out.
Another one that you may have also had phishing experience with
is the Nigerian prince scam.
This is a global epidemic basically,
that costs the world about $12.7 billion annually,
because people fall for this phish and send money to
this supposed Nigerian prince who is willing to
give you a ton of money if you just give him a little bit.
There was actually a county treasurer who was put in
jail for embezzlement because of this.
The county treasurer stole some of the money from the county to give to
the supposed Nigerian prince, who was able
to take that money from that treasurer, and obviously it's a scam.
The Target breach back a couple of years ago,
is another example of social engineering and phishing.
This actually happened with a third-party heating and ventilation company
that fell for phishing, and then the attackers were able to get into Target's systems and install
malware that sucked the credit card data from their point-of-sale terminals.
And another classic example of human social engineering and
technology was the hacktivist group Anonymous versus HBGary Federal.
Back when HBGary Federal was doing government contracting,
they were about to give or leak the names of the Anonymous hacktivists to the FBI,
and so what happened is,
Anonymous was able to break into one of
HBGary Federal's sites that stored a bunch of information and they were able
to convince the CEO at the time to give them the actual root credentials
of another system, and Anonymous
stole all the emails from HBGary Federal and basically collapsed the company.
Now HBGary is still operating but not,
to my knowledge, on the federal side.
I could be wrong.
But unfortunately, this was a bad case for HBGary Federal.
Let's talk about ways to protect yourself and to protect your organization.
We need to recognize accurate requests for information.
If we understand how to protect ourselves and look at accurate requests for information,
then any deviation from that could be phishing.
So, for example, a login page.
A login page should have https://,
your company's address, and then a slash.
Phishers and social engineers love to change
the domain to something that looks almost like it.
So if you're just looking at what comes before anything else,
before the first slash, you're generally safe.
But you need to identify accurate requests for
information before you give up any information.
Chances are, there are never going to be
any deviations technologically through email or through phone calls.
Typically, you are going to be the one that is giving
that information out when they are not asking.
Understand that every link could
potentially be dangerous and look closely at those links.
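The check described above, looking only at what sits between https:// and the first slash, as an added Python example that is not part of the lesson. The company domain example.com, the helper names, and the sample links are constructed for illustration; the sample links are the kinds of look-alike addresses the lesson warns about, and the code shows why "read the host before the first slash" catches them.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: stand-in for "your company's address".
EXPECTED_DOMAIN = "example.com"


def host_before_first_slash(url: str) -> Optional[str]:
    """Return the host part of a URL: the text between 'https://' and the first '/'.

    urlsplit() already strips a port and anything before an '@', so a link like
    https://example.com@evil.test/ yields 'evil.test', not 'example.com'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    return parts.hostname.lower() if parts.hostname else None


def is_expected_login_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """True only if the link uses https and the host is the company domain
    (or a subdomain of it). Anything else is treated as a possible phish."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = host_before_first_slash(url)
    if host is None:
        return False
    return host == expected_domain or host.endswith("." + expected_domain)


# Constructed sample links (hypothetical domains, not real sites).
SAMPLE_LINKS = {
    "https://example.com/login": "real login page",
    "https://login.example.com/": "real subdomain",
    "http://example.com/login": "no https",
    "https://example.com.evil.test/login": "company name as a subdomain of another domain",
    "https://example.com@evil.test/login": "company name hidden before an '@'",
    "https://evil.test/example.com/login": "company name after the first slash",
    "https://examp1e.com/login": "look-alike spelling (digit 1 for letter l)",
}


def classify(links=SAMPLE_LINKS):
    """Map each link to (host before first slash, verdict)."""
    return {
        url: (host_before_first_slash(url), is_expected_login_url(url))
        for url in links
    }


if __name__ == "__main__":
    for url, (host, ok) in classify().items():
        label = "OK     " if ok else "SUSPECT"
        print(f"{label} host={host!r:32} {url}  ({SAMPLE_LINKS[url]})")
```

Only the first two sample links pass; every other one keeps the company name somewhere in the address but not in the host, which is exactly the part the lesson tells you to read. Running the script prints the host it extracted next to each link so the difference is visible.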
Education and repeated exposure to
accurate requests are what help identify social engineering or phishing.
Two-factor authentication is also a great option if you can do it on certain systems.
Two-factor authentication stops
somebody even if they happen to steal the password for an account.
I always use a password manager.
Password managers are great to store information and keep your information separate.
One unique password for every site.
And remember it is up to you to ensure that you are not
the link that broke the chain in your organization's security plan.
Make sure that you are always responding to
any little thing that you might see that is not accurate.
Make sure that you understand accurate requests for information.