Uploaded by PradmohanSinghTomar1, 12 slides, Aug 28, 2025


Social Engineering
Alexander Zhuravlev, MSLU 2010

“Amateurs hack computers. Professionals hack people.”

Contents
1. Security issues today
2. What is social engineering?
3. Why social engineering?
4. Categories of social engineering
5. How to safeguard against social engineering?
6. Conclusion

Security issues today
Security has never been as important as it is today. The essential need for information security is apparent not only in every country and organization, but also for the individual. Victims of these crimes can be left with debt, bad credit, higher interest rates, and possibly criminal charges against them until they are able to prove themselves innocent. As a result, it could take years or even a lifetime to recover from these wrongdoings.

According to a survey released on May 15, 2008 by the United States Department of Justice, “An estimated 3.6 million, or 3.1 percent, of American households became victims of identity theft in 2007.”

What is social engineering?
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or a simple fraud, the term typically applies to trickery for information gathering or computer system access. In most cases the attacker never comes face-to-face with the victims, and the latter seldom realize that they have been manipulated.

By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed that “users are the weak link” in security, and this principle is what makes social engineering possible.

They prey on human behavior, such as the desire to be helpful, the attitude to trust people and the fear of getting into trouble. The sign of truly successful social engineers is that they receive the information without raising any suspicion.

Why social engineering?
Social engineering uses human error or weakness to gain access to a system despite the layers of defensive security controls that may have been implemented. A hacker may have to invest a lot of time and effort in breaking an access control system, but he or she will find it much easier to persuade a person to allow admittance to a secure area or even to disclose confidential information. Despite the automation of machines and networks today, there is no computer system in the world that is not dependent on human operators at one point in time or another.

Social engineering has always existed in some form or another, primarily because of some very natural facets of human behavior. A social engineer exploits these behavior patterns to drive the target towards becoming a victim of the attack. Common human behaviors exploited by social engineers are listed below.

Behaviors Vulnerable to Social Engineering Attacks
Six tendencies of human nature:
• Authority - comply with a request from someone in authority
• Liking - comply with a request from someone we like
• Reciprocation - comply with a request when we are promised or given something of value
• Consistency - comply after we have committed to a specific action
• Social validation - comply when doing something in line with what others are doing
• Scarcity - comply when we believe the object sought is in short supply and others are competing for it, or it is available only for a short period of time

Figure (exploitation of human behavior): desire to be helpful, enthusiasm to get free rewards, attitude to trust, appeal to authority.

Categories of Social Engineering
There are two main categories under which all social engineering attempts could be classified:
• The technology-based approach is to deceive the user into believing that he is interacting with a 'real' application or system and get him to provide confidential information. For instance, the user gets a popup window informing him that the computer application has a problem and that he will need to re-authenticate in order to proceed. Once the user provides his ID and password in that popup window, the damage is done.
• Attacks based on the non-technical approach are perpetrated purely through deception, i.e. by taking advantage of the victim's human behavior weaknesses (as described earlier). For instance, the attacker impersonates a person holding great authority: he or she places a call to the help desk, pretends to be a senior manager, and says that he or she has forgotten the password and needs it reset right away.

Technical
• Phishing
• Vishing
• Spam Mails
• Popup Window
• Interesting Software

Non-Technical
• Impersonation/Pretexting
• Dumpster Diving
• Spying and Eavesdropping
• Support Staff
• Technical Expert
• Phishing
This term applies to an email appearing to have come from a legitimate business, a bank, or a credit card company, requesting "verification" of information and warning of some dire consequences if it is not done.
• Vishing
This is the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick private personal and financial information out of the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.
• Spam Mails
E-mails that offer friendships, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.
• Popup Window
The attacker's rogue program generates a popup window saying that the application connectivity was dropped due to network problems, and that the user now needs to re-enter his ID and password to continue with his session.
• Interesting Software
In this case the victim is convinced to download and install a very useful program or application, which might be 'window dressed'.

Non-Technical Approach
Pretexting / Impersonation
This is the act of creating and using an invented scenario (the pretext) to persuade a target to release information. It is more than a simple lie, as it most often involves some prior research or set-up and makes use of pieces of known information (e.g. date of birth, mother's maiden name, billing address etc.) to establish legitimacy in the target's mind.
Dumpster Diving
If the junk mail contains personal identification information, a 'dumpster diver' can use it in carrying out an identity theft. A hacker can also retrieve confidential information from the hard disk of a discarded computer, as there are numerous ways to retrieve information from disks, even if the user thinks the data has been 'deleted' from the disk.
Spying and Eavesdropping
A clever spy can determine the ID and password by observing a user typing it in (shoulder surfing). All that needs to be done is to be there behind the user and be able to see his fingers on the keyboard.
Acting as a Technical Expert
This is the case where an intruder pretends to be a support technician working on a network problem and requests the user to let him access the workstation and 'fix' the problem.
Support Staff
Here a hacker may pose as a member of the facility support staff and do the trick. A man dressed like the cleaning crew walks into the work area carrying cleaning equipment. In the process of appearing to clean your desk area, he can snoop around and get valuable information, such as passwords or a confidential file that you have forgotten to lock up.

How to safeguard from social engineering?
Figure (five pillars of protection): security policy, identity management, awareness and education, insurance protection, security incident management.

Well Documented Security Policy - associated standards and guidelines form the foundation of a good security strategy.
• Acceptable usage policy - for acceptable business usage of email, computer systems etc.
• Information classification and handling - for identifying critical information assets
• Personnel security - screening prospective employees and contractors to ensure that they do not pose a security threat to the organization, if employed
• Physical security - to secure the facility from unauthorized physical access with the help of sign-in procedures
• Information access control - password usage and guidelines for generating secure passwords
• Protection from viruses - to secure the systems and information from viruses and similar threats
• Information security awareness training - to ensure that employees are kept informed of threats
• Compliance monitoring - to continually ensure that the security policy is being complied with

People need to…
• Know what they need to do
• Be able to identify threats
• Have individual accountability and sanctions for their actions

Organisations need to…
• Implement strong procedures
• Provide security awareness training
• Establish a security-conscious organisational culture
Conclusion
Social engineering is a technique used by hackers and other criminals to persuade people to divulge confidential information for their personal gain or for malicious purposes. Although social engineering attacks are difficult to defend against because they involve the human element, it is possible for organizations and individuals to protect themselves by being trained on the importance of security and gaining awareness of the possible social engineering attacks that they may encounter.

Thank you for your attention
Alexander Zhuravlev
MSLU 2010