...UVT2-RTFT Task 1 Competency 427.2.4: Advanced Social Engineering William J. Lawson MS Information Security & Assurance - 5/1/13 Student ID:000311942 My Mentor: Mary Gordon c: 317-448-3045 Indianapolis, IN - Eastern Time wlawson@my.wgu.edu A. Create a memo discussing how you believe the intruder gained access to the company's network using social engineering. Incident Memo to Management Recently The Company was a victim of a Social Engineering (SE) attack, perpetrated by an unknown entity. Social Engineering is a method used by confidence men (con-men) to acquire information through human interaction that will be used to support a cyber attack. It often involves some form of trickery. In this case a supervisor assigned to handle customer complaints received an email from a suspected customer claiming that one of the products listed on the website was incorrect. The email also included a URL to the web page in question. I suspect that the attacker acquired the Supervisor's email address by first contacting the customer support desk and posing as a disgruntled customer. Once the customer (attacker) stated his/her complaint to the employee and the employee responded, the customer pretended that he was not satisfied and stated to the employee that his complaint was not completely resolved. He then asked the employee for the supervisor's name and contact information. In order to satisfy the customer the employee provides the...
Words: 1996 - Pages: 8
...TO: Jane Doe, Director Area Office FROM: Daniel Krupka, Division Manager Support Services DATE: November 13, 2011 SUBJECT: Unauthorized Access to Confidential Files It is believed this company is the victim of a deliberate attack from an outside source, with the sole purpose of obtaining access to Confidential Files. On November 11, 2011, a breach of the company’s security measures was detected, and several Confidential Files accessed. An immediate investigation was launched to determine how access was gained. How Access Was Gained It has been determined a combination of Social Engineering and Malware was used to bypass the company’s security measures. Through the use of dumpster diving, the perpetrator managed to locate files containing client invoices. Posing as a company client, the perpetrator placed a call to the receptionist of the Support Services Division, stating he was trying to send an email to the Supervisor of the Customer Complaints section regarding the upcoming contract renewal. It was further stated the email would not go through. The perpetrator expressed the urgency of the email, and asked the receptionist if she would verify if the address was correct. The receptionist verified the Supervisor's company email, ending the call. The perpetrator then proceeded to send an email to the Supervisor posing as a client complaining there was an issue with the product list on the Company website. The email contained a hyperlink, which upon clicking redirected...
Words: 921 - Pages: 4
...To: Boss From: Brandon Moore Date: August 1, 2011 Subject: Social Engineering Attack on the Company Recently several of our users have reported slowness of their computers. Not coincidentally, each of these users had also received a suspicious email reporting a problem with a particular item on the company website. This email contained a URL which, upon clicking, directed the user to a page in which nothing appeared out of the ordinary. It is my conclusion that both these events are intertwined and the users have contracted a computer virus, specifically a Trojan virus, which allows this attacker to gain access to the computer systems it infects. The attacker was able to accomplish this by manipulating our employees into believing they had a legitimate issue to raise with the company. Once they clicked on the link in the email, they were likely directed to a site that appeared to look the same as the company’s website, or they were sent to another site which downloaded the virus and were quickly redirected to a legitimate page before the user would ever notice. Additionally, the email that contained the malicious URL had a “made-up” email address configured as the “Reply-To” so that when a user attempted to reply the email would not get anywhere. In conclusion, the actions that ultimately took place are as follows: * Users received an email that appeared to be legitimate, but instead came from an attacker looking to gain access into...
Words: 1096 - Pages: 5
...A. Memo of Case Social engineering is a method of gaining access to information by deception performed against human capital. System penetrators and ‘crackers’ know that people, and their desire to be helpful, or their ability to emote, are the weakest links in any program designed to protect information systems. Attackers can trick or persuade their way into systems in any number of ways via remote and physical means, and convince users to reveal information of interest that can cause harm to an organization. A typical social engineering attack can be segmented into physical and psychological stages. The physical segment of the social engineering operation could include phone calls, or returned phone calls from employees back to the attacker (an example of reverse social engineering) that volunteer information, ‘dumpster diving’ for company-specific information that can be used to simulate a rapport or relationship with the company if questioned by an employee or security, emails with surreptitious links requesting unique information such as PINs or user names, or physical proximity and entry by impersonating an authorized person. The psychological stage of a social engineering attack takes place after the physical footprinting of the organization by using the bona fides that were learned while gathering physical intelligence to manufacture relationships with persons or the company, or by asserting false authority by impersonating persons or departments within the company...
Words: 1868 - Pages: 8
...Social engineering is one of the most successful types of attacks users can be subjected to. Companies can spend thousands of dollars on top-of-the-line protection for the system, but how do you protect from the user? These types of attacks can happen to the most novice of computer users all the way up to the masters of the IT field. Common social engineering attacks can happen over the phone, in person or even just over the internet without direct social interaction. A lot of people believe they couldn’t possibly be a victim of social engineering attacks. A quote from Joan Goodchild’s article from Chris Roberts, a security consultant, discusses these feelings: “So many people look at themselves or the companies they work for and think, 'Why would somebody want something from me? I don't have any money or anything anyone would want,'” he said. “While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal.” Popular social engineering attacks happen and are successful because of the need for social compliance. Most people want to help others, especially if that is your job (i.e. customer service representatives or help desk personnel). Being an employee in customer service can prove challenging when it comes to battling these attacks. “Social engineering is essentially...
Words: 1344 - Pages: 6
...equipment which needs to be dealt with since each firm is using different types of network operating systems, servers, case management systems, and ways for users to connect to the network. Currently both firms have separate security policies and these will need to be reviewed, revised and merged to meet the criteria of the new merged network system. One of the biggest challenges will be the case management systems, as Bellview Law Group is using a legacy application while Myrtle and Associates is utilizing a more current web-based system. A migration plan will need to be developed to bring the legacy system over to the web-based system. While this migration is taking place both systems will need to run in parallel so that the data will be accessible. Training will be another issue that needs to be addressed since the staff from Bellview Law Group currently access data only from desktop PCs; they will need to be trained not only on the new web-based case management system but also on the new hardware as well. Finally the actual integration itself will be quite challenging. Timing can be an issue and we’ll want to have the least amount of impact on users and ultimately on the business. Since Bellview Law Group is running the older legacy systems the recommendation would be to move the servers over to Myrtle and Associates' system and install Terminal Server access for the Bellview Law Group offices....
Words: 1754 - Pages: 8
...Task 1 2012 VUT2- Vulnerability Assessment Task 1 2012 Introduction Social Engineering is the means of acquiring information by deceiving and tricking the human element of an information system. Hackers know that people are the weak link in any Information System. Attackers trick users into revealing valuable information and coerce users into performing tasks that may cause harm to their organization. The social engineering attack can be broken down into two logical stages: the physical settings and psychological methods stages. The physical settings stage would gather information by accessing the work place using impersonation, telephone calls, online chat, or email contact. Attackers then use this information against the organization during the psychological methods stage (Jones, 2003). In this scenario a supervisor that handles customer complaints received an email that one of the product listings on the organization’s website was incorrect. The link provided in the email redirected the user to a page containing a script that, once run, compromised the supervisor’s computer by downloading and installing a Trojan horse and opening a remote access session for the attacker, which allowed him to access and download confidential files from the system. During the first stage, the attacker impersonated a customer using account information perhaps discovered during a reconnaissance attack in the form of dumpster diving in the organization’s garbage. The hacker calls the...
Words: 1821 - Pages: 8
...Guidelines for Secure Use of Social Media by Federal Departments and Agencies Information Security and Identity Management Committee (ISIMC) Network and Infrastructure Security Subcommittee (NISSC) Web 2.0 Security Working Group (W20SWG) Version 1.0 September 2009 This document is publicly releasable Intended Audience This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public. Note: The Federal CIO Council does not endorse the use or imply preference for any vendor commercial products or services mentioned in this document. Guidelines for Secure Use of Social Media by Federal Departments and Agencies Page 2 TABLE OF CONTENTS Intended Audience (2), Revision History (4), Acknowledgements (5), Executive Summary (6), Risks ...
Words: 7347 - Pages: 30
...Climate/culture of the organization * Employee training for social engineering attacks * Positive identification of employees when granting role-based access * Vulnerabilities within and without the network, specifically to sniffers and eavesdropping * The ease with which the employee changed his pay rate, indicating a single system used for HR profiles rather than segregated duties & systems * The PKI that was installed only addressed the HR system, rather than the entire organization Honestly, the whole environment at this company needs a complete evaluation and overhaul! 2. Outline the other attacks mentioned in the scenario that were not noticed by the organization. * Social Engineering * Sniffing/Eavesdropping * Unauthorized Privilege Escalation * Network Penetration * Spoofing a. Describe the nature of the attacks not noticed by the organization. By “the nature of the attacks” I interpret this to mean the source of the attacks, or the skillset required to carry out the attacks. I believe this employee was tenured based on their ability to: * Hack into the HR system * Successfully intercept the email from audit to the other individuals * Successfully impersonate the individuals the email from audit was sent to * Successfully identify the company president and other employees whose pay records were modified * Successfully eliminate evidence of the attack, indicated by two paycheck cycles going by before audit caught...
Words: 801 - Pages: 4
...improvement Voting on the Internet using everyday PCs offers only weak security, but its main disadvantages are in the areas of anonymity and protection against coercion and/or vote selling. It's such a truly bad idea that there seems to be no credible academic effort to deploy it at all. The Presidential elections of 2000 brought national attention to problems with current American methods of casting and counting votes in public elections. Most people believe that the current system should be changed; there is much disagreement on how such changes should be made. The MIT/Caltech researchers [1] “see a promising future for electronic voting, despite its problems today” (under a few conditions). They advocate using the methods currently in use which result in the lowest average numbers of “uncounted, unmarked, and spoiled ballots,” like in-precinct optical scanning. Their report even proposes a framework for a new voting system with a decentralized, modular design. Other researchers have done work in electronic voting; while they may not explicitly mention voting from remote poll sites, their work is nonetheless relevant to any effort at designing or implementing a remote poll site voting system. Lorrie Cranor [2] could be classified, like the Caltech/MIT researchers, as a cautious optimist. She acknowledges the problems inherent in each kind of voting apparatus, but doesn't make an overt recommendation on her site for one technology over the rest. Some other academics...
Words: 4590 - Pages: 19
...remote access backdoor, network and password sniffer, data extractor, ransom hijacker, and so much more) on the user’s computer (keeping in mind the user clicked on the link). In this case, it is likely that a remote access Trojan with keylogger capabilities at minimum, with possible network sniffing capabilities, was installed that captured the keystrokes of the user, thus obtaining user name and password, but also trolled through network activity to obtain potential accounts (username and password) that would have higher level administrative permissions in case this particular user did not have such robust access. Simply stated, the user was a victim of a social engineering attack whereby the user clicks on a compromised (as in malicious in nature) link that can cause serious network, data and information security intrusion to the entire organization, and not just that particular computer, for the remote access and data trolling...
Words: 1895 - Pages: 8
... 2.5 Network penetration testing 2.6 Common tools and applications for penetration testing 7 2.7 Black box testing, grey box testing, Black/grey box testing 2.8 Social engineering testing 7 3. Test Plan 15 3.1 Task 3.1 Reporting 3.1 Schedule 3.2 Limitation of Liability 3.3 End of Testing 3.1 Unanswered Questions 10 3.4 Signatures 8 3.1 Authorization Letter 8 4. Conclusion 11 5. Bibliography 11 Acronyms 22 Appendix A – Test Case Procedures 23 Abstract This document is a proposal with a series of activities undertaken to identify and exploit security vulnerabilities. It helps confirm the effectiveness or ineffectiveness of the security measures that have been implemented. This proposal provides an understanding of penetration testing. It discusses the benefits, the strategies and the methodology of conducting penetration testing. The methodology of penetration testing includes three phases: test preparation, test and test analysis. Key Words: Security Testing, Vulnerability Assessment, Penetration Testing, Web Application Penetration Testing. What is a Penetration test? Penetration tests are a great way to identify vulnerabilities that exist in a system or network that has existing security measures in place. A penetration test usually involves the use of attacking methods conducted by trusted individuals that are similarly used by...
Words: 1995 - Pages: 8
...Kudler Fine Foods Frequent Shopper Program Brian Musha, Darrell Jones, David Kress, Matthew DiMare, Jason Longo, Thomas Kunis CMGT/400 February 9, 2015 Robert Quintin Introduction Team C has been tasked to develop a Customer Loyalty Program for frequent shoppers at Kudler Fine Foods. The program will consist of loyalty points that may be used by the frequent shoppers to purchase high value merchandise from the vendors of the loyalty points partner program. The team has also been tasked to ensure that the information collected from the frequent shoppers is securely protected from outsiders and others that may make the system vulnerable to threats. Team C will cover each step within the system development life cycle to cover all systems affected and mitigation of risks and will properly satisfy the needs of Kudler. Outline of Customer Loyalty Program Kudler Fine Foods prides itself on delivering the finest in specialty foods from around the world. In continuing with the tradition of providing the best for their customers Kudler has decided to develop a Customer Loyalty Program. This program will consist of a loyalty points program with said points being accrued from purchases made from Kudler. The customer will have to sign up for the program and after doing so will have their purchases tracked and with each purchase will collect loyalty points that can later be used towards high value items provided by vendors of a loyalty points partner program. The reasoning...
Words: 4127 - Pages: 17
...Kevin Mitnick – Social Engineering and Computer Hacking Mastermind Shelby Descoteaux Professor Kabay IS 340 A Nov. 22, 2013 Table of Contents Introduction 3 Kevin Mitnick 3 Hackers and Their Motives 3 The Early Years 4 Adolescence 5 Kevin in Trouble 6 Kevin’s Final Visit from the FBI 7 Hacker or Engineer? 8 Impact on Computer Security 8 Conclusion 9 Works Cited 10 Introduction Most people today are aware of the detrimental risk that hackers pose to their computers. They might know about identity theft, viruses, Trojans and worms; however, what they fail to recognize is how these things are accomplished and if they have actually fallen victim to one of these horrible attacks. But what about attacks with even greater impacts…like someone hacking into the computer system of a car that controls the brakes? Perhaps penetrating the systems that control nuclear power plants? Although it seems unlikely that either of these extremely scary scenarios would ever happen, it is most definitely possible. One researcher for IBM’s Internet Security Systems told the owners of a nuclear power station that he could hack into their system through the Internet. The power station took this as a joke, responding to Scott Lunsford, the IBM researcher, with a laugh in his face saying that it was “impossible”. In response, Scott took the power plant up on their words and proved them wrong. In less than twenty-four hours, Scott’s team had infiltrated the system and in...
Words: 4016 - Pages: 17
...Chapter 7: Statutory Authority Chapter Outline 1. Introduction of topics and concepts to be discussed in the chapter. a. Legal basis of modern emergency management in the United States. b. Budget authority. c. Program eligibility. d. Roles and responsibilities. 2. Case Studies a. The National Earthquake Hazard Reduction Program (NEHRP): Legislation to Address a Particular Hazard b. The Homeland Security Act of 2002: A New Emergency Management c. The Disaster Mitigation Act of 2000: A Shift to Pre-Disaster Mitigation 3. Additional Sources of Information 4. Glossary of Terms 5. Acronyms 6. Discussion Questions a. General b. NEHRP c. Homeland Security Act of 2002 d. DMA 2000 7. Suggested Out of Class Exercises Introduction No emergency management system anywhere in the world can properly function without statutory authority and consistent budget appropriations. Statutory authority defines disaster programs, determines who is eligible for these programs, provides the legal support needed to implement disaster programs and establishes the legal foundation for funding the programs and activities of the disaster agency. Without such authority, a government agency is powerless. Legal Basis of Modern Emergency Management in the United States The first recorded emergency management legislation in the United States occurred in 1803 when a Congressional Act was passed to provide financial...
Words: 25108 - Pages: 101