The Rise of Social Engineering -- Anatomy of a Full Scale Attack
In this presentation you will gain insight into how hackers use the human element to increase the success probability of their attacks. It covers everything from dumpster diving to email phishing and pretexting phone calls. Learn what to look for and how to defend your organization from social engineering attacks.
David Nelson, CISSP, is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow with the Information Systems Security Association (ISSA). He has led technology organizations in both the public and private sector. Prior to founding Integrity, he was most recently the Chief Information Security Officer for a leading health informatics company. He also managed an information security group for a top 5 U.S. banking organization, was the CIO for a higher education institution and served as the information security officer for one of the largest municipal governments on the East Coast.
6. Sociology and Psychology
• Study of human behavior, interaction and societal norms.
• Actions can be predicted quite accurately.
• Actions can also be influenced quite easily.
7. Simple Human Behavior
• Two Types of Responses
– Natural
– Learned
Hackers will craft a scenario for you to enter, in order to elicit a response which they believe will give them the result they are looking for.
9. Why talk about social engineering
Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it's on the rise.
Source: 2016 Verizon Data Breach Investigation Report
14. Common Bait
• Sweet Deals
– Free Stuff
– Limited Time Offers
– Package Delivery
• Help Me, Help You!
– Tech Support
• You Gotta See This!
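The lure categories on this slide (free stuff, limited-time offers, package delivery, tech support, curiosity hooks) are what a mail triage or awareness team looks for when deciding which reported messages deserve a closer look. The following is an added example, not code from the presentation or from Integrity: a small heuristic scorer that maps constructed sample messages onto those categories, adds weight when a link points somewhere other than the claimed sender's domain, and returns the messages that cross a review threshold. The keyword lists, sample messages, domains and threshold are all assumptions made for illustration.

```python
"""Heuristic lure scorer for phishing report triage (added example).

Maps a message onto the bait categories named on the "Common Bait" slide
and flags messages whose lure score crosses a review threshold.  All
keyword lists and sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed keyword lists, one per lure category from the slide.
LURE_PATTERNS = {
    "free_stuff": [r"\bfree\b", r"\bgift card\b", r"\bprize\b", r"\bwinner\b"],
    "limited_time": [r"\burgent\b", r"\bexpires?\b", r"\bwithin \d+ hours?\b",
                     r"\blimited time\b", r"\bact now\b", r"\bfinal notice\b"],
    "package_delivery": [r"\bpackage\b", r"\bparcel\b", r"\bdelivery\b",
                         r"\bshipment\b", r"\btracking\b"],
    "tech_support": [r"\bhelp ?desk\b", r"\btech support\b",
                     r"\bpassword (reset|expir)", r"\baccount (locked|suspended)\b",
                     r"\bverify your account\b"],
    "curiosity": [r"\byou (won't|wont) believe\b", r"\bgotta see\b",
                  r"\bcheck this out\b", r"\bis this you\b"],
}


@dataclass
class LureReport:
    categories: list = field(default_factory=list)  # lure categories hit
    score: int = 0                                   # one point per category, +2 for link mismatch
    link_mismatch: bool = False                      # a link leaves the sender's domain


def score_message(subject, body, sender_domain=None, link_domains=()):
    """Return a LureReport for one message (case-insensitive keyword match)."""
    text = f"{subject}\n{body}".lower()
    hits = [cat for cat, pats in LURE_PATTERNS.items()
            if any(re.search(p, text) for p in pats)]
    score = len(hits)
    # A link that does not belong to the sender's own domain is a strong
    # pretext indicator, so it weighs more than any single keyword category.
    mismatch = bool(sender_domain) and any(
        d != sender_domain and not d.endswith("." + sender_domain) for d in link_domains
    )
    if mismatch:
        score += 2
    return LureReport(hits, score, mismatch)


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Your package could not be delivered",
     "body": "Your parcel is on hold. Confirm the delivery address within 24 hours.",
     "sender_domain": "courier.example", "link_domains": ["track-updates.example"]},
    {"id": "m2", "subject": "Q3 budget review",
     "body": "Attached is the draft we discussed on Monday.",
     "sender_domain": "corp.example", "link_domains": []},
    {"id": "m3", "subject": "IT Helpdesk: password expires today",
     "body": "Your password expires today. Verify your account now to avoid lockout.",
     "sender_domain": "corp.example", "link_domains": ["corp.example"]},
    {"id": "m4", "subject": "You won a free gift card!!",
     "body": "Click to claim your prize, limited time only.",
     "sender_domain": "marketing.example", "link_domains": ["claim-now.example"]},
]


def triage(messages, threshold=2):
    """Return [(id, LureReport)] for messages scoring at or above the threshold."""
    flagged = []
    for m in messages:
        report = score_message(m["subject"], m["body"],
                               m.get("sender_domain"), m.get("link_domains", ()))
        if report.score >= threshold:
            flagged.append((m["id"], report))
    return flagged


if __name__ == "__main__":
    for msg_id, rep in triage(SAMPLE_MESSAGES):
        print(msg_id, rep.score, rep.categories, "link-mismatch" if rep.link_mismatch else "")
```

The scorer is deliberately simple: its purpose is to route reported mail to a human reviewer and to feed category counts back into awareness training (which lures actually land in your organization), not to replace a mail filter.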
19. Putting It All Together
• Targeted attacks will always use some form of social engineering.
• Just like in military operations, intel makes or breaks a mission.
• Hackers may never even need to use sophisticated technical attacks if you provide the information willingly.
21. Don't Fall for The Long Con
• Social engineering is nothing more than a con-game.
• The old "Long Con" has been ported to the digital world.
• Good cons are hard to spot.
24. Employee Training
• Traditional CBT methods don't work
• Engage the employee, make a personal plea
• Use gamification to enhance learning
• Prepare for different learning styles (audio, visual, hands-on)
• Awareness is not training and training is not awareness