NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack
โข
1 likeโข1,801 views
The Rise of Social Engineering -- Anatomy of a Full Scale Attack In this presentation you will gain insight on how hackers use the human element to increase the success probability of their attacks. It will cover everything from dumpster diving to email phishing and pretexting phone calls. Learn what to look for and how to defend your organization from social engineering attacks. David Nelson, CISSP, is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow with the Information Systems Security Association (ISSA). He has lead technology organizations in both the public and private sector. Prior to founding Integrity, he most recently was the Chief Information Security Officer for a leading health informatics company. He also managed an information security group for a top 5 U.S. banking organization, was the CIO for a higher education institution and served as the information security officer for one of the largest municipal governments on the East Coast.
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (19)
More from North Texas Chapter of the ISSA
More from North Texas Chapter of the ISSA (20)
Recently uploaded
Recently uploaded (20)
NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack
- 2. Dave Nelson, CISSP โข Certified Information Security Professional (CISSP) โข Over 20 years experience as information security professional โข Fellow with the Information Systems Security Association โข President Emeritus of ISSA Des Moines Iowa Chapter
- 5. Social Engineering โข Using knowledge of human behavior to elicit a defined response. โข Put simplyโฆgetting you to willingly do something for me which is likely not in your best interest.
- 6. Sociology and Psychology โข Study of human behavior, interaction and societal norms. โข Actions can be predicted quite accurately. โข Actions can also be influenced quite easily.
- 7. Simple Human Behavior โข Two Types of Responses โ Natural โ Learned Hackers will craft a scenario for you to enter, in order to elicit a response which they believe will give them the result they are looking for.
- 9. Why talk about social engineering Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and itโs on the rise. Source: 2016 Verizon Data Breach Investigation Report
- 11. Dumpster Diving โข Scouring through discarded items โ Calendars & Day planners โ Handwritten notes โ Phone & Email Lists โ Operation manuals or procedures โ System diagrams & IP addresses โ Source code
- 12. Pretexting โข Fraudulent phone calls โข Used to extract information โข Also used to setup other attacks such as facility entry or phishing
- 13. Phishing Attempts to get users to provide information or perform an action Tips For Identifying Phishing Attempts โ Asks to update account information via email โ No verification image or varying layout designs โ Provides unfamiliar hyperlinks
- 14. Common Bait โข Sweet Deals โ Free Stuff โ Limited Time Offers โ Package Delivery โข Help Me, Help You! โ Tech Support โข You Gottaโ See This!
- 15. Spear Phishing Example Good Morning Mike, You may or may not know, but Mary (CFO) and I are in Atlanta working to close a deal with our partners XYZ Company and ABC Limited on a $70 million dollar contract with Our Big Payday, Inc. In order to get the contracts signed, I need you to wire $85,620 to XYZ Company and $67,980 to ABC Limited. Mary says this should come from our Bank Name Here account number 123456789. The routing and account number for XYZ is 12345678 โ 7788994455 and for ABC is 98765432 โ 336699774411. Because Our Big Payday, Inc. is a publicly traded company, the terms of this agreement cannot be disclosed until they file their SEC reports for the quarter so your absolute discretion is expected. Under no circumstances are you to discuss this transaction with anyone in the department. A leak could result in SEC fines or prison for both of us for insider trading. If you have any questions about this, please respond to this email with your direct line and Iโll call you when Iโm out of the negotiation meetings. I appreciate all you do for us which is why Iโm trusting you with this key project. Keep up the good work! Sandy (CEO)
- 16. Physical Presence โข Gaining physical access can be easier than virtual access โข May provide additional information โข Comes at a higher risk but with a potentially greater reward
- 17. Physical Presence Examples โข Delivery Drivers โข Employee Tailgating โข Maintenance or Emergency Crews โข The key is to act like you belong. If you believe it so will everyone else.
- 18. Enticement Examples A folder with enticing title/label left on ground outside an employee entrance with a USB thumb drive taped inside. โข USB, CD or DVDs left in conspicuous spaces. โข May be accompanied by fake paper files โข Curiosity beats caution Year-End Bonuses
- 19. Putting It All Together โข Targeted attacks will always use some form of social engineering. โข Just like in military operations, intel makes or breaks a mission โข Hackers may never even need to use sophisticated technical attacks if you provide the information willingly
- 20. Stealth Mode โข Limited social engineering attacks can be hard to detect. โข Relevant information allows attackers to pinpoint their attack which makes their footprint hard to discover.
- 21. Donโt Fall for The Long Con โข Social engineering is nothing more than a con-game. โข The old โLong Conโ has been ported to the digital world. โข Good cons are hard to spot.
- 22. Best Defenses
- 23. Best Defenses โข Strong paper destruction process โข Limiting facility ingress/egress points โข Challenge unknown people in secure areas โข Implement technology to screen email and websites for attacks
- 24. Employee Training โข Traditional CBT methods donโt work โข Engage the employee, make a personal plea โข Use gamification to enhance learning โข Prepare for different learning styles (audio, visual, hands- on) โข Awareness is not training and training is not awareness
- 26. Summary โข Social engineering is here to stay and itโs growing โข Your organization will suffer a data breach due to social engineering โข The study of human behavior has been used by criminals for centuries, cybercriminals are no different โข Employees must be trained to spot social engineering and how to react
- 27. Question & Answer dave.nelson@integritysrc.com www.integritysrc.com/blog DaveNelsonCISSP @IntegrityCEO - @IntegritySRC 515-965-3756