Your SlideShare is downloading. ×
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Issa Vancouver 6 09 Pareto's Revenge

279

Published on

On the importance of Social Engineering and the need to treat user awareness less like training and more like marketing.

On the importance of Social Engineering and the need to treat user awareness less like training and more like marketing.

Published in: Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
279
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • The information security world exists on an incredibly short (20 year) timeframe - Even taking a *REALLY* long view, the entire Infosec industry extends only back as far as the mid-80s - AROUND 20 YEARS.Those were the daysSoftware Vulnerabilities weren’t significant - most based on configuration weaknessOnly a handful of people understood how to exploit technologiesSmall Target Surface - Few internet-connected computersFocus was on phone phreaking and academia Social Engineering reigned supremeMost successful attacks involved social engineeringUnsophisticated controls environmentsFew understood the jargonPolicies encouraged trust over security
  • Two Vital DatesOctober 13, 1994Mosaic Netscape 0.9 releasedThe web becomes easy to navigateAugust 24, 1995Windows 95 ReleasedHome computer use proliferates massivelyThe Internet Experiences exponential growthMoney starts to change handsInternet connected computers become a viable targetThis created a target rich environment...Phrack 49 - November 8, 1996.Aleph1 - Smashing the Stack for Fun and ProfitThe first real sophisticated vulnerabilities start to emergeA buffer overflow required knowledge of assembly and coding skillHackers now had to be more technicalReadily available exploit code actually makes breaking in to computers easierThe “golden age” of server hacking begins.1996-2003 - More of the sameMemory attacks become more sophisticatedPolymorphic shell-code designed to evade detective controlsMore advanced use of memory spaces (format strings, integer exploits) Windows XP Service Pack 2 AppearsMicrosoft finally hardens their operating systemsThe world changes overnightSecurity is now baked in to the computer.Server based vulnerabilities disappearAs massive server-based vulnerabilities disappear, client interaction becomes keyThe number of issues continues to increase, but the type of issues starts to change radicallySince 2005No major direct-exploitation worm outbreaksLess than a handful of “remote root” direct exploitation vulnerabilitiesMajor Classes of AttacksDrive-by DownloadExploitation through EmailExploitation through Social Networking SitesPhishing / Pharming / Spear-PhishingWhat’s the similarity?If you said “human interaction”, you get a gold star.
  • Two Vital DatesOctober 13, 1994Mosaic Netscape 0.9 releasedThe web becomes easy to navigateAugust 24, 1995Windows 95 ReleasedHome computer use proliferates massivelyThe Internet Experiences exponential growthMoney starts to change handsInternet connected computers become a viable targetThis created a target rich environment...Phrack 49 - November 8, 1996.Aleph1 - Smashing the Stack for Fun and ProfitThe first real sophisticated vulnerabilities start to emergeA buffer overflow required knowledge of assembly and coding skillHackers now had to be more technicalReadily available exploit code actually makes breaking in to computers easierThe “golden age” of server hacking begins.1996-2003 - More of the sameMemory attacks become more sophisticatedPolymorphic shell-code designed to evade detective controlsMore advanced use of memory spaces (format strings, integer exploits) Windows XP Service Pack 2 AppearsMicrosoft finally hardens their operating systemsThe world changes overnightSecurity is now baked in to the computer.Server based vulnerabilities disappearAs massive server-based vulnerabilities disappear, client interaction becomes keyThe number of issues continues to increase, but the type of issues starts to change radicallySince 2005No major direct-exploitation worm outbreaksLess than a handful of “remote root” direct exploitation vulnerabilitiesMajor Classes of AttacksDrive-by DownloadExploitation through EmailExploitation through Social Networking SitesPhishing / Pharming / Spear-PhishingWhat’s the similarity?If you said “human interaction”, you get a gold star.
  • Decide on how you want them to think about youWho do you want to be in the minds of your customers?Figure out what messages would teach them to think that way about youThe art of positioningDeliver those messagesRepeatedlyThrough many channels where possible
  • Decide on how you want them to think about youWho do you want to be in the minds of your customers?Figure out what messages would teach them to think that way about youThe art of positioningDeliver those messagesRepeatedlyThrough many channels where possible
  • Transcript

    • 1. Pareto’s Revenge
      Everything Old is New Again
      © 2008 – Foreground Security. All rights reserved
    • 2. Only two things are infinite: the universe and human stupidity.
      And I'm not sure about the former.
      - Albert Einstein
      2
    • 3. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Agenda
      The Changing Threat Environment
      What is Social Engineering
      The usual suspects
      What it really looks like
      How does it work?
      The art of exploiting humans
      The 3 Skills of Social Engineering
      How do you protect yourself?
    • 4. A History Lesson....
    • 5. Timeline – The Early Years
      1985
      1990
      1993
      5
    • 6. Interconnecting
      Vulnerability Environment:
      August 24, 1995
      November 8, 1996
      October 13, 1994
      1997
      1994
      6
    • 11. The Internet Era
      Major Vulnerabilities in:
      Major Worms:
      1998
      2000
      2003
      7
    • 25. Human /
      Organization
      Network
      Service /
      Server
      Client
      Application
      The Vulnerability Cycle
      8
    • 26. The human is the main exploit target again.
      Back to that comment about human stupidity...
    • 27. Defined (by Wikipedia):
      “The practice of obtaining confidential information by manipulating users.”
      The Art of Exploiting Human Weakness
      Humans are social creatures
      Human nature makes us vulnerable to each other
      Social engineers exploit weaknesses in human nature to obtain information or access to computer systems.
      A Confidence Trick
      Social Engineering is the age-old art of the “Confidence Man”
      Wikipedia: “For confidence tricks dealing with information theft or computers see social engineering.”
      Studying the con man gives us insight into social engineers
      © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Social Engineering
    • 28. Most people have 3 concepts of social engineering...
      The Technical Social Engineering Attack
      The “Pretext”
      The “Sneakers” Attack
      These only scratch the surface
      What we read in the media only serves to reinforce these perceptions
      Sophisticated social engineering is significantly more dangerous
      Those who get caught are the ones who we hear most about.
      Two examples to expand your mind...
      © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Hollywood Style
    • 29. 12
    • 30. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Hypnotic Robbery
      Humorous example of face-to-face human exploitation
      Convenience store robbery performed by “hypnosis”
      Ideal example of social engineering
      From a news report (http://www.wmur.com/news/14212889/detail.html):
      Police said that two Indian Punjabi men stole more than $1,000 from the Marlborough Country Convenience Store on Monday. The men told the storeowner that they were guruji, a type of Hindu priest, and that they could read his mind, police said....
      Patel said the scam began with a simple mind game. The men asked him what his favorite flower was, and they opened a paper with the correct answer on it: "Rose." They then told him to think of a wild animal, and they again had written down his choice....
      "They also said my wife's name that not too many people know," Patel said. "My mom's name, they told me. And they told me what was my future goal."
    • 31. Not funny at all: ChoicepointOver 163,000 identities compromised.Cost to the company: approx. $40M USDSEC Fines levied: $15M USD
      14
    • 32.
    • 33. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      How it works
      The limit of imagination
      Social engineering takes a huge number of forms
      Common theme: the use of influence and misdirection to obtain inappropriate information and access
      Knowing your enemy
      Generally part of criminal enterprise
      Somewhat risk averse
      Well-developed social skills
    • 34. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      The Basic Skill Set
      3 Parts to Exploiting Humans
      Communication
      Awareness
      Frame Control
      Most think only of the first
      Ears, Eyes and other senses are in proportion
      Most instructors focus on communication and leave the success of the other two elements to chance and natural talent
      Some believe that social engineers can not be taught
      Unfortunately, the bad guys are training on these skills.
    • 35. Language can both represent reality and shape it.
      Chris Keeler and Linda Ferguson
    • 36.
    • 37. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Communication
      The art of communication
      Language is the first skill of the social engineer
      Ability to craft words is first step in influence
      Language is not real
      Incomplete representation of reality
      Incompleteness creates opportunity
      Dual Purpose of Language
      Information Transfer
      Influence
    • 38.
    • 39. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Awareness
      Words are meaningless without awareness of what is working
      Your awareness of others acts as a compass
      You need to see and hear the effect of your words
      Two main types of awareness
      Body language
      Facial expressions
      Creating Rapport
      The feeling of being “in sync” with someone else
      Putting ourselves in the same state as our target
    • 40. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Frame Control
      Cognitive Frames
      Wikipedia: ”the inevitable process of selective influence over the individual's perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others”
      The frame is the context in which the content of an interaction occurs
      Frame control
      Transformation
      Extension / Contraction
      Combination
      Amplification / Compression
    • 41. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      The Elements of Influence
      Creating a frame with certain elements can enhance influence
      Reciprocity
      Authority
      Social Proof
      Confirmation
      Emotional / Amygdala hijack
      Confusion
      Inserting these elements within a frame can strengthen influence
      These are natural human responses
      We use these responses to create a context for influence
    • 42.
    • 43. Numerous Studies: Human error and internal threat responsible for more than 80% of Information Security breaches
      BUT
      Only 29% of organizations consider security training as a crucial requirement in preventing security breaches within organizations.
      26
    • 44. 27
      The Security Program
      Risk Management is the Key
      What are your major vulnerabilities?
      What are your top threats?
      How are you mitigating your risk?
      Security Program Fail
      Most Organizations do Not Include Users in that Control Environment
      Information Security focuses on technological controls
      If our users are the top threat…
      We’re missing the boat.
    • 45. Pareto had it right:20% of our efforts will produce 80% of our results.
      28
    • 46. The solution for social engineering
      Train your users on security topics
      Use case-study training and scenarios so that users understand.
      Ensure that users complete at least one multiple-choice test per quarter
      Make sure that users pass, and they are now “aware”.
      Two step process
      Decide what we want the user to know
      Find ways to “train” them on those things.
      This is how most corporations are approaching user protection
      © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Security Awareness Training
    • 47. The Security Awareness Process
      What do we want the users to know?
      Move to Next
      Goal
      Determine ways to teach users and deliver those messages
      30
    • 48. Unfortunately…
      We recently surveyed a number of security pros in orgs with security awareness programs:
      “If you could wake up tomorrow and the users understood 3 things about security, what would they be?”
      We heard answers like:
      Separation of duties / Principle of Least privilege
      Seeing the big picture of enterprise security
      Password Hygiene
      Internet Hygiene
      How to do business WHILE following policy
      That security is their responsibility.
      That there really are bad people who are out to get them.
      Infosecisn’t there to stop you from doing your job.
    • 49. So…Why Don’t They Know Those Things Already?
    • 50. Typical CISO/CIO/General Counsel Response: We Trained Them!!! They should have “Security Awareness”!!!
    • 51. Explanation #1“Users are stupid.”*
      *Amrit Williams said this on his blog at one point.
    • 52. Training Doesn’t Work
      Requires significant funding
      Low uptake level – most users ignore or go through the motions.
      The only way to “rub their noses in it” is through an incident
      Training is the first thing to cut
      When cutting costs, training is viewed as a luxury.
      More importantly, ROI is generally not measured
      “Success” is nebulous at best
      “Training” is the wrong model
      35
      People Aren’t Puppies
    • 53. 36
      Solving the Problem
      We have two main issues in getting users on-board
      Users view security as a braking (breaking?) function
      Users believe security is solved by the Information Security Department and that it’s not their responsibility.
      The biggest problem:
      • NEITHER OF THESE ARE TRUE!
      These are both perception issues
      How do other industries solve perception issues?
    • 54. Explanation #2“Your marketing sucks.”
      Mark Stevens
      37
    • 55. The Marketing Process
      What do we want the users to know?
      Measure:
      How many people already know that?
      Determine ways to teach users and deliver those messages
      Yes – move
      to next goal
      Measure:
      How many people know that now?
      No
      Did we achieve our goals?
      38
    • 56. Measurement Is Key
      Good Marketers Measure their Impact
      This involves understanding how their messages impact their targets
      Goals need to be set based on measurability
      Define your goals based on how you will measure them
      You Need a Baseline
      Measure before you start your “Awareness” efforts
      This lets you know how many of your users are already aware
      Measure at the End
      This gives you an idea of the success of your efforts
      This is called “ROI”.
    • 57. 40
      Perception and Reality
      Positioning is the art of changing reality.
      The technique by which marketers try to create an image or identity in the minds of their target market for its product, brand, or organization. (Wikipedia)
      The key question is: How are we positioned?
      Strong positioning is the key to strong marketing
      What is the position of the following brands?
      Rolls Royce
      Ferrari
      Chevy
      Information Security within Your Organization?
      What position do you want to have?
      What would make you think that?
    • 58. Delivering Your Message
      Caveat: It’s far easier to say it than to do it.
      They have a say in this process too.
      Positioning is a dance between what the users think and what you say
      This means you have to say it often.
      Rule of thumb: a user has to see your message at least 7 times before your message has ANY effect
      This is the main reason that “awareness training” doesn’t work!!!
      Breaking the “Awareness Shield”
      Users are marketed to repeatedly
      We need to break through their “awareness shield”.
    • 59. 42
      The Tool-kit
      Marketing
      The art of creating favorable impressions in your target audience
      3 Tools of Marketing
      PR
      Advertising
      Direct Interaction
      Tactical Use of Tools Support your Strategy
      Need to know what the focus of your security program is
      How do users compromise your current goals?
    • 60. 43
      7 Steps to Security Awareness
      Security Awarenessis an integrated process involving your entire security program
      Identify innovative initiatives that can command the attention of your users
      Integrate all the elements of your security program
      Do not engage in any initiatives that fail to produce positive ROI
      Pick the low hanging fruit first
      Don’t be linear
      Be persistent, relentless, inventive, counterintuitive, challenging, combative, strategic and tactical.
      (Adapted from Your Marketing Sucks, Mark Stevens, )
    • 61. Case Study: Strong Passwords
      44
      Goal
      Client wants to teach their users to select strong passwords where password controls are not enforceable (e.g. cloud services)
      Security Awareness Plan
      Send emails telling people to choose strong passwords
      Ask users to take multiple choice test that confirms that they know to create strong passwords.
    • 62. Case Study: Strong Passwords
      45
      Strategic Goal
      Improve password strength across the enterprise
      Security Marketing Campaign
      Step 1: Measure strength of passwords chosen for baseline
      Tools: survey random set of users, create application and test strength, etc.
      Step 2: Create Marketing Campaign
      Send emails to users – both instructional and examples that offer resources
      Use multiple choice tests
      Newsletters, articles, etc.
      Repeat messages over short period of time
      Step 3: Measure strength of passwords, look for changes.
      Use SAME measurement technique as baseline
      Did we get results? If no, repeat step 2 with different tactics.
    • 63. Questions?
      Feel free to email:
      mike@foregroundsecurity.com

    ×