Your SlideShare is downloading. ×
0
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Issa Vancouver 6 09  Pareto's Revenge
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Issa Vancouver 6 09 Pareto's Revenge

287

Published on

On the importance of Social Engineering and the need to treat user awareness less like training and more like marketing.

On the importance of Social Engineering and the need to treat user awareness less like training and more like marketing.

Published in: Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
287
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • The information security world exists on an incredibly short (20 year) timeframe - Even taking a *REALLY* long view, the entire Infosec industry extends only back as far as the mid-80s - AROUND 20 YEARS.Those were the daysSoftware Vulnerabilities weren’t significant - most based on configuration weaknessOnly a handful of people understood how to exploit technologiesSmall Target Surface - Few internet-connected computersFocus was on phone phreaking and academia Social Engineering reigned supremeMost successful attacks involved social engineeringUnsophisticated controls environmentsFew understood the jargonPolicies encouraged trust over security
  • Two Vital DatesOctober 13, 1994Mosaic Netscape 0.9 releasedThe web becomes easy to navigateAugust 24, 1995Windows 95 ReleasedHome computer use proliferates massivelyThe Internet Experiences exponential growthMoney starts to change handsInternet connected computers become a viable targetThis created a target rich environment...Phrack 49 - November 8, 1996.Aleph1 - Smashing the Stack for Fun and ProfitThe first real sophisticated vulnerabilities start to emergeA buffer overflow required knowledge of assembly and coding skillHackers now had to be more technicalReadily available exploit code actually makes breaking in to computers easierThe “golden age” of server hacking begins.1996-2003 - More of the sameMemory attacks become more sophisticatedPolymorphic shell-code designed to evade detective controlsMore advanced use of memory spaces (format strings, integer exploits) Windows XP Service Pack 2 AppearsMicrosoft finally hardens their operating systemsThe world changes overnightSecurity is now baked in to the computer.Server based vulnerabilities disappearAs massive server-based vulnerabilities disappear, client interaction becomes keyThe number of issues continues to increase, but the type of issues starts to change radicallySince 2005No major direct-exploitation worm outbreaksLess than a handful of “remote root” direct exploitation vulnerabilitiesMajor Classes of AttacksDrive-by DownloadExploitation through EmailExploitation through Social Networking SitesPhishing / Pharming / Spear-PhishingWhat’s the similarity?If you said “human interaction”, you get a gold star.
  • Two Vital DatesOctober 13, 1994Mosaic Netscape 0.9 releasedThe web becomes easy to navigateAugust 24, 1995Windows 95 ReleasedHome computer use proliferates massivelyThe Internet Experiences exponential growthMoney starts to change handsInternet connected computers become a viable targetThis created a target rich environment...Phrack 49 - November 8, 1996.Aleph1 - Smashing the Stack for Fun and ProfitThe first real sophisticated vulnerabilities start to emergeA buffer overflow required knowledge of assembly and coding skillHackers now had to be more technicalReadily available exploit code actually makes breaking in to computers easierThe “golden age” of server hacking begins.1996-2003 - More of the sameMemory attacks become more sophisticatedPolymorphic shell-code designed to evade detective controlsMore advanced use of memory spaces (format strings, integer exploits) Windows XP Service Pack 2 AppearsMicrosoft finally hardens their operating systemsThe world changes overnightSecurity is now baked in to the computer.Server based vulnerabilities disappearAs massive server-based vulnerabilities disappear, client interaction becomes keyThe number of issues continues to increase, but the type of issues starts to change radicallySince 2005No major direct-exploitation worm outbreaksLess than a handful of “remote root” direct exploitation vulnerabilitiesMajor Classes of AttacksDrive-by DownloadExploitation through EmailExploitation through Social Networking SitesPhishing / Pharming / Spear-PhishingWhat’s the similarity?If you said “human interaction”, you get a gold star.
  • Decide on how you want them to think about youWho do you want to be in the minds of your customers?Figure out what messages would teach them to think that way about youThe art of positioningDeliver those messagesRepeatedlyThrough many channels where possible
  • Decide on how you want them to think about youWho do you want to be in the minds of your customers?Figure out what messages would teach them to think that way about youThe art of positioningDeliver those messagesRepeatedlyThrough many channels where possible
  • Transcript

    • 1. Pareto’s Revenge<br />Everything Old is New Again<br /> © 2008 – Foreground Security. All rights reserved<br />
    • 2. Only two things are infinite: the universe and human stupidity.<br />And I&apos;m not sure about the former.<br />- Albert Einstein<br />2<br />
    • 3. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Agenda<br />The Changing Threat Environment<br />What is Social Engineering <br />The usual suspects<br />What it really looks like<br />How does it work?<br />The art of exploiting humans<br />The 3 Skills of Social Engineering<br />How do you protect yourself?<br />
    • 4. A History Lesson....<br />
    • 5. Timeline – The Early Years<br />1985<br />1990<br />1993<br />5<br />
    • 6. Interconnecting<br />Vulnerability Environment:<br /><ul><li>Syn Flooding
    • 7. UDP Denial of Service
    • 8. Smurf attacks
    • 9. Teardrop
    • 10. Land</li></ul>August 24, 1995 <br />November 8, 1996<br />October 13, 1994 <br />1997<br />1994<br />6<br />
    • 11. The Internet Era<br />Major Vulnerabilities in:<br /><ul><li>Bind
    • 12. Sendmail
    • 13. Sadmind
    • 14. Apache
    • 15. IIS
    • 16. Wu-FTPD
    • 17. Tooltalk
    • 18. IMAP
    • 19. POP
    • 20. SQL Server
    • 21. Statd, CDE</li></ul>Major Worms:<br /><ul><li>Cod Red
    • 22. Nimda
    • 23. SQL Slammer
    • 24. MS Blaster</li></ul>1998<br />2000<br />2003<br />7<br />
    • 25. Human /<br />Organization<br />Network<br />Service /<br />Server<br />Client<br />Application<br />The Vulnerability Cycle<br />8<br />
    • 26. The human is the main exploit target again.<br />Back to that comment about human stupidity...<br />
    • 27. Defined (by Wikipedia):<br />“The practice of obtaining confidential information by manipulating users.”<br />The Art of Exploiting Human Weakness<br />Humans are social creatures<br />Human nature makes us vulnerable to each other<br />Social engineers exploit weaknesses in human nature to obtain information or access to computer systems.<br />A Confidence Trick<br />Social Engineering is the age-old art of the “Confidence Man”<br />Wikipedia: “For confidence tricks dealing with information theft or computers see social engineering.”<br />Studying the con man gives us insight into social engineers<br />© 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Social Engineering<br />
    • 28. Most people have 3 concepts of social engineering...<br />The Technical Social Engineering Attack<br />The “Pretext”<br />The “Sneakers” Attack<br />These only scratch the surface<br />What we read in the media only serves to reinforce these perceptions<br />Sophisticated social engineering is significantly more dangerous<br />Those who get caught are the ones who we hear most about.<br />Two examples to expand your mind...<br />© 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Hollywood Style<br />
    • 29. 12<br />
    • 30. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Hypnotic Robbery<br />Humorous example of face-to-face human exploitation<br />Convenience store robbery performed by “hypnosis”<br />Ideal example of social engineering<br />From a news report (http://www.wmur.com/news/14212889/detail.html):<br />Police said that two Indian Punjabi men stole more than $1,000 from the Marlborough Country Convenience Store on Monday. The men told the storeowner that they were guruji, a type of Hindu priest, and that they could read his mind, police said....<br />Patel said the scam began with a simple mind game. The men asked him what his favorite flower was, and they opened a paper with the correct answer on it: &quot;Rose.&quot; They then told him to think of a wild animal, and they again had written down his choice....<br />&quot;They also said my wife&apos;s name that not too many people know,&quot; Patel said. &quot;My mom&apos;s name, they told me. And they told me what was my future goal.&quot;<br />
    • 31. Not funny at all: ChoicepointOver 163,000 identities compromised.Cost to the company: approx. $40M USDSEC Fines levied: $15M USD<br />14<br />
    • 32.
    • 33. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />How it works<br />The limit of imagination<br />Social engineering takes a huge number of forms<br />Common theme: the use of influence and misdirection to obtain inappropriate information and access<br />Knowing your enemy<br />Generally part of criminal enterprise<br />Somewhat risk averse<br />Well-developed social skills<br />
    • 34. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />The Basic Skill Set<br />3 Parts to Exploiting Humans<br />Communication<br />Awareness<br />Frame Control<br />Most think only of the first<br />Ears, Eyes and other senses are in proportion<br />Most instructors focus on communication and leave the success of the other two elements to chance and natural talent<br />Some believe that social engineers can not be taught<br />Unfortunately, the bad guys are training on these skills.<br />
    • 35. Language can both represent reality and shape it.<br />Chris Keeler and Linda Ferguson<br />
    • 36.
    • 37. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Communication<br />The art of communication<br />Language is the first skill of the social engineer<br />Ability to craft words is first step in influence<br />Language is not real<br />Incomplete representation of reality<br />Incompleteness creates opportunity<br />Dual Purpose of Language<br />Information Transfer<br />Influence<br />
    • 38.
    • 39. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Awareness<br />Words are meaningless without awareness of what is working<br />Your awareness of others acts as a compass<br />You need to see and hear the effect of your words<br />Two main types of awareness<br />Body language<br />Facial expressions<br />Creating Rapport<br />The feeling of being “in sync” with someone else<br />Putting ourselves in the same state as our target<br />
    • 40. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Frame Control<br />Cognitive Frames<br />Wikipedia: ”the inevitable process of selective influence over the individual&apos;s perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others”<br />The frame is the context in which the content of an interaction occurs<br />Frame control<br />Transformation<br />Extension / Contraction<br />Combination<br />Amplification / Compression<br />
    • 41. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />The Elements of Influence<br />Creating a frame with certain elements can enhance influence<br />Reciprocity<br />Authority<br />Social Proof<br />Confirmation<br />Emotional / Amygdala hijack<br />Confusion<br />Inserting these elements within a frame can strengthen influence<br />These are natural human responses<br />We use these responses to create a context for influence<br />
    • 42.
    • 43. Numerous Studies: Human error and internal threat responsible for more than 80% of Information Security breaches<br />BUT<br />Only 29% of organizations consider security training as a crucial requirement in preventing security breaches within organizations. <br />26<br />
    • 44. 27<br />The Security Program<br />Risk Management is the Key<br />What are your major vulnerabilities?<br />What are your top threats?<br />How are you mitigating your risk?<br />Security Program Fail<br />Most Organizations do Not Include Users in that Control Environment<br />Information Security focuses on technological controls<br />If our users are the top threat…<br />We’re missing the boat.<br />
    • 45. Pareto had it right:20% of our efforts will produce 80% of our results.<br />28<br />
    • 46. The solution for social engineering<br />Train your users on security topics<br />Use case-study training and scenarios so that users understand.<br />Ensure that users complete at least one multiple-choice test per quarter<br />Make sure that users pass, and they are now “aware”.<br />Two step process<br />Decide what we want the user to know<br />Find ways to “train” them on those things.<br />This is how most corporations are approaching user protection<br />© 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved<br />Security Awareness Training<br />
    • 47. The Security Awareness Process<br />What do we want the users to know?<br />Move to Next<br />Goal<br />Determine ways to teach users and deliver those messages<br />30<br />
    • 48. Unfortunately…<br />We recently surveyed a number of security pros in orgs with security awareness programs: <br />“If you could wake up tomorrow and the users understood 3 things about security, what would they be?”<br />We heard answers like:<br />Separation of duties / Principle of Least privilege<br />Seeing the big picture of enterprise security<br />Password Hygiene<br />Internet Hygiene<br />How to do business WHILE following policy<br />That security is their responsibility.<br />That there really are bad people who are out to get them.<br />Infosecisn’t there to stop you from doing your job.<br />
    • 49. So…Why Don’t They Know Those Things Already?<br />
    • 50. Typical CISO/CIO/General Counsel Response: We Trained Them!!! They should have “Security Awareness”!!!<br />
    • 51. Explanation #1“Users are stupid.”*<br />*Amrit Williams said this on his blog at one point.<br />
    • 52. Training Doesn’t Work<br />Requires significant funding<br />Low uptake level – most users ignore or go through the motions.<br />The only way to “rub their noses in it” is through an incident<br />Training is the first thing to cut<br />When cutting costs, training is viewed as a luxury.<br />More importantly, ROI is generally not measured<br />“Success” is nebulous at best<br />“Training” is the wrong model<br />35<br />People Aren’t Puppies<br />
    • 53. 36<br />Solving the Problem<br />We have two main issues in getting users on-board<br />Users view security as a braking (breaking?) function<br />Users believe security is solved by the Information Security Department and that it’s not their responsibility.<br />The biggest problem: <br /><ul><li>NEITHER OF THESE ARE TRUE!</li></ul>These are both perception issues<br />How do other industries solve perception issues?<br />
    • 54. Explanation #2“Your marketing sucks.”<br />Mark Stevens<br />37<br />
    • 55. The Marketing Process<br />What do we want the users to know?<br />Measure: <br />How many people already know that? <br />Determine ways to teach users and deliver those messages<br />Yes – move<br />to next goal<br />Measure: <br />How many people know that now? <br />No<br />Did we achieve our goals?<br />38<br />
    • 56. Measurement Is Key<br />Good Marketers Measure their Impact<br />This involves understanding how their messages impact their targets<br />Goals need to be set based on measurability<br />Define your goals based on how you will measure them<br />You Need a Baseline<br />Measure before you start your “Awareness” efforts<br />This lets you know how many of your users are already aware<br />Measure at the End<br />This gives you an idea of the success of your efforts<br />This is called “ROI”. <br />
    • 57. 40<br />Perception and Reality<br />Positioning is the art of changing reality.<br />The technique by which marketers try to create an image or identity in the minds of their target market for its product, brand, or organization. (Wikipedia)<br />The key question is: How are we positioned?<br />Strong positioning is the key to strong marketing<br />What is the position of the following brands?<br />Rolls Royce<br />Ferrari<br />Chevy<br />Information Security within Your Organization?<br />What position do you want to have?<br />What would make you think that?<br />
    • 58. Delivering Your Message<br />Caveat: It’s far easier to say it than to do it.<br />They have a say in this process too.<br />Positioning is a dance between what the users think and what you say<br />This means you have to say it often.<br />Rule of thumb: a user has to see your message at least 7 times before your message has ANY effect<br />This is the main reason that “awareness training” doesn’t work!!!<br />Breaking the “Awareness Shield”<br />Users are marketed to repeatedly<br />We need to break through their “awareness shield”.<br />
    • 59. 42<br />The Tool-kit<br />Marketing<br />The art of creating favorable impressions in your target audience<br />3 Tools of Marketing<br />PR <br />Advertising<br />Direct Interaction<br />Tactical Use of Tools Support your Strategy<br />Need to know what the focus of your security program is<br />How do users compromise your current goals?<br />
    • 60. 43<br />7 Steps to Security Awareness<br />Security Awarenessis an integrated process involving your entire security program<br />Identify innovative initiatives that can command the attention of your users<br />Integrate all the elements of your security program<br />Do not engage in any initiatives that fail to produce positive ROI<br />Pick the low hanging fruit first<br />Don’t be linear<br />Be persistent, relentless, inventive, counterintuitive, challenging, combative, strategic and tactical.<br />(Adapted from Your Marketing Sucks, Mark Stevens, )<br />
    • 61. Case Study: Strong Passwords<br />44<br />Goal<br />Client wants to teach their users to select strong passwords where password controls are not enforceable (e.g. cloud services)<br />Security Awareness Plan<br />Send emails telling people to choose strong passwords<br />Ask users to take multiple choice test that confirms that they know to create strong passwords.<br />
    • 62. Case Study: Strong Passwords<br />45<br />Strategic Goal<br />Improve password strength across the enterprise<br />Security Marketing Campaign<br />Step 1: Measure strength of passwords chosen for baseline<br />Tools: survey random set of users, create application and test strength, etc.<br />Step 2: Create Marketing Campaign<br />Send emails to users – both instructional and examples that offer resources<br />Use multiple choice tests<br />Newsletters, articles, etc.<br />Repeat messages over short period of time<br />Step 3: Measure strength of passwords, look for changes.<br />Use SAME measurement technique as baseline<br />Did we get results? If no, repeat step 2 with different tactics.<br />
    • 63. Questions?<br />Feel free to email: <br />mike@foregroundsecurity.com<br />

    ×