• Save
Issa Vancouver 6 09  Pareto's Revenge
Upcoming SlideShare
Loading in...5
×
 

Issa Vancouver 6 09 Pareto's Revenge

on

  • 483 views

On the importance of Social Engineering and the need to treat user awareness less like training and more like marketing.

On the importance of Social Engineering and the need to treat user awareness less like training and more like marketing.

Statistics

Views

Total Views
483
Views on SlideShare
481
Embed Views
2

Actions

Likes
0
Downloads
0
Comments
0

1 Embed 2

http://www.linkedin.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • The information security world exists on an incredibly short (20 year) timeframe - Even taking a *REALLY* long view, the entire Infosec industry extends only back as far as the mid-80s - AROUND 20 YEARS.Those were the daysSoftware Vulnerabilities weren’t significant - most based on configuration weaknessOnly a handful of people understood how to exploit technologiesSmall Target Surface - Few internet-connected computersFocus was on phone phreaking and academia Social Engineering reigned supremeMost successful attacks involved social engineeringUnsophisticated controls environmentsFew understood the jargonPolicies encouraged trust over security
  • Two Vital DatesOctober 13, 1994Mosaic Netscape 0.9 releasedThe web becomes easy to navigateAugust 24, 1995Windows 95 ReleasedHome computer use proliferates massivelyThe Internet Experiences exponential growthMoney starts to change handsInternet connected computers become a viable targetThis created a target rich environment...Phrack 49 - November 8, 1996.Aleph1 - Smashing the Stack for Fun and ProfitThe first real sophisticated vulnerabilities start to emergeA buffer overflow required knowledge of assembly and coding skillHackers now had to be more technicalReadily available exploit code actually makes breaking in to computers easierThe “golden age” of server hacking begins.1996-2003 - More of the sameMemory attacks become more sophisticatedPolymorphic shell-code designed to evade detective controlsMore advanced use of memory spaces (format strings, integer exploits) Windows XP Service Pack 2 AppearsMicrosoft finally hardens their operating systemsThe world changes overnightSecurity is now baked in to the computer.Server based vulnerabilities disappearAs massive server-based vulnerabilities disappear, client interaction becomes keyThe number of issues continues to increase, but the type of issues starts to change radicallySince 2005No major direct-exploitation worm outbreaksLess than a handful of “remote root” direct exploitation vulnerabilitiesMajor Classes of AttacksDrive-by DownloadExploitation through EmailExploitation through Social Networking SitesPhishing / Pharming / Spear-PhishingWhat’s the similarity?If you said “human interaction”, you get a gold star.
  • Two Vital DatesOctober 13, 1994Mosaic Netscape 0.9 releasedThe web becomes easy to navigateAugust 24, 1995Windows 95 ReleasedHome computer use proliferates massivelyThe Internet Experiences exponential growthMoney starts to change handsInternet connected computers become a viable targetThis created a target rich environment...Phrack 49 - November 8, 1996.Aleph1 - Smashing the Stack for Fun and ProfitThe first real sophisticated vulnerabilities start to emergeA buffer overflow required knowledge of assembly and coding skillHackers now had to be more technicalReadily available exploit code actually makes breaking in to computers easierThe “golden age” of server hacking begins.1996-2003 - More of the sameMemory attacks become more sophisticatedPolymorphic shell-code designed to evade detective controlsMore advanced use of memory spaces (format strings, integer exploits) Windows XP Service Pack 2 AppearsMicrosoft finally hardens their operating systemsThe world changes overnightSecurity is now baked in to the computer.Server based vulnerabilities disappearAs massive server-based vulnerabilities disappear, client interaction becomes keyThe number of issues continues to increase, but the type of issues starts to change radicallySince 2005No major direct-exploitation worm outbreaksLess than a handful of “remote root” direct exploitation vulnerabilitiesMajor Classes of AttacksDrive-by DownloadExploitation through EmailExploitation through Social Networking SitesPhishing / Pharming / Spear-PhishingWhat’s the similarity?If you said “human interaction”, you get a gold star.
  • Decide on how you want them to think about youWho do you want to be in the minds of your customers?Figure out what messages would teach them to think that way about youThe art of positioningDeliver those messagesRepeatedlyThrough many channels where possible
  • Decide on how you want them to think about youWho do you want to be in the minds of your customers?Figure out what messages would teach them to think that way about youThe art of positioningDeliver those messagesRepeatedlyThrough many channels where possible

Issa Vancouver 6 09  Pareto's Revenge Issa Vancouver 6 09 Pareto's Revenge Presentation Transcript

  • Pareto’s Revenge
    Everything Old is New Again
    © 2008 – Foreground Security. All rights reserved
  • Only two things are infinite: the universe and human stupidity.
    And I'm not sure about the former.
    - Albert Einstein
    2
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Agenda
    The Changing Threat Environment
    What is Social Engineering
    The usual suspects
    What it really looks like
    How does it work?
    The art of exploiting humans
    The 3 Skills of Social Engineering
    How do you protect yourself?
  • A History Lesson....
  • Timeline – The Early Years
    1985
    1990
    1993
    5
  • Interconnecting
    Vulnerability Environment:
    • Syn Flooding
    • UDP Denial of Service
    • Smurf attacks
    • Teardrop
    • Land
    August 24, 1995
    November 8, 1996
    October 13, 1994
    1997
    1994
    6
  • The Internet Era
    Major Vulnerabilities in:
    • Bind
    • Sendmail
    • Sadmind
    • Apache
    • IIS
    • Wu-FTPD
    • Tooltalk
    • IMAP
    • POP
    • SQL Server
    • Statd, CDE
    Major Worms:
    • Cod Red
    • Nimda
    • SQL Slammer
    • MS Blaster
    1998
    2000
    2003
    7
  • Human /
    Organization
    Network
    Service /
    Server
    Client
    Application
    The Vulnerability Cycle
    8
  • The human is the main exploit target again.
    Back to that comment about human stupidity...
  • Defined (by Wikipedia):
    “The practice of obtaining confidential information by manipulating users.”
    The Art of Exploiting Human Weakness
    Humans are social creatures
    Human nature makes us vulnerable to each other
    Social engineers exploit weaknesses in human nature to obtain information or access to computer systems.
    A Confidence Trick
    Social Engineering is the age-old art of the “Confidence Man”
    Wikipedia: “For confidence tricks dealing with information theft or computers see social engineering.”
    Studying the con man gives us insight into social engineers
    © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Social Engineering
  • Most people have 3 concepts of social engineering...
    The Technical Social Engineering Attack
    The “Pretext”
    The “Sneakers” Attack
    These only scratch the surface
    What we read in the media only serves to reinforce these perceptions
    Sophisticated social engineering is significantly more dangerous
    Those who get caught are the ones who we hear most about.
    Two examples to expand your mind...
    © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Hollywood Style
  • 12
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Hypnotic Robbery
    Humorous example of face-to-face human exploitation
    Convenience store robbery performed by “hypnosis”
    Ideal example of social engineering
    From a news report (http://www.wmur.com/news/14212889/detail.html):
    Police said that two Indian Punjabi men stole more than $1,000 from the Marlborough Country Convenience Store on Monday. The men told the storeowner that they were guruji, a type of Hindu priest, and that they could read his mind, police said....
    Patel said the scam began with a simple mind game. The men asked him what his favorite flower was, and they opened a paper with the correct answer on it: "Rose." They then told him to think of a wild animal, and they again had written down his choice....
    "They also said my wife's name that not too many people know," Patel said. "My mom's name, they told me. And they told me what was my future goal."
  • Not funny at all: ChoicepointOver 163,000 identities compromised.Cost to the company: approx. $40M USDSEC Fines levied: $15M USD
    14
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    How it works
    The limit of imagination
    Social engineering takes a huge number of forms
    Common theme: the use of influence and misdirection to obtain inappropriate information and access
    Knowing your enemy
    Generally part of criminal enterprise
    Somewhat risk averse
    Well-developed social skills
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    The Basic Skill Set
    3 Parts to Exploiting Humans
    Communication
    Awareness
    Frame Control
    Most think only of the first
    Ears, Eyes and other senses are in proportion
    Most instructors focus on communication and leave the success of the other two elements to chance and natural talent
    Some believe that social engineers can not be taught
    Unfortunately, the bad guys are training on these skills.
  • Language can both represent reality and shape it.
    Chris Keeler and Linda Ferguson
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Communication
    The art of communication
    Language is the first skill of the social engineer
    Ability to craft words is first step in influence
    Language is not real
    Incomplete representation of reality
    Incompleteness creates opportunity
    Dual Purpose of Language
    Information Transfer
    Influence
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Awareness
    Words are meaningless without awareness of what is working
    Your awareness of others acts as a compass
    You need to see and hear the effect of your words
    Two main types of awareness
    Body language
    Facial expressions
    Creating Rapport
    The feeling of being “in sync” with someone else
    Putting ourselves in the same state as our target
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Frame Control
    Cognitive Frames
    Wikipedia: ”the inevitable process of selective influence over the individual's perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others”
    The frame is the context in which the content of an interaction occurs
    Frame control
    Transformation
    Extension / Contraction
    Combination
    Amplification / Compression
  • © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    The Elements of Influence
    Creating a frame with certain elements can enhance influence
    Reciprocity
    Authority
    Social Proof
    Confirmation
    Emotional / Amygdala hijack
    Confusion
    Inserting these elements within a frame can strengthen influence
    These are natural human responses
    We use these responses to create a context for influence
  • Numerous Studies: Human error and internal threat responsible for more than 80% of Information Security breaches
    BUT
    Only 29% of organizations consider security training as a crucial requirement in preventing security breaches within organizations.
    26
  • 27
    The Security Program
    Risk Management is the Key
    What are your major vulnerabilities?
    What are your top threats?
    How are you mitigating your risk?
    Security Program Fail
    Most Organizations do Not Include Users in that Control Environment
    Information Security focuses on technological controls
    If our users are the top threat…
    We’re missing the boat.
  • Pareto had it right:20% of our efforts will produce 80% of our results.
    28
  • The solution for social engineering
    Train your users on security topics
    Use case-study training and scenarios so that users understand.
    Ensure that users complete at least one multiple-choice test per quarter
    Make sure that users pass, and they are now “aware”.
    Two step process
    Decide what we want the user to know
    Find ways to “train” them on those things.
    This is how most corporations are approaching user protection
    © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
    Security Awareness Training
  • The Security Awareness Process
    What do we want the users to know?
    Move to Next
    Goal
    Determine ways to teach users and deliver those messages
    30
  • Unfortunately…
    We recently surveyed a number of security pros in orgs with security awareness programs:
    “If you could wake up tomorrow and the users understood 3 things about security, what would they be?”
    We heard answers like:
    Separation of duties / Principle of Least privilege
    Seeing the big picture of enterprise security
    Password Hygiene
    Internet Hygiene
    How to do business WHILE following policy
    That security is their responsibility.
    That there really are bad people who are out to get them.
    Infosecisn’t there to stop you from doing your job.
  • So…Why Don’t They Know Those Things Already?
  • Typical CISO/CIO/General Counsel Response: We Trained Them!!! They should have “Security Awareness”!!!
  • Explanation #1“Users are stupid.”*
    *Amrit Williams said this on his blog at one point.
  • Training Doesn’t Work
    Requires significant funding
    Low uptake level – most users ignore or go through the motions.
    The only way to “rub their noses in it” is through an incident
    Training is the first thing to cut
    When cutting costs, training is viewed as a luxury.
    More importantly, ROI is generally not measured
    “Success” is nebulous at best
    “Training” is the wrong model
    35
    People Aren’t Puppies
  • 36
    Solving the Problem
    We have two main issues in getting users on-board
    Users view security as a braking (breaking?) function
    Users believe security is solved by the Information Security Department and that it’s not their responsibility.
    The biggest problem:
    • NEITHER OF THESE ARE TRUE!
    These are both perception issues
    How do other industries solve perception issues?
  • Explanation #2“Your marketing sucks.”
    Mark Stevens
    37
  • The Marketing Process
    What do we want the users to know?
    Measure:
    How many people already know that?
    Determine ways to teach users and deliver those messages
    Yes – move
    to next goal
    Measure:
    How many people know that now?
    No
    Did we achieve our goals?
    38
  • Measurement Is Key
    Good Marketers Measure their Impact
    This involves understanding how their messages impact their targets
    Goals need to be set based on measurability
    Define your goals based on how you will measure them
    You Need a Baseline
    Measure before you start your “Awareness” efforts
    This lets you know how many of your users are already aware
    Measure at the End
    This gives you an idea of the success of your efforts
    This is called “ROI”.
  • 40
    Perception and Reality
    Positioning is the art of changing reality.
    The technique by which marketers try to create an image or identity in the minds of their target market for its product, brand, or organization. (Wikipedia)
    The key question is: How are we positioned?
    Strong positioning is the key to strong marketing
    What is the position of the following brands?
    Rolls Royce
    Ferrari
    Chevy
    Information Security within Your Organization?
    What position do you want to have?
    What would make you think that?
  • Delivering Your Message
    Caveat: It’s far easier to say it than to do it.
    They have a say in this process too.
    Positioning is a dance between what the users think and what you say
    This means you have to say it often.
    Rule of thumb: a user has to see your message at least 7 times before your message has ANY effect
    This is the main reason that “awareness training” doesn’t work!!!
    Breaking the “Awareness Shield”
    Users are marketed to repeatedly
    We need to break through their “awareness shield”.
  • 42
    The Tool-kit
    Marketing
    The art of creating favorable impressions in your target audience
    3 Tools of Marketing
    PR
    Advertising
    Direct Interaction
    Tactical Use of Tools Support your Strategy
    Need to know what the focus of your security program is
    How do users compromise your current goals?
  • 43
    7 Steps to Security Awareness
    Security Awarenessis an integrated process involving your entire security program
    Identify innovative initiatives that can command the attention of your users
    Integrate all the elements of your security program
    Do not engage in any initiatives that fail to produce positive ROI
    Pick the low hanging fruit first
    Don’t be linear
    Be persistent, relentless, inventive, counterintuitive, challenging, combative, strategic and tactical.
    (Adapted from Your Marketing Sucks, Mark Stevens, )
  • Case Study: Strong Passwords
    44
    Goal
    Client wants to teach their users to select strong passwords where password controls are not enforceable (e.g. cloud services)
    Security Awareness Plan
    Send emails telling people to choose strong passwords
    Ask users to take multiple choice test that confirms that they know to create strong passwords.
  • Case Study: Strong Passwords
    45
    Strategic Goal
    Improve password strength across the enterprise
    Security Marketing Campaign
    Step 1: Measure strength of passwords chosen for baseline
    Tools: survey random set of users, create application and test strength, etc.
    Step 2: Create Marketing Campaign
    Send emails to users – both instructional and examples that offer resources
    Use multiple choice tests
    Newsletters, articles, etc.
    Repeat messages over short period of time
    Step 3: Measure strength of passwords, look for changes.
    Use SAME measurement technique as baseline
    Did we get results? If no, repeat step 2 with different tactics.
  • Questions?
    Feel free to email:
    mike@foregroundsecurity.com