Social Engineering, Insider and Cyber Threat

Presentation with voice over: Discussion of how Social Engineers can target a business as part of preparation for a cyber attack and how this gives us more opportunities to prevent or limit the affect of the attack through proper policy, use of resources and training.

Published in: Business, Technology
  • An attack on an organisation can potentially start in unexpected ways that basically have nothing to do with the cyber world. Hackers on a mission for specific information (as opposed to those just trying to cause disruption) will carry out intelligence gathering prior to a targeted attack. This can take many forms. Basically we are saying that the threat is holistic, and the targets in the key intelligence gathering phase may never have had any security awareness training whatsoever, or perhaps had some IT security training but the dots are not being joined. It may take days, weeks or months for it to come to light that an attack has taken place. If the threat is holistic then the solution and training have to be too.
  • So hackers hack people as well as networks and devices. In targeted attacks there is a lot of preparation and when carrying out threat assessment, rolling up the trousers in the style of the social engineer before diving into cyber threat is vital.
  • There is a myriad of potential weak areas for a social engineer to capitalise upon, or for the threat from insiders (however benign) to be realised:
    • Tailgating into a building to get access.
    • Charm offensive on reception or other staff members to get information (pretending to be a legitimate visitor who is lost, pretending to be an IT engineer who needs access to the server, or chatting someone up in order to get the inside track on who goes where or whatever else it is you want).
    • Pretending to be an angry visitor/boss – this may be shouting at the receptionist in an attempt to be let in, or shouting on the phone – pretending you are too busy and important to be bothered by a stupid security measure, and you are a director of the business anyway – get out of my way! (In actual fact any decent director would be delighted if reception shows backbone and demands ID etc.)
    • Surveillance – do staff notice someone hanging around watching the comings and goings – do they challenge such behaviour? They could be watching who comes in when, or any number of other key factors.
    • Gaining access to networks by swiping the passwords people leave lying around on post-it notes… nuff said.
    • Stealing ID cards, which have become so vital to many businesses, giving car park access, building access, meeting room access, restaurant and lunch access (you can use the Bacardi example but don’t mention them by name), chef’s list etc. Remember all of these could be carried out by a regular contractor who has been coerced into it, or who perhaps became a contractor with this express intention.
    • People gossiping in the office around strangers – all sorts of info available.
    • People hanging out together at the great level playing field that is the smoking area. Again, you potentially get access to C-level.
    • What people post on social media sites without thinking about their jobs, colleagues or workplace – rich pickings for the social engineer. A bit like going through the bins….
    • Theft of mobile devices.
    All or any combination may be used in the intelligence gathering phase (the trouser rolling up phase) of the attack. If none of these things have been scoped into security policies because “IT does security”, then the bomb is just waiting to go off for some organisations.
  • So the greater the level of intelligence gathered by these means, the greater the chance of a successful cyber attack. It could mean physical access to server rooms, or it may be information about who comes in when and what their habits are, to enable the theft of an ID card. It may mean regular visits from someone who befriends reception, such as a delivery guy, or stealing a company device left lying around. Pulling all of the intelligence together may mean not only that the cyber attack can progress, but that all the weakest points are known and the time to discovery can potentially be extended. It may mean the attack can be carried out more effectively and that greater volumes of information can be found, stolen or ruined. Bottom line: never assume the attack has merely started from the moment the system was breached.
  • Social Engineering, Insider and Cyber Threat

    1. Social Engineering, Insider and Cyber Threat
       Mike Gillespie – MD Advent IM Ltd
       The UK’s Leading Independent, Holistic Security Consultancy
    2. coming up
       • what we mean by Social Engineering and Insider Threat
       • what this means to Cyber Threat
       • buildings and technology, combined with people, offer cyber terrorists and criminals not only more targets, but more tools
       • serious cyber crime can start before anyone logs onto anything
       • people are our weakest link and cross security disciplines
       • our attitude to security and security awareness training needs to evolve
       • joining the dots and the holistic approach
    3. preparation is everything – even in cyberspace
    4. Social Engineering & Insider Threat (some images courtesy of freedigitalphotos.net)
    5. Social Engineering & Insider Threat (some images courtesy of freedigitalphotos.net)
    6. what does this mean for cyber threat and crime?
       Intelligence gathering → Greater chance of cyber success
    7. what does this mean for cyber threat and crime?
       • Followed target into building, or posed as contractor
       • Watched building to select target
       • ‘Bumped into’ target and engaged in conversation – trust gained
       • Researched target and ‘friends’ via social networks
       • ‘Borrowed’ their mobile device …and/or their pass card
       • Gained access to server
       The cyber attack technically starts here…
    8. Joining the dots and the holistic approach
       • Realistic holistic Threat and Risk Assessments that don’t isolate ‘cyber’
       • Realistic appropriate action and policies
       • C-level commitment and leadership
       • Top down security culture health
       • Holistic Security Awareness Training for all staff
       • Regular refreshers as part of the virtuous security cycle – security evolution
    9. Joining the dots… 27001 in words…
       • Continuous improvement (PDCA)
       • Ensure and Assure
       • Confidentiality, Integrity, Availability
       • Risk based
       • Proportionate
       • Governance
       • Compliance
    10. the standard…
       • Asset management
       • HR
       • Physical security
       • Communications and Operations
       • Access Control
       • System Development
       • DR, BCM and Incident Management
       • Compliance
    11. ISO27001 in pictures… (PDCA diagram: Plan – Establish the ISMS; Do – Implement & operate the ISMS; Check – Monitor & review the ISMS; Act – Maintain & improve the ISMS. Input: Information security requirements and expectations. Output: Managed information security. Development, maintenance & improvement cycle.)
    12. And so…
       • people are our weakest link and cross security disciplines
       • buildings and technology, combined with people, offer cyber terrorists and criminals not only more targets, but more tools
       • serious cyber crime can start before anyone logs onto anything
       • our attitude to security and security awareness training needs to evolve
    13. thank you
       Social Engineering, Insider and Cyber Threat
       www.advent-im.co.uk
       www.adventim.wordpress.com
       @Advent_IM
       www.linkedin.com/company/advent-im
       0121 559 6699
       0207 100 1124
