NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

The Rise of Social Engineering -- Anatomy of a Full Scale Attack

In this presentation you will gain insight on how hackers use the human element to increase the success probability of their attacks. It will cover everything from dumpster diving to email phishing and pretexting phone calls. Learn what to look for and how to defend your organization from social engineering attacks.

David Nelson, CISSP, is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow with the Information Systems Security Association (ISSA). He has led technology organizations in both the public and private sector. Prior to founding Integrity, he was most recently the Chief Information Security Officer for a leading health informatics company. He also managed an information security group for a top 5 U.S. banking organization, was the CIO for a higher education institution and served as the information security officer for one of the largest municipal governments on the East Coast.

  1. The Rise of Social Engineering - Anatomy of a Full Scale Attack - Presenter: Dave Nelson, CISSP | President at Integrity
  2. Dave Nelson, CISSP
     • Certified Information Security Professional (CISSP)
     • Over 20 years' experience as an information security professional
     • Fellow with the Information Systems Security Association
     • President Emeritus of ISSA Des Moines Iowa Chapter
  3. Overview
     • What is “Social Engineering”?
     • Types of Attacks & Real World Examples
     • Best Defense
  4. What is “Social Engineering”? (section divider)
  5. Social Engineering
     • Using knowledge of human behavior to elicit a defined response.
     • Put simply… getting you to willingly do something for me which is likely not in your best interest.
  6. Sociology and Psychology
     • Study of human behavior, interaction and societal norms.
     • Actions can be predicted quite accurately.
     • Actions can also be influenced quite easily.
  7. Simple Human Behavior
     • Two Types of Responses
       – Natural
       – Learned
     Hackers will craft a scenario for you to enter, in order to elicit a response which they believe will give them the result they are looking for.
  8. Types of Attacks & Real World Examples (section divider)
  9. Why talk about social engineering?
     Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it’s on the rise.
     Source: 2016 Verizon Data Breach Investigation Report
  10. 5 Common Attack Methods
     • Dumpster Diving
     • Pretexting
     • Phishing
     • Physical Entry
     • Enticement
  11. Dumpster Diving
     • Scouring through discarded items
       – Calendars & Day planners
       – Handwritten notes
       – Phone & Email Lists
       – Operation manuals or procedures
       – System diagrams & IP addresses
       – Source code
  12. Pretexting
     • Fraudulent phone calls
     • Used to extract information
     • Also used to set up other attacks such as facility entry or phishing
  13. Phishing
     Attempts to get users to provide information or perform an action.
     Tips For Identifying Phishing Attempts
       – Asks to update account information via email
       – No verification image or varying layout designs
       – Provides unfamiliar hyperlinks
  14. Common Bait
     • Sweet Deals
       – Free Stuff
       – Limited Time Offers
       – Package Delivery
     • Help Me, Help You!
       – Tech Support
     • You Gotta’ See This!
  15. Spear Phishing Example
     Good Morning Mike,
     You may or may not know, but Mary (CFO) and I are in Atlanta working to close a deal with our partners XYZ Company and ABC Limited on a $70 million dollar contract with Our Big Payday, Inc. In order to get the contracts signed, I need you to wire $85,620 to XYZ Company and $67,980 to ABC Limited. Mary says this should come from our Bank Name Here account number 123456789. The routing and account number for XYZ is 12345678 – 7788994455 and for ABC is 98765432 – 336699774411.
     Because Our Big Payday, Inc. is a publicly traded company, the terms of this agreement cannot be disclosed until they file their SEC reports for the quarter so your absolute discretion is expected. Under no circumstances are you to discuss this transaction with anyone in the department. A leak could result in SEC fines or prison for both of us for insider trading.
     If you have any questions about this, please respond to this email with your direct line and I’ll call you when I’m out of the negotiation meetings.
     I appreciate all you do for us which is why I’m trusting you with this key project. Keep up the good work!
     Sandy (CEO)
  16. Physical Presence
     • Gaining physical access can be easier than virtual access
     • May provide additional information
     • Comes at a higher risk but with a potentially greater reward
  17. Physical Presence Examples
     • Delivery Drivers
     • Employee Tailgating
     • Maintenance or Emergency Crews
     • The key is to act like you belong. If you believe it, so will everyone else.
  18. Enticement Examples
     A folder with an enticing title/label left on the ground outside an employee entrance with a USB thumb drive taped inside. (Pictured: a folder labelled “Year-End Bonuses”)
     • USB, CD or DVDs left in conspicuous spaces.
     • May be accompanied by fake paper files
     • Curiosity beats caution
  19. Putting It All Together
     • Targeted attacks will always use some form of social engineering.
     • Just like in military operations, intel makes or breaks a mission
     • Hackers may never even need to use sophisticated technical attacks if you provide the information willingly
  20. Stealth Mode
     • Limited social engineering attacks can be hard to detect.
     • Relevant information allows attackers to pinpoint their attack, which makes their footprint hard to discover.
  21. Don’t Fall for The Long Con
     • Social engineering is nothing more than a con-game.
     • The old “Long Con” has been ported to the digital world.
     • Good cons are hard to spot.
  22. Best Defenses (section divider)
  23. Best Defenses
     • Strong paper destruction process
     • Limiting facility ingress/egress points
     • Challenge unknown people in secure areas
     • Implement technology to screen email and websites for attacks
  24. Employee Training
     • Traditional CBT methods don’t work
     • Engage the employee, make a personal plea
     • Use gamification to enhance learning
     • Prepare for different learning styles (audio, visual, hands-on)
     • Awareness is not training and training is not awareness
  25. Program Validation
     • Social engineering testing engagements provide assessments of how well your people, process and technology are functioning.
  26. Summary
     • Social engineering is here to stay and it’s growing
     • Your organization will suffer a data breach due to social engineering
     • The study of human behavior has been used by criminals for centuries; cybercriminals are no different
     • Employees must be trained to spot social engineering and how to react
  27. Question & Answer
     dave.nelson@integritysrc.com
     www.integritysrc.com/blog
     DaveNelsonCISSP
     @IntegrityCEO - @IntegritySRC
     515-965-3756
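The phishing tips on slide 13 and the CEO wire-fraud email on slide 15 describe the indicators a mail gateway or analyst looks for. The following is an added example (not part of the deck) that scores a raw message against those indicators; the message headers, the lookalike domains and the `acme.example` internal domain are constructed for the demo, while the body abridges the slide-15 text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Body indicators drawn from the deck's phishing tips (slide 13) and the
# wire-fraud wording of its spear-phishing sample (slide 15).
BODY_INDICATORS = {
    "wire_transfer_request": re.compile(r"\bwire\b[^.]*\$\s?[\d,]+", re.I),
    "bank_details_in_body": re.compile(r"\b\d{8,9}\s*[-–]\s*\d{9,12}\b"),
    "secrecy_demand": re.compile(r"discretion|under no circumstances|cannot be disclosed", re.I),
    "threat_or_pressure": re.compile(r"fines or prison|immediately", re.I),
    "callback_by_email_only": re.compile(r"respond to this email with your direct line", re.I),
    "account_update_request": re.compile(r"update (your )?account information", re.I),
    "unfamiliar_hyperlink": re.compile(r"https?://\S+", re.I),
}

def header_findings(msg, internal_domain):
    """Executive impersonation: a titled display name on an external or mismatched address."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if addr.rsplit("@", 1)[-1].lower() != internal_domain.lower():
        findings.append("sender_domain_external")
    if re.search(r"\b(CEO|CFO|President)\b", name, re.I):
        findings.append("executive_title_in_display_name")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply_to_mismatch")  # replies are routed away from the apparent sender
    return findings

def score_message(raw, internal_domain):
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return header_findings(msg, internal_domain) + [
        name for name, pat in BODY_INDICATORS.items() if pat.search(body)]

# Constructed sample: the headers are invented; the body abridges the deck's slide-15 text.
SAMPLE = """From: "Sandy (CEO)" <sandy@acme-example.co>
Reply-To: sandy.ceo@mail-example.net
Subject: Contracts

Good Morning Mike, Mary (CFO) and I are in Atlanta closing a deal with XYZ Company.
In order to get the contracts signed, I need you to wire $85,620 to XYZ Company.
The routing and account number for XYZ is 12345678 - 7788994455.
The terms cannot be disclosed until they file their SEC reports, so your absolute discretion is expected.
A leak could result in SEC fines or prison for both of us.
If you have any questions, please respond to this email with your direct line. Sandy (CEO)
"""

if __name__ == "__main__":
    print(score_message(SAMPLE, "acme.example"))
```

The indicator list is a triage aid, not a verdict: an out-of-band call to the executive on a known number is the control that actually stops the transfer.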