AGENDA
● Introduction and Bio
● What is Social Engineering?
● A Talk about Sales? What the Hell, you said Social Engineering?!?
● Profile? Process? Why not both!
● Defences against Social Engineering
● The Mystery Security Test
● Recap
● Q & A Session
INTRODUCTION

Gavin Ewan

jac0byterebel@gmail.com

www.facebook.com/gavin.ewan

@jac0byterebel
BIO
1st Masters Degree comprising Psychology and Economics
Worked as:-
● Regulated Financial Adviser
● Sales Manager
● Sales Trainer
Ethical Hacking student at the University of Abertay, Dundee, Scotland.
What is Social Engineering?
● Online definition:- The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection
● My definition:- Bypassing the human firewall/intrusion detection system. Hacking the human mind.
Part Art, Part Science
Number of Mediums:- Face2Face
Number of Mediums:- Telephone
Number of Mediums:- Online
Technical?
Emotional
What Social Engineering Is Not
Easier, Lazier
Reserved for Gifted Speakers
Governed by Hard, Fast Rules.
Sales? But you said Social Engineering!
● Terms are not mutually exclusive
● Salesman == Social Engineer
    ● Good salesmen use a degree of Social Engineering Skills
    ● Bad salesmen don't
● Social Engineers HAVE TO be good salesmen
● Selling Concept
    ● “I want you to buy the concept I belong here”
    ● “I want you to buy the concept I need your username and password”.
Sales? But you said Social Engineering!
The Master Salesman
● Recognises that each and every customer and sale is different
● Can play different roles
● Uses a variety of questioning techniques
● Recognises that NO doesn't mean NO. Objections are good
● Is comfortable with awkward silences (Gav's Golden Rule, Know When to Shut Up)
● Will ask for repeat business, and referrals to other customers.
The Master Social Engineer
● Recognises that each and every social engineering attack is different
● MUST act out a number of different roles
● Uses a variety of questioning techniques
● Isn't fazed by objections and can recognise a programmed response
● Is not only comfortable with, but appreciates, awkward silence
● Knows that one target won over can be used to win over other targets, or help provide a 'quick getaway'.
Profile? Process? Why not both!
DISCLAIMER
● This is what I use, because it
    ● Works for me
    ● Made me plenty cash
    ● Has transferred smoothly to social engineering
YOU MAY NOT AGREE WITH EVERYTHING THAT FOLLOWS
● We are all entitled to our opinion.
Profile? Process? Why not both!
                Sales Process
(1) Prospecting the target
(2) Initial Contact and Needs Identification
(3) (Sales) Presentation
(4) Close
(5) Objection Handle
Steps 3 to 5 are circular and can be repeated as often as necessary.
Profile? Process? Why not both!
(1) Prospecting the Target
(1) Know your target
    ● Profile without direct contact
        ● Google
        ● Maltego, etc
(2) Know your limits (Backward planning)
    ● Salesman - QUANTITY
    ● Social Engineer - PERFORMANCE.
Profile? Process? Why not both!
Simple Personality Test for a Salesman (or Social Engineer!)
● Based on two of four areas examined by original Myers-Briggs test
What we need to know – Sales 101
    ● What they'll actually listen to
    ● How they make decisions based on what you've just said
What we don't need to know
    ● If they are an Introvert or an Extrovert
    ● How they handle 'issues'
DANGER!
● Further apart on the scales – Less likely to be 'compatible'.
Profile? Process? Why not both!
But Gav, how do I reel 'em in?
What they'll actually listen to
Sensor
● Needs to try things out first and pays attention to the finer details. Focus on one day at a time.
● Will ask you 'What?' and 'How?'
Intuitive
● Trust the gut first and look at the big picture. Detail can wait.
● Will ask you 'Why?'

How they make decisions
Thinker
● Driven by facts, logic and reason. Will go with what the facts suggest even if they don't like it
● Balance pros and cons for them
● Very task focussed
Feeler
● Driven by their feelings as opposed to just hard evidence
● Appreciates alternative options and viewpoints
● Very relationship focussed.
Profile? Process? Why not both!
And this means what exactly?
● Sensor-Thinker (Thinker) – Give them the facts, then go through, step by step, why they should buy from/help you
    ● Facts then Logic
● Sensor-Feeler (Feeler) – Stick to giving them the facts, but show them how what you have told them will affect the people involved (including them)
    ● Facts then Feelings
● Intuitive-Thinker (Controller) – Will want to know what the bigger picture is, but will expect a range of well thought out and presented options to deal with it
    ● Overview then Logic
● Intuitive-Feeler (Entertainer) – Give 'em the big picture and then show how all the pieces fit together, who will be affected. Loves a story
    ● Overview then Feelings.
Profile? Process? Why not both!
Diagram (slide): a quadrant with Controller (top left), Entertainer (top right), Thinker (bottom left) and Feeler (bottom right); plotted on it are Sales Staff, Managers, Finance, Marketing, Techies/Researchers and Security Staff.
Profile? Process? Why not both!
(2) Initial Contact and Needs Identification
(1) Continue profiling
(2) Work out needs of customer/target
    ● Through appropriate questioning
(3) WATCH
(4) LISTEN.
Profile? Process? Why not both!
    Questioning Techniques
Profile? Process? Why not both!
What to Watch and Listen for
Some Basic NLP
● See as a target sees
● 3 basic methods of perceiving the world
    ● Visual
    ● Auditory
    ● Kinaesthetic
● Language is the quickest guide
● Visual – I see what you mean, You'll have to watch that one
● Auditory – That rings a bell, I hear what you are saying
● Kinaesthetic – Let's touch base, I've got a grasp of what you mean.
Profile? Process? Why not both!
What to Watch and Listen for
WATCH!
Diagram (eye-movement chart): RIGHT – Creating Images (top), Creating Words/Sounds (middle), Feelings (Words to Feelings) (bottom); LEFT – Remembering Images (top), Remembering Words/Sounds (middle), Internal Dialogue (Words to Sounds) (bottom); centre – Unfocussed Stare, Processing Information (Usually Visual).
Profile? Process? Why not both!
What to Watch and Listen for
LISTEN!
Visuals
● Higher pitched, quick talkers
Auditories
● Low pitch, good rhythm, smooth tone. Concentrating on sounding good
Kinaesthetics
● Constant pauses in speech. Tendency to be 'touchy-feely'.
Profile? Process? Why not both!
(3) (Sales) Presentation
(1) Relay customer/target's needs back to them.
    ● According to profile
    ● In their 'language'
    ● Features Vs Benefits
    ● Feature = Something the item has
    ● Benefit = Something the customer/target needs
(2) AGREE on needs
    ● 'Ski downhill' (contrast effect)
    ● Slight adjustments will not be noticed (heuristics).
Profile? Process? Why not both!
The Contrast Effect
PRESENTATION ORDER IS VITAL!!!!
● Salesman - EXPENSIVE >>>>> CHEAP
● Social Engineer – BIG request >>>>> REAL request.
Profile? Process? Why not both!
Heuristics
● The human brain has an 'auto-correct' facility!
    ● “Aoccdrnig to rscheearch, it deosn't mttaer in waht oredr the ltteers in a wrod are, olny taht the frist and lsat ltteer be at the rghit pclae. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe”
● Not readable by a computer
● What about.....
    ● An ID badge with slight variations
    ● A document with some 'favourable' additions
Profile? Process? Why not both!
(4) Closing
(1) Interpret buying signals
    ● Verbal - “So let me get this straight, I can have it in red, or black?”
    ● Non Verbal -
Profile? Process? Why not both!
(4) Closing
(1)
(2) Use appropriate close
    ● Assumptive or Command Close – 'Assume' they agree and ask for the business
    ● Alternative Close – Give them a 'choice', either way, you win
IDEAL TIME TO USE SOME EMBEDDED COMMANDS!
Profile? Process? Why not both!
Embedded Commands
● Trojans of the human mind
● Subconscious processing is different
● Gav's Guide to embedding
    (1) Pause before the embedded command
    (2) Talk louder at the embedded command
    (3) Adopt a 'command' tonality at the command (down-turn)
    (4) Pause after the embedded command
● Inject the command into a seemingly innocuous statement
● Add a command verb (Do, get, recall, buy, etc)
● Fire away
    ● Salesman - “By now, you'll know if you want to place an order”.
    ● Social Engineer - “I don't expect you to let me in right away”
Profile? Process? Why not both!
(5) Objection Handling
● OBJECTION == FREE LOOK AT TARGET'S TRAIN OF THOUGHT
● Two main types of objection to deal with
Sincere
● A genuine concern that must be overcome
● From reasoned consideration
Insincere
● Masks unrelated concerns
● Indicator of a far bigger objection.
Profile? Process? Why not both!
Dealing with the Objection
GAV'S GOLDEN RULE – Never, ever, ever, dismiss an objection out of hand – LISTEN!
Understanding statement
SPIN/PEGY
SPIN:
● Situation
● Problem
● Implication
● Need
PEGY:
● Problem
● Effect
● Give up
● You
FEEL, FELT, FOUND
Defences against Social Engineering
WHAT THE BAD GUYS THINK
   If (Weak Link == Humans)
       Exploit Humans
   Else
       Exploit Other Stuff
THEN Y U NO!!!!!!!!!!!!!!!!!!!!
● Have a set framework for defending against an attack?
● Stop considering SE tests unethical?
Defences against Social Engineering
Defence against tools of a Social Engineer
Attack 1 – Defence?
Attack 2 – Defence?
Defences against Social Engineering
What about 'Direct' attacks
Defence?
Problem
3 Golden Rules to enforce
● Calling companies to ensure that a 'visitor' should be here
● Calling the member of staff they are meant to be visiting
● If in doubt, ask for help, don't just assume
Too much 'stick' not enough 'carrot'.
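The three golden rules above written out as a reception decision procedure. This is an added example, not part of the talk: it dials only numbers taken from the organisation's own directories (never the number a visitor offers) and escalates whenever either callback is less than a clear confirmation. The company and staff directories, names and phone numbers are constructed sample data, and the phone calls are injected callbacks so the routine runs offline.

```python
"""Visitor verification built from the three golden rules.

Added example, not from the talk.  Directories are constructed sample
data; the phone callbacks are injected so the procedure runs offline.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ADMIT = "admit"        # both callbacks confirmed the visit
    ESCALATE = "escalate"  # rule 3: in doubt, ask for help, never assume
    REFUSE = "refuse"      # a callback positively denied the visit


@dataclass(frozen=True)
class VisitorClaim:
    name: str
    company: str
    host: str           # staff member the visitor says they are here to see
    offered_phone: str  # number the visitor hands over; never dialled


# Constructed sample directories (assumption: the organisation keeps its own
# switchboard numbers for suppliers and its own internal staff directory).
KNOWN_COMPANIES = {"acme supplies": "+44 20 0000 0001"}
STAFF_DIRECTORY = {"alice smith": "+44 20 0000 0101"}


def verify_visitor(claim, call_company, call_host):
    """Apply the three rules in order and return a Decision.

    call_company(number, visitor_name) and call_host(number, visitor_name)
    return True (visit confirmed), False (visit denied) or None (no answer
    or unsure).  Only numbers from our own directories are dialled; the
    number offered by the visitor is ignored on purpose, because a caller
    who supplies the verification number also controls who answers it.
    """
    company_number = KNOWN_COMPANIES.get(claim.company.strip().lower())
    host_number = STAFF_DIRECTORY.get(claim.host.strip().lower())

    # Unknown company or unknown member of staff: rule 3, ask for help.
    if company_number is None or host_number is None:
        return Decision.ESCALATE

    # Rule 1: call the company to confirm the visitor should be here.
    company_ok = call_company(company_number, claim.name)
    if company_ok is False:
        return Decision.REFUSE

    # Rule 2: call the member of staff being visited.
    host_ok = call_host(host_number, claim.name)
    if host_ok is False:
        return Decision.REFUSE

    # Rule 3: anything short of two clear confirmations counts as "in doubt".
    if company_ok is None or host_ok is None:
        return Decision.ESCALATE
    return Decision.ADMIT


def scripted_phone(script, dialled):
    """Return a callback that answers from `script` and logs each number dialled."""
    def call(number, visitor_name):
        dialled.append(number)
        return script.get(number)
    return call


def run_scenarios():
    """Four constructed scenarios; returns {name: (decision, numbers dialled)}."""
    claim = VisitorClaim("Bob Jones", "Acme Supplies", "Alice Smith",
                         offered_phone="+44 7700 900000")
    scripts = {
        "confirmed": {"+44 20 0000 0001": True, "+44 20 0000 0101": True},
        "host_unsure": {"+44 20 0000 0001": True, "+44 20 0000 0101": None},
        "company_denies": {"+44 20 0000 0001": False, "+44 20 0000 0101": True},
    }
    results = {}
    for name, script in scripts.items():
        dialled = []
        phone = scripted_phone(script, dialled)
        results[name] = (verify_visitor(claim, phone, phone), dialled)

    # Host not in the staff directory: no call is placed, straight to escalation.
    unknown = VisitorClaim("Bob Jones", "Acme Supplies", "Mallory Nobody",
                           offered_phone="+44 7700 900000")
    dialled = []
    phone = scripted_phone(scripts["confirmed"], dialled)
    results["unknown_host"] = (verify_visitor(unknown, phone, phone), dialled)
    return results


if __name__ == "__main__":
    for name, (decision, dialled) in run_scenarios().items():
        print(f"{name:15} -> {decision.value:9} dialled {dialled}")
```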
The Mystery Security Test
● Mystery Security Test born from personally witnessed disregard for security in financial services
● Banks, and many retail outlets, are assessed under the Mystery Shopper scheme
Mystery Shopper
● Secret shopper who will enter a branch or outlet with a predetermined list of objectives. They will not buy; rather they decline politely, leave and submit a report to the company
● Checks that the customer experience is fair across the board and that staff are providing the best service at all times. Money can be LOST based on these results
● Mystery Shoppers can be internal or external, and their arrival is never announced
● Considered ethical.
The Mystery Security Test
● Smaller targets chosen
● Secret security tester will enter branch, retail outlet, office or other unit with a list of objectives to achieve. This will include securing valuable information like passwords, key combinations, and details of non-public areas and practices
● Will hold a 'get out of jail' card like a pen-tester
● Security led, this will check that customer data is safe in the hands of your employees. Ask yourself a question. Would your customer be happy with great service, but knowing their data is insecure?
● Could be done internally, or externally
    ● A key factor in running a financial services company is that customer data is safe. The only security measure in place at the moment is fines when it all goes wrong.
Recap
● Whether you like it or not, Social Engineering is a growing threat and YOU have fallen victim
● We are training people daily to attack our human weaknesses
● Attackers are using psychology to know what buttons to press. Do you know what personality type you are yet?
● We have a false sense of security that current policies will protect us against everything
● Finally we saw that while difficult, Social Engineering attacks can be defended against.
WHOAMI

Gavin Ewan

jac0byterebel@gmail.com

www.facebook.com/gavin.ewan

@jac0byterebel
Black Hat Objection Handling
The Magical Number Seven
● The human brain has a number of 'buffers' to help process incoming information. What if we could overflow them?
● Miller's Law:- 'We can store around seven SMALL pieces of information in our short term memory buffer'
● In reality, only 3 or 4 pieces of meaningful information
● In order to fill this buffer, we can
    ● Supply information in awkward chunks
    ● Open threads of information and not fully close them
● When the buffer is full, requests are more likely to be dealt with directly by the subconscious.

 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

A Salesman's Guide to Social Engineering B-Sides London Edition

  • 2. AGENDA ● Introduction and Bio ● What is Social Engineering? ● A Talk about Sales? What the Hell, you said Social Engineering?!? ● Profile? Process? Why not both! ● Defences against Social Engineering ● The Mystery Security Test ● Recap ● Q & A Session
  • 4. BIO 1st Masters Degree comprising Psychology and Economics. Worked as:- ● Regulated Financial Adviser ● Sales Manager ● Sales Trainer. Ethical Hacking student at the University of Abertay, Dundee, Scotland.
  • 6. What is Social Engineering? ● Online definition:- The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection ● My definition:- Bypassing the human firewall/intrusion detection system. Hacking the human mind.
  • 7. Part Art, Part Science
  • 16. Governed by Hard, Fast Rules.
  • 18. Sales? But you said Social Engineering! ● Terms are not mutually exclusive ● Salesman == Social Engineer ● Good salesmen use a degree of Social Engineering Skills ● Bad salesmen don't ● Social Engineers HAVE TO be good salesmen ● Selling Concept ● “I want you to buy the concept I belong here” ● “I want you to buy the concept I need your username and password”.
  • 19. Sales? But you said Social Engineering! The Master Salesman vs The Master Social Engineer: ● Salesman: Recognises that each and every customer and sale is different. Social Engineer: Recognises that each and every social engineering attack is different ● Salesman: Can play different roles. Social Engineer: MUST act out a number of different roles ● Salesman: Uses a variety of questioning techniques. Social Engineer: Uses a variety of questioning techniques ● Salesman: Recognises that NO doesn't mean NO. Objections are good. Social Engineer: Isn't fazed by objections and can recognise a programmed response ● Salesman: Is comfortable with awkward silences (Gav's Golden Rule, Know When to Shut Up). Social Engineer: Is not only comfortable with, but appreciates, awkward silence ● Salesman: Will ask for repeat business, and referrals to other customers. Social Engineer: Knows that one target won over can be used to win over other targets, or help provide a 'quick getaway'.
  • 21. Profile? Process? Why not both! DISCLAIMER ● This is what I use, because it ● Works for me ● Made me plenty cash ● Has transferred smoothly to social engineering YOU MAY NOT AGREE WITH EVERYTHING THAT FOLLOWS ● We are all entitled to our opinion.
  • 22. Profile? Process? Why not both! Sales Process (1) Prospecting the target (2) Initial Contact and Needs Identification (3) (Sales) Presentation (4) Close (5) Objection Handle. Steps 3 to 5 are circular and can be repeated as often as necessary.
  • 23. Profile? Process? Why not both! (1) Prospecting the Target (1) Know your target ● Profile without direct contact ● Google ● Maltego, etc (2) Know your limits (Backward planning) ● Salesman - QUANTITY ● Social Engineer - PERFORMANCE.
  • 24. Profile? Process? Why not both! Simple Personality Test for a Salesman (or Social Engineer!) ● Based on two of four areas examined by original Myers-Briggs test What we need to know – Sales 101 ● What they'll actually listen to ● How they make decisions based on what you've just said What we don't need to know ● If they are an Introvert or an Extrovert ● How they handle 'issues' DANGER! ● Further apart on the scales – Less likely to be 'compatible'.
  • 25. Profile? Process? Why not both! But Gav, how do I reel 'em in? What they'll actually listen to: Sensor vs Intuitive ● Sensor: Needs to try things out first and pays attention to the finer details. Focus on one day at a time. Will ask you 'What?' and 'How?' ● Intuitive: Trust the gut first and look at the big picture. Detail can wait. Will ask you 'Why?' How they make decisions: Thinker vs Feeler ● Thinker: Driven by facts, logic and reason. Will go with what the facts suggest even if they don't like it. Balance pros and cons for them. Very task focussed ● Feeler: Driven by their feelings as opposed to just hard evidence. Appreciates alternative options and viewpoints. Very relationship focussed.
  • 26. Profile? Process? Why not both! And this means what exactly? ● Sensor-Thinker (Thinker) – Give them the facts then go through, step by step, why they should buy from/help you ● Facts then Logic ● Sensor-Feeler (Feeler) – Stick to giving them the facts, but show them how what you have told them will affect the people involved (including them) ● Facts then Feelings ● Intuitive-Thinker (Controller) – Will want to know what the bigger picture is, but will expect a range of well thought-out and presented options to deal with it ● Overview then Logic ● Intuitive-Feeler (Entertainer) – Give 'em the big picture and then show how all the pieces fit together, who will be affected. Loves a story ● Overview then Feelings.
  • 27. Profile? Process? Why not both! (Quadrant diagram: Controller and Entertainer across the top, Thinker and Feeler across the bottom, with Sales Staff, Managers, Marketing, Finance, Techies/Researchers and Security Staff placed in the quadrants)
  • 28. Profile? Process? Why not both! (2) Initial Contact and Needs Identification (1) Continue profiling (2) Work out needs of customer/target ● Through appropriate questioning (3) WATCH (4) LISTEN.
  • 29. Profile? Process? Why not both! Questioning Techniques
  • 30. Profile? Process? Why not both! What to Watch and Listen for Some Basic NLP ● See as a target sees ● 3 basic methods of perceiving the world ● Visual ● Auditory ● Kinaesthetic ● Language is the quickest guide ● Visual – I see what you mean, You'll have to watch that one ● Auditory – That rings a bell, I hear what you are saying ● Kinaesthetic – Let's touch base, I've got a grasp of what you mean.
  • 31. Profile? Process? Why not both! What to Watch and Listen for WATCH! (Eye-movement diagram) RIGHT: Creating Images; Creating Words/Sounds; Feelings (Words to Feelings). LEFT: Remembering Images; Remembering Words/Sounds; Internal Dialogue (Words to Sounds). UNFOCUSSED STARE: Processing Information (Usually Visual).
  • 32. Profile? Process? Why not both! What to Watch and Listen for LISTEN! Visuals ● Higher pitched, quick talkers. Auditories ● Low pitch, good rhythm, smooth tone. Concentrating on sounding good. Kinaesthetics ● Constant pauses in speech. Tendency to be 'touchy-feely'.
  • 33. Profile? Process? Why not both! (3) (Sales) Presentation (1) Relay the customer's/target's needs back to them. ● According to profile ● In their 'language' ● Features Vs Benefits ● Feature = Something the item has ● Benefit = Something the customer/target needs (2) AGREE on needs ● 'Ski downhill' (contrast effect) ● Slight adjustments will not be noticed (heuristics).
  • 34. Profile? Process? Why not both! The Contrast Effect PRESENTATION ORDER IS VITAL!!!! ● Salesman - EXPENSIVE >>>>> CHEAP ● Social Engineer – BIG request >>>>> REAL request.
  • 35. Profile? Process? Why not both! Heuristics ● The human brain has an 'auto-correct' facility! ● “Aoccdrnig to rscheearch, it deosn't mttaer in waht oredr the ltteers in a wrod are, olny taht the frist and lsat ltteer be at the rghit pclae. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe” ● Not readable by a computer ● What about..... ● An ID badge with slight variations ● A document with some 'favourable' additions
  • 36. Profile? Process? Why not both! (4) Closing (1) Interpret buying signals ● Verbal - “So let me get this straight, I can have it in red, or black?” ● Non Verbal -
  • 37. Profile? Process? Why not both! (4) Closing (2) Use appropriate close ● Assumptive or Command Close – 'Assume' they agree and ask for the business ● Alternative Close – Give them a 'choice', either way, you win IDEAL TIME TO USE SOME EMBEDDED COMMANDS!
  • 38. Profile? Process? Why not both! Embedded Commands ● Trojans of the human mind ● Subconscious processing is different ● Gav's Guide to embedding (1) Pause before the embedded command (2) Talk louder at the embedded command (3) Adopt a 'command' tonality at the command (down-turn) (4) Pause after the embedded command ● Inject the command into a seemingly innocuous statement ● Add a command verb (Do, get, recall, buy, etc) ● Fire away ● Salesman - “By now, you'll know if you want to place an order”. ● Social Engineer - “I don't expect you to let me in right away”
  • 39. Profile? Process? Why not both! (5) Objection Handling ● OBJECTION == FREE LOOK AT TARGET'S TRAIN OF THOUGHT ● Two main types of objection to deal with ● Sincere ● A genuine concern that must be overcome ● From reasoned consideration ● Insincere ● Masks unrelated concerns ● Indicator of a far bigger objection.
  • 40. Profile? Process? Why not both! Dealing with the Objection GAV'S GOLDEN RULE – Never, ever, ever, dismiss an objection out of hand – LISTEN! Understanding statement: SPIN (● Situation ● Problem ● Implication ● Need) or PEGY (● Problem ● Effect ● Give up ● You). FEEL, FELT, FOUND.
  • 42. Defences against Social Engineering WHAT THE BAD GUYS THINK If (Weak Link == Humans) Exploit Humans Else Exploit Other Stuff THEN Y U NO!!!!!!!!!!!!!!!!!!!! Have a set framework for defending against an attack? Stop considering SE tests unethical?
  • 43. Defences against Social Engineering Defence against tools of a Social Engineer (diagram: Attack 1 and Attack 2, each with Defence? beneath)
  • 44. Defences against Social Engineering What about 'Direct' attacks? Defence? 3 Golden Rules to enforce ● Calling companies to ensure that a 'visitor' should be here ● Calling the member of staff they are meant to be visiting ● If in doubt, ask for help, don't just assume. Problem? Too much 'stick', not enough 'carrot'.
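An added example, not from the talk: a front-desk check in Python that encodes the three golden rules on the slide (confirm with the company, confirm with the host, escalate rather than assume when either cannot be verified). The directory entries, phone numbers, visitor and the call-back callables are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholder directories: the ONLY source of numbers used for call-backs.
# A number volunteered by the visitor is never dialled, because a caller who
# answers their own phone can confirm anything.
STAFF_DIRECTORY = {"a.smith": "+44 20 0000 0001"}
COMPANY_DIRECTORY = {"Example Facilities Ltd": "+44 20 0000 0002"}

# Models one phone call: (number dialled, visitor name) -> True if the far end confirms.
CallBack = Callable[[str, str], bool]


@dataclass
class VisitorClaim:
    name: str
    company: str
    host: str                              # member of staff they say they are visiting
    offered_number: Optional[str] = None   # call-back number the visitor volunteers


def verify_visitor(claim: VisitorClaim, call_company: CallBack,
                   call_host: CallBack) -> tuple[str, list[str]]:
    """Apply the three golden rules. Returns (decision, audit trail); decision is
    ADMIT, DENY or ESCALATE. ESCALATE means the desk could not verify the claim
    and hands over to security instead of assuming it is fine."""
    trail: list[str] = []
    if claim.offered_number:
        trail.append("ignored visitor-supplied number; dialling directory numbers only")

    # Rule 1: call the company to confirm this visitor should be here.
    company_number = COMPANY_DIRECTORY.get(claim.company)
    if company_number is None:
        trail.append(f"company {claim.company!r} not in directory")
        return "ESCALATE", trail           # Rule 3: in doubt, ask for help
    if not call_company(company_number, claim.name):
        trail.append("company did not confirm the visit")
        return "DENY", trail

    # Rule 2: call the member of staff they claim to be visiting.
    host_number = STAFF_DIRECTORY.get(claim.host)
    if host_number is None:
        trail.append(f"host {claim.host!r} not in directory")
        return "ESCALATE", trail           # Rule 3 again: never assume
    if not call_host(host_number, claim.name):
        trail.append("host did not confirm the visit")
        return "DENY", trail

    trail.append("company and host both confirmed")
    return "ADMIT", trail
```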
  • 46. The Mystery Security Test ● Mystery Security Test born from personally witnessed disregard for security in financial services ● Banks, and many retail outlets, are assessed under the Mystery Shopper scheme Mystery Shopper ● Secret shopper who will enter a branch or outlet with a predetermined list of objectives. They will not buy, rather they decline politely, leave and submit a report to the company ● Checks that the customer experience is fair across the board and that staff are providing the best service at all times. Money can be LOST based on these results ● Mystery Shoppers can be internal, external and their arrival is never announced ● Considered ethical.
  • 47. The Mystery Security Test The Mystery Security Test ● Smaller targets chosen ● Secret security tester will enter branch, retail outlet, office or other unit with a list of objectives to achieve. This will include securing valuable information like passwords, key combinations, and details of non-public areas and practices ● Will hold a 'get out of jail' card like a pen-tester ● Security led, this will check that customer data is safe in the hands of your employees. Ask yourself a question. Would your customer be happy with great service, but knowing their data is insecure? ● Could be done internally, or externally ● A key factor in running a financial services company is that customer data is safe. The only security measure in place at the moment is fines when it all goes wrong.
  • 48. Recap ● Whether you like it or not, Social Engineering is a growing threat and YOU have fallen victim ● We are training people daily to attack our human weaknesses ● Attackers are using psychology to know what buttons to press. Do you know what personality type you are yet? ● We have a false sense of security that current policies will protect us against everything ● Finally we saw that while difficult, Social Engineering attacks can be defended against.
  • 51. Black Hat Objection Handling The Magical Number Seven ● The human brain has a number of 'buffers' to help process incoming information. What if we could overflow them? ● Miller's Law:- 'We can store around seven SMALL pieces of information in our short term memory buffer' ● In reality, only 3 or 4 pieces of meaningful information ● In order to fill this buffer, we can ● Supply information in awkward chunks ● Open threads of information and not fully close them ● When the buffer is full, requests more likely to be dealt with directly by subconscious.