Everything Old is New Again
                         Back to the Social Engineering Future




   © 2008 – Foreground Security. All rights reserved
Only two things are infinite: the universe and human stupidity,
             And I'm not sure about the former.

                                                  Albert Einstein

Agenda
• The Changing Threat Environment
• What is Social Engineering
  – The usual suspects
  – What it really looks like

• How does it work?
  – The art of exploiting humans
  – The 3 Skills of Social Engineering

• How do you protect yourself?




                                         © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
A History Lesson....
The History of Security

[Figure: timeline from 1985 to 2005. The vulnerable element shifts along the bottom axis from Human to Network to Server to Web App to Client to Organization, with "You Are Here" at the right-hand end. Milestones plotted along the way: Morris Worm, Kevin Poulsen, Kevin Mitnick, SATAN, Commercial Firewalls, Commercial IDS, Snort, Nessus, Commercial Vulnerability Assessment, Commercial Vulnerability Management, SIM/SEM, IPS & UTM, Melissa, Loveletter, Code Red, Nimda, Slammer, Blaster, Sasser, Spyware, Commercial Anti-Spyware, Phishing, Data Leakage Prevention.]

The Vulnerability Cycle

[Figure: a cycle of attack targets: Human / Organization, Network, Service / Server, Application, Client, and back to Human / Organization.]

The Early Years
• Those were the days
  – Software vulnerabilities weren't significant - most were based on
    configuration weakness
  – Only a handful of people understood how to exploit technologies
  – Small Target Surface - Few internet-connected computers
  – Focus was on phone phreaking and academia

• Social Engineering reigned supreme
  – Most successful attacks involved social engineering
  – Unsophisticated controls environments
  – Few understood the jargon
  – Policies encouraged trust over security

The Kevins

The Internet Era
• Two Vital Dates
  – October 13, 1994
    • Mosaic Netscape 0.9 released
    • The web becomes easy to navigate
  – August 24, 1995
    • Windows 95 Released
    • Home computer use proliferates massively

• The Internet Experiences exponential growth
  – Money starts to change hands
  – Internet connected computers become a viable target

• This creates a target rich environment...


Attacking Computers Directly
• Phrack 49 - November 8, 1996.
  – Aleph1 - Smashing the Stack for Fun and Profit

• Readily available exploit code actually makes breaking in
  to computers easier
  – The “golden age” of server hacking begins.

• 1996-2003 - More of the same
  – Memory attacks become more sophisticated
  – Polymorphic shell-code designed to evade detective controls
  – More advanced use of memory spaces (format strings, integer
    exploits)




August 4, 2004
• Windows XP Service Pack 2
  Appears
  – Microsoft finally hardens their operating
    systems
  – The world changes overnight
  – Security is now baked in to the computer.

• Server based vulnerabilities
  disappear
  – As massive server-based vulnerabilities
    disappear, client interaction becomes key
  – The number of issues continues to
    increase, but the type of issues starts to
    change radically

  Source: IBM/ISS X-Force:
  http://blogs.iss.net/archive/2007XFReport-Day1.html

Difficulty of Exploitation

[Figure: difficulty of exploit plotted against year (1985, 1995, 2005), with one curve for human vulnerabilities and one for technical vulnerabilities.]

The New Vulnerable Element
• Since 2005
  – No major direct-exploitation worm outbreaks
  – Less than a handful of “remote root” direct exploitation
    vulnerabilities

• Major Classes of Attacks
  – Drive-by Download
  – Exploitation through Email, Web and Social Networking Sites
  – Phishing / Pharming / Spear-Phishing


• What's the similarity?
  – If you said “human interaction”, you get a gold star.


The human is the main exploit target again.




           Back to that comment about human stupidity...
Social Engineering
• Defined (by Wikipedia):
  – “The practice of obtaining confidential information by manipulating users.”

• The Art of Exploiting Human Weakness
  – Humans are social creatures
  – Human nature makes us vulnerable to each other
  – Social engineers exploit weaknesses in human nature to obtain
    information or access to computer systems.

• A Confidence Trick
  – Social Engineering is the age-old art of the “Confidence Man”
  – Wikipedia: “For confidence tricks dealing with information theft or computers
    see social engineering.”
  – Studying the con man gives us insight into social engineers

When I say 'Social Engineering',
that's not what you think about, is it?




           I hate movies at this point in the talk.
Hollywood Style
• Most people have 3 concepts of social engineering...
  – The Technical Social Engineering Attack
  – The “Pretext”
  – The “Sneakers” Attack

• These only scratch the surface
  – What we read in the media only serves to reinforce these
    perceptions
  – Sophisticated social engineering is significantly more dangerous
  – Those who get caught are the ones who we hear most about.

• Two examples to expand your mind...



Hypnotic Robbery
• Humorous example of face-to-face human exploitation
  – Convenience store robbery performed by “hypnosis”
  – Ideal example of social engineering

• From a news report
  (http://www.wmur.com/news/14212889/detail.html):
    Police said that two Indian Punjabi men stole more than $1,000 from the
    Marlborough Country Convenience Store on Monday. The men told the
    storeowner that they were guruji, a type of Hindu priest, and that they could
    read his mind, police said....
    Patel said the scam began with a simple mind game. The men asked him what
    his favorite flower was, and they opened a paper with the correct answer on it:
    "Rose." They then told him to think of a wild animal, and they again had written
    down his choice....
    "They also said my wife's name that not too many people know," Patel said. "My
    mom's name, they told me. And they told me what was my future goal."


Not funny at all: ChoicePoint

 Over 163,000 identities compromised.
 Cost to the company: approx. $40M USD
 FTC civil penalty and consumer redress: $15M USD

How it works
• The limit of imagination
  – Social engineering takes a huge number of forms
  – Common theme: the use of influence and misdirection to
    obtain inappropriate information and access



• Knowing your enemy
  – Generally part of criminal enterprise
  – Somewhat risk averse
  – Well-developed social skills




The Basic Skill Set
• 3 Parts to Exploiting Humans
  – Communication
  – Awareness
  – Frame Control

• Most think only of the first
  – Ears, Eyes and other senses are in proportion
  – Most instructors focus on communication and leave the success
    of the other two elements to chance and natural talent
  – Some believe that social engineers can not be taught
  – Unfortunately, the bad guys are training on these skills.




Language can both represent reality and shape it.
                              Chris Keeler and Linda Ferguson
Communication
• The art of communication
  – Language is the first skill of the social engineer
  – Ability to craft words is first step in influence

• Language is not real
  – Incomplete representation of reality
  – Incompleteness creates opportunity

• Dual Purpose of Language
  – Information Transfer
  – Influence




Awareness
• Words are meaningless without awareness of what is
  working
  – Your awareness of others acts as a compass
  – You need to see and hear the effect of your words

• Two main types of awareness
  – Body language
  – Facial expressions

• Creating Rapport
  – The feeling of being “in sync” with someone else
  – Putting ourselves in the same state as our target



Frame Control
• Cognitive Frames
  – Wikipedia: "the inevitable process of selective influence over the individual's
    perception of the meanings attributed to words or phrases. Framing defines the
    packaging of an element of rhetoric in such a way as to encourage certain
    interpretations and to discourage others"
  – The frame is the context in which the content of an interaction
    occurs

• Frame control
  – Transformation
  – Extension / Contraction
  – Combination
  – Amplification / Compression



The Elements of Influence
• Creating a frame with certain elements can enhance
  influence
  – Reciprocity
  – Authority
  – Social Proof
  – Confirmation
  – Emotional / Amygdala hijack
  – Confusion

• Inserting these elements within a frame can strengthen
  influence
  – These are natural human responses
  – We use these responses to create a context for influence

Protecting Yourself
• Question: How do you protect your organization against
  social engineering?
  – Far too often, the answer is a vague “security awareness”
  – Unfortunately, "awareness" isn't easily attained
  – Most “awareness training” is a complete waste of time

• The Key Word: Measurability
  – How do you know whether your security awareness exercises are
    getting through to your people?
  – Is your awareness training tracking against actual metrics?
  – Do you follow up your awareness exercises with real tests of your
    people and of the effectiveness of your training cycle?
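Two points in this talk can be exercised in code: the influence elements a lure leans on (the Elements of Influence slide) and the demand on this slide that awareness work be measured against real tests rather than assumed. The following Python is an added example, not code from the talk or from Foreground Security. It is a scorecard over constructed phishing-simulation results, with hypothetical department names, lure labels and a 30-recipient minimum sample size; it reports click and report rates per cycle, per lure type and per department, checks whether a training cycle actually moved the click rate (non-overlapping Wilson intervals), and names the cohort and lure the next cycle should target.

```python
# Phishing-simulation scorecard (added example; not code from the original slides).
# All campaign data below is CONSTRUCTED for illustration; department names,
# lure labels and the min_sent threshold are hypothetical.
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class SimResult:
    campaign: str     # training cycle the simulated phish belonged to
    department: str
    lure: str         # influence element the lure relied on (authority, reciprocity, ...)
    clicked: bool     # recipient followed the link / opened the attachment
    reported: bool    # recipient reported the message to security


def make(campaign, department, lure, sent, clicked, reported):
    """Expand aggregate counts into one SimResult per recipient (constructed-data helper).
    Clickers and reporters are kept disjoint so the two rates are easy to read."""
    assert clicked + reported <= sent, "clickers and reporters are disjoint in this sample"
    return [SimResult(campaign, department, lure,
                      clicked=i < clicked,
                      reported=clicked <= i < clicked + reported)
            for i in range(sent)]


# Hypothetical results: cycle1 before targeted training, cycle2 after it.
RESULTS = (
    make("cycle1", "finance", "authority", 40, 24, 4)
    + make("cycle1", "finance", "reciprocity", 40, 10, 6)
    + make("cycle1", "engineering", "authority", 40, 10, 12)
    + make("cycle1", "engineering", "reciprocity", 40, 4, 16)
    + make("cycle2", "finance", "authority", 40, 7, 12)
    + make("cycle2", "finance", "reciprocity", 40, 3, 10)
    + make("cycle2", "engineering", "authority", 40, 4, 14)
    + make("cycle2", "engineering", "reciprocity", 40, 2, 18)
)


def rates(results, key):
    """Click and report rates grouped by key(result). Raw counts are kept so
    callers can judge sample size before trusting a rate."""
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        k = key(r)
        sent[k] += 1
        clicks[k] += r.clicked
        reports[k] += r.reported
    return {k: {"sent": sent[k], "clicked": clicks[k],
                "click_rate": clicks[k] / sent[k],
                "report_rate": reports[k] / sent[k]} for k in sent}


def wilson(successes, n, z=1.96):
    """Wilson score interval for a proportion; behaves better than the normal
    approximation at the small n a single department produces."""
    if n == 0:
        return (0.0, 1.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def compare_cycles(results, before, after, min_sent=30):
    """Did the click rate fall from `before` to `after`? Non-overlapping Wilson
    intervals are the bar; too few recipients in either cycle is 'inconclusive'."""
    by_campaign = rates(results, lambda r: r.campaign)
    b, a = by_campaign.get(before), by_campaign.get(after)
    if not b or not a or b["sent"] < min_sent or a["sent"] < min_sent:
        return {"verdict": "inconclusive", "before": b, "after": a}
    b_lo, b_hi = wilson(b["clicked"], b["sent"])
    a_lo, a_hi = wilson(a["clicked"], a["sent"])
    if a_hi < b_lo:
        verdict = "improved"
    elif a_lo > b_hi:
        verdict = "worse"
    else:
        verdict = "no_measurable_change"
    return {"verdict": verdict, "before": b, "after": a,
            "before_ci": (b_lo, b_hi), "after_ci": (a_lo, a_hi)}


def weakest_cohort(results, campaign):
    """(department, lure) with the highest click rate in one campaign:
    where the next training cycle should aim."""
    cohort = rates([r for r in results if r.campaign == campaign],
                   lambda r: (r.department, r.lure))
    return max(cohort, key=lambda k: cohort[k]["click_rate"])


if __name__ == "__main__":
    print(compare_cycles(RESULTS, "cycle1", "cycle2")["verdict"])
    print(rates(RESULTS, lambda r: r.lure))
    print(weakest_cohort(RESULTS, "cycle2"))
```

Report rate is tracked beside click rate because a rising report rate is the clearer sign that training is working: people who recognise the lure and tell you about it are the control you actually want. Tagging each lure with the influence element it used shows which element your people still fall for, which is a more useful result than a single organisation-wide click percentage.
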
Questions?




     Feel free to email:
mike@foregroundsecurity.com

 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 

Issa Seattle 5 09 Social Engineering

  • 1. Everything Old is New Again Back to the Social Engineering Future © 2008 – Foreground Security. All rights reserved
  • 2. Only two things are infinite: the universe and human stupidity. And I'm not sure about the former. - Albert Einstein
  • 3. Only two things are infinite: the universe and human stupidity, And I'm not sure about the former. Albert Einstein
  • 4. Agenda • The Changing Threat Environment • What is Social Engineering – The usual suspects – What it really looks like • How does it work? – The art of exploiting humans – The 3 Skills of Social Engineering • How do you protect yourself? © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 6. The History of Security [timeline figure, 1985 to 2005, with the target layers Human, Network, Server, Web App, Client and Organization. Events plotted: Morris Worm, Kevin Poulsen, Kevin Mitnick, SATAN, Nessus, Snort, Melissa, Loveletter, Code Red, Nimda, Slammer, Blaster, Sasser, Spyware, Phishing. Products plotted: Commercial Firewalls, Commercial IDS, Commercial Vulnerability Assessment, Commercial Vulnerability Management, Commercial IPS & UTM, SIM/SEM, Commercial Anti-Spyware, Data Leakage Prevention. Marker: "You Are Here".]
  • 7. The Vulnerability Cycle [cycle diagram with the nodes Human / Organization, Network Service / Server, Application and Client]
  • 8. The Early Years • Those were the days – Software vulnerabilities weren't significant - most based on configuration weakness – Only a handful of people understood how to exploit technologies – Small target surface - few internet-connected computers – Focus was on phone phreaking and academia • Social Engineering reigned supreme – Most successful attacks involved social engineering – Unsophisticated controls environments – Few understood the jargon – Policies encouraged trust over security
  • 9. The Kevins
  • 10. The Internet Era • Two Vital Dates – October 13, 1994 • Mosaic Netscape 0.9 released • The web becomes easy to navigate – August 24, 1995 • Windows 95 released • Home computer use proliferates massively • The Internet experiences exponential growth – Money starts to change hands – Internet-connected computers become a viable target • This creates a target-rich environment...
  • 11. Attacking Computers Directly • Phrack 49 - November 8, 1996. – Aleph1 - Smashing the Stack for Fun and Profit • Readily available exploit code actually makes breaking into computers easier – The "golden age" of server hacking begins. • 1996-2003 - More of the same – Memory attacks become more sophisticated – Polymorphic shellcode designed to evade detective controls – More advanced use of memory spaces (format strings, integer exploits)
  • 12. August 4, 2004 • Windows XP Service Pack 2 appears – Microsoft finally hardens their operating systems – The world changes overnight – Security is now baked into the computer. • Server-based vulnerabilities disappear – As massive server-based vulnerabilities disappear, client interaction becomes key – The number of issues continues to increase, but the type of issues starts to change radically (Source: IBM/ISS X-Force: http://blogs.iss.net/archive/2007XFReport-Day1.html)
  • 13. Difficulty of Exploitation [chart: Difficulty of Exploit on the vertical axis against the years 1985, 1995 and 2005 on the horizontal axis, with two curves labelled Human Vulnerabilities and Technical Vulnerabilities]
  • 14. The New Vulnerable Element • Since 2005 – No major direct-exploitation worm outbreaks – Fewer than a handful of "remote root" direct-exploitation vulnerabilities • Major Classes of Attacks – Drive-by Download – Exploitation through Email, Web and Social Networking Sites – Phishing / Pharming / Spear-Phishing • What's the similarity? – If you said "human interaction", you get a gold star.
  • 15. The human is the main exploit target again. Back to that comment about human stupidity...
  • 16. Social Engineering • Defined (by Wikipedia): – "The practice of obtaining confidential information by manipulating users." • The Art of Exploiting Human Weakness – Humans are social creatures – Human nature makes us vulnerable to each other – Social engineers exploit weaknesses in human nature to obtain information or access to computer systems. • A Confidence Trick – Social Engineering is the age-old art of the "Confidence Man" – Wikipedia: "For confidence tricks dealing with information theft or computers see social engineering." – Studying the con man gives us insight into social engineers
  • 17. When I say 'Social Engineering', that's not what you think about, is it? I hate movies at this point in the talk.
  • 18. Hollywood Style • Most people have 3 concepts of social engineering... – The Technical Social Engineering Attack – The "Pretext" – The "Sneakers" Attack • These only scratch the surface – What we read in the media only serves to reinforce these perceptions – Sophisticated social engineering is significantly more dangerous – Those who get caught are the ones we hear most about. • Two examples to expand your mind...
  • 19. [image-only slide]
  • 20. Hypnotic Robbery • Humorous example of face-to-face human exploitation – Convenience store robbery performed by "hypnosis" – Ideal example of social engineering • From a news report (http://www.wmur.com/news/14212889/detail.html): Police said that two Indian Punjabi men stole more than $1,000 from the Marlborough Country Convenience Store on Monday. The men told the storeowner that they were guruji, a type of Hindu priest, and that they could read his mind, police said.... Patel said the scam began with a simple mind game. The men asked him what his favorite flower was, and they opened a paper with the correct answer on it: "Rose." They then told him to think of a wild animal, and they again had written down his choice.... "They also said my wife's name that not too many people know," Patel said. "My mom's name, they told me. And they told me what was my future goal."
  • 21. Not funny at all: ChoicePoint. Over 163,000 identities compromised. Cost to the company: approx. $40M USD. FTC penalties levied: $15M USD ($10M civil penalty plus $5M in consumer redress)
  • 22.
  • 23. How it works • The limit of imagination – Social engineering takes a huge number of forms – Common theme: the use of influence and misdirection to obtain inappropriate information and access • Knowing your enemy – Generally part of a criminal enterprise – Somewhat risk averse – Well-developed social skills
  • 24. The Basic Skill Set • 3 Parts to Exploiting Humans – Communication – Awareness – Frame Control • Most think only of the first – Ears, eyes and other senses are in proportion – Most instructors focus on communication and leave the success of the other two elements to chance and natural talent – Some believe that social engineers cannot be taught – Unfortunately, the bad guys are training on these skills.
  • 25. Language can both represent reality and shape it. Chris Keeler and Linda Ferguson
  • 26.
  • 27. Communication • The art of communication – Language is the first skill of the social engineer – Ability to craft words is the first step in influence • Language is not real – Incomplete representation of reality – Incompleteness creates opportunity • Dual Purpose of Language – Information Transfer – Influence
  • 28.
  • 29. Awareness • Words are meaningless without awareness of what is working – Your awareness of others acts as a compass – You need to see and hear the effect of your words • Two main types of awareness – Body language – Facial expressions • Creating Rapport – The feeling of being "in sync" with someone else – Putting ourselves in the same state as our target
  • 30. Frame Control • Cognitive Frames – Wikipedia: "the inevitable process of selective influence over the individual's perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others" – The frame is the context in which the content of an interaction occurs • Frame control – Transformation – Extension / Contraction – Combination – Amplification / Compression
  • 31. The Elements of Influence • Creating a frame with certain elements can enhance influence – Reciprocity – Authority – Social Proof – Confirmation – Emotional / Amygdala hijack – Confusion • Inserting these elements within a frame can strengthen influence – These are natural human responses – We use these responses to create a context for influence
  • 32.
  • 33. Protecting Yourself • Question: How do you protect your organization against social engineering? – Far too often, the answer is a vague "security awareness" – Unfortunately, "awareness" isn't easily attained – Most "awareness training" is a complete waste of time • The Key Word: Measurability – How do you know whether your security awareness exercises are getting through to your people? – Is your awareness training tracking against actual metrics? – Do you follow up your awareness exercises with real tests of your people and of the effectiveness of your training cycle?
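An added example, not from the original deck, of what "measurability" looks like in practice: a small Python script that turns a phishing-simulation event log into the numbers slide 33 asks for (click rate, credential-submission rate, report rate, how many people reported without clicking, and how fast the first reports arrive), then checks whether the training cycle between two campaigns actually moved those numbers. The log format, the campaign names Q1/Q2 and the event names are assumptions; the sample log is constructed for illustration.

```python
"""Measuring a phishing-simulation campaign instead of assuming "awareness" worked.

Added example, not part of the original deck. The event log format, campaign
names and event names below are assumptions; the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, one event per line: "campaign,user,event,timestamp".
# Events: sent, clicked (followed the lure), submitted (entered credentials),
# reported (forwarded the mail to the SOC).
SAMPLE_LOG = """\
Q1,alice,sent,2009-02-02T09:00:00
Q1,alice,clicked,2009-02-02T09:04:10
Q1,alice,submitted,2009-02-02T09:05:02
Q1,bob,sent,2009-02-02T09:00:00
Q1,bob,reported,2009-02-02T09:12:00
Q1,carol,sent,2009-02-02T09:00:00
Q1,carol,clicked,2009-02-02T10:30:00
Q1,dave,sent,2009-02-02T09:00:00
Q2,alice,sent,2009-05-04T09:00:00
Q2,alice,reported,2009-05-04T09:03:30
Q2,bob,sent,2009-05-04T09:00:00
Q2,bob,reported,2009-05-04T09:01:00
Q2,carol,sent,2009-05-04T09:00:00
Q2,carol,clicked,2009-05-04T09:20:00
Q2,carol,reported,2009-05-04T09:25:00
Q2,dave,sent,2009-05-04T09:00:00
"""


def parse_log(text):
    """Return {campaign: {user: {event: first_timestamp}}}."""
    data = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, user, event, ts = line.split(",")
        when = datetime.fromisoformat(ts)
        # Keep only the earliest timestamp per (user, event); repeats are noise here.
        data[campaign][user].setdefault(event, when)
    return data


def campaign_metrics(events):
    """Compute the numbers that make 'awareness' measurable for one campaign."""
    targets = [u for u, ev in events.items() if "sent" in ev]
    n = len(targets)
    if n == 0:
        raise ValueError("campaign has no 'sent' events")
    clicked = [u for u in targets if "clicked" in events[u]]
    submitted = [u for u in targets if "submitted" in events[u]]
    reported = [u for u in targets if "reported" in events[u]]
    # Users who reported without ever clicking: the behaviour training should produce.
    clean_reports = [u for u in reported if u not in clicked]
    report_minutes = [
        (events[u]["reported"] - events[u]["sent"]).total_seconds() / 60
        for u in reported
    ]
    return {
        "targets": n,
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "clean_report_rate": len(clean_reports) / n,
        "median_minutes_to_report": median(report_minutes) if report_minutes else None,
    }


def all_metrics(text):
    """Per-campaign metrics for a whole log, keyed by campaign name."""
    data = parse_log(text)
    return {c: campaign_metrics(ev) for c, ev in sorted(data.items())}


def improved(before, after):
    """Did the training cycle between two campaigns move the needle?

    Require fewer clicks AND more reports: either number alone is easy to game
    (a lure nobody opened also has a low click rate).
    """
    return (after["click_rate"] < before["click_rate"]
            and after["report_rate"] > before["report_rate"])


if __name__ == "__main__":
    metrics = all_metrics(SAMPLE_LOG)
    for name, values in metrics.items():
        print(name, values)
    print("training effective:", improved(metrics["Q1"], metrics["Q2"]))
```

The `improved()` check deliberately requires both a lower click rate and a higher report rate: a campaign whose click rate fell only because fewer people opened the mail says nothing about whether they would report a real lure, while the clean-report rate and time-to-report tell you whether the SOC would have heard about it in time to act.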
  • 34. Questions? Feel free to email: mike@foregroundsecurity.com

Editor's Notes

  1. The information security world exists on an incredibly short (20 year) timeframe. Even taking a *REALLY* long view, the entire Infosec industry extends only back as far as the mid-80s, AROUND 20 YEARS.
     Those were the days
     – Vulnerabilities weren't significant
     – Only a handful of people understood how to exploit technologies
     – Most vulnerabilities were based on weaknesses in configuration
     – Few internet-connected computers
     – Focus was on phone phreaking and academia
     Social Engineering reigned supreme
     – Most successful attacks involved social engineering
     – Unsophisticated controls environments
     – Few understood the jargon
     – Policies encouraged trust over security
     Two Vital Dates
     – October 13, 1994: Mosaic Netscape 0.9 released; the web becomes easy to navigate
     – August 24, 1995: Windows 95 released; home computer use proliferates massively
     The Internet experiences exponential growth
     – Money starts to change hands
     – Internet-connected computers become a viable target
     – This created a target-rich environment...
     Phrack 49 - November 8, 1996
     – Aleph1 - Smashing the Stack for Fun and Profit
     – The first real sophisticated vulnerabilities start to emerge
     – A buffer overflow required knowledge of assembly and coding skill
     – Hackers now had to be more technical
     – Readily available exploit code actually makes breaking into computers easier
     – The "golden age" of server hacking begins.
     1996-2003 - More of the same
     – Memory attacks become more sophisticated
     – Polymorphic shellcode designed to evade detective controls
     – More advanced use of memory spaces (format strings, integer exploits)
     Windows XP Service Pack 2 appears
     – Microsoft finally hardens their operating systems
     – The world changes overnight
     – Security is now baked into the computer.
     Server-based vulnerabilities disappear
     – As massive server-based vulnerabilities disappear, client interaction becomes key
     – The number of issues continues to increase, but the type of issues starts to change radically
     Since 2005
     – No major direct-exploitation worm outbreaks
     – Fewer than a handful of "remote root" direct-exploitation vulnerabilities
     Major Classes of Attacks
     – Drive-by Download
     – Exploitation through Email
     – Exploitation through Social Networking Sites
     – Phishing / Pharming / Spear-Phishing
     What's the similarity?
     – If you said "human interaction", you get a gold star.