This document discusses social engineering techniques used to gain unauthorized access to information systems. It defines social engineering and provides examples of common methods like pretexting, phishing, and exploiting human trust relationships. Specific tactics like establishing credibility through small details and transferring trust between individuals are examined. The importance of security awareness training and careful handling of personal information are emphasized to combat social engineering threats.
2. Today’s Chocolate Bar
• Nestle Crunch, created in 1938
• Current slogan is “For the kid in you”…BORING
• Bunch-a-crunch controversy
• "Betcha Can't Crunch This!"
4. WARNING
• I use REAL people as examples in this presentation
• I do this not to mock them, or intimidate them, but to impress upon them in the most real way I know of, the importance of sharing information about themselves only on a “need to know basis” in public forums
5. Social Engineering
• No matter how many security measures you introduce, there is one which proves to be the most challenging…
• How do we secure human beings?
6. Social Engineering Defined
• The use of psychological tricks in order to get useful information about a system
• Using psychological tricks to build inappropriate trust relationships with insiders
7. Kevin Mitnick
• World’s most famous Social Engineer
• “The weakest link in the security chain is the human element”
• Half of his exploits involved using social engineering
• See the master in action!
8. Social Engineering
• Social Engineering goes back to the first lie ever told and will continue into the future.
• Social Engineering is successful because people are generally helpful, especially to those who are:
  • Nice
  • Knowledgeable
  • Insistent
9. Three Primary Methods of Social Engineering
• Flattery
• Authority Impersonation
• Threatening Behavior
10. Helpful By Default
• We don’t see a motive to hack our network. “If I see it every day, it can’t be important.“
• Industrial Espionage
• Revenge
• Just for fun
11. How Does It Happen?
• “An ounce of prevention is worth a pound of cure!”
• The Social Engineer uses simple information found online, or by making a basic phone call into the office
• That stuff really isn’t that easy to get…Don’t be dramatic!
12. Let’s Set Up a Case Scenario Using a Method Called Pretexting
• Meet Angry Cow
• Computer Science Student at UW-Madison
• Angry Cow just got an eviction notice
13. Case Continued – Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record keeping spreadsheet to show that rent has been paid
14. Next – Finding A Way In…
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of important information there that might not seem important, but could be his first step in…
• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice
16. Let’s See – Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments
17. Let’s See – David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments
18. Let’s See – Andrew Baldinger – I think I might know this guy!
• March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments!
19. Let’s Start with Danielle Treu
• Her Facebook profile is public, but she is intelligent. She keeps her contact information private
• But, her profile does say that she attends UW-Madison…
• I wonder if they have some more public information about her
20. The Research, Phase II
• I’m so thankful for the UW Whitepages!
• Remember, this is PUBLIC information!
• I got her email address!
22. Establishing the Trust
• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
• Angry Cow shows up later that day; David is expecting him
• Angry Cow identifies himself as Andrew and asks David for the key to the server room
23. The Hack
• Angry Cow gets physical access to the server, uses Ophcrack (just like we did in class to get the Admin username)
• Angry Cow logs into the server and alters accounting files to indicate that his rent has been paid
24. Summary of This Example
• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Julie trusts Andrew and David trusts Julie, therefore David will trust Andrew—even if “Andrew” really is Angry Cow!
• Built a credible story
• Based on PRETEXTING
25. Let’s Watch Another Example
• Silence of the Lambs movie scene
• Notice how they both establish trust through the use of kindness or perceived kindness
26. How to Keep Social Engineering From Working
• Administrators need to:
  • Establish Policies
  • Train Employees
  • Run Drills
• Office Workers:
  • Need to be aware of Social Engineering tactics
  • Follow policies
27. Let’s Watch the AT&T Internal Social Engineering Training Video
• Which Social Engineering techniques can you identify in the video? (Flattery, Authority, Threats)
• How would you CLASSIFY this video? (Remember Data Classification)
• What is going on at AT&T?
28. Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
29. Pretexting
• It's more than a simple lie, as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
30. Is This Really a Threat to Businesses? PRETEXTING
• So far, this just looks like a technique employed by angry individuals.
• Did you know that Hewlett Packard regularly engaged in Social Engineering?
• They used the method of PRETEXTING in order to get phone records
• Let’s watch the testimony of Patricia Dunn, Director of HP
31. Pretexting Will Likely Continue
• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is the most common form of Social Engineering
32. Phishing
• Phishing is the use of email as a means to extract personal information from a user
• A variant is called IVR Phone Phishing
33. Phishing Continued
• Direct you towards bogus (fake) websites
• Purpose is to harvest information
• PayPal example – I don’t even have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!
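The “don’t click on links directly” advice amounts to checking where a link really goes before trusting it. The block below is an added example, not code from the original slides: it scans a constructed HTML e-mail for the link tricks a phishing filter looks for (visible text naming one domain while the href points to another, a bare IP address as the target, a brand name buried in an unrelated domain). The brand allow-list and the PayPal-themed sample lure are constructed assumptions.

```python
# Added example for this lecture, not code from the original slides. The
# heuristics, the brand allow-list and the sample lure are all constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Assumption: a brand name inside a hostname should only ever belong to that
# brand's own registered domain (tiny constructed allow-list).
BRAND_DOMAINS = {"paypal": "paypal.com"}


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_of(s: str) -> str:
    """Hostname of a URL (or of text that may be a URL); '' if there is none."""
    try:
        return urlparse(s if "://" in s else "http://" + s).hostname or ""
    except ValueError:
        return ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(href: str, text: str) -> list:
    """Indicators for one link: bare IP host, text/href mismatch, lookalike."""
    findings = []
    host = hostname_of(href)
    if not host:
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("link target is a bare IP address")
    except ValueError:
        pass
    shown = hostname_of(text)  # the domain the reader believes they are clicking
    if "." in shown and registered_domain(shown) != registered_domain(host):
        findings.append(f"text shows {shown} but link goes to {host}")
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and registered_domain(host) != real:
            findings.append(f"'{brand}' appears in {host}, which is not {real}")
    return findings


def scan_email_html(body: str) -> dict:
    """Map each suspicious href in an HTML e-mail body to its indicators."""
    parser = LinkCollector()
    parser.feed(body)
    return {h: f for h, t in parser.links if (f := link_findings(h, t))}


# Constructed sample lure of the PayPal kind the slide mentions.
SAMPLE_EMAIL = """<p>Dear customer, your account is limited.</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<a href="http://203.0.113.10/update">Update now</a>
<a href="https://www.paypal.com/help">Help Center</a>"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The legitimate help-centre link produces no finding, which is the point: the check is about where the link goes, not about which brand it mentions.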
34. TROJAN HORSE
• Is a virus or malware, disguised in such a way as to appeal to a person’s curiosity or greed
• Usually arrives in the form of an email with an attachment
• ILOVEYOU virus is an example of a Trojan Horse
• Adware hiding inside downloads is another example
35. Road Apples
• Road Apples are also known as Baiting
• Uses physical media and relies on the curiosity or greed of the victim
• USB drives or CDs found in the parking lot, with label: 3M Executive Salaries
• Autorun on inserted media
36. Quid Pro Quo
• Means “something for something”
• A person contacts people one by one, until he/she finds a person with a problem
• When they find a person, they “fix” their problem by introducing malware to their machine
37. Summary – Today’s Takeaways
• Social Engineering involves manipulating others to get access
• Main techniques are: Flattery, Authority, Threatening
• Main types are: Pretexting, Phishing, Trojan Horses and Quid Pro Quo
38. Ways to Combat Social Engineering
• Good security policy
• Make sure your employees understand dangers and threats
• Make sure employees understand what Data Classification means and what type of information you publicly give away
39. Most Important Gem of Wisdom in Defeating Social Engineering
• Never, never give out username, password, account number, SSN, etc. over the same channel used to initiate the request
• For example, if a phone call comes in asking for a SSN, send the SSN via email or regular mail