Social Engineering
What it is, and why we should be using it…
Hi… I’m Bob.
• Formerly a Network Engineer for over 15 years
• Ran the network that processed ~50% of the
gene sequencing of the Human Genome Project
for the US Government.
• Worked in Education (MIT), Government (USDOT),
Retail (TJX), Manufacturing, Healthcare, and
several other Industries.
• Moved to Security Research/Engineering several
years ago.
• Received Training in Social Engineering and
Penetration Testing.
• Participated in the DefCon 22 Social Engineering
Capture the Flag as a volunteer with only 20 hours
to gather information on my focus company, one
of the top 2 home improvement retailers.
• Participated as a full contestant in the DefCon 23
SECTF, placed 4th overall. Company focus was
one of the top US ISPs.
What is Social Engineering
What is it
What are the different types of SE
How does it work
How can we make it work for us
What is it?
In the context of Information Security, Social Engineering (SE) can be defined as:
A combination of social, psychological and information-gathering techniques that are used to manipulate people into granting access to information or locations that you are not authorized to access.
In other words, SE targets the weaknesses of human nature as a bridge to exploit weaknesses in an organization's security. By exploiting the human element, it is possible to gain access to vast amounts of sensitive information, often without the victim's knowledge. This information can then be used for other nefarious purposes.
Social engineering is not a "new thing". It has been around for hundreds, if not thousands, of years, quite possibly since the beginnings of civilization itself. It is only with the advent of computers and information technology that we have given these techniques a new name and description. A social engineer was previously known as a con artist, swindler, scammer, charlatan or rogue, along with dozens of other names going back through history…
Types of Social Engineering
• Phishing:
  • Trolling
  • Spear Phishing
  • Whaling
• Vishing:
  • Vishing (voice)
  • SMSishing (text)
• Impersonation:
  • Impersonation
  • Physical Security Compromise
  • Baiting
Phishing
Trolling
A trolling attack is the untargeted form: the attacker "spams" the users of the company, attempting to get as many clicks as possible.
Spear-Phishing
Spear-phishing focuses on specific individuals, correlating information found on social sites (Facebook, LinkedIn, etc.) and elsewhere on the web to tailor the attack to its target.
Whaling
Whaling is like spear-phishing, but the focus of the attack is the senior management group (CEO, CFO, CIO, Board of Directors, etc.).
Vishing
Vishing (Voice Attack)
A directed call to an individual or group attempting to gain information or some other advantage that allows the attacker to penetrate the company's defenses.
SMSishing (Text Attack)
In this attack vector, the attacker uses a text message to attempt to gain information, or sends a link that the receiver could follow and that could lead to a compromise of the phone or their computer.
Impersonation
Impersonation:
Conning your way into a facility using any method available, e.g. posing as a telecom employee.
Physical Security Compromise:
Breaking and entering, dumpster diving, jumping fences, modifying/evading cameras.
Baiting:
Uses physical media as a "Trojan horse". Relies on the greed/curiosity of the target/victim. Can take the form of an infected USB stick or CD; a title on the media can further entice the curiosity factor, e.g. "Employee Salaries 2015" or "New Company Acquisitions".
How does it work
And Why
People Are Vulnerable
• People are inherently lazy
• People want to be helpful
• People are curious
• People want to be noticed
• Social engineering IS the path of least resistance, and therefore it should be one of the biggest issues in information security!
Vulnerabilities
• Vulnerabilities in information systems are:
  • Reviewed
  • Scanned
  • Penetration tested
  • Remediated
But how can we measure and remediate vulnerability in people?
Only through education, training and understanding…
Who is Targeted by Social Engineering?
All Of Us!
Things we should NOT do.
• Don’t Shame
• Don’t Blame
• Don’t make your employees feel stupid
• Don’t make your employees feel bad for their behavior
• Companies, and people, typically avoid testing because
it makes them feel vulnerable. We need to change that
mentality so that testing makes them feel empowered.
Things We Should Do:
Teach your users:
• Don’t open an email from an unknown
sender, and even if you know the sender,
think about the email and ensure the
request is reasonable/expected.
• Never click on emailed links, even from
a known source. It is best practice to open
a browser, navigate to a known good
website, log in manually, and navigate to
the page described from within the browser.
• Exercise care when opening attachments.
Never “double click” any attachment even
from a known source. If the email is from
a known source but unexpected, contact
them to confirm that they in fact sent it.
Things We Should Do:
Educate your users to:
• Begin to recognize the different
signs of phishing emails. Even
though the SEs are getting better,
most phishing still exhibits the
telltale signs: misspellings,
incorrect sentence structure, and
incorrect/spoofed links (the visible
text names one site, the link goes
to another)
• Be aware and mindful when on
the phone, that all may not be as
it seems. If you don’t know the
person, and their identity cannot
be proven, Maybe you shouldn’t
give them the keys to the
kingdom…
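The "incorrect/spoofed links" sign is the one that can be checked mechanically rather than by eye. The following is an added example, not part of the original slides: a Python script that parses the HTML body of an email and flags anchors whose visible text names a different domain than the href, hosts that merely contain a trusted brand name (`example-bank.com.attacker.test`), and links to bare IP addresses. The trusted-domain list and the sample email body are assumptions constructed for the demo.

```python
"""Flag the link-level telltale signs of a phishing email.

Added example (not from the original slides). Standard library only.
TRUSTED_DOMAINS and SAMPLE_BODY are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Assumption: domains the organization's users legitimately receive links for.
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}

# Constructed sample: one honest link, one display/href mismatch,
# one lookalike host, one bare-IP link.
SAMPLE_BODY = """
<p>Your account needs verification. Please <a href="https://example-bank.com/login">sign in</a>.</p>
<p>Or use <a href="http://login-example-bank.com.attacker.test/verify">https://example-bank.com/verify</a></p>
<p>Secure portal: <a href="https://example-bank.com.secure-update.test/">example-bank.com</a></p>
<p>Alternate: <a href="http://203.0.113.7/login">click here</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); no public-suffix list in this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# A domain-looking token in the anchor's visible text, with optional scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def check_link(href, text):
    """Return a list of findings for one anchor; an empty list means clean."""
    findings = []
    host = urlsplit(href).hostname or ""
    if not host:                       # mailto:, relative links, etc.
        return findings
    if is_ip(host):
        findings.append(f"link to bare IP address {host}")
    target = registrable_domain(host)
    # Lookalike: a trusted name appears in the host but is not what it resolves under.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and target != trusted:
            findings.append(f"lookalike host {host} (contains {trusted}, registered under {target})")
    # Display/href mismatch: the visible text names a different domain than the href.
    m = _DOMAIN_IN_TEXT.search(text)
    if m:
        shown = registrable_domain(m.group(1))
        if shown != target:
            findings.append(f"text shows {shown} but href goes to {target}")
    return findings


def analyze_email(html_body):
    """Map each suspicious href to its findings; clean links are omitted."""
    parser = _LinkCollector()
    parser.feed(html_body)
    report = {}
    for href, text in parser.links:
        found = check_link(href, text)
        if found:
            report[href] = found
    return report


if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_BODY).items():
        print(href)
        for f in findings:
            print("   -", f)
```

The three tests (display/href mismatch, brand name buried in a longer host, bare IP) are exactly what users are being asked to do by eye; running them at the mail gateway or in a phish-report triage script catches the cases where the eye is too quick.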
Things We Should Do:
Create Company Policies:
• Have policies and procedures that make it harder for SEs to attack and gain
information.
• Use gamification to engage end users as your "eyes and ears" for social
engineering attacks. Maybe offer a day off for a confirmed find.
• If you're not an easy target, the SEs and hackers may move on to an easier one…
How can we make SE work
for Us?
• Open Source Intelligence (OSINT)
is intel that is in the open and
exposed to information gathering
techniques. Social Engineers use
this kind of information in their
attacks.
• Many of the Tools that social
Engineers use are Free or low
cost, and are downloadable on
the internet.
• By either employing an SE firm to
test, or doing the testing yourself,
you can begin to understand the
scope of your organization's
vulnerability to SE attacks.
OSINT
Open Source Intelligence
Open-source intelligence (OSINT)
is intelligence collected from
publicly available sources such as
social media and corporate
public-facing servers (DMZ). In
the intelligence communities, the
term "open" refers to overt,
publicly available sources, as
opposed to covert or clandestine
sources.
OSINT is in no way related to
open source software.
What are some of the things you
can expect to find with OSINT?
• IP Address Blocks, DNS
Information
• Phone Numbers (Internal and
external)
• Email Addresses and their
layout standard
• User Names and Passwords
• Financial Information
• Policies and Procedures
• Pictures with actionable Intel
• Access control Documentation
• "Compliance" type information
(PII/PCI/HIPAA, etc.)
• Information on company
hardware, specs/vendors/
quantity
• Maps and/or design
documentation (Reporting
Structure, Network and Facility)
• 3rd party vendor information
• Company badge information
• Network and computer
information (OS, Software/
versions, Hardware/Appliances,
Geolocation, Metadata)
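Several items on that list (author names, the email layout standard, software versions) fall out of one source: the metadata inside documents a company publishes on its own web servers. The script below is an added example, not from the original slides and not the code of FOCA, Metagoofil or ExifTool; it shows in plain Python what those tools automate: pull `/Author`, `/Creator` and `/Producer` out of harvested PDFs, learn the email naming convention from a few addresses already found, and combine the two into candidate addresses for a pretext. The PDF fragments, names, addresses and domain are all constructed for the demo.

```python
"""Turn leaked document metadata into an OSINT target list.

Added example (not from the original slides). Standard library only.
HARVESTED_PDFS, KNOWN_EMAILS and KNOWN_PEOPLE are constructed for the demo.
"""
import re
from collections import Counter

# Constructed: minimal PDF fragments; only the Info dictionary matters here.
HARVESTED_PDFS = [
    b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Vendor List) /Author (Jane Doe) "
    b"/Creator (Microsoft Word 2013) /Producer (Acrobat Distiller) >>\nendobj\n%%EOF",
    b"%PDF-1.5\n1 0 obj\n<< /Author (Wei Zhang) /Creator (LibreOffice 4.2) >>\nendobj\n%%EOF",
    b"%PDF-1.4\n1 0 obj\n<< /Author (Jane Doe) /Producer (GPL Ghostscript) >>\nendobj\n%%EOF",
]

# Constructed: addresses already recovered from the web, and whose they are.
KNOWN_EMAILS = ["john.smith@corp.example", "maria.garcia@corp.example", "jsmith@corp.example"]
KNOWN_PEOPLE = [("John", "Smith"), ("Maria", "Garcia")]

# Literal-string Info fields: /Author (Jane Doe). Hex strings and fields inside
# compressed object streams are not handled by this demo; ExifTool/FOCA do that.
_INFO_FIELD = re.compile(rb"/(Author|Creator|Producer)\s*\(([^)]*)\)")

# Candidate local-part conventions, as functions of (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
}


def extract_pdf_metadata(pdf_bytes):
    """Return {field: value} for the Info fields found as literal strings."""
    return {k.decode(): v.decode("latin-1") for k, v in _INFO_FIELD.findall(pdf_bytes)}


def infer_email_format(emails, people):
    """Vote for the pattern that explains the most known addresses.

    Returns (pattern_name, domain). Each (first, last) in `people` is tried
    against every pattern; a pattern scores when it reproduces a known local part.
    """
    domain = Counter(e.split("@")[1] for e in emails).most_common(1)[0][0]
    local_parts = {e.split("@")[0].lower() for e in emails}
    votes = Counter()
    for name, fmt in PATTERNS.items():
        for first, last in people:
            if fmt(first.lower(), last.lower()) in local_parts:
                votes[name] += 1
    return votes.most_common(1)[0][0], domain


def candidate_emails(authors, pattern, domain):
    """Apply the inferred convention to harvested 'First Last' author names."""
    fmt = PATTERNS[pattern]
    out = set()
    for full in authors:
        parts = full.split()
        if len(parts) < 2:          # a bare username or department name; skip
            continue
        out.add(f"{fmt(parts[0].lower(), parts[-1].lower())}@{domain}")
    return sorted(out)


def build_target_list(pdfs, known_emails, known_people):
    """Authors and software from the documents, plus guessed addresses."""
    authors = set()
    software = Counter()
    for blob in pdfs:
        meta = extract_pdf_metadata(blob)
        if "Author" in meta:
            authors.add(meta["Author"])
        for field in ("Creator", "Producer"):
            if field in meta:
                software[meta[field]] += 1
    pattern, domain = infer_email_format(known_emails, known_people)
    return {
        "email_format": pattern,
        "candidates": candidate_emails(sorted(authors), pattern, domain),
        "software_seen": dict(software),
    }


if __name__ == "__main__":
    result = build_target_list(HARVESTED_PDFS, KNOWN_EMAILS, KNOWN_PEOPLE)
    print("email format :", result["email_format"])
    print("candidates   :", ", ".join(result["candidates"]))
    print("software seen:", result["software_seen"])
```

The defensive reading of the same script: strip Info dictionaries from documents before they go on a public server, and treat a single published address format as a leak in itself, because one known pair of name and address gives an attacker every other employee's address as soon as they have a staff list from LinkedIn.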
Tools that SEs use:
• SET (TrustedSec's Social-Engineer Toolkit)
• FOCA (network infrastructure mapper and document metadata analyzer)
• Maltego (information gathering and visualization app)
• Metasploit (both Pro and Community)
• IconoSquare (an Instagram photo analytics processor)
• Recon-ng (recon framework with many integrations to social sites)
• Dozens of others:
  • theHarvester
  • Shodan
  • Veil Framework
  • Metagoofil
  • strings
  • pdfgrep
  • ExifTool
  • ImagePicker
  • wget
  • GeoSetter
  • Google Hacking Database (GHDB)
  • BeEF
  • Honeyd
  • Cree.py
  • whois
  • CeWL
  • DNSRecon
  • Ninja Phishing Framework
  • and more being created every hour
of every day
Before you Start
• If you are Hiring, check
references. Many “Pen Testing
firms” are now claiming to do
Social Engineering. Require
documentation on their
process and procedures,
request proof, and examples
of their work…
• If you are doing this on your
own, Make sure to Learn First.
• In either case, As always in
Pen-testing, Line up your “Get
out of Jail Free cards”. Define
Scope, Define procedures, and
document EVERYTHING…
Social Engineering Process
• Recon and Information
Gathering
• Pretexting
• Exploitation
• Post Exploitation
Recon and Information
Gathering
• Gathering Public records
(Google, Wikipedia, City Hall,
Etc)
• Social Networks (LinkedIn,
FaceBook)
• Dumpster Diving (At the
company and employee’s
homes)
• Electronic Info gathering
(using SE toolsets)
Pretexting
• Create Believable Scenarios
• Choose Believable personas,
or actual persons to imitate
• PRACTICE, Practice, Practice!
Confidence is the key. If you
cannot believe in yourself, how
can you expect others to
believe you…
Exploitation
• Execute your scenarios
• Attack!
Post Exploitation Cleanup
• Document your compromises
• Compile Information
• Prepare your Reports
• Prepare Remediation efforts
• Remediate Systems
• Educate Users
• Perfect Policies
• Rinse and repeat: this should
be an ongoing campaign, and
quarterly is better than yearly.
Summary
• There is an astounding amount of OSINT that is leaking
from our companies and our employees
• Employees are a vulnerability
• Physical access to our facilities is in most cases easily
achievable
• These things are fixable with effort
What are the Fixes?
• Run Social Engineering
Campaigns against your
company
• Educate your Employees on
being less Vulnerable to SE
attempts
• Toughen Access to your
facilities
• Provide continuous training to
your employees, and create
and continue a campaign of
Social Engineering
assessments…
Thank You for your time and attention
Bob Hood
Principal Security Research Engineer, PTC
VP Operations, Principal Social Engineer, BitSafe.Systems
Email(s):
rhood@ptc.com - bob@bitsafe.systems
LinkedIn : http://tinyurl.com/BobHoodLinkedIn
Twitter: @RobertLHood
