Presentation with voice over: discussion of how social engineers can target a business as part of the preparation for a cyber attack, and how this gives us more opportunities to prevent or limit the effect of the attack through proper policy, use of resources and training.
Social Engineering, Insider Threats and Cyber Risks
1. Social Engineering, Insider and Cyber Threat
Mike Gillespie – MD Advent IM Ltd
The UK's Leading Independent, Holistic Security Consultancy
2. coming up
what we mean by Social Engineering and Insider Threat
what this means to Cyber Threat
buildings and technology, combined with people, offer cyber terrorists
and criminals not only more targets, but more tools
serious cyber crime can start before anyone logs onto anything
people are our weakest link and cross security disciplines
our attitude to security and security awareness training needs to evolve
joining the dots and the holistic approach
4. Social Engineering & Insider Threat
some images courtesy of freedigitalphotos.net
6. what does this mean for cyber threat and crime?
Intelligence gathering leads to a greater chance of cyber success
7. what does this mean for cyber threat and crime?
• Watched building to select target
• Researched target and ‘friends’ via social networks
• ‘Bumped into’ target and engaged in conversation – trust gained
• Followed target into building or posed as contractor
• ‘Borrowed’ their mobile device …and/or their pass card
• Gained access to server
The cyber attack technically starts here…
8. Joining the dots and the holistic approach
• Realistic holistic Threat and Risk Assessments that don’t isolate
‘cyber’
• Realistic appropriate action and policies
• C-level commitment and leadership
• Top down security culture health
• Holistic Security Awareness Training for all staff
• Regular refreshers as part of the virtuous security cycle
security evolution
9. Joining the dots…27001 in words…
• Continuous improvement (PDCA)
• Ensure and Assure
• Confidentiality, Integrity, Availability
• Risk based
• Proportionate
• Governance
• Compliance
10. the standard…
• Asset management
• HR
• Physical security
• Communications and Operations
• Access Control
• System Development
• DR, BCM and Incident Management
• Compliance
11. ISO27001 in pictures…
Development, maintenance & improvement cycle (plan, do, check, act): Establish the ISMS (plan); Implement & operate the ISMS (do); Monitor & review the ISMS (check); Maintain & improve the ISMS (act)
Input: information security requirements and expectations
Output: managed information security
12. And so…
people are our weakest link and cross security disciplines
buildings and technology, combined with people, offer cyber terrorists
and criminals not only more targets, but more tools
serious cyber crime can start before anyone logs onto anything
our attitude to security and security awareness training needs to evolve
13. thank you
Social Engineering, Insider and Cyber Threat
www.advent-im.co.uk
www.adventim.wordpress.com
@Advent_IM
www.linkedin.com/company/advent-im
0121 559 6699
0207 100 1124
Editor's Notes
An attack on an organisation can potentially start in unexpected ways that have nothing to do with the cyber world. Hackers on a mission for specific information (as opposed to those just trying to cause disruption) will carry out intelligence gathering prior to a targeted attack. This can take many forms. What we are saying is that the threat is holistic, and the targets in the key intelligence gathering phase may never have had any security awareness training whatsoever, or perhaps had some IT security training but the dots are not being joined. It may take days, weeks or months for it to come to light that an attack has taken place. If the threat is holistic, then the solution and the training have to be too.
So hackers hack people as well as networks and devices. In targeted attacks there is a lot of preparation, and when carrying out a threat assessment, rolling up the trousers in the style of the social engineer before diving into cyber threat is vital.
There is a myriad of potential weak areas for a social engineer to capitalise upon, or for the threat from insiders (however benign) to be realised:
• Tailgating into a building to get access.
• Charm offensive on reception or other staff members to get information: pretending to be a legitimate visitor who is lost, pretending to be an IT engineer who needs access to the server, or chatting someone up in order to get the inside track on who goes where, or whatever else it is you want.
• Pretending to be an angry visitor or boss. This may be shouting at the receptionist in an attempt to be let in, or shouting on the phone: pretending you are too busy and important to be bothered by a stupid security measure, and you are a director of the business anyway, get out of my way! In actual fact any decent director would be delighted if reception shows backbone and demands ID.
• Surveillance. Do staff notice someone hanging around watching the comings and goings? Do they challenge such behaviour? They could be watching who comes in when, or any number of other key factors.
• Gaining access to networks by swiping the passwords people leave lying around on post-it notes. Nuff said.
• Stealing ID cards, which have become so vital to many businesses, giving car park access, building access, meeting room access, restaurant and lunch access (you can use the Bacardi example but don't mention them by name), chef's list etc.
• Remember all of these could be carried out by a regular contractor who has been coerced into it, or who perhaps became a contractor with this express intention.
• People gossiping in the office around strangers: all sorts of info available.
• People hanging out together at the great level playing field that is the smoking area. Again, you potentially get access to C-level.
• What people post on social media sites without thinking about their jobs, colleagues or workplace: rich pickings for the social engineer. A bit like going through the bins….
• Theft of mobile devices.
All or any combination may be used in the intelligence gathering (trouser rolling up) phase of the attack. If none of these things have been scoped into security policies because “IT does security”, then the bomb is just waiting to go off for some organisations.
So the greater the level of intelligence gathered by these means, the greater the chance of a successful cyber attack. It could mean physical access to server rooms, or it may be information about who comes in when and what their habits are, to enable the theft of an ID card. It may mean regular visits from someone who befriends reception, such as a delivery guy. Stealing a company device left lying around. Pulling all of the intelligence together may mean not only that the cyber attack can progress, but that all the weakest points are known, and potentially that the period before discovery can be extended. It may mean the attack can be carried out more effectively and that greater volumes of information can be found, stolen or ruined. Bottom line: never assume the attack has merely started from the moment the system was breached.
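One concrete way of “joining the dots” between the physical intelligence-gathering phase described above and the logical break-in that follows is to correlate door-access (badge reader) logs with system logon logs, so that a stolen pass card or a server-room entry that has no matching logon (or vice versa) surfaces in hours rather than weeks. The script below is an added example written for this page; it is not Advent IM's code and the presentation describes no tooling. The log line format, the field names, the list of “protected” server-room hosts, the revoked-card list, the internal address prefix and the 30-minute correlation window are all assumptions chosen for illustration, and the sample events are constructed rather than real.

```python
"""Join the dots between physical access and system logon logs.

Added example for this page, not Advent IM's code. Log formats, field names,
the protected host list and the 30-minute window are assumptions. The sample
events below are constructed, not real logs.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)         # assumed correlation window
OFFICE_NET = "10.0."                   # assumed internal address prefix
PROTECTED_HOSTS = {"fileserv01"}       # assumed: hosts that live in the server room
SERVER_ROOM_READERS = {"serverroom"}   # assumed: badge readers on the server-room door
REVOKED_CARDS = {"C3003"}              # assumed: cards reported lost or stolen

# Constructed badge-reader events from the door access control system.
BADGE_EVENTS = [
    "2014-03-03T08:55:10 reader=lobby-east card=C1001 user=alice result=granted",
    "2014-03-03T09:02:44 reader=serverroom card=C1001 user=alice result=granted",
    "2014-03-03T13:15:02 reader=lobby-east card=C2002 user=bob result=granted",
    "2014-03-03T22:41:30 reader=serverroom card=C3003 user=carol result=granted",
]
# Constructed authentication events (VPN gateway and server console logons).
AUTH_EVENTS = [
    "2014-03-03T09:05:12 host=fileserv01 user=alice src=10.0.5.21 type=console",
    "2014-03-03T13:20:40 host=vpn-gw user=bob src=203.0.113.7 type=vpn",
    "2014-03-03T22:44:05 host=fileserv01 user=dave src=10.0.5.30 type=console",
]


def parse(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def within(earlier, later, window=WINDOW):
    """True if 'later' is at or after 'earlier' and no more than 'window' after it."""
    delta = later - earlier
    return timedelta(0) <= delta <= window


def correlate(badge_lines, auth_lines):
    """Return (rule, user, timestamp) alerts for three cross-discipline patterns."""
    badges = sorted((parse(l) for l in badge_lines), key=lambda r: r["ts"])
    auths = sorted((parse(l) for l in auth_lines), key=lambda r: r["ts"])
    alerts = []

    # Rule 1: a card reported lost or stolen still opens a door.
    for b in badges:
        if b["result"] == "granted" and b["card"] in REVOKED_CARDS:
            alerts.append(("revoked_card_granted", b["user"], b["ts"]))

    # Rule 2: a card is used on site while its holder's account connects over
    # VPN from outside the office within the window: someone else has the card.
    for b in badges:
        if b["result"] != "granted":
            continue
        for a in auths:
            if (a["user"] == b["user"] and a["type"] == "vpn"
                    and not a["src"].startswith(OFFICE_NET)
                    and abs(a["ts"] - b["ts"]) <= WINDOW):
                alerts.append(("badge_onsite_but_remote_logon", b["user"], a["ts"]))

    # Rule 3: a console logon on a server-room host with no badge entry to the
    # server room by the same person in the preceding window.
    for a in auths:
        if a["type"] != "console" or a["host"] not in PROTECTED_HOSTS:
            continue
        entered = any(
            b["user"] == a["user"] and b["result"] == "granted"
            and b["reader"] in SERVER_ROOM_READERS and within(b["ts"], a["ts"])
            for b in badges
        )
        if not entered:
            alerts.append(("console_logon_without_badge", a["user"], a["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in correlate(BADGE_EVENTS, AUTH_EVENTS):
        print(f"{ts.isoformat()} {rule:32} user={user}")
```

On the constructed data, alice badges into the lobby and the server room and then logs on at a console a few minutes later, which is the expected pattern and raises nothing. bob's card opens the lobby door while his account is on the VPN from an external address, carol's revoked card opens the server-room door, and dave then logs on at a server console without ever having badged in: each of those produces one alert. Rule 2 deliberately uses a symmetric window because the VPN logon may precede or follow the badge swipe, while Rule 3 is directional because the door must be opened before the console is reached. None of these patterns is visible to a team that only looks at the IT logs, which is the page's point about “IT does security”.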