Faegre Drinker Biddle & Reath LLP
Social Engineering
How to Identify and Prevent Social Engineering Cyberattacks – Especially in the Age of COVID-19
Presenters
bennett.borden@faegredrinker.com
+1 202 230 5194
Bennett B. Borden
Partner and Chief Data Scientist,
Faegre Drinker
jason.weiss@faegredrinker.com
+1 310 203 4062
Jason G. Weiss
Counsel, Faegre Drinker
Art.Ehuan@crypsisgroup.com
+1 571 331 7763
Art Ehuan
Vice President, The Crypsis Group
Stefan_Richards@corvel.com
Stefan Richards
CISO, CorVel
IDENTIFYING SOCIAL ENGINEERING ATTACKS
Why Do You Need Cybersecurity?
• Cybersecurity refers, in general terms, to a “body of technology, processes and practices”
designed to:
• Protect Networks
• Protect Devices
• Protect Programs
• Protect Data from attack, damage or unauthorized access
• Cybersecurity is the protection of data and systems within networks that are connected to
the Internet, including:
• Information Security
• Information Technology Disaster Recovery
• Information Privacy
• In short, Cybersecurity means different things to different people depending on your:
• Job Title (C-Suite v. IT Manager, etc.)
• Job Position and Responsibilities
• What you are required to protect on a computer network
What is Cyber Social Awareness Training?
• The weakest security link in any business is the EMPLOYEES
• See the Twitter hack of July 2020 – all initiated through social engineering techniques to infiltrate their network and take over about 130 high-profile accounts
• The FBI had a saying they would drum into us almost daily: The only safe network is a network with no users!
• Two very important questions that lead to the genesis of a Social Engineering Attack:
• How do we identify an effective social engineering attack?
• How do we defend ourselves, especially in the age of telecommuting and COVID-19?
○ COVID-19 has added a dangerous new twist to Social Engineering attacks since people are working more from home and are less likely to identify these types of attacks when isolated from other staff and IT personnel
What is Social Engineering?
• Social Engineering is the term used for a BROAD range of malicious
activities accomplished through simple human interaction and a fair share of
“trickery”
• Social Engineering uses “psychological manipulation” to basically trick
employees into making security mistakes or giving away sensitive
information
• No one is immune: Many smart and careful people can fall victim to a social
engineering attack without even realizing it until it is too late.
• Vigilance and common sense are the keys to protection
Foundations of a Social Engineering Attack
• According to www.terranovasecurity.com, Social Engineering relies on these five basic emotional traits for its success:

Social Engineering “MOTIVATIONS” – How it Affects People that Fall for these Social Engineering Techniques
FEAR – Example: You receive a voice mail that you’re under investigation for tax fraud and you must call and pay an immediate fee to the “IRS”
GREED – Example: Someone convinces you that a mere $10.00 investment will pocket you $10,000 or more
CURIOSITY – Example: Cybercriminals convince you that some event you see on the news affects you and they have evidence that they send you for review, and it is in fact Malware
HELPFULNESS – Example: Playing on the basic desire of humans to trust and help one another – collecting charity and donations for a false cause
URGENCY – Example: You receive a fake or spoofed email from a vendor you use indicating that they need to confirm your credit card information ASAP
How Does Social Engineering Work?
• Social Engineering is a multi-faceted attack and includes:
• The perpetrator first investigates the intended victim and gathers necessary background information, such as potential points of entry and weak security protocols needed to proceed with the attack
• The attacker then moves to gain the victim’s trust and provides a stimulus for subsequent action that breaks established security practices, such as revealing sensitive information and granting access to critical resources (www.imperva.com)
• Social Engineering is simply the most efficient, cost-effective and capable tool used by cyber-criminals in so many different types of crimes
• The original master of social engineering was one of the most famous hackers of our generation, Kevin Mitnick. Books have literally been written about him and how he used social engineering to effectuate his attacks.
Additional Common Social Engineering Attacks
Attack Type – What Happens in the Attack
1) Phishing – Targeting people through a social media ruse
2) Spear Phishing – Targeting a specific group of people
3) Whaling – Targeting business executives
4) Watering Hole – Injecting malicious script into public websites
5) Pretexting – Faking your identity
6) Tailgating – Piggybacking into a restricted site
7) Dumpster Diving – Going through garbage bins for sensitive info
8) Quid Pro Quo – Hacker offers a service in exchange for a benefit
9) Business Email Compromise (BEC) – Faking fraudulent wire transfers
   - BEC has become the single largest damages claim today for Cyber Insurance
   - There are multiple types of BEC claims that have cost consumers well over one billion dollars ($1,000,000,000)
Some Additional Common Social Engineering Attacks
Attack Type – What Happens in the Attack
10) Smishing – Smishing is the fraudulent practice of sending text messages to trick people into revealing personal information
11) Vishing – Vishing is the fraudulent practice of making phone calls or leaving voice messages to trick people into revealing personal information
12) Baiting – Baiting attacks use a false promise to pique a victim’s greed or curiosity
13) Scareware – Scareware involves victims being bombarded with false alarms and fictitious threats
14) Malware – Victims are tricked into believing that malware is installed on their computer and, if they pay, the malware will be removed
15) Doxxing – When someone threatens to publish private or identifying information about you on the internet, typically with malicious intent
16) Catfishing – When someone uses a stolen online identity for the purpose of creating a fake or deceptive relationship
17) Gaslighting – When someone tries to manipulate you into questioning your own sanity as a means to trick you into providing something of value
18) SIM Swapping – SIM swap is when someone convinces your cell phone carrier to switch your phone number over to a SIM card they own
Common Social Engineering Attacks
• Cyber Social Engineering attacks can lead to many different problems for many
businesses, financial institutions and the population as a whole
• Disruptionware
• Ransomware
• Cyber Wipers
• Malware
• Business Email Compromise
• Economic Espionage
• Data Sniffers
• Keyboard Stroke Monitors
• Back Doors Into Your Network
• Theft Of Business Email
• Theft Of Intellectual Property
• Theft Of Employee PII
Consequences for Poor Employee Training
• There can be numerous consequences for poor social awareness employee
training, including but not limited to:
• External breach of internal business networks
• Loss of business or customer data
• Introduction of ransomware, malware or other cyberattack techniques into your network
• New Consumer “Private Right of Action” for lost data damages under the GDPR and/or
the CCPA
• Permanent loss of intellectual property
• Public embarrassment and loss of business trust in the community
• Bad publicity in the media
• Loss of customers - both current and future
• Regulatory fines by the government
• Extensive costs to remediate breaches and repair networks to re-establish customer trust
Technical Defenses to Social Engineering Attacks
• Most companies have very astute IT departments to keep their hardware and their networks safe….
• There is not time here to discuss all the intricacies of technical IT defense, so I want to discuss the REALLY IMPORTANT way to defend your data….
• Which leads to the most critical question of the day:
• What is the WEAKEST part of any organization’s data security plan?
• Does the company have a current and up-to-date Incident Response Plan to react quickly?
• What has the IT department done to “harden” its network from both
• External Attack?
• Internal Infiltration?
TECHNICAL SOCIAL ENGINEERING DEFENSES
Things Social Engineering Attackers Know
• A LOT of company information is out there, more than you might think
• A LOT of personal information is out there, more than you might think
• Security is very vulnerable at connection points
• Security is very vulnerable in exception processes
• It’s easy to send (a lot of) email as anyone
• It’s easy to call someone appearing to come from any number
• In bigger companies, most people don’t know each other, but everyone
wants to help
• Social engineering approaches: go big or go targeted
• Most people avoid advanced security because “it’s hard”
Social Engineering Attack Overview
Technical Defenses – Multi-Factor Authentication (MFA)
• Generally, passwords are not good enough
• If you have to use them: length is the most important factor
• MFA = the most effective mitigation
• MFA can’t be given away in clever social engineering
• MFA Tips:
• Avoid text (SMS) or email
• Best option: authentication apps (e.g. Google Authenticator)
• Consider the recovery process:
• Social Engineers can probably answer your security questions
Technical Defenses – Inbound Filtering (Email Gateways)
• Stops or ‘cleans’ trouble emails before they reach you
• Leverages reputation and collective threat intelligence
• Learns from other users that flag dangerous email
• Authenticating senders – DMARC
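What the "Authenticating senders – DMARC" bullet means in practice, as an added example that is not part of the original deck: a Python evaluation of a DMARC policy (RFC 7489) the way an inbound gateway applies it once SPF and DKIM have been checked. DNS is replaced by a constructed in-memory table, and the organizational-domain rule is simplified to the last two labels (a real gateway uses the Public Suffix List).

```python
"""DMARC evaluation as an inbound e-mail gateway applies it (RFC 7489).

Added example, not part of the original slide deck.  The gateway already
holds an SPF result and a DKIM result for a message; DMARC ties both to the
domain in the From: header that the recipient actually sees, so a spoofed
From: that passes SPF for an unrelated envelope domain still fails.
DNS is replaced by a constructed in-memory table (assumption).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none",
}


def org_domain(domain: str) -> str:
    """Organizational domain.  Simplified (assumption) to the last two labels;
    a real gateway consults the Public Suffix List here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def lookup_policy(from_domain: str) -> Tuple[Optional[dict], str]:
    """Policy discovery: the exact From: domain first, then its organizational
    domain.  Returns (policy, domain the record was found at)."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = DNS_TXT.get("_dmarc." + candidate)
        if record:
            return parse_dmarc(record), candidate
    return None, ""


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain: what the user sees in the mail client
    spf_domain: str    # RFC5321.MailFrom (envelope) domain SPF was evaluated for
    spf_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, "" if unsigned
    dkim_pass: bool


def dmarc_disposition(r: AuthResults) -> str:
    """'pass' if an aligned SPF or DKIM pass exists, otherwise the action
    (none / quarantine / reject) the domain owner asked gateways to take."""
    policy, found_at = lookup_policy(r.from_domain)
    if policy is None:
        return "none"  # nothing published: DMARC cannot protect this domain
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = (r.dkim_pass and bool(r.dkim_domain)
               and aligned(r.dkim_domain, r.from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    # sp= applies when From: is a subdomain of the domain the record was found at
    return policy["sp"] if r.from_domain.lower() != found_at else policy["p"]


if __name__ == "__main__":
    # Spoofed From: example.com sent via a mailer whose own SPF passes.
    spoof = AuthResults("example.com", "bulk-mailer.example.net", True, "", False)
    print("spoofed:", dmarc_disposition(spoof))      # reject
    # Legitimate subdomain mail, DKIM-signed by the organizational domain.
    legit = AuthResults("news.example.com", "mail.example.com", True, "example.com", True)
    print("legitimate:", dmarc_disposition(legit))   # pass
```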
Technical Defenses – Email Banners
Technical Defenses – Outbound Filtering (Firewalls, Proxies)
• Block that click!
• Stops traffic to Internet “bad neighborhoods”
• Looks for and stops malware call home (Command and Control)
• Watches outbound traffic for likely exfiltration
• Leverages reputation and collective threat intelligence
Technical Defenses – Automated Phish Tests
• Automate for scale
• Test multiple times per year
• Tune to current threats
• Test all employees, especially risky departments
• Automatically refer to training on click
• Collect metrics to inform continued awareness efforts
Technical Defenses – Cyber Hygiene
• Use currently supported software only
• Patch early and often
• Remove unneeded software and services
• Don’t run as administrator
• Implement and test regular backups
• Regularly scan and test your security posture
• Consider advanced anti-malware protection
SOCIAL AWARENESS SOCIAL ENGINEERING DEFENSES
Social Engineering Statistics 2019 – 2020: Industries
1. Healthcare (16%)
2. Financial Services (14%)
The top target industries disproportionately attract threat actors due to storing, transmitting, and processing high volumes of monetizable sensitive information.
Social Engineering Statistics 2019 – 2020 Phishing
• Initial Attack Vectors for Ransomware
• RDP Attack
• Phishing (Social Engineering)
• Web Attack
Social Engineering Prevention (Awareness)
• Create a “security awareness” culture in the organization
• Management should regularly conduct awareness campaigns on the importance of protecting data from social engineering attacks
• Post visual reminders (posters, etc.) throughout office space
• Send regular email reminders on vigilance against social engineering attacks
• Publicly reward staff who embody good security awareness
https://www.dni.gov/files/PE/Documents/6---2017-AEP_The-Future-of-Ransomware-and-Social-Engineering.pdf
Social Engineering Prevention (Awareness)
• Management should regularly conduct awareness campaigns on the importance of protecting data from social engineering attacks
• Management vocalization on the criticality of protecting data during staff meetings on a scheduled basis
• Support and promote richer cyber training programs, and emphasize security in company communications
• Management should identify opportunities for measuring performance of staff in protecting data
https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
Social Engineering Prevention (Awareness)
• Post visual reminders (posters, etc.) throughout office space
• Internal media campaigns provide a reminder of the importance of employee awareness
• Post reminders in offices, cubicles, shared space (kitchen, conference rooms, etc.)
• Tailor web-based modules customized to individual groups pertinent to their roles and how they may be specifically targeted so employees can better spot and avoid tactics that may be used against them.
https://www.biola.edu/information-technology/information-security/dont-be-manipulated-by-social-engineering
Social Engineering Prevention (Awareness)
• Send regular email reminders on vigilance against social engineering attacks
• Send management and HR email coordinated campaigns to staff to maintain awareness
• Develop comprehensive training that includes, and goes beyond, phishing and spear phishing; include other social engineering concerns that involve physical security, industry best practices against device loss, insider threat indicators, etc.
https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
Social Engineering Prevention (Awareness)
• Publicly reward staff who embody good security awareness
• Provide incentives (gift certificates, etc.) for staff who identify a social engineering attack and notify management
• Identify staff who have been vigilant against social engineering attacks and highlight their examples during all-hands/staff meetings
https://www.dni.gov/files/NCSC/documents/campaign/Poster_Social-Engineering_6April2017_FINAL.jpg
QUESTIONS

More Related Content

Similar to - Social Engineering Unit- II Part- I.pdf

43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx
43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx
43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptxPradeeshSAI
 
What is social engineering.pdf
What is social engineering.pdfWhat is social engineering.pdf
What is social engineering.pdfuzair
 
Rishabhcyber security.pptx
Rishabhcyber security.pptxRishabhcyber security.pptx
Rishabhcyber security.pptxRishabhDwivedi70
 
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSIMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSPreetiDevidas
 
Asset slide-show-identifying-it-security-threats (1)
Asset slide-show-identifying-it-security-threats (1)Asset slide-show-identifying-it-security-threats (1)
Asset slide-show-identifying-it-security-threats (1)David Robinson
 
Unit 03 Computer and Internet Crime [5 hrs] v1.2.pdf
Unit 03 Computer and Internet Crime [5 hrs] v1.2.pdfUnit 03 Computer and Internet Crime [5 hrs] v1.2.pdf
Unit 03 Computer and Internet Crime [5 hrs] v1.2.pdfSujanTimalsina5
 
Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"abercius24
 
Introduction to cyber security
Introduction to cyber security Introduction to cyber security
Introduction to cyber security RaviPrashant5
 
introduction to cyber security
introduction to cyber securityintroduction to cyber security
introduction to cyber securitySlamet Ar Rokhim
 
CyberSecurity.pdf
CyberSecurity.pdfCyberSecurity.pdf
CyberSecurity.pdfSuleiman55
 
Cysecc.pptx
Cysecc.pptxCysecc.pptx
Cysecc.pptxjondon17
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxRoshni814224
 
Learn About Social Engineering Services - Aardwolf Security
Learn About Social Engineering Services - Aardwolf SecurityLearn About Social Engineering Services - Aardwolf Security
Learn About Social Engineering Services - Aardwolf SecurityAardwolf Security
 
Info Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsInfo Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsGDSCCVR
 

Similar to - Social Engineering Unit- II Part- I.pdf (20)

43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx
43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx
43080d37-44e9-4b2f-9cb5-ceb90f3fab98.pptx
 
Hacking the Helpdesk: Social Engineering Risks
Hacking the Helpdesk: Social Engineering RisksHacking the Helpdesk: Social Engineering Risks
Hacking the Helpdesk: Social Engineering Risks
 
Hacking the Helpdesk, Craig Clark
Hacking the Helpdesk, Craig ClarkHacking the Helpdesk, Craig Clark
Hacking the Helpdesk, Craig Clark
 
What is social engineering.pdf
What is social engineering.pdfWhat is social engineering.pdf
What is social engineering.pdf
 
Rishabhcyber security.pptx
Rishabhcyber security.pptxRishabhcyber security.pptx
Rishabhcyber security.pptx
 
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSIMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
 
Asset slide-show-identifying-it-security-threats (1)
Asset slide-show-identifying-it-security-threats (1)Asset slide-show-identifying-it-security-threats (1)
Asset slide-show-identifying-it-security-threats (1)
 
Unit 03 Computer and Internet Crime [5 hrs] v1.2.pdf
Unit 03 Computer and Internet Crime [5 hrs] v1.2.pdfUnit 03 Computer and Internet Crime [5 hrs] v1.2.pdf
Unit 03 Computer and Internet Crime [5 hrs] v1.2.pdf
 
220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?
 
Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"
 
Cyber Security PPT.pptx
Cyber Security PPT.pptxCyber Security PPT.pptx
Cyber Security PPT.pptx
 
Introduction to cyber security
Introduction to cyber security Introduction to cyber security
Introduction to cyber security
 
introduction to cyber security
introduction to cyber securityintroduction to cyber security
introduction to cyber security
 
CyberSecurity.pdf
CyberSecurity.pdfCyberSecurity.pdf
CyberSecurity.pdf
 
Cysecc.pptx
Cysecc.pptxCysecc.pptx
Cysecc.pptx
 
Ch01 Introduction to Security
Ch01 Introduction to SecurityCh01 Introduction to Security
Ch01 Introduction to Security
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
Learn About Social Engineering Services - Aardwolf Security
Learn About Social Engineering Services - Aardwolf SecurityLearn About Social Engineering Services - Aardwolf Security
Learn About Social Engineering Services - Aardwolf Security
 
Info Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsInfo Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study Jams
 
nerfslides.pptx
nerfslides.pptxnerfslides.pptx
nerfslides.pptx
 

More from Ramya Nellutla

artificial Intelligence unit1 ppt (1).ppt
artificial Intelligence unit1 ppt (1).pptartificial Intelligence unit1 ppt (1).ppt
artificial Intelligence unit1 ppt (1).pptRamya Nellutla
 
Deep network notes.pdf
Deep network notes.pdfDeep network notes.pdf
Deep network notes.pdfRamya Nellutla
 
pentration testing.pdf
pentration testing.pdfpentration testing.pdf
pentration testing.pdfRamya Nellutla
 
Unit-3-Part-1 [Autosaved].ppt
Unit-3-Part-1 [Autosaved].pptUnit-3-Part-1 [Autosaved].ppt
Unit-3-Part-1 [Autosaved].pptRamya Nellutla
 
E5-roughsets unit-V.pdf
E5-roughsets unit-V.pdfE5-roughsets unit-V.pdf
E5-roughsets unit-V.pdfRamya Nellutla
 
Unit-II -Soft Computing.pdf
Unit-II -Soft Computing.pdfUnit-II -Soft Computing.pdf
Unit-II -Soft Computing.pdfRamya Nellutla
 
SC01_IntroductionSC-Unit-I.ppt
SC01_IntroductionSC-Unit-I.pptSC01_IntroductionSC-Unit-I.ppt
SC01_IntroductionSC-Unit-I.pptRamya Nellutla
 
- Fuzzy Systems -II.pptx
- Fuzzy Systems -II.pptx- Fuzzy Systems -II.pptx
- Fuzzy Systems -II.pptxRamya Nellutla
 

More from Ramya Nellutla (12)

artificial Intelligence unit1 ppt (1).ppt
artificial Intelligence unit1 ppt (1).pptartificial Intelligence unit1 ppt (1).ppt
artificial Intelligence unit1 ppt (1).ppt
 
Deep network notes.pdf
Deep network notes.pdfDeep network notes.pdf
Deep network notes.pdf
 
pentration testing.pdf
pentration testing.pdfpentration testing.pdf
pentration testing.pdf
 
Deep Learning.pptx
Deep Learning.pptxDeep Learning.pptx
Deep Learning.pptx
 
Unit-I PPT.pdf
Unit-I PPT.pdfUnit-I PPT.pdf
Unit-I PPT.pdf
 
Datamodels.pptx
Datamodels.pptxDatamodels.pptx
Datamodels.pptx
 
Unit-3-Part-1 [Autosaved].ppt
Unit-3-Part-1 [Autosaved].pptUnit-3-Part-1 [Autosaved].ppt
Unit-3-Part-1 [Autosaved].ppt
 
E5-roughsets unit-V.pdf
E5-roughsets unit-V.pdfE5-roughsets unit-V.pdf
E5-roughsets unit-V.pdf
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
Unit-II -Soft Computing.pdf
Unit-II -Soft Computing.pdfUnit-II -Soft Computing.pdf
Unit-II -Soft Computing.pdf
 
SC01_IntroductionSC-Unit-I.ppt
SC01_IntroductionSC-Unit-I.pptSC01_IntroductionSC-Unit-I.ppt
SC01_IntroductionSC-Unit-I.ppt
 
- Fuzzy Systems -II.pptx
- Fuzzy Systems -II.pptx- Fuzzy Systems -II.pptx
- Fuzzy Systems -II.pptx
 

Recently uploaded

chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx  fake news detection using machine learningchaitra-1.pptx  fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningmisbanausheenparvam
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 

Recently uploaded (20)

chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx  fake news detection using machine learningchaitra-1.pptx  fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learning
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 

- Social Engineering Unit- II Part- I.pdf

6. What is Social Engineering?
• Social Engineering is the term used for a BROAD range of malicious activities accomplished through simple human interaction and a fair share of “trickery”
• Social Engineering uses “psychological manipulation” to basically trick employees into making security mistakes or giving away sensitive information
• No one is immune: many smart and careful people can fall victim to a social engineering attack without even realizing it until it is too late
• Vigilance and common sense are the keys to protection

7. Foundations of a Social Engineering Attack
• According to www.terranovasecurity.com, Social Engineering relies on these five basic emotional traits for its success:
Social Engineering “MOTIVATIONS” and how they affect people who fall for these techniques:
• FEAR. Example: You receive a voice mail that you’re under investigation for tax fraud and you must call and pay an immediate fee to the “IRS”
• GREED. Example: Someone convinces you that a mere $10.00 investment will pocket you $10,000 or more
• CURIOSITY. Example: Cybercriminals convince you that some event you see on the news affects you and that they have evidence, which they send you for review; it is in fact malware
• HELPFULNESS. Example: Playing on the basic desire of humans to trust and help one another, such as collecting charity and donations for a false cause
• URGENCY. Example: You receive a fake or spoofed email from a vendor you use indicating that they need to confirm your credit card information ASAP

8. How Does Social Engineering Work?
• Social Engineering is a multi-faceted attack and includes:
○ The perpetrator first investigates the intended victim and gathers necessary background information, such as potential points of entry and weak security protocols needed to proceed with the attack
○ The attacker then moves to gain the victim’s trust and provides a stimulus for subsequent action that breaks established security practices, such as revealing sensitive information and granting access to critical resources (www.imperva.com)
• Social Engineering is simply the most efficient, cost-effective and capable tool used by cyber-criminals in so many different types of crimes
• The original master of social engineering was one of the most famous hackers of our generation, Kevin Mitnick. Books have literally been written about him and how he used social engineering to effectuate his attacks.

9. Additional Common Social Engineering Attacks
Attack Type: What Happens in the Attack
1) Phishing: Targeting people through a social media ruse
2) Spear Phishing: Targeting a specific group of people
3) Whaling: Targeting business executives
4) Watering Hole: Injecting malicious script in public websites
5) Pretexting: Faking your identity
6) Tailgating: Piggybacking into a restricted site
7) Dumpster Diving: Going through garbage bins for sensitive info
8) Quid Pro Quo: Hacker offers a service in exchange for a benefit
9) Business Email Compromise (BEC): Tricking staff into making fraudulent wire transfers
• BEC has become the single largest damages claim today for Cyber Insurance
• There are multiple types of BEC claims that have cost consumers well over one billion dollars ($1,000,000,000)

10. Some Additional Common Social Engineering Attacks
Attack Type: What Happens in the Attack
10) Smishing: The fraudulent practice of sending text messages to trick people into revealing personal information
11) Vishing: The fraudulent practice of making phone calls or leaving voice messages to trick people into revealing personal information
12) Baiting: Baiting attacks use a false promise to pique a victim’s greed or curiosity
13) Scareware: Victims are bombarded with false alarms and fictitious threats
14) Malware: Victims are tricked into believing that malware is installed on their computer and, if they pay, the malware will be removed
15) Doxxing: When someone threatens to publish private or identifying information about you on the internet, typically with malicious intent
16) Catfishing: When someone uses a stolen online identity for the purpose of creating a fake or deceptive relationship
17) Gaslighting: When someone tries to manipulate you into questioning your own sanity as a means to trick you into providing something of value
18) SIM Swapping: When someone convinces your cell phone carrier to switch your phone number over to a SIM card they own

11. Common Social Engineering Attacks
• Cyber Social Engineering attacks can lead to many different problems for many businesses, financial institutions and the population as a whole:
○ Disruptionware
○ Ransomware
○ Cyber Wipers
○ Malware
○ Business Email Compromise
○ Economic Espionage
○ Data Sniffers
○ Keyboard Stroke Monitors
○ Back Doors Into Your Network
○ Theft Of Business Email
○ Theft Of Intellectual Property
○ Theft Of Employee PII

12. Consequences for Poor Employee Training
• There can be numerous consequences for poor social awareness employee training, including but not limited to:
○ External breach of internal business networks
○ Loss of business or customer data
○ Introduction of ransomware, malware or other cyberattack techniques into your network
○ New Consumer “Private Right of Action” for lost data damages under the GDPR and/or the CCPA
○ Permanent loss of intellectual property
○ Public embarrassment and loss of business trust in the community
○ Bad publicity in the media
○ Loss of customers, both current and future
○ Regulatory fines by the government
○ Extensive costs to remediate breaches and repair networks to re-establish customer trust

13. Technical Defenses to Social Engineering Attacks
• Most companies have very astute IT departments to keep their hardware and their networks safe…
• There is no time here to discuss all the intricacies of technical IT defense, so I want to discuss the REALLY IMPORTANT way to defend your data…
• Which leads to the most critical question of the day:
○ What is the WEAKEST part of any organization’s data security plan?
○ Does the company have a current and up to date Incident Response Plan to react quickly?
○ What has the IT department done to “harden” its network from both External Attack and Internal Infiltration?

15. Things Social Engineering Attackers Know
• A LOT of company information is out there, more than you might think
• A LOT of personal information is out there, more than you might think
• Security is very vulnerable at connection points
• Security is very vulnerable in exception processes
• It’s easy to send (a lot of) email as anyone
• It’s easy to call someone appearing to come from any number
• In bigger companies, most people don’t know each other, but everyone wants to help
• Social engineering approaches: go big or go targeted
• Most people avoid advanced security because “it’s hard”

17. Technical Defenses – Multi-Factor Authentication (MFA)
• Generally, passwords are not good enough
• If you have to use them, length is the most important factor
• MFA = the most effective mitigation
• MFA can’t be given away in clever social engineering
• MFA Tips:
○ Avoid text (SMS) or email
○ Best option: authentication apps (e.g. Google Authenticator)
○ Consider the recovery process: Social Engineers can probably answer your security questions
18. Technical Defenses – Inbound Filtering (Email Gateways)
• Stops or ‘cleans’ trouble emails before they reach you
• Leverages reputation and collective threat intelligence
• Learns from other users that flag dangerous email
• Authenticating senders – DMARC

19. Technical Defenses – Email Banners
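An added example serving both the inbound-filtering slide and the email-banner slide; it is not code from the slides or from any gateway product. It reads the DMARC verdict that a gateway's evaluator records in the Authentication-Results header, flags a Reply-To that points away from the From domain and urgency wording in the subject, quarantines mail that fails DMARC under a published reject policy, and stamps an [EXTERNAL] banner onto delivered mail from outside. The domain example.com, the three sample messages and the flag names are assumptions constructed for this demo.

```python
"""Inbound mail checks of the kind an email gateway performs: read the DMARC
verdict, flag common impersonation tells, and stamp an external-sender banner."""
import email
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire transfer")

# Constructed sample messages (not real mail). Authentication-Results is the header
# the gateway's DMARC evaluator adds after checking SPF and DKIM for the From domain.
SPOOFED = (
    'From: "Jane Doe (CFO)" <jane.doe@example.com>\n'
    "Reply-To: jane.doe@example-invoices.net\n"
    "To: accounts@example.com\n"
    "Subject: URGENT wire transfer needed today\n"
    "Authentication-Results: mx.example.com; spf=fail; dkim=none;"
    " dmarc=fail (p=reject) header.from=example.com\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please process the wire immediately and confirm by reply.\n"
)
INTERNAL_OK = (
    "From: Sam Lee <sam.lee@example.com>\n"
    "To: team@example.com\n"
    "Subject: Team lunch on Friday\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass;"
    " dmarc=pass header.from=example.com\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Vote for a restaurant by Thursday.\n"
)
EXTERNAL_OK = (
    "From: Billing <billing@partner-vendor.example>\n"
    "To: accounts@example.com\n"
    "Subject: Invoice 4471 for March\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass;"
    " dmarc=pass header.from=partner-vendor.example\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Attached is this month's invoice.\n"
)


def dmarc_verdict(msg: EmailMessage):
    """Return (result, published policy), e.g. ('fail', 'reject') or ('pass', None)."""
    ar = msg.get("Authentication-Results", "")
    res = re.search(r"\bdmarc=(\w+)", ar)
    pol = re.search(r"\(p=(\w+)\)", ar)
    return (res.group(1).lower() if res else "none",
            pol.group(1).lower() if pol else None)


def analyze(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Gateway decision for one message: a list of flags and a delivery action."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    reply_to = msg["Reply-To"]
    reply_domain = reply_to.addresses[0].domain.lower() if reply_to else from_domain
    result, published = dmarc_verdict(msg)
    subject = str(msg["Subject"] or "").lower()

    flags = []
    if result != "pass":
        flags.append("dmarc_" + result)       # sender not proven to control the From domain
    if reply_domain != from_domain:
        flags.append("reply_to_mismatch")    # replies would go somewhere else
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency_lure")         # the "act now" pressure the slides describe
    external = from_domain != internal_domain
    if external:
        flags.append("external_sender")

    if result == "fail" and published == "reject":
        action = "quarantine"                # honour the domain owner's DMARC policy
    elif external or flags:
        action = "deliver_with_banner"
    else:
        action = "deliver"
    return {"from": sender.addr_spec, "flags": flags, "action": action, "message": msg}


def stamp_banner(msg: EmailMessage) -> EmailMessage:
    """Prefix subject and body with the banner staff are trained to look for."""
    msg.replace_header("Subject", "[EXTERNAL] " + str(msg["Subject"]))
    body = msg.get_content()
    msg.set_content("CAUTION: this message came from outside the organisation. "
                    "Verify any request for payment or credentials by phone.\n\n" + body)
    return msg
```

The spoofed message is caught twice over: DMARC fails because the real sending infrastructure is not authorised for example.com, and even without DMARC the mismatched Reply-To and the urgent subject would have earned it a banner. The banner is deliberately on the subject as well as the body so it survives preview panes and mobile clients.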
20. Technical Defenses – Outbound Filtering (Firewalls, Proxies)
• Block that click!
• Stops traffic to Internet “bad neighborhoods”
• Looks for and stops malware calling home (Command and Control)
• Watches outbound traffic for likely exfiltration
• Leverages reputation and collective threat intelligence
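An added example, not from the slides, of the three checks the outbound-filtering slide lists, run over a constructed proxy log: a reputation blocklist for "bad neighborhoods", a regularity test that catches timer-driven call-home traffic, and a byte-count threshold for bulk uploads. The domains, client addresses and thresholds are placeholders chosen for this demo, not real indicators.

```python
"""Outbound proxy log review: reputation blocks, beacon-like regularity
(malware "calling home") and bulk uploads that may be exfiltration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation list standing in for the collective threat intelligence
# a proxy or firewall subscribes to (placeholder domain, not a real indicator).
BAD_NEIGHBORHOODS = {"tracker.badneighborhood.example"}

# Constructed proxy log, one request per line: epoch_seconds client destination method bytes_out
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn.vendor.example GET 512
1700000060 10.0.0.5 api.updates-check.example POST 220
1700000120 10.0.0.5 api.updates-check.example POST 224
1700000180 10.0.0.5 api.updates-check.example POST 219
1700000240 10.0.0.5 api.updates-check.example POST 221
1700000300 10.0.0.5 api.updates-check.example POST 223
1700000010 10.0.0.9 files.share.example POST 40000000
1700000020 10.0.0.9 files.share.example POST 60000000
1700000100 10.0.0.9 news.example GET 800
1700000400 10.0.0.7 tracker.badneighborhood.example GET 300
"""


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, method, bytes_out = line.split()
        events.append({"ts": int(ts), "client": client, "dest": dest,
                       "method": method, "bytes_out": int(bytes_out)})
    return sorted(events, key=lambda e: e["ts"])


def reputation_hits(events, blocklist=BAD_NEIGHBORHOODS):
    """Traffic to known bad neighbourhoods: block at the proxy, alert on the client."""
    return sorted({(e["client"], e["dest"]) for e in events if e["dest"] in blocklist})


def beacons(events, min_hits=5, max_jitter=0.2):
    """Client/destination pairs contacted at near-constant intervals. People browse
    in bursts; implants typically check in on a timer, so low jitter stands out."""
    times = defaultdict(list)
    for e in events:
        times[(e["client"], e["dest"])].append(e["ts"])
    found = []
    for (client, dest), ts in times.items():
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((client, dest, round(avg, 1)))
    return found


def bulk_uploads(events, threshold=50_000_000):
    """Total POST/PUT bytes per client/destination above a threshold: likely exfiltration."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[(e["client"], e["dest"])] += e["bytes_out"]
    return sorted((c, d, n) for (c, d), n in totals.items() if n >= threshold)


def review(text):
    """Run all three checks and return the alerts by category."""
    events = parse_log(text)
    return {"reputation": reputation_hits(events),
            "beacons": beacons(events),
            "bulk_uploads": bulk_uploads(events)}


if __name__ == "__main__":
    for kind, alerts in review(SAMPLE_LOG).items():
        print(kind, alerts)
```

In the sample, 10.0.0.5 is never on the blocklist yet is flagged anyway, because six small POSTs exactly sixty seconds apart are the signature of a scheduled check-in rather than a person; that is the value of pairing reputation data with behavioural checks on the proxy.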
21. Technical Defenses – Automated Phish Tests
• Automate for scale
• Test multiple times per year
• Tune to current threats
• Test all employees, especially risky departments
• Automatically refer to training on click
• Collect metrics to inform continued awareness efforts

22. Technical Defenses – Cyber Hygiene
• Use currently supported software only
• Patch early and often
• Remove unneeded software and services
• Don’t run as administrator
• Implement and test regular backups
• Regularly scan and test your security posture
• Consider advanced anti-malware protection

24. Social Engineering Statistics 2019 – 2020: Industries
1. Healthcare (16%)
2. Financial Services (14%)
• The top target industries disproportionately attract threat actors due to storing, transmitting, and processing high volumes of monetizable sensitive information.

25. Social Engineering Statistics 2019 – 2020: Phishing
• Initial Attack Vectors for Ransomware:
○ RDP Attack
○ Phishing (Social Engineering)
○ Web Attack

26. Social Engineering Prevention (Awareness)
• Create a “security awareness” culture in the organization
• Management should regularly conduct awareness campaigns on the importance of protecting data from social engineering attacks
• Post visual reminders (posters, etc.) throughout office space
• Send regular email reminders on vigilance against social engineering attacks
• Publicly reward staff who embody good security awareness
https://www.dni.gov/files/PE/Documents/6---2017-AEP_The-Future-of-Ransomware-and-Social-Engineering.pdf

27. Social Engineering Prevention (Awareness)
• Management should regularly conduct awareness campaigns on the importance of protecting data from social engineering attacks
○ Management vocalization on the criticality of protecting data during staff meetings on a scheduled basis
○ Support and promote richer cyber training programs, and emphasize security in company communications
○ Management should identify opportunities for measuring performance of staff in protecting data
https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html

28. Social Engineering Prevention (Awareness)
• Post visual reminders (posters, etc.) throughout office space
○ Internal media campaigns provide a reminder of the importance of employee awareness
○ Post reminders in offices, cubicles, shared space (kitchen, conference rooms, etc.)
○ Tailor web-based modules to individual groups, pertinent to their roles and how they may be specifically targeted, so employees can better spot and avoid tactics that may be used against them
https://www.biola.edu/information-technology/information-security/dont-be-manipulated-by-social-engineering

29. Social Engineering Prevention (Awareness)
• Send regular email reminders on vigilance against social engineering attacks
○ Send coordinated management and HR email campaigns to staff to maintain awareness
○ Develop comprehensive training that includes, and goes beyond, phishing and spear phishing; include other social engineering concerns that involve physical security, industry best practices against device loss, insider threat indicators, etc.
https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html

30. Social Engineering Prevention (Awareness)
• Publicly reward staff who embody good security awareness
○ Provide incentives (gift certificates, etc.) for staff who identify a social engineering attack and notify management
○ Identify staff who have been vigilant against social engineering attacks and highlight their examples during all-hands/staff meetings
https://www.dni.gov/files/NCSC/documents/campaign/Poster_Social-Engineering_6April2017_FINAL.jpg