The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become a Barrier for Social Engineering?
Talk in The Social-Engineer Village at DEF CON 24
http://www.social-engineer.org/social-engineer-village/

[Overview]
As a Japanese security consultant, one of my research questions in social engineering is whether or not cultural difference becomes a barrier for social engineering. This is because the malicious practice of social engineering differs between Japan and the U.S. I think it is true. Since I have experience of working in companies in both Japan and the U.S., I would like to consider various social engineering techniques, such as tailgating, phishing or vishing, through both cultural lenses. In my talk, I would like to discuss the workability of several social engineering techniques in both Japanese and U.S. culture. It will support that cultural difference can become a barrier or a vulnerable weakness.


Slide 1: Does Cultural Differences Become a Barrier for Social Engineering?
TOMOHISA ISHIKAWA
scientia.admin@gmail.com
www.scientia-security.org
Slide 2: WHO AM I?
 Tomo (Tomohisa Ishikawa)
• Japanese Security Consultant (7 years experience)
• ESL (English as a Second Language)
• A Doctoral Program Student
• Currently at an insurance company in Philadelphia
• CISSP, CISA, CISM, CFE, QSA, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
 Specialized Area
• Penetration Test
• Incident Response
• Vulnerability Management
• Security Awareness & Education
Slide 3: Background
 Social Engineering is a remarkable attack vector now
• HBGary hacked by Anonymous
• CloudFlare hacked by UGNazi
• Mat Honan (WIRED journalist)
• Naoki Hiroshima (theft of the Twitter username “@N”)
• CIA Director hacked by CWA (Crackas with Attitude)
• BEC (Business Email Compromise)
 Is it popular in Japan??
• Spear phishing email attacks are popular
• but… not so active compared with the U.S., e.g. BEC
Slide 4: My Research Questions
 Does Cultural Difference become a barrier for SE?
• If culture works as a barrier, “Cultural Defense” will be one of the solutions.
• The design of the organization, corporate culture and business processes will be an effective method against SE.
Slide 5: Additional Notes
 Why is the idea of “cultural defense” so important?

Slide 6: https://isc.sans.edu/diary/Managing+CVE-0/10933

Slide 7: Additional Notes
 Why is the idea of “cultural defense” so important?
• CVE-0 (there is no Patch Tuesday for human beings)
Slide 8: Disclaimer
 I AM NOT…
• A cultural anthropologist, sociologist, psychologist, philosopher, etc.
 Any opinions offered are…
• my own opinion, hypothesis and thought, based on a few of my examples
• NOT those of my employers.
 Focus on the difference between Japan and the U.S.
 I may be biased because…
• 28 years experience in Japanese culture (Guru)
• 8 months experience in U.S. culture (Beginner or Intermediate)
 It is NOT a conclusion, and I would like to start the discussion
• Constructive criticism and opinions are welcome
Slide 9: Disclaimer
 I DO NOT want to discuss the advantages or disadvantages of each culture
• I would like to respect both cultures
• Only discuss the defensive workability against SE attacks
 I welcome questions and comments, but
• PLEASE PLEASE speak slowly and simply
Slide 10: 1. What is Culture? Cultural Difference?

Slide 11: Cultural Difference?
 The Size

Slide 12: Cultural Difference?
 The Size
• US: S-Size / JP: L-Size

Slide 13: Cultural Difference?
 The Punctuality

Slide 14: Cultural Difference?
 The Pokemon Go indicator

Slide 15: FYI: Steve’s POV

Slide 16: Again, What is Culture? Cultural Difference?

Slide 17: Wikipedia says…
Slide 18: What is Culture?
 A lot of definitions are available
 The definition of E. B. Tylor
• “that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society”
Slide 20: What is Cultural Difference?
 Hofstede's cultural dimensions theory
• He carried out a comprehensive analysis of IBM employees and proposed six dimensions to characterize a culture
• Dataset: http://www.geerthofstede.nl/dimension-data-matrix
Slide 21: Hofstede's cultural dimensions theory

INDEX  DETAILS
PDI    Power Distance Index
IDV    Individualism vs. collectivism
MAS    Masculinity vs. femininity
UAI    Uncertainty avoidance index
LTO    Long-term orientation
IVR    Indulgence versus restraint

[Chart: Cultural Differences by Hofstede Indicator, Japan vs. U.S.A., one bar per index (PDI, IDV, MAS, UAI, LTO, IVR), scale 0 to 100]

Index  JPN  USA  DIFF
PDI    54   40   14
IDV    46   91   45
MAS    95   62   33
UAI    92   46   46
LTO    88   26   62
IVR    42   68   26
Slide 22: Hofstede's cultural dimensions theory
 From this data (the three indexes with the largest difference)

Item  Diff  Japan                U.S.A
LTO   62    Long Term Oriented   Short Term Oriented
UAI   46    Hate uncertainty     Accept Risk
IDV   45    Collectivism         Individualism
Slide 23: 2. Social Engineering and Cultural Difference

Slide 24: If you are NOT familiar with SE

Slide 25: Today we are discussing…
 OSINT
 Tailgating
 Vishing
 Remittance Scam (Supplementary)

Slide 26: 2. Social Engineering and Cultural Difference ~2-1 : OSINT~
Slide 27: OSINT
 Open Source Intelligence
• Collecting the information needed for SE from public resources
 Cultural Defense Workability of JP Culture:
• Japanese people prefer anonymity on the Internet
• It means that the difficulty of OSINT in JP is high.
 MIC 2014 Research (MIC: Ministry of Internal Affairs and Communications)
• 6-country comparison (JP, US, UK, FR, SK, SGP)
• http://www.soumu.go.jp/johotsusintokei/whitepaper/eng/WP2014/chapter-4.pdf
Slide 28: OSINT – Cultural Defense
 MIC 2014 Research
• The US tends to use real names, but JP prefers to use false names

[Chart: Use of false names versus real names on SNS, JP vs. US, for FB, Twitter, Chat, SNS, BBS and Blog; series: Use False Name, Use Real Name, Use Both (multiple accounts), Not User; scale 0 to 100]
Slide 29: OSINT – Cultural Defense
 MIC 2014 Research
• 66.3% of JP have antipathy against disclosing their real name (US: 35.9%)

The antipathy against disclosing real name (%)
Response          Total   JP     U.S.
Strong            15.9    41.7   13.1
Moderate          23.2    24.6   22.8
Neutral/Neither   24.8    13.7   28.3
Not much          22.4    12.7   22.2
No                13.7     7.3   13.6
(Strong + Moderate: JP 66.3%, U.S. 35.9%)
Slide 30: OSINT – Cultural Defense
 MIC 2014 Research
• Approximately 60% of JP and US people feel the risk of being identified even though they use a false name

Awareness of the risk of being identified with anonymous use (%)
Response               Total   JP     US
High possibility       20.2    16.5   24.4
Some possibility       39.1    43.7   36.9
Low possibility        29.9    26.5   27.4
Almost no possibility  10.8    13.3   11.3
(High + Some: JP 60.2%, US 61.3%)
Slide 31: 2. Social Engineering and Cultural Difference ~2-2 : Tailgating~
Slide 32: Tailgating
 Tailgating
• Breaking physical access control by using pretexting
• Ex) Pretending to be a “FedEx guy” or “pest control guy”
• Ex) Pretending to be a freshman (new hire), a WFH employee, or an employee from a different branch
 Cultural Defense Workability of JP Culture:
• Japanese office culture is an environment in which strangers are easily detected
• Office Layout
• Working Style Culture
Slide 33: Tailgating – Cultural Defense
 Office Layout
• US: Cubicle
• JP: Flat desk (open island layout)

Slide 34: Tailgating – Cultural Defense
 Why does it work as a defense?
• Easy to identify strangers or attackers
• Everyone knows the usual behavior (baseline) of colleagues and regular vendors
Slide 35: Tailgating – Cultural Defense
 Working Style Culture
• Before that, let’s look at the working style difference between the U.S.A and Japan

Working Style
• U.S.A: WFH is popular
• Japan: WFH is NOT popular
Employment Mobility
• U.S.A: High mobility; join frequently, leave frequently
• Japan: Low mobility; JP companies do not like mid-career recruiting; people stay at one company 10+ years
New Graduate Job Hunting
• U.S.A: Apply to a “Job”; specialist oriented
• Japan: Apply to a “Company”; generalist oriented; join the company on April 1st; 2-4 month bootcamp training (project work); the company assigns the division (= job); job rotation is popular
Slide 36: Company Welcoming Ceremony @ April 1st
Slide 37: Tailgating – Cultural Defense
 Working Style Culture
• Let’s look at the working style difference (the same U.S.A vs. Japan comparison as slide 35: WFH, employment mobility, new graduate job hunting)
• It creates a strong informal connection between colleagues.
Slide 38: Tailgating – Cultural Defense
 Why does it work as a defense?
• New guys or strangers = easy to identify
• Informal connections work as a verification method
• It may be difficult to create workable pretexting
Slide 39: 2. Social Engineering and Cultural Difference ~2-3 : Vishing~

Slide 40: Vishing
 Vishing
• Phishing attack by using a phone call
• Ex) pretending to be a “computer support” guy
• Ex) pretending to be a WFH employee or someone from another branch
 Cultural Defense Workability of JP Culture:
• Working Style
• Decision Making Process
Slide 41: Vishing – Cultural Defense
 Working Style
• WFH is not popular
• Outsourcing is not so popular
• Employees have strong informal connections
 Why does it work as a defense?
• Pretexting may be hard
• If a phone call is suspicious, it is possible to check by asking around through the informal network of colleagues (validation function)
Slide 42: Vishing – Cultural Defense
 Phone Call Handling
• When your colleague gets a phone call...
• In Japan, a freshman or administrative staff picks up the phone within 3 rings
 Why does it work as a defense?
• The contents of the call are shared through this process (the flat desk layout helps)
• Freshmen or administrative staff can create the baseline of what normal calls look like
Slide 43: Vishing – Cultural Defense
 Decision Making Process
• US: If the boss said Yes, it is done
• JP: prefers consensus (many escalation steps to decide)
 Why does it work as a defense?
• Various validation functions are built into the process, especially for financial settlement
Slide 44: 2. Social Engineering and Cultural Difference ~2-5 : Remittance Scam~
Slide 46: I gave a couple of examples of Japanese (business) culture and its workability as a defense. However, it does not necessarily mean that Japanese culture and people are resistant to social engineering.

Slide 47: Scams targeting elderly people are a serious problem in Japan, and we see a lot of SE techniques in them.
Slide 52: Scenarios:  Step 1
Participants: Victim, Attacker (posing as Police Officer A)
Attacker (Police Officer A) to Victim:
• We have arrested a scam group.
• They had a name list for future attacks, and it includes your name.
• They also cloned credit cards, and your credit card may have been abused.
• We are investigating this case with the FSA, and FSA staff will contact you.
FSA: Financial Services Agency
Slide 58: Scenarios:  Step 2
Participants: Victim, Attacker (posing as FSA Staff), Attacker (Police Officer A)
FSA: Financial Services Agency
Attacker (FSA Staff) to Victim:
• You got a phone call from police officer A.
• We are investigating the malicious usage of your credit card.
• Please tell me the last 4 digits and the expiry date. We will match them against our database.
• Umm… it has been abused.
• We will start the process to issue a new card, and FSA staff will come to your home to pick up the old one.
Slide 59: Scenarios:  Step 3
Participants: Victim, Attacker (FSA Staff), Attacker (Police Officer A)
FSA: Financial Services Agency
• Attacker (FSA Staff): Pick up (collects the card at the victim’s home)
Slide 60: 3. Wrap-Up

Slide 61: Wrap-Up
 Does Cultural Difference become a barrier for SE?
• I think YES.
• But this is only my first thought, and I think further discussion is needed
• Also, from the attacker’s perspective, adjusting pretexting to a specific culture will be effective.
 Design consideration of culture and business processes may help to avoid social engineering

Slide 62: Thank You!!
 If you have any questions, please feel free to contact me
Contact Info
• Email: scientia.admin@gmail.com
• JP Blog: www.scientia-security.org
• EN Blog: blog.scientia-security.org (Coming Soon)
