BSidesPGH - Never Surrender - Reducing Social Engineering Risk

•

72 recomendaciones•30,542 vistas

This document discusses reducing social engineering risk through a strategic approach. It recommends tracking successful social engineering incidents rather than failures, using positive rather than negative reinforcement for awareness training, and taking a multi-phased approach of social engineering testing, penetration testing, incident response, policies/procedures, education, and repeating. Specific next steps proposed include implementing email spoofing protection, disabling HTML emails, sandboxing browsers and email, using browser plugins, and regularly simulating social engineering attacks to better prepare incident responders.

Ingeniería Tecnología

NEVER SURRENDER
Reducing social engineering risk
Rob ragAn
@sweepthatleg
Christina Camilleri
@0xkitty

Shower Foo
What if I say I’m not like the others
What if I say I’m not just another one
of your plays
You’re the pretender
What if I say I will
never surrender

An exploitation of TRUST
Someone who can leverage the trust of their
victim to gain access to sensitive information or
resources or to elicit information about those
resources

People are Vulnerable
And WE are lazy
and we want to be helpful
and we WANT to be noticed.

And social engineering is
the path of least resistance.

We are the root of all evil, and the
reason for all security issues.

People – psychology
Computers – Technology
When it comes to security, We are unreliable.

Technical systems are:
reviewed
scanned
penetration tested

How do we measure
vulnerability in people?

We don’t.
We SHAME and Blame.
We make them feel bad for their behavior.
We are Ignorant.
*And we’re not doing anything to effectively change this.

We avoid testing because it makes us
feel vulnerable.

We fall victim to basic psychological and
physical needs:

Cialdini 6
Authority
Liking
Social Proof
Scarcity
Reciprocity
Commitment and Consistency

Information gathering
Developing a relationship
exploitation
execution

We watch videos
We do e-learning modules
We tick boxes
We make posters
And generally feel good about ourselves.

Tracking.
Stop tracking clicks
Stop tracking by department
Don’t track failed attempts
track successes

Track successful reported incidents.
The graph should ideally go up
not down.

Awareness training should feed a
strong SE specific IR plan

Frequency.
Stop shoving awareness training down
people’s throats.

Conditioning.
Stop using negative reinforcement.
Use positive reinforcement.

A multi-phased cyclical approach:
SE > PT > IR > PPP > ES >
SE > PT > ...
Rinse, repeat

Strategic Next Steps
1.  Alias for reporting incidents
2.  Implement anti-email spoofing (SPF, DKIM, DMARC)
3.  Disable HTML in SMTP (plaintext emails FTW)
4.  Sandbox the browser and the email client

Questions?
Special Thanks
@lady_nerd @CandySaur @lunarca_ @tastic007 @Napordie
Rob ragAn
@sweepthatleg
Christina Camilleri
@0xkitty

BSidesPGH - Never Surrender - Reducing Social Engineering Risk

Más contenido relacionado

La actualidad más candente

Ethical Hacking Powerpoint

Application security

Phishing Attacks

Social engineering

Penetration Testing Basics

Rick Wanner

Basics of Cyber Security

Nikunj Thakkar

Intrusion detection

CAS

Ethical hacking presentation

Suryansh Srivastava

Social engineering hacking attack

Pankaj Dubey

Most organization’s Security Awareness Programs suck. They involved ‘canned’ video presentations or someone is HR explaining computer use policies. Others are extremely expensive and beyond the reach of the budgets of smaller organizations. This talk will show you how to build a Security Awareness Program from scratch for little or no money, and how to engage your users so that they get the most out of the program.

Building An Information Security Awareness Program

Bill Gardner

Social engineering

Robert Hood

Note: There is an updated version of this slide deck available on SlideShare at https://www.slideshare.net/DallasHaselhorst/cybersecurity-awareness-training-presentation-v11 -- Do you want an cybersecurity awareness training you can present at *your* business or in *your* community? Awesome! We spent months putting together this training presentation on cybersecurity awareness. We then presented it multiple times and continued modifying the presentation based on feedback from attendees as well as feedback from those in the information security community. We are now releasing this in the hope it is a call to action for others in their communities. The slides are available for download on our website. Download it and please present it in your own communities, e.g. at your local library, business events, co-working spaces, schools, etc. We also have a free cybersecurity quiz available on the site that is also based on the material. Download the latest version as a Microsoft PowerPoint presentation (.pptx) or 'Make a Copy' in Google Slides. https://www.treetopsecurity.com/slides

Cybersecurity Awareness Training Presentation v1.0

DallasHaselhorst

Brute force attack

Jamil Ali Ahmed

Cyber security presentation

sweetpeace1

Social Engineering Basics

Luke Rusten

Implementing cybersecurity best practices and new technology ppt (1).pptx

damilolasunmola

Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks. By using what’s known as ‘Social Engineering’, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers. Social engineering, or SE, is the art of manipulating people into performing actions or so they give up confidential information. Social Engineering can mean different things to different people.

The Art of Human Hacking : Social Engineering

OWASP Foundation

** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training ** This Edureka PPT on "Cybersecurity Fundamentals" will introduce you to the world of cybersecurity and talks about its basic concepts. Below is the list of topics covered in this session: Need for cybersecurity What is cybersecurity Fundamentals of cybersecurity Cyberattack Incident Follow us to never miss an update in the future. Instagram: https://www.instagram.com/edureka_learning/ Facebook: https://www.facebook.com/edurekaIN/ Twitter: https://twitter.com/edurekain LinkedIn: https://www.linkedin.com/company/edureka

Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...

Edureka!

Social Engineering

Paul Devassy, CPP

Social Engineering and What to do About it

Aleksandr Yampolskiy

La actualidad más candente (20)

Ethical Hacking Powerpoint

Application security

Phishing Attacks

Social engineering

Penetration Testing Basics

Basics of Cyber Security

Intrusion detection

Ethical hacking presentation

Social engineering hacking attack

Building An Information Security Awareness Program

Social engineering

Cybersecurity Awareness Training Presentation v1.0

Brute force attack

Cyber security presentation

Social Engineering Basics

Implementing cybersecurity best practices and new technology ppt (1).pptx

The Art of Human Hacking : Social Engineering

Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...

Social Engineering

Social Engineering and What to do About it

Destacado

One of today's most challenging security issues is social engineering defense. Despite evidence proving the impact of a social engineering attack, we often see inadequate incident response plans in place. In this talk, we will share our experiences about what organizations are doing when (or, more commonly, if) they detect an attack, steps to strengthen the social engineering defensive strategy, and what best practices to enforce for the strongest possible security posture.

Social Engineering: the Bad, Better, and Best Incident Response Plans

Rob Ragan

Social Engineering: The Human Element of Sourcing and Recruiting | Glen Cathey

nwrecruit

Social Engineering

Cyber Agency

Social engineering for security attacks

masoud khademi

For years security professionals have been telling us not to follow links or open attachments from untrusted sources, not to click “Ignore” on your browser’s security pop-ups, and not to insert untrusted thumb drives into your USB ports. Do you want to see what can happen with your own eyes? This lunch hour session will show you how to download, install, configure, and use the basic features of Dave Kennedy’s open source hacker tool, the Social Engineering Toolkit.

Hacker tooltalk: Social Engineering Toolkit (SET)

Chris Hammond-Thrasher

Talk in The Social-Engineer Village at DEF CON 24 http://www.social-engineer.org/social-engineer-village/ [Overview] As a Japanese security consultant, one of my research questions in social engineering is whether or not cultural difference becomes the barrier for social engineering. It is because the malicious practice of social engineering is different between in Japan and the U.S. I think it is true. Since I have the both experience of being the company in Japan and the U.S., I would like to consider various technique of social engineering from both cultural glasses, such as tailgating, phishing or vishing method. In my talk, I would like to discuss the workability of several social engineering techniques from both Japanese and U.S. culture. It will support the cultural difference can become the barrier or vulnerable weakness.

The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become ...

Tomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE

Intro to Web Application Security

Rob Ragan

All brand new tool additions to the Google Hacking Diggity Project - The Next Generation Search Engine Hacking Arsenal. As always, all tools are free for download and use. When last we saw our heroes, the Diggity Duo had demonstrated how search engine hacking could be used to take over someone’s Amazon cloud in less than 30 seconds, build out an attack profile of the Chinese government’s external networks, and even download all of an organization’s Internet facing documents and mine them for passwords and secrets. Google and Bing were forced to hug it out, as their services were seamlessly combined to identify which of the most popular websites on the Internet were unwittingly being used as malware distribution platforms against their own end-users. Now, we've traveled through space and time, my friend, to rock this house again... True to form, the legendary duo have toiled night and day in the studio (a one room apartment with no air conditioning) to bring you an entirely new search engine hacking tool arsenal that’s packed with so much tiger blood and awesome-sauce, that it’s banned on 6 continents. Many of these new Diggity tools are also fueled by the power of the cloud and provide you with vulnerability data faster and easier than ever thanks to the convenience of mobile applications.Just a few highlights of new tools to be unveiled are: * AlertDiggityDB – For several years, we’ve collected vulnerability details and sensitive information disclosures from thousands of real-time RSS feeds setup to monitor Google, Bing, SHODAN, and various other search engines. We consolidated this information into a single database, the AlertDiggityDB, forming the largest consolidated repository of live vulnerabilities on the Internet. Now it’s available to you. * Diggity Dashboard – An executive dashboard of all of our vulnerability data collected from search engines. Customize charts and graphs to create tailored views of the data, giving you the insight necessary to secure your own systems. This web portal provides users with direct access to the most current version of the AlertDiggityDB. * Bing Hacking Database (BHDB) 2.0 – Exploiting recent API changes and undocumented features within Bing, we’ve been able to completely overcome the previous Bing hacking limitations to create an entirely new BHDB that will make Bing hacking just as effective as Google hacking (if not more so) for uncovering vulnerabilities and data leaks on the web. This also will include an entirely new SharePoint Bing Hacking database, containing attack strings targeting Microsoft SharePoint deployments via Bing. * NotInMyBackYardDiggity – Don’t be the last to know if LulzSec or Anonymous post data dumps of your company’s passwords on PasteBin.com, or if a reckless employee shares an Excel spreadsheet with all of your customer data on a public website. This tool leverages both Google and Bing, and comes with pre-built queries that make i

Tenacious Diggity - Skinny Dippin in a Sea of Bing

Rob Ragan

Beyond the Virtual World- Physical security and its importance

Saumya Vishnoi

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Attack Chaining: Advanced Maneuvers for Hack Fu

Rob Ragan

Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning… This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are: BaiduDiggity:first ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu. DroidDiggity:fully functional GoogleDiggity and BingDiggity application for Android phones. GoogleCodeSearchDiggity:identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. FlashDiggity:automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures. SHODAN Hacking Alerts:new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine. MalwareDiggity and MalwareDiggity Alerts:leveraging Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?" AlertDiggity:Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belong to them. DiggityDLP:Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks. That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again. http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...

Rob Ragan

Customer Acquisition Through Social Media

Mariana Rodriguez

Babelfish Articles Nov 2011

Brian Crotty

The Cloud: Background & Best Practices for Small Law Firms

Network 1 Consulting

Joakim Dahl IT Verksamhet

Joakim Dahl

Tutorial net beans

Maria Fernanda Campos Granja

FESC.PPT

Forat Electronic systems

Presentación taller de equipo de medición

HiokiMex

Publicidad diario la nación del 3 de junio de 1978.

AndrinoJuan

Fuente de voltaje 12 v,12v-04_ing_ite_pit_e

Amilkar Lafayette Muñoz

Destacado (20)

Social Engineering: the Bad, Better, and Best Incident Response Plans

Social Engineering: The Human Element of Sourcing and Recruiting | Glen Cathey

Social Engineering

Social engineering for security attacks

Hacker tooltalk: Social Engineering Toolkit (SET)

The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become ...

Intro to Web Application Security

Tenacious Diggity - Skinny Dippin in a Sea of Bing

Beyond the Virtual World- Physical security and its importance

Attack Chaining: Advanced Maneuvers for Hack Fu

Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...

Customer Acquisition Through Social Media

Babelfish Articles Nov 2011

The Cloud: Background & Best Practices for Small Law Firms

Joakim Dahl IT Verksamhet

Tutorial net beans

FESC.PPT

Presentación taller de equipo de medición

Publicidad diario la nación del 3 de junio de 1978.

Fuente de voltaje 12 v,12v-04_ing_ite_pit_e

Similar a BSidesPGH - Never Surrender - Reducing Social Engineering Risk

Corporate cybercrime is usually blamed on outsiders, but sometimes, your employees can represent the biggest threat to your organization’s IT security. In this presentation, Kaspersky Lab’s Mark Villinski, will provide practical advice for educating your employees about cybersecurity. Attend to learn: • How to create efficient and effective security policies • Overview and statistics of the current threat landscape • The importance of keeping your employees updated about the latest threats and scams • Security solutions that can help keep your systems updated and protected

Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity

centralohioissa

Cyber Security

Ncell

Opsec for security researchers

vicenteDiaz_KL

Integrated Security, Safety and Surveillance Solution i3S

Edgevalue

Risk management is a strategic security activity and is a cornerstone of security governance. The management of risk not only requires that we effectively measure it but also understand what effect vulnerability has on the level of risk. Both risk and vulnerability constantly change and not only in response to threats but also business initiatives. Does your organization have a mature risk and vulnerability identification, measurement and management process? The discussion will identify how risk responds to changes in vulnerability and how we might maximize our risk management activities to enhance the resilience of the organization and its assets. Presentation by: Philip Banks, P. Eng., CPP, Director, The Banks Group

Relating Risk to Vulnerability

Resolver Inc.

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

11 19-2015 - iasaca membership conference - the state of security

Matthew Pascucci

Companies have AI projects. Security products use AI to keep attackers out and insiders at bay. But what is this "AI" that everyone talks about? In this talk we will explore what artificial intelligence in cyber security is, where the limitations and dangers are, and in what areas we should invest more in AI. We will talk about some of the recent failures of AI in security and invite a conversation about how we verify artificially intelligent systems to understand how much trust we can place in them. Alongside the AI conversation, we will discover that we need to make a shift in our traditional approach to cyber security. We need to augment our reactive approaches of studying adversary behaviors to understanding behaviors of users and machines to inform a risk-driven approach to security that prevents even zero day attacks.

Artificial Intelligence – Time Bomb or The Promised Land?

Raffael Marty

DeltaV Security - Don’t Let Your Business Be Caught Without It

Emerson Exchange

Cyber security is a big problem for small business. Small business is the target of 43% of all cybercrimes. • 60% of small businesses who experience a significant cyber breach go out of business within the following 6 months. • 22% of small businesses that were breached by the 2017 Ransomware attacks were so affected they could not continue operating. • 33% of businesses with fewer than 100 employees don’t take proactive measures against cyber security breaches. • 87% of small businesses believe their business is safe from cyberattacks because they use antivirus software alone. • Cybercrime costs the Australian economy more than $1bn annually.

The Small Business Cyber Security Best Practice Guide

Inspiring Women

Data Security for Nonprofits

NPowerCR

Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...

Rishi Singh

2022 Rea & Associates' Cybersecurity Conference

Rea & Associates

www.thinair.com Concern about insider threats are rampant. Disgruntled employees that have access to sensitive data are common. When a breach does occur how do you identify which computers were involved in the breach? This session, originally held at Techno Security & Digital Forensics Conference, will discuss some of the major pain points of an insider threat investigation and how to mitigate them. We’ll also review three different case studies that occurred at Google, Palantir and the DOD.

How to Catch a Wolf in Sheep's Clothing

ThinAir

Unlocking the Hidden Potential

EricaCiko

Airport IT&T 2013 John McCarthy

Russell Publishing

When you are responding to severe intrusions, it has been gospel for the past years to observe, learn and plan before your start cleaning up. This is very sound advice, and probably the only way you can successfully evict a determined and mission driven adversary from your networks. But when is the right time? When do you actually know enough to evict, and more importantly, resist immediate re-entry? Enter the Cyber Threat Intelligence Matrix.

The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill

Frode Hommedal

Breach: When Bad Things Happen to Good Governments

Paul W. Taylor

ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business

ConnXus

R af d

William L. McGill

Similar a BSidesPGH - Never Surrender - Reducing Social Engineering Risk (20)

Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity

Cyber Security

Opsec for security researchers

Integrated Security, Safety and Surveillance Solution i3S

Relating Risk to Vulnerability

Why isn't infosec working? Did you turn it off and back on again?

11 19-2015 - iasaca membership conference - the state of security

Artificial Intelligence – Time Bomb or The Promised Land?

DeltaV Security - Don’t Let Your Business Be Caught Without It

The Small Business Cyber Security Best Practice Guide

Data Security for Nonprofits

Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...

2022 Rea & Associates' Cybersecurity Conference

How to Catch a Wolf in Sheep's Clothing

Unlocking the Hidden Potential

Airport IT&T 2013 John McCarthy

The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill

Breach: When Bad Things Happen to Good Governments

ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business

R af d

Más de Rob Ragan

Nbt hacker fight

Rob Ragan

Cloud providers continue to increase in usage for the next generation of internet services. Dynamic and ephemeral exposures are being created on an unprecedented level and your old generation of internet scanners can’t find them. Let us show you how they can be found and what it means for the future of unwanted internet exposures. Right now, at the click of a button, can you answer the question “What in my cloud environments is internet-facing?”. For most security teams the answer to this question would be a sigh and then “No.” We know that complexity is the enemy of security. We also know a comprehensive asset inventory is step one to any capable security program. How can we monitor for unnecessary exposures without knowing what’s on the internet? In this presentation we will look at the most pragmatic ways to continuously analyze your cloud environments and operationalize that information to identify vulnerabilities. Through examination of exposure patterns and analysis of passive DNS data, we explore real-world examples of global cloud breaches waiting to happen. There are thousands of vulnerable systems for the commonly used services (e.g. ElasticSearch) and more from the up and coming services you may not even know your organization is using yet. Main Takeaways: * Most security orgs are maintaining their inventory the old way (i.e. IP ranges) which doesn’t cut it in a dynamic cloud world * IPv4 scanners can’t find virtual host services that are ephemeral or require specific paths in the request to function properly * Global exposures are only going to increase unless we look at the solution differently and understand the patterns for these breaches waiting to happen

Expose Yourself Without Insecurity: Cloud Breach Patterns

Rob Ragan

Tools, techniques, and war stories from the security researchers at Bishop Fox. Feel the power to brute-force subdomains, with accuracy, at the rate of the entire English dictionary in less than 90 seconds. Learn to fly the DangerDrone, a pentesting quadcopter that takes wireless hacking and remote code execution to the sky. And, most importantly, learn advanced red team techniques from the dark side. In this talk, we’ll share a few of our favorite stories from the frontlines as well as our choice of tools for reconnaissance, physical attacks, and evasion techniques. We’ll also demonstrate tools such as GoGoDNS, the Tastic RFID Thief, and, yes, even the Danger Drone. You’ll walk away with insight into how to be a better security professional and how to ensure you’re enabled to simulate the latest emerging threats.

DeadDropSF - Better Red Than Dead

Rob Ragan

Over 90 percent of cyber attacks start the same way: with a phishing message. Attackers slip all manner of malware into your organization just by convincing users -- even admin-level users in the IT department -- to click on a link. Fraudsters carrying out business email compromise attacks are even more clever, forgoing malware and malicious links altogether, and scamming companies out of $47 million, $75 million and more, simply by asking for it the right way. Social engineering is, at the very least, how attackers get their foot in the door, and at worst, how they get away with your crown jewels. In this session, learn about attackers' new twists on the oldest tricks in the book, and how to protect your organization against them.

Interop 2017 - Defeating Social Engineering, BEC, and Phishing

Rob Ragan

What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service. We explore just how easy it is to generate massive amounts of unique email addresses; in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares! While riding on the fluffy Kumobot (kumo means cloud in Japanese), it was discovered that we were not the only ones doing this! With the rise of crypto currency we now face the impending rise of botnets that mine for digital gold on someone else's systems with someone else's dime footing the electric bill. Through our efforts in building a cloud-based botnet we built enough tools to share a framework for penetration testers and security researchers. The anti-anti-automation framework will show those tasked with defense exactly what it looks like when their free trial gets assaulted.

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

Rob Ragan

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team’s resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore - our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques. We’ll also be releasing the first ever “live vulnerability feed”, which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Lord of the Bing - Black Hat USA 2010

Rob Ragan

Today security filters can be found on our network perimeter, on our servers, in our frameworks and applications. As our network perimeter becomes more secure, applications become more of a target. Security filters such as IDS and WAF are relied upon to protect applications. Intrusion detection evasion techniques were pioneered over a decade ago. How are today's filters withstanding ever evolving evasion tactics? The presentation will examine how evasion techniques worked in the past and provide insight into how these techniques can still work today; with a focus on HTTP attacks. A practical new way to bypass Snort will be demonstrated. A tool to test other IDS for the vulnerability in Snort will be demonstrated. (Outerz0ne 2009) Video of this presentation at Outerz0ne 5: http://www.irongeek.com/i.php?page=videos/rob-ragan-filter-evasion-houdini-on-the-wire

Filter Evasion: Houdini on the Wire

Rob Ragan

Static Analysis: The Art of Fighting without Fighting

Rob Ragan

Más de Rob Ragan (8)

Nbt hacker fight

Expose Yourself Without Insecurity: Cloud Breach Patterns

DeadDropSF - Better Red Than Dead

Interop 2017 - Defeating Social Engineering, BEC, and Phishing

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

Lord of the Bing - Black Hat USA 2010

Filter Evasion: Houdini on the Wire

Static Analysis: The Art of Fighting without Fighting

Último

Java Programming :Event Handling(Types of Events)

simmis5

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Indian Girls Waiting For You To Fuck Booking Contact Details WhatsApp Chat: +91-6297143586 pune Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts pune understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide - 01-may-2024(v.n)

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...

Call Girls in Nagpur High Profile

Increased aeration of the soil; Stabilized soil structure; Higher and more diversified crop production; Better workability of the land; Earlier planting dates; Reduction of peak discharges by an increased temporary storage of water in the soil decomposition of organic matter; soil subsidence; reduced irrigation efficiency; increased risk of drought. excessive leaching of valuable nutrients from the soil; downstream environmental damage by salty or otherwise polluted drainage water; the presence of ditches, canals, and structures impending accessibility and interfering with other infrastructural elements of the land.

chapter 5.pptx: drainage and irrigation engineering

mulugeta48

UNIT - IV - Air Compressors and its Performance

sivaprakash250

STEAM NOZZLES AND TURBINES Flow of steam through nozzles, shapes of nozzles, effect of friction, critical pressure ratio, supersaturated flow - impulse and reaction principles, velocity diagram, work done and efficiency – types of compounding - governors. AIR COMPRESSORS Classification - working principle - type of compressors, work of compression with and without clearance - volumetric efficiency - isothermal and isentropic efficiency of reciprocating compressors - multistage air compressor with inter cooling.

Thermal Engineering -unit - III & IV.ppt

DineshKumar4165

VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking Escorts Service Available Whatsapp SABANA ☎️ : [+91-7001035870] Escorts Service are always ready to make their clients happy. Their exotic looks and sexy personalities are sure to turn heads. You can enjoy with them, including massages and erotic encounters. Our area Escorts are young and sexy, so you can expect to have an exotic time with them. They are trained to satiate your naughty nerves and they can handle anything that you want. They are also intelligent, so they know how to make you feel comfortable and relaxed Independent Escorts Service They know all the sex positions and can satisfy you in any way that you desire. They can even give you erotic massages to help you relax before your session. This is essential, because a man who is stressed won’t be receptive to the pleasures of sex. They also know how to play with your sexy organs, so you’ll have plenty of foreplay and cuddling. P252024SS SERVICE ✅ ❣️ ⭐➡️HOT & SEXY MODELS // COLLEGE GIRLS HOUSE WIFE RUSSIAN , AIR HOSTES ,VIP MODELS . AVAILABLE FOR COMPLETE ENJOYMENT WITH HIGH PROFILE INDIAN MODEL AVAILABLE HOTEL & HOME ★ SAFE AND SECURE HIGH CLASS SERVICE AFFORDABLE RATE ★ SATISFACTION,UNLIMITED ENJOYMENT. ★ All Meetings are confidential and no information is provided to any one at any cost. ★ EXCLUSIVE PROFILes Are Safe and Consensual with Most Limits Respected ★ Service Available In: - HOME & HOTEL Star Hotel Service .In Call & Out call SeRvIcEs : ★ A-Level (star escort) ★ Strip-tease ★ BBBJ (Bareback Blowjob)Receive advanced sexual techniques in different mode make their life more pleasurable. ★ Spending time in hotel rooms ★ BJ (Blowjob Without a Condom) ★ Completion (Oral to completion) ★ Covered (Covered blowjob Without condom ★ANAL SERVICES.

VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking

dharasingh5698

Unleashing the Power of the SORA AI lastest leap

RishantSharmaFr

Online banking management system project.pdf

Kamal Acharya

The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Chance Of Getting Into My Sexy Boobs? Booking Contact Details WhatsApp Chat: +91-8250192130 pune Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts pune understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide - 30-april-2024(v.n)

The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...

ranjana rawat

Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Girls Waiting For You To Fuck Booking Contact Details WhatsApp Chat: +91-6297143586 pune Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts pune understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide - 01-may-2024(v.n)

Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...

Call Girls in Nagpur High Profile

KubeKraft presentation @CloudNativeHooghly

sanyuktamishra911

NFPA 5000 2024 standard .

DerechoLaboralIndivi

The Educational Administration: Theory and Practice publishes prominent empirical and conceptual articles focused on timely and critical leadership and policy issues of educational organizations. The journal embraces traditional and emergent research paradigms, methods, and issues. The journal particularly promotes the publication of rigorous and relevant scholarly work that enhances linkages among and utility for educational policy, practice, and research arenas. The goal of the editorial team and the journal’s editorial board is to promote sound scholarship and a clear and continuing dialogue among scholars and practitioners from a broad spectrum of education. Educational Administration: Theory and Practice presents prominent empirical and conceptual articles focused on timely and critical leadership and policy issues facing educational organizations. As an editorial team, we embrace traditional and emergent theoretical frameworks, research methods, and topics. We particularly promote the publication of rigorous and relevant scholarly work with utility for educational policy, practice, and research. The journal’s primary focus is on studies of educational leadership, organizations, leadership development, and policy as they relate to elementary and secondary levels of education. Examinations of leadership and policy that fall outside K-12 are considered insofar as there are meaningful connections to the K-12 arena (e.g., college pipeline). International comparative investigations are welcome to the extent they have implications for a broad audience.s.

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...

Christo Ananth

International Journal of Intelligent Systems and Applications in Engineering (IJISAE) is an international and interdisciplinary journal for both invited and contributed peer reviewed articles that intelligent systems and applications in engineering at all levels. The journal publishes a broad range of papers covering theory and practice in order to facilitate future efforts of individuals and groups involved in the field. IJISAE, a peer-reviewed double-blind refereed journal, publishes original papers featuring innovative and practical technologies related to the design and development of intelligent systems in engineering. Its coverage also includes papers on intelligent systems applications in areas such as nanotechnology, renewable energy, medicine engineering, Aeronautics and Astronautics, mechatronics, industrial manufacturing, bioengineering, agriculture, services, intelligence based automation and appliances, medical robots and robotic rehabilitations, space exploration and etc.

Call for Papers - International Journal of Intelligent Systems and Applicatio...

Christo Ananth

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss This Chance Of Getting Into My Sexy Boobs? Booking Contact Details WhatsApp Chat: +91-8250192130 pune Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts pune understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide - 30-april-2024(v.n)

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...

ranjana rawat

Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking Booking Now open +91- 7737669865 Why you Choose Us- +91- 7737669865 HOT⇄ 7737669865 Mr ashu ji Call Mr ashu Ji +91- 7737669865 (V020524]N) 𝐇𝐨𝐭𝐞𝐥 𝐑𝐨𝐨𝐦𝐬 𝐈𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐑𝐚𝐭𝐞 𝐒𝐡𝐨𝐭𝐬/𝐇𝐨𝐮𝐫𝐲🆓 .█▬█⓿▀█▀ 𝐈𝐍𝐃𝐄𝐏𝐄𝐍𝐃𝐄𝐍𝐓 𝐆𝐈𝐑𝐋 𝐕𝐈𝐏 𝐄𝐒𝐂𝐎𝐑𝐓 Hello Guys ! High Profiles young Beauties and Good Looking standard Profiles Available , Enquire Now if you are interested in Hifi Service and want to get connect with someone who can understand your needs. Service offers you the most beautiful High Profile sexy independent female Escorts in genuine ✔✔✔ To enjoy with hot and sexy girls ✔✔✔ ★providing:- • Models • vip Models • Russian Models

Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking

roncy bisnoi

Call Girl Bhosari Indira Call Now: 8617697112 Bhosari Escorts Booking Contact Details WhatsApp Chat: +91-8617697112 Bhosari Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts Bhosari understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide –

(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7

Call Girls in Nagpur High Profile Call Girls

Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking Booking Now open +91- 7737669865 Why you Choose Us- +91- 7737669865 HOT⇄ 7737669865 Mr ashu ji Call Mr ashu Ji +91- 7737669865 (V020524]N) 𝐇𝐨𝐭𝐞𝐥 𝐑𝐨𝐨𝐦𝐬 𝐈𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐑𝐚𝐭𝐞 𝐒𝐡𝐨𝐭𝐬/𝐇𝐨𝐮𝐫𝐲🆓 .█▬█⓿▀█▀ 𝐈𝐍𝐃𝐄𝐏𝐄𝐍𝐃𝐄𝐍𝐓 𝐆𝐈𝐑𝐋 𝐕𝐈𝐏 𝐄𝐒𝐂𝐎𝐑𝐓 Hello Guys ! High Profiles young Beauties and Good Looking standard Profiles Available , Enquire Now if you are interested in Hifi Service and want to get connect with someone who can understand your needs. Service offers you the most beautiful High Profile sexy independent female Escorts in genuine ✔✔✔ To enjoy with hot and sexy girls ✔✔✔ ★providing:- • Models • vip Models • Russian Models

Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking

roncy bisnoi

Generative AI or GenAI technology based PPT

bhaskargani46

VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to 25K High Profile Escorts In Pune Booking Now open +91- 8005736733 Why you Choose Us- +91- 8005736733 HOT⇄ 8005736733 Mr ashu ji Call Mr ashu Ji +91- 8005736733 (V030524]N) 𝐇𝐨𝐭𝐞𝐥 𝐑𝐨𝐨𝐦𝐬 𝐈𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐑𝐚𝐭𝐞 𝐒𝐡𝐨𝐭𝐬/𝐇𝐨𝐮𝐫𝐲🆓 .█▬█⓿▀█▀ 𝐈𝐍𝐃𝐄𝐏𝐄𝐍𝐃𝐄𝐍𝐓 𝐆𝐈𝐑𝐋 𝐕𝐈𝐏 𝐄𝐒𝐂𝐎𝐑𝐓 Hello Guys ! High Profiles young Beauties and Good Looking standard Profiles Available , Enquire Now if you are interested in Hifi Service and want to get connect with someone who can understand your needs. Service offers you the most beautiful High Profile sexy independent female Escorts in genuine ✔✔✔ To enjoy with hot and sexy girls ✔✔✔ ★providing:- • Models • vip Models • Russian Models • Foreigner Models • TV Actress and Celebrities • Receptionist • Air Hostess • Call Center Working Girls/Women • Hi-Tech Co. Girls/Women • Housewife

VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...

SUHANI PANDEY

BSidesPGH - Never Surrender - Reducing Social Engineering Risk

1. NEVER SURRENDER Reducing social engineering risk Rob ragAn @sweepthatleg Christina Camilleri @0xkitty

2. Shower Foo What if I say I’m not like the others What if I say I’m not just another one of your plays You’re the pretender What if I say I will never surrender

3. Who The…

4. Let’s get our hands dirty

5. What is social engineering?

6. An exploitation of TRUST Someone who can leverage the trust of their victim to gain access to sensitive information or resources or to elicit information about those resources

7. We are professional liars.

8. People are Vulnerable And WE are lazy and we want to be helpful and we WANT to be noticed.

9. And social engineering is the path of least resistance.

10. the biggest issue we face in infosec.

11. We are the root of all evil, and the reason for all security issues.

12. There is no patch for human stupidity.

13. People – psychology Computers – Technology When it comes to security, We are unreliable.

14. Technical systems are: reviewed scanned penetration tested

15. But…

16. How do we measure vulnerability in people?

17. We don’t. We SHAME and Blame. We make them feel bad for their behavior. We are Ignorant. *And we’re not doing anything to effectively change this.

18. We avoid testing because it makes us feel vulnerable.

19. And we don’t like to feel vulnerable.

20. psychology + Technology =

21. We fall victim to basic psychological and physical needs:

22. Cialdini 6 Authority Liking Social Proof Scarcity Reciprocity Commitment and Consistency

23. Let me Tell you a story.

24. Let me Show you how.

25. Information gathering Developing a relationship exploitation execution

26. What are we doing wrong?

27.

28. Almost everything.

29. We watch videos We do e-learning modules We tick boxes We make posters And generally feel good about ourselves.

30. No. You’re doing it wrong too.

31. Tracking. Frequency. Conditioning.

32. Tracking. Stop tracking clicks Stop tracking by department Don’t track failed attempts track successes

33. Track successful reported incidents. The graph should ideally go up not down.

34. Awareness training should feed a strong SE specific IR plan

35. Frequency. Stop shoving awareness training down people’s throats.

36. Conditioning. Stop using negative reinforcement. Use positive reinforcement.

37. Let me Tell you another story.

38. How do we plan to fix this?

39. A multi-phased cyclical approach: SE > PT > IR > PPP > ES > SE > PT > ... Rinse, repeat

40. How do we plan to fix this?

41. Strategic Next Steps 1.  Alias for reporting incidents 2.  Implement anti-email spoofing (SPF, DKIM, DMARC) 3.  Disable HTML in SMTP (plaintext emails FTW) 4.  Sandbox the browser and the email client

42. Strategic Next Steps 1.  Alias for reporting incidents 2.  Implement anti-email spoofing (SPF, DKIM, DMARC) 3.  Disable HTML in SMTP (plaintext emails FTW) 4.  Sandbox the browser and the email client 5.  Browser plugins 6.  Org wide web proxy 7.  Alert on org relevant [phishing] domains 8.  Customization of authN to mitigate cloning

43. Strategic Next Steps 1.  Alias for reporting incidents 2.  Implement anti-email spoofing (SPF, DKIM, DMARC) 3.  Disable HTML in SMTP (plaintext emails FTW) 4.  Sandbox the browser and the email client 5.  Browser plugins 6.  Org wide web proxy 7.  Alert on org relevant [phishing] domains 8.  Customization of authN to mitigate cloning 9.  Application whitelisting 10.  Encrypt sensitive data (in transit & at rest) 11.  Enforce a VPN when not on internal network 12.  Perform regular simulated SE for a more prepared IR team

44. Questions? Special Thanks @lady_nerd @CandySaur @lunarca_ @tastic007 @Napordie Rob ragAn @sweepthatleg Christina Camilleri @0xkitty

Notas del editor

Who has performed social engineering assessments? Who has been a victim of social engineering? Are you sure? Who has a concern that their organization may be or may have already been a victim of a successful social engineering attack?
The inspiration for this talk came from a few experiences during social engineering engagements. Also from listening to the Foo Fighters in the shower. Also from the pleasure and opportunity to work with one of the best social engineering talents in the industry. Why don’t most organization want to perform regular SE assessments? Have they given up? NEVER SURRENDER TO THE PRETENDERS
Christina – Aussie. First time in Pittsburgh. Already saw her first large pine cone, first white tailed deer, first lightening bug. DEFCON SE CTF CHAMP! Going for as many rings as the Pittsburgh Steelers  Rob – Pittsburgher. Born and raised here. Lives in ATL now. Started his hobby and now profession in security right here at PA2600 in the Pitt Student Union ~12 years ago. Lots of familiar faces here. Come ask me about my IRC handle and fun times at Summercon 2004.
DO IT!
As always, I’ll start with a definition of Social Engineering. Taken from social-engineer.org, it’s defined as “The act of manipulating people into performing actions or divulging confidential information..” It’s a blend of science, psychology and art and it taps into basic human emotions and looks at why we react the way we do. Social engineers study people. Truly committed social engineers will study a lot about body language, voice control, vocal indicators and group dynamics. It’s also a study of individual personality types that come out through body language and vocal cues.
A more simple definition of Social Engineering would be “an exploitation of TRUST” – someone who can leverage the trust of their victim to gain access to sensitive information or resources or to elicit information about those resources. The use of social engineering is successful because it preys not on technology, but on the inherent weaknesses of the human component. This is done by manipulating the human victim with messages that exploit your trust, pique your interests and desires, and evoke a range of strong human emotions such as fear, anxiety, trust, human interest and reward.
To make this simple – we are professional liars.
And people are vulnerable, lazy, and we want to be helpful and be noticed., making people an especially enticing target. As a really simple example.. we can spend hours, weeks or months trying to brute force our way to a password… when a phone call with the right pretext and right questions can get you the same password or more in a few minutes.
And that’s exactly it. SE is the path of least resistance. So.. utilising techniques such as planning the right pretext (which is creating and using a contrived scenario), exploiting trust, and appealing to someone’s emotions often results in obtaining the same piece of information - it is almost unbelievable what you can achieve by simply asking, looking or posing as someone. And as software vendors get more and more secure and their products get harder to crack, the role of social engineering becomes greater. And so, we need to understand what it is a social engineer will try, how they will try it and what methodology they may use.
But let me tell you why I care. Social engineering is undoubtedly one of the weakest links in the domain of information security, simply because it is beyond technological control and subject to human nature. We can’t necessarily control the way each individual thinks and reacts, which makes it much more challenging aspect of security to handle.
To keep it simple, people are the root of all evil, and we are the reason for all security issues.
And this is because there is NO patch for human stupidity.
When you combine people with technology, you will encounter problems. People are unreliable.
Technical systems are reviewed, scanned and pentested.
But…. How about people? How do we measure vulnerabilities in people?
We don’t. At least we don’t do it effectively. We like to make people feel shameful. We like to pass blame. We like to IGNORE the problem while not doing anything to help the situation. I once had a client tell me that they did not want to do a social engineering test simply because they KNEW that they would be vulnerable.
We don’t. At least we don’t do it effectively. We like to make people feel shameful. We like to pass blame. We like to IGNORE the problem while not doing anything to help the situation. I once had a client tell me that they did not want to do a social engineering test simply because they KNEW that they would be vulnerable.
We don’t. At least we don’t do it effectively. We like to make people feel shameful. We like to pass blame. We like to IGNORE the problem while not doing anything to help the situation. I once had a client tell me that they did not want to do a social engineering test simply because they KNEW that they would be vulnerable.
And when you combine people with technology, you get this big blob of mess.
People are unreliable. People fall victim to basic psychological and emotional needs, and people can be manipulated and persuaded.
To break this down, there’s 6 useful frames called the Cialdini 6 when it comes to SE and effectual persuasion, and those are: Authority- we tend to be influenced by authority positions Liking – We’re influenced by those we like Social Proof – We look at others to determine good behaviour Scarcity – Value is tied to availability Reciprocation – We feel like we have an obligation to return what others provide (favours) Commitment and Consistency – We are pressured to remain consistent with prior engagements
With one engagement at my old job, I had posed as an internal employee for a law enforcement agency and after doing some recon and finding out that the target I had chosen was on holidays – I crafted a pretext on the information that I knew… and that was that I had to come back early from my holiday in Hawaii (which I found posted on her Facebook) to urgently finish a report for my manager. And when you create that sense of urgency, they were naturally inclined to help.. And from there I had managed to get ahold of the IT department using the same sense of urgency and praising them for being so helpful. I said – “I really need to finish this report but oh no.. I’ve forgotten my both my domain and email password because I’ve been on holidays – I’m so sorry! – Can you please help me out?” And what was most surprising is that I got exactly what I wanted which were both passwords read to me over the phone with absolutely NO cross checking that I was who I actually said I was – other than me also being the same gender as my target.. And what was amusing is the guy, let’s call him Mike said “I’m not supposed to do this, but….” and gave me both passwords. He had also asked me what I wanted to set it to, and I said “something simple..” and he said “Ok, sure, I’ll set it to ‘Password1’ but put a dollar sign in front just to be a bit more secure” Thank you Mike! But the point of this is.. this works because most people trust others by default and respond well to social rewards. Many people, especially customer service agents, help desk receptionists, and business assistants or secretaries who are trained to assist people and not to question the validity of each request, tend to trust others and are naturally helpful. + Naomi Wolf story/Robin Safe. There’s this inherit trust we put into social media and it’s absolutely terrifying what you can pull out of this.
And so to demonstrate this in a simple attack model, we really just need to gather the right information, develop a relationship with whoever your target is (be it through small talk or a common interest), exploiting that trust and executing your attack.
Enough about the fluffy stuff. What are we doing wrong? Why is this still such a big issue?
Since everyone loves statistics, a rough estimate of almost 50% of enterprises have been victim to SE attacks, even when most IT and security professionals are aware of this risk.. but aren’t doing enough to prevent or defend this risk. And regardless, SE still has a high success rate through simple means like phishing phone calls. But it is also important to point out that due to human factors, “knowing better but not doing better” is one of the key issues that has not been fully addressed, particularly in the IS domain.
The answer to that question is everything. We are doing a lot wrong.
We like to….. But is this really helping?
Stop using negative reinforcement. Rubbing their nose in it like a dog is demeaning and degrading. Use positive reinforcement. If a person at the organization reported an incident, track that, reward them, and make them a good example for others to follow. How do you get folks on the defensive? Make it easy. Make it default. Make it rewarding.
An organization comes to us and wants to develop SE defense for their customer support representatives (CSRs). They have 4000 CSRs and some are in the US, some are offshore, some are in-house, some are external third-parties. Currently training and simulated SE scenarios are performed ad hoc. They have had some incidents recently. Attackers are calling in and coercing CSRs into giving them access to PII and/or access to customer accounts. (Risk #1) On top of that, the CSRs are regularly receiving emails that are actually phishing scams. An email that prompts them to reset their email password is a regular occurrence. (Risk #2) Occasionally the CSRs get malware infections on their terminal, the source is not always clear but it causes downtime when we have to re-image their machine (Risk #3)
http://www.darkreading.com/social-engineering-defenses-reducing-the-human-element/a/d-id/1320223
http://www.darkreading.com/social-engineering-defenses-reducing-the-human-element/a/d-id/1320223
http://www.darkreading.com/social-engineering-defenses-reducing-the-human-element/a/d-id/1320223

BSidesPGH - Never Surrender - Reducing Social Engineering Risk

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a BSidesPGH - Never Surrender - Reducing Social Engineering Risk

Similar a BSidesPGH - Never Surrender - Reducing Social Engineering Risk (20)

Más de Rob Ragan

Más de Rob Ragan (8)

Último

Último (20)

BSidesPGH - Never Surrender - Reducing Social Engineering Risk

Notas del editor