Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

The Rise of Social Engineering -- Anatomy of a Full Scale Attack

In this presentation you will gain insight on how hackers use the human element to increase the success probability of their attacks. It will cover everything from dumpster diving to email phishing and pretexting phone calls. Learn what to look for and how to defend your organization from social engineering attacks.

David Nelson, CISSP, is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow with the Information Systems Security Association (ISSA). He has lead technology organizations in both the public and private sector. Prior to founding Integrity, he most recently was the Chief Information Security Officer for a leading health informatics company. He also managed an information security group for a top 5 U.S. banking organization, was the CIO for a higher education institution and served as the information security officer for one of the largest municipal governments on the East Coast.

  • Sé el primero en comentar

  • Sé el primero en recomendar esto

NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

  1. 1. The Rise of Social Engineering - Anatomy of a Full Scale Attack - Presenter: Dave Nelson, CISSP | President at Integrity
  2. 2. Dave Nelson, CISSP • Certified Information Security Professional (CISSP) • Over 20 years experience as information security professional • Fellow with the Information Systems Security Association • President Emeritus of ISSA Des Moines Iowa Chapter
  3. 3. Overview What is “Social Engineering”? Types of Attacks & Real World Examples Best Defense
  4. 4. What is “Social Engineering”? WHAT IS SOCIAL ENGINEERING?
  5. 5. Social Engineering • Using knowledge of human behavior to elicit a defined response. • Put simply…getting you to willingly do something for me which is likely not in your best interest.
  6. 6. Sociology and Psychology • Study of human behavior, interaction and societal norms. • Actions can be predicted quite accurately. • Actions can also be influenced quite easily.
  7. 7. Simple Human Behavior • Two Types of Responses – Natural – Learned Hackers will craft a scenario for you to enter, in order to elicit a response which they believe will give them the result they are looking for.
  8. 8. Types of Attacks & Real World Examples
  9. 9. Why talk about social engineering Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it’s on the rise. Source: 2016 Verizon Data Breach Investigation Report
  10. 10. 5 Common Attack Methods Dumpster Diving Pretexting Phishing Physical Entry Enticement
  11. 11. Dumpster Diving • Scouring through discarded items – Calendars & Day planners – Handwritten notes – Phone & Email Lists – Operation manuals or procedures – System diagrams & IP addresses – Source code
  12. 12. Pretexting • Fraudulent phone calls • Used to extract information • Also used to setup other attacks such as facility entry or phishing
  13. 13. Phishing Attempts to get users to provide information or perform an action Tips For Identifying Phishing Attempts – Asks to update account information via email – No verification image or varying layout designs – Provides unfamiliar hyperlinks
  14. 14. Common Bait • Sweet Deals – Free Stuff – Limited Time Offers – Package Delivery • Help Me, Help You! – Tech Support • You Gotta’ See This!
  15. 15. Spear Phishing Example Good Morning Mike, You may or may not know, but Mary (CFO) and I are in Atlanta working to close a deal with our partners XYZ Company and ABC Limited on a $70 million dollar contract with Our Big Payday, Inc. In order to get the contracts signed, I need you to wire $85,620 to XYZ Company and $67,980 to ABC Limited. Mary says this should come from our Bank Name Here account number 123456789. The routing and account number for XYZ is 12345678 – 7788994455 and for ABC is 98765432 – 336699774411. Because Our Big Payday, Inc. is a publicly traded company, the terms of this agreement cannot be disclosed until they file their SEC reports for the quarter so your absolute discretion is expected. Under no circumstances are you to discuss this transaction with anyone in the department. A leak could result in SEC fines or prison for both of us for insider trading. If you have any questions about this, please respond to this email with your direct line and I’ll call you when I’m out of the negotiation meetings. I appreciate all you do for us which is why I’m trusting you with this key project. Keep up the good work! Sandy (CEO)
  16. 16. Physical Presence • Gaining physical access can be easier than virtual access • May provide additional information • Comes at a higher risk but with a potentially greater reward
  17. 17. Physical Presence Examples • Delivery Drivers • Employee Tailgating • Maintenance or Emergency Crews • The key is to act like you belong. If you believe it so will everyone else.
  18. 18. Enticement Examples A folder with enticing title/label left on ground outside an employee entrance with a USB thumb drive taped inside. • USB, CD or DVDs left in conspicuous spaces. • May be accompanied by fake paper files • Curiosity beats caution Year-End Bonuses
  19. 19. Putting It All Together • Targeted attacks will always use some form of social engineering. • Just like in military operations, intel makes or breaks a mission • Hackers may never even need to use sophisticated technical attacks if you provide the information willingly
  20. 20. Stealth Mode • Limited social engineering attacks can be hard to detect. • Relevant information allows attackers to pinpoint their attack which makes their footprint hard to discover.
  21. 21. Don’t Fall for The Long Con • Social engineering is nothing more than a con-game. • The old “Long Con” has been ported to the digital world. • Good cons are hard to spot.
  22. 22. Best Defenses
  23. 23. Best Defenses • Strong paper destruction process • Limiting facility ingress/egress points • Challenge unknown people in secure areas • Implement technology to screen email and websites for attacks
  24. 24. Employee Training • Traditional CBT methods don’t work • Engage the employee, make a personal plea • Use gamification to enhance learning • Prepare for different learning styles (audio, visual, hands- on) • Awareness is not training and training is not awareness
  25. 25. Program Validation • Social engineering testing engagements provide assessments of how well your people, process and technology are functioning.
  26. 26. Summary • Social engineering is here to stay and it’s growing • Your organization will suffer a data breach due to social engineering • The study of human behavior has been used by criminals for centuries, cybercriminals are no different • Employees must be trained to spot social engineering and how to react
  27. 27. Question & Answer DaveNelsonCISSP @IntegrityCEO - @IntegritySRC 515-965-3756