People Security and Social Engineering

PEOPLE
SECURITY
&
SOCIAL
ENGINEERING
Chris
Cooper

View Slide

SENIOR SECURITY CONSULTANT
Chris
Cooper

View Slide

Understand why social engineering is a prevalent
form of attack against organisations
1
Know some of the most common techniques
employed by attackers and why they work
3
Be able to identify the challenges involved in
resisting these types of attack
2
Understand the importance of awareness as a key
defence mechanism
4
Gain a knowledge of other security controls that can
hinder social engineering attacks
5
OBJECTIVES

View Slide

SOCIAL ENGINEERING
MEANS
MANIPULATING SOMEONE
INTO PERFORMING ACTIONS
OR DIVULGING INFORMATION

View Slide

SOCIAL ENGINEERING
IS ASSOCIATED WITH HACKING
WHEN YOU CAN’T BREACH THE
FIREWALL
HACK A PERSON ALREADY INSIDE

View Slide

SOCIAL ENGINEERING
BECOMES THE EASIER OPTION
AS COMPUTER
SECURITY MATURES

View Slide

SOCIAL ENGINEERING
IS SPECIALLY CRAFTED
CHALLENGE:
TO ABUSE HOW OUR
BRAINS WORK

View Slide

IS HANDS-DOWN
AWARENESS
THE MOST EFFECTIVE
STRATEGY FOR AN
INDIVIDUAL

View Slide

MANIPULATION

View Slide

LEGITIMACY
PRETEXTING
+ EMOTION
SYMPATHY TRUST
LIKING
SCARCITY
AUTHORITY

View Slide

“
“
PRESUPPOSE THAT PEOPLE
PRESUPPOSITIONS
WHERE DO I SIGN IN
ARE GOING TO DO WHAT YOU ASK
PRESUPPOSES THAT THE
RECEPTIONIST WILL LET YOU IN

View Slide

GET TARGETS TO MAKE
COMMITMENT &
THEY WILL FEEL PRESSURE
CONSISTENCY
SMALL COMMITMENTS
TO HONOUR FURTHER REQUESTS
IF THEY ARE CONSISTENT

View Slide

HELPING PEOPLE
RECIPROCITY
QUID PRO QUO
CONCSESSIONS
COMPLEMENTS

View Slide

GIVING YOU INFORMATION
SOCIAL PROOF
CAN BECOME THE SOCIAL NORM
IF STAFF SEE THEIR COLLEAGUES
COOPERATING WITH YOU

View Slide

CLEAR POLICIES ON
RESISTANCE
INFORMATION SHARING
TRYING TO BE AWARE OF
UNDUE PRESSURE TO SUBVERT

View Slide

IF YOU ARE CONFIDENT
CHALLENGE THEM
ALWAYS
REPORT THEM

View Slide

METHODS

View Slide

OSINT
OPEN SOURCE INTELLIGENCE
PUBLICLY AVAILABLE INFORMATION
CORP WEBSITE, GOOGLE, SOCIAL NETWORKS

View Slide

OSINT
OPEN SOURCE INTELLIGENCE
INFORMATION THAT SEEMS
PRIVILEGED MIGHT NOT BE

View Slide

DUMPSTER DIVING
AND STICKING SHREDDED
PAPER BACK TOGETHER
SECURE BINS
CROSS-CUT SHREDDING
SECURE TRANSPORT

View Slide

INTRUSION
& TAILGATING
& SHOULDER-SURFING

View Slide

INTRUSION
CULTURE

EVERYONE WEARS ID

EVERYONE ‘SWIPES’ THROUGH EVERY DOOR,  
EVEN IF IT’S OPEN

IT’S OKAY TO CHALLENGE

REDIRECT TO RECEPTION

ALWAYS REPORT

View Slide

PHISHING
& VISHING
VOICE PHISHING
VIA TELEPHONE

View Slide

EMAIL PHISHING
• DO YOU TRUST THE EMAIL - WERE YOU
EXPECTING IT?

• REMEMBER THAT EMAIL ADDRESSES CAN
OFTEN BE SPOOFED

• DON’T FOLLOW LINKS AND BROWSE DIRECTLY
IF POSSIBLE

• CHECK WHERE LINKS ARE REALLY POINTING

• DON’T OPEN ATTACHMENTS UNLESS YOU ARE
CONFIDENT REGARDING THEIR SOURCE

View Slide

BAITING
REMOVABLE MEDIA THAT
WILL RUN MALICIOUS CODE
IF YOU PLUG IT IN

View Slide

Understand why social engineering is a prevalent
form of attack against organisations
1
Know some of the most common techniques
employed by attackers and why they work
3
Be able to identify the challenges involved in
resisting these types of attack
2
Understand the importance of awareness as a key
defence mechanism
4
Gain a knowledge of other security controls that can
hinder social engineering attacks
5
OBJECTIVES

View Slide

speakerdeck.com/itscooper
Chris
Cooper
Thank You

View Slide

People Security and Social Engineering

People Security and Social Engineering

Chris Cooper

More Decks by Chris Cooper

Other Decks in Technology

Featured

Transcript