
People Security and Social Engineering

Chris Cooper
September 27, 2016


A talk on social engineering as a means of attacking and compromising an organisation's information security, directed towards the self-employed, small businesses and staff at larger organisations. Tackles concepts such as manipulation, physical intrusion, phishing, vishing and baiting. Emphasises staff awareness as the most effective form of defence.

Presented to The Insurance Institute of Sussex (a local section of the Chartered Insurance Institute) on 27th September 2016.

http://www.ciibrighton.org.uk/


Transcript

  1. PEOPLE SECURITY & SOCIAL ENGINEERING
    Chris Cooper

  2. CHRIS COOPER
    SENIOR SECURITY CONSULTANT

  3. OBJECTIVES
    1. Understand why social engineering is a prevalent form of attack against organisations
    2. Be able to identify the challenges involved in resisting these types of attack
    3. Know some of the most common techniques employed by attackers and why they work
    4. Understand the importance of awareness as a key defence mechanism
    5. Gain a knowledge of other security controls that can hinder social engineering attacks

  4. SOCIAL ENGINEERING
    MEANS
    MANIPULATING SOMEONE
    INTO PERFORMING ACTIONS
    OR DIVULGING INFORMATION


  5. SOCIAL ENGINEERING IS ASSOCIATED WITH HACKING:
    WHEN YOU CAN’T BREACH THE FIREWALL,
    HACK A PERSON ALREADY INSIDE

  6. SOCIAL ENGINEERING
    BECOMES THE EASIER OPTION
    AS COMPUTER
    SECURITY MATURES


  7. CHALLENGE:
    SOCIAL ENGINEERING IS SPECIALLY CRAFTED
    TO ABUSE HOW OUR BRAINS WORK

  8. AWARENESS IS HANDS-DOWN
    THE MOST EFFECTIVE STRATEGY FOR AN INDIVIDUAL

  9. MANIPULATION


  10. PRETEXTING
    LEGITIMACY + EMOTION:
    SYMPATHY, TRUST, LIKING, SCARCITY, AUTHORITY



  11. PRESUPPOSITIONS
    PRESUPPOSE THAT PEOPLE ARE GOING TO DO WHAT YOU ASK
    “WHERE DO I SIGN IN?” PRESUPPOSES THAT THE RECEPTIONIST WILL LET YOU IN

  12. COMMITMENT & CONSISTENCY
    GET TARGETS TO MAKE SMALL COMMITMENTS &
    THEY WILL FEEL PRESSURE TO HONOUR FURTHER REQUESTS
    IF THEY ARE CONSISTENT

  13. RECIPROCITY
    HELPING PEOPLE
    QUID PRO QUO
    CONCESSIONS
    COMPLIMENTS

  14. SOCIAL PROOF
    GIVING YOU INFORMATION CAN BECOME THE SOCIAL NORM
    IF STAFF SEE THEIR COLLEAGUES COOPERATING WITH YOU

  15. RESISTANCE
    CLEAR POLICIES ON INFORMATION SHARING
    TRYING TO BE AWARE OF UNDUE PRESSURE TO SUBVERT

  16. IF YOU ARE CONFIDENT, CHALLENGE THEM
    ALWAYS REPORT THEM

  17. OSINT
    OPEN SOURCE INTELLIGENCE
    PUBLICLY AVAILABLE INFORMATION
    CORP WEBSITE, GOOGLE, SOCIAL NETWORKS


  18. OSINT
    OPEN SOURCE INTELLIGENCE
    INFORMATION THAT SEEMS
    PRIVILEGED MIGHT NOT BE


  19. DUMPSTER DIVING
    AND STICKING SHREDDED PAPER BACK TOGETHER
    CONTROLS: SECURE BINS, CROSS-CUT SHREDDING, SECURE TRANSPORT

  20. INTRUSION
    & TAILGATING
    & SHOULDER-SURFING


  21. INTRUSION CULTURE
    • EVERYONE WEARS ID
    • EVERYONE ‘SWIPES’ THROUGH EVERY DOOR, EVEN IF IT’S OPEN
    • IT’S OKAY TO CHALLENGE
    • REDIRECT TO RECEPTION
    • ALWAYS REPORT

  22. PHISHING
    & VISHING
    VOICE PHISHING
    VIA TELEPHONE


  23. EMAIL PHISHING
    • DO YOU TRUST THE EMAIL? WERE YOU EXPECTING IT?
    • REMEMBER THAT EMAIL ADDRESSES CAN OFTEN BE SPOOFED
    • DON’T FOLLOW LINKS; BROWSE DIRECTLY IF POSSIBLE
    • CHECK WHERE LINKS ARE REALLY POINTING
    • DON’T OPEN ATTACHMENTS UNLESS YOU ARE CONFIDENT REGARDING THEIR SOURCE
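Two of the bullets on the email phishing slide (spoofed-looking sender addresses, and links that point somewhere other than where their visible text says) can be turned into automated checks that a mail gateway or an awareness-training tool could run before a person ever has to make the judgement. The script below is an added example, not material from the talk or from Chris Cooper; the sample message is constructed for the demonstration and uses only the reserved example.* domains, and the check names (`display-name-domain`, `reply-to-domain`, `link-text-mismatch`) are names chosen here.

```python
"""Added example: three defensive checks over one raw email message
(display-name domain vs. real sender domain, Reply-To domain vs. sender
domain, and link text vs. link target). Standard library only."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the display name claims an
# example.com address, the Reply-To points somewhere else again, and one link's
# visible text disagrees with where its href actually goes.
SAMPLE_RAW = """\
From: "IT Helpdesk (example.com)" <helpdesk@example.net>
Reply-To: reset@mail.example.org
To: staff@example.com
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Reset it here:</p>
<a href="http://login.example.org/reset">https://portal.example.com/reset</a>
<p>Or see the <a href="https://www.example.com/help">help pages</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (mail.example.org -> example.org).
    A production tool would consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'portal.example.com/reset'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def check_message(raw):
    """Return a list of (check, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is not None:
        sender_dom = registrable_domain(sender.domain)
        # 1. A domain written into the display name that is not the real sender domain.
        for claimed in re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", sender.display_name.lower()):
            if registrable_domain(claimed) != sender_dom:
                findings.append(("display-name-domain", f"{claimed} != {sender.domain}"))
        # 2. Replies silently routed to a different domain than the sender's.
        if msg["Reply-To"]:
            reply_dom = registrable_domain(msg["Reply-To"].addresses[0].domain)
            if reply_dom != sender_dom:
                findings.append(("reply-to-domain", f"{reply_dom} != {sender_dom}"))

    # 3. Links whose visible text is itself a URL or domain but names a different site than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "." in text and " " not in text:  # visible text looks like a URL or domain
                if registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
                    findings.append(("link-text-mismatch", f"text {text} -> href {href}"))
    return findings


if __name__ == "__main__":
    for check, detail in check_message(SAMPLE_RAW):
        print(f"[{check}] {detail}")
```

Run against the constructed message, `check_message` reports all three problems. None of these checks proves a message is malicious (marketing mail routinely uses a different Reply-To, and tracking links legitimately differ from their text), which is exactly why the slide frames them as prompts for suspicion rather than verdicts; a second link in the sample, whose text is the phrase "help pages", is deliberately left alone because plain-language link text makes no claim about the destination.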

  24. BAITING
    REMOVABLE MEDIA THAT
    WILL RUN MALICIOUS CODE
    IF YOU PLUG IT IN


  25. OBJECTIVES
    1. Understand why social engineering is a prevalent form of attack against organisations
    2. Be able to identify the challenges involved in resisting these types of attack
    3. Know some of the most common techniques employed by attackers and why they work
    4. Understand the importance of awareness as a key defence mechanism
    5. Gain a knowledge of other security controls that can hinder social engineering attacks

  26. THANK YOU
    Chris Cooper
    speakerdeck.com/itscooper