People Security and Social Engineering

Chris Cooper
September 27, 2016

A talk on social engineering as a means of attacking and compromising an organisation's information security, directed towards the self-employed, small businesses and staff at larger organisations. Tackles concepts such as manipulation, physical intrusion, phishing, vishing and baiting. Emphasises staff awareness as the most effective form of defence.

Presented to The Insurance Institute of Sussex (a local section of the Chartered Insurance Institute) on 27th September 2016.

http://www.ciibrighton.org.uk/

Transcript

  1. PEOPLE SECURITY & SOCIAL ENGINEERING Chris Cooper

  2. SENIOR SECURITY CONSULTANT Chris Cooper

  3. OBJECTIVES: 1 Understand why social engineering is a prevalent form of attack against organisations; 2 Be able to identify the challenges involved in resisting these types of attack; 3 Know some of the most common techniques employed by attackers and why they work; 4 Understand the importance of awareness as a key defence mechanism; 5 Gain a knowledge of other security controls that can hinder social engineering attacks

  4. SOCIAL ENGINEERING MEANS MANIPULATING SOMEONE INTO PERFORMING ACTIONS OR DIVULGING INFORMATION

  5. SOCIAL ENGINEERING IS ASSOCIATED WITH HACKING: WHEN YOU CAN’T BREACH THE FIREWALL, HACK A PERSON ALREADY INSIDE

  6. SOCIAL ENGINEERING BECOMES THE EASIER OPTION AS COMPUTER SECURITY MATURES

  7. CHALLENGE: SOCIAL ENGINEERING IS SPECIALLY CRAFTED TO ABUSE HOW OUR BRAINS WORK

  8. AWARENESS IS HANDS-DOWN THE MOST EFFECTIVE STRATEGY FOR AN INDIVIDUAL

  9. MANIPULATION

  10. PRETEXTING: LEGITIMACY + EMOTION (SYMPATHY, TRUST, LIKING, SCARCITY, AUTHORITY)

  11. PRESUPPOSITIONS: PRESUPPOSE THAT PEOPLE ARE GOING TO DO WHAT YOU ASK. “WHERE DO I SIGN IN?” PRESUPPOSES THAT THE RECEPTIONIST WILL LET YOU IN

  12. COMMITMENT & CONSISTENCY: GET TARGETS TO MAKE SMALL COMMITMENTS & THEY WILL FEEL PRESSURE TO HONOUR FURTHER REQUESTS IF THEY ARE CONSISTENT

  13. RECIPROCITY: HELPING PEOPLE, QUID PRO QUO, CONCESSIONS, COMPLIMENTS

  14. SOCIAL PROOF: GIVING YOU INFORMATION CAN BECOME THE SOCIAL NORM IF STAFF SEE THEIR COLLEAGUES COOPERATING WITH YOU

  15. RESISTANCE: CLEAR POLICIES ON INFORMATION SHARING; TRYING TO BE AWARE OF UNDUE PRESSURE TO SUBVERT

  16. IF YOU ARE CONFIDENT, CHALLENGE THEM. ALWAYS REPORT THEM

  17. METHODS

  18. OSINT (OPEN SOURCE INTELLIGENCE): PUBLICLY AVAILABLE INFORMATION. CORP WEBSITE, GOOGLE, SOCIAL NETWORKS

  19. OSINT (OPEN SOURCE INTELLIGENCE): INFORMATION THAT SEEMS PRIVILEGED MIGHT NOT BE

  20. DUMPSTER DIVING AND STICKING SHREDDED PAPER BACK TOGETHER. SECURE BINS, CROSS-CUT SHREDDING, SECURE TRANSPORT

  21. INTRUSION & TAILGATING & SHOULDER-SURFING

  22. INTRUSION: CULTURE. EVERYONE WEARS ID. EVERYONE ‘SWIPES’ THROUGH EVERY DOOR, EVEN IF IT’S OPEN. IT’S OKAY TO CHALLENGE. REDIRECT TO RECEPTION. ALWAYS REPORT

  23. PHISHING & VISHING (VOICE PHISHING VIA TELEPHONE)

  24. EMAIL PHISHING
     • DO YOU TRUST THE EMAIL? WERE YOU EXPECTING IT?
     • REMEMBER THAT EMAIL ADDRESSES CAN OFTEN BE SPOOFED
     • DON’T FOLLOW LINKS; BROWSE DIRECTLY IF POSSIBLE
     • CHECK WHERE LINKS ARE REALLY POINTING
     • DON’T OPEN ATTACHMENTS UNLESS YOU ARE CONFIDENT REGARDING THEIR SOURCE

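As an added, defensive illustration of the slide's advice to check where links are really pointing (example code written for this page, not from the talk or its author): the script below parses the anchors in an HTML e-mail body and flags a link whenever the visible text names one domain but the href actually leads somewhere else, or when the target is a raw IP address. The sample message is constructed for this example, using the reserved example.com / example.net names and the 192.0.2.0/24 documentation range; the domain matching is a deliberately simple suffix comparison with no public-suffix list, which is enough to demonstrate the check but is an assumption, not a production rule.

```python
"""Flag e-mail links whose visible text disagrees with the real href target.

Added example for the "check where links are really pointing" advice; not
code from the talk. Constructed sample input; stdlib only."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or bare domain (scheme optional).
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def claimed_host(text: str):
    """Host the link *appears* to go to, judged from its visible text, or None."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def actual_host(href: str) -> str:
    """Host the link *really* goes to, taken from the href."""
    return (urlparse(href.strip()).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str):
    """Return one finding per link; 'suspicious' lists the reasons (empty if clean)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = actual_host(href)
        claimed = claimed_host(text)
        reasons = []
        if is_ip_literal(host):
            reasons.append("raw IP address host")
        # Assumption: a subdomain of the claimed host counts as the same site.
        if claimed and host != claimed and not host.endswith("." + claimed):
            reasons.append(f"text says {claimed}, link goes to {host}")
        findings.append({"href": href, "text": text, "host": host, "suspicious": reasons})
    return findings


# Constructed sample phishing-style message (not a real e-mail).
SAMPLE_EMAIL = """
<p>Your account has been locked. <a href="http://192.0.2.10/login">Click here</a>
to restore access, or visit
<a href="https://example.net/secure">https://www.example.com/secure</a>.
Help: <a href="https://www.example.com/help">www.example.com</a> or
<a href="https://login.example.com/">example.com</a>.</p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status:10} {f['text']!r} -> {f['host']} {f['suspicious']}")
```

Run against the sample, the first link is flagged for pointing at a bare IP address and the second because its text promises www.example.com while the href goes to example.net; the two example.com links pass. The same idea is what a mail client shows when you hover over a link before clicking, which is the habit the slide is asking for.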
  25. BAITING: REMOVABLE MEDIA THAT WILL RUN MALICIOUS CODE IF YOU PLUG IT IN

  26. OBJECTIVES: 1 Understand why social engineering is a prevalent form of attack against organisations; 2 Be able to identify the challenges involved in resisting these types of attack; 3 Know some of the most common techniques employed by attackers and why they work; 4 Understand the importance of awareness as a key defence mechanism; 5 Gain a knowledge of other security controls that can hinder social engineering attacks

  27. speakerdeck.com/itscooper Chris Cooper Thank You