BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Transcript of BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Never Surrender: Reducing Social Engineering Risk
Rob Ragan @sweepthatleg
Christina Camilleri @0xkitty
Shower Foo
What if I say I’m not like the others
What if I say I’m not just another one of your plays
You’re the pretender
What if I say I will never surrender
Who The…
Let’s get our hands dirty
What is social engineering?
An exploitation of trust: someone who can leverage the trust of their victim to gain access to sensitive information or resources, or to elicit information about those resources.
We are professional liars.
People are vulnerable. We are lazy, we want to be helpful, and we want to be noticed.
And social engineering is the path of least resistance.
…the biggest issue we face in infosec.
We are the root of all evil, and the reason for all security issues.
There is no patch for human stupidity.
People: psychology. Computers: technology.
When it comes to security, we are unreliable.
Technical systems are reviewed, scanned and penetration tested.
But…
How do we measure vulnerability in people?
We don’t. We shame and blame. We make them feel bad for their behavior. We are ignorant. And we’re not doing anything to effectively change this.
We avoid testing because it makes us feel vulnerable.
And we don’t like to feel vulnerable.
Psychology + Technology =
We fall victim to basic psychological and physical needs:
Cialdini’s six principles of influence: authority, liking, social proof, scarcity, reciprocity, commitment and consistency.
Let me tell you a story.
Let me show you how.
Information gathering
Developing a relationship
Exploitation
Execution
What are we doing wrong?
Almost everything.
We watch videos. We do e-learning modules. We tick boxes. We make posters.
And generally feel good about ourselves.
No. You’re doing it wrong too.
Tracking. Frequency. Conditioning.
Tracking. Stop tracking clicks. Stop tracking by department. Don’t track failed attempts; track successes.
Track successful reported incidents. The graph should ideally go up, not down.
Awareness training should feed a strong SE-specific IR plan.
Frequency. Stop shoving awareness training down people’s throats.
Conditioning. Stop using negative reinforcement. Use positive reinforcement.
Let me tell you another story.
How do we plan to fix this?
A multi-phased cyclical approach:
SE > PT > IR > PPP > ES >
SE > PT > ... Rinse, repeat
How do we plan to fix this?
Strategic Next Steps
1. Alias for reporting incidents
2. Implement anti-email spoofing (SPF, DKIM, DMARC)
3. Disable HTML in SMTP (plaintext emails FTW)
4. Sandbox the browser and the email client
5. Browser plugins
6. Org-wide web proxy
7. Alert on org-relevant [phishing] domains
8. Customization of authN to mitigate cloning
9. Application whitelisting
10. Encrypt sensitive data (in transit & at rest)
11. Enforce a VPN when not on the internal network
12. Perform regular simulated SE for a more prepared IR team
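Step 7 (alert on org-relevant phishing domains) worked as an added example that is not from the talk: a small detector run over constructed mail-gateway log lines, flagging sender domains that are homoglyph or typo look-alikes of an assumed org domain, example-corp.com. The log format and the org domain are assumptions for the example; the real domain itself is left to SPF/DKIM/DMARC (step 2).

```python
import re
# Constructed for this example: the organisation's own mail domain(s).
ORG_DOMAINS = {"example-corp.com"}
# ASCII look-alikes; multi-character pairs first so "rn" folds to "m" before "1" to "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")

def skeleton(domain):
    """Fold a domain to its visual skeleton so look-alikes compare equal."""
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain

def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as a dropped TLD letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return 'trusted', 'homoglyph', 'typosquat' or 'other' for a sender domain."""
    domain = domain.lower()
    if domain in ORG_DOMAINS:
        return "trusted"  # spoofing of the real domain is SPF/DKIM/DMARC's job
    for org in ORG_DOMAINS:
        if skeleton(domain) == skeleton(org):
            return "homoglyph"
        if levenshtein(domain, org) <= 2:
            return "typosquat"
    return "other"

def scan_log(lines):
    """Return (sender domain, verdict) for every look-alike sender in the log."""
    found = [(m.group(1).lower(), classify(m.group(1)))
             for m in map(SENDER_RE.search, lines) if m]
    return [hit for hit in found if hit[1] in ("homoglyph", "typosquat")]

# Constructed mail-gateway log lines, not taken from the talk.
SAMPLE_LOG = [
    'from=<helpdesk@example-corp.com> to=<alice@example-corp.com> subject="Reset"',
    'from=<helpdesk@examp1e-corp.com> to=<alice@example-corp.com> subject="Reset"',
    'from=<hr@example-corp.co> to=<bob@example-corp.com> subject="Benefits"',
    'from=<billing@exarnple-corp.com> to=<bob@example-corp.com> subject="Invoice"',
]
for domain, verdict in scan_log(SAMPLE_LOG):
    print(f"ALERT {verdict}: {domain}")
```

The edit-distance threshold of 2 is a tuning choice: too high and short unrelated domains alert, too low and a two-letter TLD swap slips past.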
Questions?
Special thanks: @lady_nerd @CandySaur @lunarca_ @tastic007 @Napordie
Rob Ragan @sweepthatleg
Christina Camilleri @0xkitty