SlideShare ist ein Scribd-Unternehmen logo

Social Engineering 101 or The Art of How You Got Owned by That Random Stranger

•Als PPTX, PDF herunterladen•
•
Steven Hatfield
Steven Hatfield

My presentation that was given at North Texas ISSA Second Annual Cyber Security Conference on 4/25/2015. This presentation covers the basics of Social Engineering and provides a good base of knowledge for anyone looking to understand more about this skill, along with where to learn more.

Technologie
1 von 25
@NTXISSA Social Engineering 101 or The Art of How You Got Owned by That Random Stranger Steven Hatfield Security Systems Senior Advisor Dell 4/25/2015
@NTXISSA About Me • 8 year Army veteran • Currently studying for Bachelors of Science in CyberSecurity at UMUC • 4 year Security Goon at DEF CON • 3 year Social Engineer Village volunteer at DEF CON • 1 year Security staff at Derbycon NTX ISSA Cyber Security Conference – April 24-25, 2015 2
@NTXISSA LEGAL DISCLAIMER NTX ISSA Cyber Security Conference – April 24-25, 2015 3
@NTXISSA Social Engineering 101 • Definitions • History • Social Engineering Framework • SET – Social Engineering Toolkit • Categories • Examples • Protection • Resources • Questions NTX ISSA Cyber Security Conference – April 24-25, 2015 4
@NTXISSA Definition • Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple. • We define it as, “Any act that influences a person to take an action that may or may not be in their best interest.” We have defined it in very broad and general terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others. NTX ISSA Cyber Security Conference – April 24-25, 2015 5 http://www.social-engineer.org/
@NTXISSA Definition • Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer. NTX ISSA Cyber Security Conference – April 24-25, 2015 6 http://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
@NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 7
@NTXISSA History • The term sociale ingenieurs was introduced in an essay by the Dutch industrialist J.C. Van Marken in 1894. The idea was that modern employers needed the assistance of specialists—"social engineers"—in handling the human problems of the planet, just as they needed technical expertise (ordinary engineers) to deal with the problems of dead matter (materials, machines, processes). … NTX ISSA Cyber Security Conference – April 24-25, 2015 8
@NTXISSA Social Engineering Framework • Social Engineering Defined • Categories of Social Engineers • Hackers • Penetration Testers • Spies or Espionage • Identity Thieves • Disgruntled Employees • Information Brokers • Scam Artists • Executive Recruiters • Sales People • Governments • Everyday People NTX ISSA Cyber Security Conference – April 24-25, 2015 9 • Why Attackers Might Use Social Engineering • Typical Goals • The Attack Cycle • Common Attacks • Customer Service • Delivery Person • Phone • Tech Support • Real World Examples • Con Men • Crime Victims • Phishing • Politicians
@NTXISSA • The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open- source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community. • The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social- engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetrations Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni. NTX ISSA Cyber Security Conference – April 24-25, 2015 10 SET – Social Engineer Toolkit
@NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 11
@NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 12
@NTXISSA Examples - Common • Customer Service • Delivery Person • Phone • Tech Support • Con Men • Crime Victims • Phishing • Politicians NTX ISSA Cyber Security Conference – April 24-25, 2015 13
@NTXISSA Examples - Real World • The Overconfident CEO In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the servers of a printing company which had some proprietary processes and vendors that competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life.” "He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone would probably call and ask for his password and he was ready for an approach like that.” … NTX ISSA Cyber Security Conference – April 24-25, 2015 14 http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
@NTXISSA Examples - Real World • The theme-park scandal The target in this next case study was a theme park client that was concerned about potential compromise of its ticketing system. The computers used to check-in patrons also contained links to servers, client information and financial records. The client was concerned that if a check-in computer was compromised, a serious data breach might occur. Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two. … NTX ISSA Cyber Security Conference – April 24-25, 2015 15 http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
@NTXISSA Examples - Real World • The hacker is hacked Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. He ran scan using Metasploit, which revealed an open VNC (virtual network computing) server, a server that allows control of other machines on the network. He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John new it was a red flag because at the time of day this was happening, no user would be connected to the network for a legitimate reason. He suspected an intruder was on the network. … NTX ISSA Cyber Security Conference – April 24-25, 2015 16 http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
@NTXISSA Examples - Real World • Price-Matching Scam NTX ISSA Cyber Security Conference – April 24-25, 2015 17
@NTXISSA Examples - Real World • Evil Maid attacks NTX ISSA Cyber Security Conference – April 24-25, 2015 18
@NTXISSA Examples - Real World • Stuxnet … Stuxnet – delivered via USB sticks left around the Iranian site in a classic "social engineering" attack – used unpatched Windows vulnerabilities to get inside the SCADA at Iran's Natanz enrichment plant. It then injected code to make a PLC speed up and slow down centrifuge motors – wrecking more than 400 machines. Siemens made both the SCADA (WinCC) and the PLC (S7-300) attacked by Stuxnet. … NTX ISSA Cyber Security Conference – April 24-25, 2015 19 http://www.newscientist.com/article/dn20298-stuxnet-analysis-finds-more-holes-in-critical-software.html
@NTXISSA Examples - Real World • Sing-o-gram - Michelle from SE crew … Next, Chris and I packed our dark glasses and super-spy cameras and headed to the client’s locations. Four buildings, three days, two states, no sleep. This particular client faces some big challenges when it comes to physical plant security, not the least of which is sharing buildings with other companies and retailers open to the general public. Despite having a great physical security team and RFID badging, we were able to gain access to most of their secured locations pretexting as inspectors and yes, a singing telegram (I’ll let you guess who got to do that one). We didn’t really need to do a lot of sneaky stuff; we took advantage of high traffic times and locations, acted like we belonged there, and exploited people’s general helpfulness. Using these principles, we accessed areas such their corporate mailroom, NOC, and executive offices and roamed freely without ever being stopped. … NTX ISSA Cyber Security Conference – April 24-25, 2015 20 http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-57/
@NTXISSA Examples - Real World • News Reporter - “Bob” “I've gotten myself into a building by claiming to be interviewing them for a blog and then spending all day taking pictures and plugging flashdrives in to “print stuff“” NTX ISSA Cyber Security Conference – April 24-25, 2015 21
@NTXISSA Protection • Obviously, never give out confidential information. • Safeguard even inconsequential information about yourself. • Lie to security questions, and remember your lies. • View every password reset email with skepticism. • Watch your accounts and account activity. • Diversify passwords, critical services, and security questions. NTX ISSA Cyber Security Conference – April 24-25, 2015 22
@NTXISSA Resources • http://www.social-engineer.org/ • https://www.social-engineer.com/ • https://www.trustedsec.com/social-engineer- toolkit/ • http://www.amazon.com/Christopher-Hadnagy/ • http://www.social-engineer.org/category/podcast/ • DEFCON 23 CTF • http://www.derbycon.com/ • http://defcon.org/ • http://www.amazon.com/Joe-Navarro/ NTX ISSA Cyber Security Conference – April 24-25, 2015 23
@NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 24
@NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you

Empfohlen

Social engineering 101 or The Art of How You Got Owned by That Random Stranger
Social engineering 101 or The Art of How You Got Owned by That Random StrangerSocial engineering 101 or The Art of How You Got Owned by That Random Stranger
Social engineering 101 or The Art of How You Got Owned by That Random StrangerSteven Hatfield
 
Social Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageSocial Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageMarin Ivezic
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringPaul Devassy, CPP
 
Social engineering The Good and Bad
Social engineering The Good and BadSocial engineering The Good and Bad
Social engineering The Good and BadTzar Umang
 
Social engineering hacking attack
Social engineering hacking attackSocial engineering hacking attack
Social engineering hacking attackPankaj Dubey
 
Insiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkInsiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkRichard Common
 
Social engineering
Social engineering Social engineering
Social engineering Abdelhamid Limami
 
Social engineering
Social engineeringSocial engineering
Social engineeringAlexander Zhuravlev
 

Empfohlen

Social engineering 101 or The Art of How You Got Owned by That Random Stranger
Social engineering 101 or The Art of How You Got Owned by That Random StrangerSocial engineering 101 or The Art of How You Got Owned by That Random Stranger
Social engineering 101 or The Art of How You Got Owned by That Random StrangerSteven Hatfield
 
Social Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageSocial Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageMarin Ivezic
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringPaul Devassy, CPP
 
Social engineering The Good and Bad
Social engineering The Good and BadSocial engineering The Good and Bad
Social engineering The Good and BadTzar Umang
 
Social engineering hacking attack
Social engineering hacking attackSocial engineering hacking attack
Social engineering hacking attackPankaj Dubey
 
Insiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkInsiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkRichard Common
 
Social engineering
Social engineering Social engineering
Social engineering Abdelhamid Limami
 
Social engineering
Social engineeringSocial engineering
Social engineeringAlexander Zhuravlev
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hackingmsaksida
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering BasicsLuke Rusten
 
Social engineering
Social engineeringSocial engineering
Social engineeringankushmohanty
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringCyber Agency
 
Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkJahangirnagar University
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Social engineering
Social engineering Social engineering
Social engineering Vîñàý Pãtêl
 
Hacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guideHacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guidePankaj Dubey
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917Evan Francen
 
Social engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarSocial engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarRaghunath G
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...ABHAY PATHAK
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About itAleksandr Yampolskiy
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineeringprimeteacher32
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringWilliam Gregorian
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineeringn|u - The Open Security Community
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?JamRivera1
 
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...North Texas Chapter of the ISSA
 
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...North Texas Chapter of the ISSA
 

Weitere ähnliche Inhalte

Was ist angesagt?

Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hackingmsaksida
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering BasicsLuke Rusten
 
Social engineering
Social engineeringSocial engineering
Social engineeringankushmohanty
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringCyber Agency
 
Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkJahangirnagar University
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Hacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guideHacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guidePankaj Dubey
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917Evan Francen
 
Social engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarSocial engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarRaghunath G
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...ABHAY PATHAK
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About itAleksandr Yampolskiy
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineeringprimeteacher32
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?JamRivera1
 

Was ist angesagt? (20)

Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering Basics
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking Framework
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering
Social engineering Social engineering
Social engineering
 
Hacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guideHacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guide
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917
 
Social engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarSocial engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekar
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About it
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?
 

Ă„hnlich wie Social Engineering 101 or The Art of How You Got Owned by That Random Stranger

NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...North Texas Chapter of the ISSA
 
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...North Texas Chapter of the ISSA
 
NTXISSACSC3 - Security at the Point of Storage by Todd Barton
NTXISSACSC3 - Security at the Point of Storage by Todd BartonNTXISSACSC3 - Security at the Point of Storage by Todd Barton
NTXISSACSC3 - Security at the Point of Storage by Todd BartonNorth Texas Chapter of the ISSA
 
Cyber crime &_info_security
Cyber crime &_info_securityCyber crime &_info_security
Cyber crime &_info_securityEr Mahendra Yadav
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...TI Safe
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...North Texas Chapter of the ISSA
 
Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source toolsterriert
 
Bagesh_Data Privacy and Security.pdf
Bagesh_Data Privacy and Security.pdfBagesh_Data Privacy and Security.pdf
Bagesh_Data Privacy and Security.pdfAyushSingh224545
 
Civilian OPSEC in cyberspace
Civilian OPSEC in cyberspaceCivilian OPSEC in cyberspace
Civilian OPSEC in cyberspacezapp0
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
Combating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial IntelligenceCombating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial IntelligenceInderjeet Singh
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015Security Innovation
 
NTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNorth Texas Chapter of the ISSA
 
This week were hired consultants working on one of the many atta
This week were hired consultants working on one of the many attaThis week were hired consultants working on one of the many atta
This week were hired consultants working on one of the many attarochellwa9f
 
A Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresA Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresNothing Nowhere
 
A Brief History of Cryptographic Failures - Mork
A Brief History of Cryptographic Failures - MorkA Brief History of Cryptographic Failures - Mork
A Brief History of Cryptographic Failures - MorkNothing Nowhere
 
Ohm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshareOhm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slidesharePeter HJ van Eijk
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys? SITA
 

Ă„hnlich wie Social Engineering 101 or The Art of How You Got Owned by That Random Stranger (20)

NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
NTXISSACSC2 - Social Engineering 101 or The Art of How You Got Owned by That ...
 
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
NTXISSACSC3 - Find, Fix, Finish ... Tracking the Real Bad Guys in Cyberspace ...
 
NTXISSACSC3 - Security at the Point of Storage by Todd Barton
NTXISSACSC3 - Security at the Point of Storage by Todd BartonNTXISSACSC3 - Security at the Point of Storage by Todd Barton
NTXISSACSC3 - Security at the Point of Storage by Todd Barton
 
Cyber crime &_info_security
Cyber crime &_info_securityCyber crime &_info_security
Cyber crime &_info_security
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
 
Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source tools
 
Bagesh_Data Privacy and Security.pdf
Bagesh_Data Privacy and Security.pdfBagesh_Data Privacy and Security.pdf
Bagesh_Data Privacy and Security.pdf
 
Civilian OPSEC in cyberspace
Civilian OPSEC in cyberspaceCivilian OPSEC in cyberspace
Civilian OPSEC in cyberspace
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
 
Combating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial IntelligenceCombating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial Intelligence
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015
 
NTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic Failures
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
This week were hired consultants working on one of the many atta
This week were hired consultants working on one of the many attaThis week were hired consultants working on one of the many atta
This week were hired consultants working on one of the many atta
 
A Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresA Brief History of Cryptographic Failures
A Brief History of Cryptographic Failures
 
A Brief History of Cryptographic Failures - Mork
A Brief History of Cryptographic Failures - MorkA Brief History of Cryptographic Failures - Mork
A Brief History of Cryptographic Failures - Mork
 
Ohm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshareOhm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshare
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys?
 

KĂĽrzlich hochgeladen

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

KĂĽrzlich hochgeladen (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Social Engineering 101 or The Art of How You Got Owned by That Random Stranger

  • 1. @NTXISSA Social Engineering 101 or The Art of How You Got Owned by That Random Stranger Steven Hatfield Security Systems Senior Advisor Dell 4/25/2015
  • 2. @NTXISSA About Me • 8 year Army veteran • Currently studying for Bachelors of Science in CyberSecurity at UMUC • 4 year Security Goon at DEF CON • 3 year Social Engineer Village volunteer at DEF CON • 1 year Security staff at Derbycon NTX ISSA Cyber Security Conference – April 24-25, 2015 2
  • 3. @NTXISSA LEGAL DISCLAIMER NTX ISSA Cyber Security Conference – April 24-25, 2015 3
  • 4. @NTXISSA Social Engineering 101 • Definitions • History • Social Engineering Framework • SET – Social Engineering Toolkit • Categories • Examples • Protection • Resources • Questions NTX ISSA Cyber Security Conference – April 24-25, 2015 4
  • 5. @NTXISSA Definition • Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple. • We define it as, “Any act that influences a person to take an action that may or may not be in their best interest.” We have defined it in very broad and general terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others. NTX ISSA Cyber Security Conference – April 24-25, 2015 5 http://www.social-engineer.org/
  • 6. @NTXISSA Definition • Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer. NTX ISSA Cyber Security Conference – April 24-25, 2015 6 http://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
  • 7. @NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 7
  • 8. @NTXISSA History • The term sociale ingenieurs was introduced in an essay by the Dutch industrialist J.C. Van Marken in 1894. The idea was that modern employers needed the assistance of specialists—"social engineers"—in handling the human problems of the planet, just as they needed technical expertise (ordinary engineers) to deal with the problems of dead matter (materials, machines, processes). … NTX ISSA Cyber Security Conference – April 24-25, 2015 8
  • 9. @NTXISSA Social Engineering Framework • Social Engineering Defined • Categories of Social Engineers • Hackers • Penetration Testers • Spies or Espionage • Identity Thieves • Disgruntled Employees • Information Brokers • Scam Artists • Executive Recruiters • Sales People • Governments • Everyday People NTX ISSA Cyber Security Conference – April 24-25, 2015 9 • Why Attackers Might Use Social Engineering • Typical Goals • The Attack Cycle • Common Attacks • Customer Service • Delivery Person • Phone • Tech Support • Real World Examples • Con Men • Crime Victims • Phishing • Politicians
  • 10. @NTXISSA • The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open- source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community. • The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social- engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetrations Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni. NTX ISSA Cyber Security Conference – April 24-25, 2015 10 SET – Social Engineer Toolkit
  • 11. @NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 11
  • 12. @NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 12
  • 13. @NTXISSA Examples - Common • Customer Service • Delivery Person • Phone • Tech Support • Con Men • Crime Victims • Phishing • Politicians NTX ISSA Cyber Security Conference – April 24-25, 2015 13
  • 14. @NTXISSA Examples - Real World • The Overconfident CEO In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the servers of a printing company which had some proprietary processes and vendors that competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life.” "He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone would probably call and ask for his password and he was ready for an approach like that.” … NTX ISSA Cyber Security Conference – April 24-25, 2015 14 http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
  • 15. @NTXISSA Examples - Real World • The theme-park scandal The target in this next case study was a theme park client that was concerned about potential compromise of its ticketing system. The computers used to check-in patrons also contained links to servers, client information and financial records. The client was concerned that if a check-in computer was compromised, a serious data breach might occur. Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two. … NTX ISSA Cyber Security Conference – April 24-25, 2015 15 http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
  • 16. @NTXISSA Examples - Real World • The hacker is hacked Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. He ran scan using Metasploit, which revealed an open VNC (virtual network computing) server, a server that allows control of other machines on the network. He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John new it was a red flag because at the time of day this was happening, no user would be connected to the network for a legitimate reason. He suspected an intruder was on the network. … NTX ISSA Cyber Security Conference – April 24-25, 2015 16 http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
  • 17. @NTXISSA Examples - Real World • Price-Matching Scam NTX ISSA Cyber Security Conference – April 24-25, 2015 17
  • 18. @NTXISSA Examples - Real World • Evil Maid attacks NTX ISSA Cyber Security Conference – April 24-25, 2015 18
  • 19. @NTXISSA Examples - Real World • Stuxnet … Stuxnet – delivered via USB sticks left around the Iranian site in a classic "social engineering" attack – used unpatched Windows vulnerabilities to get inside the SCADA at Iran's Natanz enrichment plant. It then injected code to make a PLC speed up and slow down centrifuge motors – wrecking more than 400 machines. Siemens made both the SCADA (WinCC) and the PLC (S7-300) attacked by Stuxnet. … NTX ISSA Cyber Security Conference – April 24-25, 2015 19 http://www.newscientist.com/article/dn20298-stuxnet-analysis-finds-more-holes-in-critical-software.html
  • 20. @NTXISSA Examples - Real World • Sing-o-gram - Michelle from SE crew … Next, Chris and I packed our dark glasses and super-spy cameras and headed to the client’s locations. Four buildings, three days, two states, no sleep. This particular client faces some big challenges when it comes to physical plant security, not the least of which is sharing buildings with other companies and retailers open to the general public. Despite having a great physical security team and RFID badging, we were able to gain access to most of their secured locations pretexting as inspectors and yes, a singing telegram (I’ll let you guess who got to do that one). We didn’t really need to do a lot of sneaky stuff; we took advantage of high traffic times and locations, acted like we belonged there, and exploited people’s general helpfulness. Using these principles, we accessed areas such their corporate mailroom, NOC, and executive offices and roamed freely without ever being stopped. … NTX ISSA Cyber Security Conference – April 24-25, 2015 20 http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-57/
  • 21. @NTXISSA Examples - Real World • News Reporter - “Bob” “I've gotten myself into a building by claiming to be interviewing them for a blog and then spending all day taking pictures and plugging flashdrives in to “print stuff“” NTX ISSA Cyber Security Conference – April 24-25, 2015 21
  • 22. @NTXISSA Protection • Obviously, never give out confidential information. • Safeguard even inconsequential information about yourself. • Lie to security questions, and remember your lies. • View every password reset email with skepticism. • Watch your accounts and account activity. • Diversify passwords, critical services, and security questions. NTX ISSA Cyber Security Conference – April 24-25, 2015 22
  • 23. @NTXISSA Resources • http://www.social-engineer.org/ • https://www.social-engineer.com/ • https://www.trustedsec.com/social-engineer- toolkit/ • http://www.amazon.com/Christopher-Hadnagy/ • http://www.social-engineer.org/category/podcast/ • DEFCON 23 CTF • http://www.derbycon.com/ • http://defcon.org/ • http://www.amazon.com/Joe-Navarro/ NTX ISSA Cyber Security Conference – April 24-25, 2015 23
  • 24. @NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 24
  • 25. @NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you