Observations on Social Engineering presentation by Warren Finch for LkNOG 6
•
0 gefällt mir•155 views
Observations on Social Engineering presentation by Warren Finch for LkNOG 6, held in Colombo, Sri Lanka from 18 to 23 November 2022
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie Observations on Social Engineering presentation by Warren Finch for LkNOG 6
Ähnlich wie Observations on Social Engineering presentation by Warren Finch for LkNOG 6 (20)
Mehr von APNIC
Mehr von APNIC (20)
Observations on Social Engineering presentation by Warren Finch for LkNOG 6
- 1. 1 Evolution of Social Engineering
- 2. 4 4 Social Engineering Definition • “… uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.” Imperva (Oct 2022) https://www.imperva.com/learn/application-security/social-engineering-attack/ • “… the art of manipulating people so they give up confidential information." Webroot (Oct 2022) https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering • “… a manipulation technique that exploits human error to gain private information, access, or valuables ... Once an attacker understands what motivates a user’s actions, they can deceive and manipulate the user effectively." Kaspersky (Oct 2022) https://www.kaspersky.com/resource-center/definitions/what-is-social- engineering
- 4. 8
- 5. 9 Social Engineering Principles Social Engineering Principles (Reasons for Effectiveness) Authority and Trust Intimidation Consensus and Social Proof Scarcity Urgency Familiarity and Liking https://xmind.app/embed/ERb5/
- 6. 10 Model for Social Engineering Attacks Wang, Z., Zhu, H., & Sun, L. (2021). Social Engineering in Cybersecurity: Effect Mechanisms, Human Vulnerabilities and Attack Methods. IEEE Access, 9, 11895–11910. https://doi.org/10.1109/ACCESS.2021.3051633
- 7. 11 Model for Social Engineering Attacks Wang, Z., Zhu, H., & Sun, L. (2021). Social Engineering in Cybersecurity: Effect Mechanisms, Human Vulnerabilities and Attack Methods. IEEE Access, 9, 11895–11910. https://doi.org/10.1109/ACCESS.2021.3051633
- 8. 12 12 Why does it work? Human Attributes Social Engineering Technique Trust – People are trustworthy where it is easy to gain trust with victims • Direct approach • Technical expert The desire to be ‘helpful’ – Most people are kind • Direct Approach • Technical expert • Voice of Authority The wish to get something for nothing • Chain email • SMS Curiosity • Open email attachments from unknown senders • Spam Fear of the unknown, or of losing something • Popup window Ignorance • Direct Approach • Dumpster diving https://www.academia.edu/8216745/Social_Engineering_it_s_impact_on_organization
- 9. 13 13 Doesn’t matter who you are https://www.cert.gov.lk/2?lang=en&id=3
- 10. 14 Doesn’t matter who you are Australian Statistics for 2022
- 11. 15 Doesn’t matter who you are https://www.scamwatch.gov.au/scam-statistics Australian Statistics for 2022
- 12. 16 Doesn’t matter who you are
- 13. 18 The art of the con (Demo)
- 14. 19 The Psychic Card Trick
- 15. 21 Pick a card - any card
- 16. 22 Is your card here?
- 18. 25 25 Social Engineering Attack Framework Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates and scenarios. Computers & Security, 59, 186–209. https://doi.org/10.1016/j.cose.2016.03.004
- 19. 26 26 Life cycle of attack https://www.imperva.com/learn/application-security/social-engineering-attack/
- 20. 27 Type of attacks • Pre-texting • Baiting • Quid Pro Quo • Scareware • Phishing, Smishing, Vishing, Whaling • Telephone-oriented Attack Delivery (TOAD) • Tailgating Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates and scenarios. Computers & Security, 59, 186–209. https://doi.org/10.1016/j.cose.2016.03.004
- 21. 28 28 Phishing statistics • 18-39yr old's average click rate of 29%, drops to 19% among older age groups. • 23% of male participants opened a phishing email compared to 10% for woman. • Public sector organizations were the most vulnerable to phishing attacks (with an average click rate of 36%) https://betanews.com/2022/10/13/older-generations-are- less-likely-to-click-phishing-emails/
- 24. 31 31 Attack vectors / infection points • QRLJacking https://www.owasp.org/index.php/Qrljacking
- 25. 32 Fake profiles
- 30. 37 37 How to Detect a Fake Profile • Profile photo – Do a search using the image – https://support.google.com/websearch/answer/1325808 • Username • The Biography • Profile content • Number of followers
- 31. 38 38 How to Report a Fake Profile • Twitter – https://help.twitter.com/en/forms/authenticity/impersonation • Instagram – https://help.instagram.com/contact/636276399721841 • Facebook (Meta) – https://www.facebook.com/help/306643639690823 • LinkedIn – Click the More icon on the member’s profile. – Click Report or block. • TikTok – Go to the profile of the account you want to report. – Tap the Settings icon – Tap “Report” and follow the steps in the app.
- 32. 39 39 How to Report a Fake Profile https://www.cert.gov.lk/view?lang=en&articleID=267
- 33. 40 Deep Fakes
- 35. 42 Deep Fakes • Deepfake technology allows users to impersonate others with startling accuracy. – Deep Video Fakes (https://youtu.be/kOIMXt8KK8M) – Deep Voice Fakes (https://youtu.be/0ybLCfVeFL4) • Anyone can find deepfake software and services on the internet and have a relatively convincing representation of another person within minutes. – https://github.com/iperov/DeepFaceLab – https://github.com/sibozhang/Text2Video • Synthetic Identities are created by applying for credit using a combination of real and fake, or sometimes entirely fake, information.
- 37. 44 44 Deep Fakes https://youtu.be/0ybLCfVeFL4?t=83 Text-based Editing of Talking-head Video
- 38. 45 Deep Fakes • … with the help of deepfakes, fraudsters can orchestrate social engineering attacks that appear to come from a friend or colleague, that is, someone we know and trust and whose motives do not need to be questioned.
- 39. 46 Deep Fakes
- 40. 47 Questions?