Panel Discussion:
Understanding Social Engineering attacks
and thwarting them
Null Meet – 20th June, 2015
Manasdeep
SISA Information Security Pvt. Ltd.
www.sisainfosec.com
About Me
• Consultant @ SISA Information Security Pvt. Ltd.
• PCI QSA, CISA, ISO 27001:2013
• Regular contributor to information security magazines such as ClubHack Mag and Pentestmag.
• Interested in PCI DSS, compliance and penetration testing.
• Likes to learn and demonstrate the latest security attack vectors and technologies.
Discussion Agenda
• What is Social Engineering (SE)?
• Why is Social Engineering SO successful?
• Achieving maximum efficiency: Social engineering tests
• Thwarting social engineering attacks
• Macroexpressions & Body Language
• Microexpressions
• Demo
What is Social Engineering?
“Act of influencing a person to take action that may or may not be in the target’s interest”
Is Social Engineering always bad?
Good Social Engineers:
• Parents
• Doctors
• Criminal Psychologists
• Negotiators
• Salespersons
• Diplomats
• Whistle-blowers
• Magicians
Bad Social Engineers:
• Fraudsters
• Confidence tricksters
• Malicious Insiders
• Espionage Agents
• Double-Agents
• Blackmailers
• Human Traffickers
• Terrorists
Why is Social Engineering SO successful?
Principle 1 - Reciprocation: We are hard-wired to respond to a favor, often not in direct proportion to the size of the favor done to us.
Principle 2 - Commitment and Consistency: Once we have made a choice or taken a stand, we will encounter personal and inter-personal pressures to behave consistently with that commitment.
Principle 3 - Social Proof: One means we use to determine what is correct is to find out what other people think is correct. The principle applies especially to the way we decide what constitutes correct behavior.
Principle 4 - Liking: As a rule, we prefer to say yes to the requests of someone we know and like.
Principle 5 - Authority: The real culprit is our inability to resist the psychological power wielded by the person in authority.
Principle 6 - Scarcity: Scarcity strongly influences how we judge the worth of an item.
Example: Scarcity of an item
Example: Liking
Macro-expressions / Body language
Macro-expressions and body language are the physical side of human non-verbal communication: body posture, gestures, facial expressions and eye movements. Humans send and interpret such signals almost entirely subconsciously.
Communication consists of:
• 7% of what we say (the words)
• 38% vocal (tone, accent, dialect)
• 55% non-verbal
Macro-expressions / Body language
Non-verbal behavior is conveyed mainly by certain body parts and how they move, ranked here from most to least reliable:
• Feet/Legs (Most Accurate)
• Torso
• Hands
• Neck
• Mouth
• Face (Least Accurate)
Macro-expressions: An Analysis
Pop Quiz: Identify this expression?
Micro-expressions
A micro-expression is a brief, involuntary facial expression that appears on a person's face according to the emotion being experienced.
Characteristics of micro-expressions:
• They are very brief in duration, lasting only 1/25 to 1/15 of a second.
• They are highly accurate in depicting the "actual" thought of the person.
• They are almost involuntary reflexes, barely felt by the subject.
• They express the seven universal emotions: disgust, anger, fear, sadness, happiness, surprise and contempt.
• Micro-expression reactions are difficult to hide.
Puppy Dog Eyes Expression
Animals, too, are able to social engineer us successfully!
With whom would you rather share your biscuit?
Captions on the picture:
“Can you give me a biscuit? Please……”
“May I join in too? Please……”
“Where is MY biscuit? GIVE IT TO ME NOW!! Or else…….”
Achieving maximum efficiency: Social engineering tests
• On confronting an anti-social or angry person, frown a bit and tilt your head while relaxing your shoulders. This signals that you are interested in hearing him/her out and are not confronting directly.
• If you enter with a sad expression, the subject will involuntarily feel sympathetic towards you and will offer to help in most cases.
• A friendly and warm reception always has a higher chance of retrieving information than rash or unfriendly behavior; once the exchange turns unfriendly, you know you are trapped.
• Dress up nicely (as per the occasion) and walk in short, sure steps. It gives an impression of authority, and people are much more likely to yield under this charismatic effect.
Thwarting social engineering attacks
TRUST, BUT VERIFY
• Gather and DEMAND more data
• Corroborate with evidence
• Check body language
• Defense in Depth
• Security by Design
Resources
Books:
• Social Engineering: The Art of Human Hacking by Christopher Hadnagy
• The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick
• Influence: The Psychology of Persuasion by Robert B. Cialdini
Links:
Body Language – Expressions on Google Android App Store:
• https://play.google.com/store/apps/details?id=com.Mazuzu.ExpressionTraining&hl=en
Video: Nonverbal Human Hacking, Derbycon 2012:
• http://www.irongeek.com/i.php?page=videos/derbycon2/2-1-2-chris-hadnagy-nonverbal-human-hacking
THANK YOU !!!
- Manasdeep
http://reflect-infosec.blogspot.in/
https://twitter.com/manasdeep
https://in.linkedin.com/in/manasdeep

Panel discussion social engineering - manasdeep - nullmeetblr 21st June 2015
