Talk in The Social-Engineer Village at DEF CON 24 http://www.social-engineer.org/social-engineer-village/ [Overview] As a Japanese security consultant, one of my research questions in social engineering is whether or not cultural difference becomes the barrier for social engineering. It is because the malicious practice of social engineering is different between in Japan and the U.S. I think it is true. Since I have the both experience of being the company in Japan and the U.S., I would like to consider various technique of social engineering from both cultural glasses, such as tailgating, phishing or vishing method. In my talk, I would like to discuss the workability of several social engineering techniques from both Japanese and U.S. culture. It will support the cultural difference can become the barrier or vulnerable weakness.

1. Does Cultural Differences Become a
Barrier for Social Engineering?
TOMOHISA ISHIKAWA
scientia.admin@gmail.com
www.scientia-security.org

4. >> WHO AM I ?
 Tomo (Tomohisa Ishikawa)
• Japanese Security Consultant (7 years experience)
• ESL (English as a Second Language)
• A Doctoral Program Student
• Currently in insurance company in Philadelphia
• CISSP, CISA, CISM, CFE, QSA, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
 Specialized Area
• Penetration Test
• Incident Response
• Vulnerability Management
• Security Awareness & Education

5. Background
 Social Engineering is remarkable attack vectors now
• HBGary hacked by Anonymous
• CloudFlare hacked by UGNazi
• Mat Honan (WIRED Journalist)
• Naoki Hiroshima (Stealing Twitter Username “@N”)
• CIA Director hacked by CWA (Crackas with Attitude)
• BEC (Business Email Compromise)
 Is it popular in Japan ??
• Spear phishing email attack is popular
• but…not so active compared with U.S. such as BEC

6. My Research Questions:
 Does Cultural Difference become a barrier for SE?
• If culture works as the barrier, “Cultural Defense” will be one of the
solutions.
• The design of organization, corporate culture, business process will be the
effective method against SE.

7. Additional Notes:
 Why is the idea of “cultural defense” so important?

8. https://isc.sans.edu/diary/Managing+CVE-0/10933

9. Additional Notes:
 Why is the idea of “cultural defense” so important?
• CVE-0 ( No patch Tuesday for Human Being )

10. Disclaimer
 I AM NOT …
• A Cultural anthropologist, Sociologist, Psychologist, Philosopher, etc…
 Any opinions offered are …
• my opinion, hypothesis and thought based on a few my examples
• NOT those of my employers.
 Focus on the difference between Japan and U.S
 I may be biased because…
• 28 yrs experience in Japanese Culture (Guru)
• 8 months experience in U.S. culture (Beginner or Intermediate)
 It is NOT conclusion, and I would like to start the discussion
• Welcome constructive criticism and opinion

11. Disclaimer
 I DO NOT want to discuss the advantage or disadvantage of
each culture
• I would like to respect both cultures
• Only discuss the defensive workability against SE attack
 I welcome the question and comment, but
• PLEASE PLEASE speak slowly and easily

12. 1. What is Culture? Cultural Difference?

13. Cultural Difference?
 The Size

14. Cultural Difference?
 The Size
US S-Size JP L-Size

15. Cultural Difference?
 The Punctuality

16. Cultural Difference?
 The Pokemon Go indicator

17. FYI : Steve’s POV

18. Again, What is Culture? Cultural Difference?

19. Wikipedia say…

20. What is Culture?
 A lot of Definition is available
 The Definition of E.B.Tylor
• “that complex whole which includes knowledge, belief, art,
morals, law, custom and any other capabilities and habits
acquired by man as a member of society”

21. What is Culture?
 A lot of Definition is available
 The Definition of E.B.Tylor
• “that complex whole which includes knowledge, belief, art,
morals, law, custom and any other capabilities and habits
acquired by man as a member of society”

22. What is Cultural Difference?
 Hofstede's cultural dimensions theory
• He had comprehensive analysis for IBM employees, and he proposed six
dimensions to characterize the culture
• DataSet : http://www.geerthofstede.nl/dimension-data-matrix

23. Hofstede's cultural dimensions theory
INDEX DETAILS
PDI Power Distance Index
IDV Individualism vs. collectivism
MAS Masculinity vs. femininity
UAI Uncertainty avoidance index
LTO Long-term orientation
IVR Indulgence versus restraint
0
10
20
30
40
50
60
70
80
90
100
PDI
IDV
MAS
UAI
LTO
IVR
Cultural Differences by Hofstede Indicator
Japan U.S.A.
JPN USA DIFF
PDI 54 40 14
IDV 46 91 45
MAS 95 62 33
UAI 92 46 46
LTO 88 26 62
IVR 42 68 26

24. Hofstede's cultural dimensions theory
 From this Data
Item Diff Japan U.S.A
LTO 62 Long Term Oriented Short Term Oriented
UAI 46 Hate uncertainly Accept Risk
IDV 45 Collectivism Individualism

25. 2. Social Engineering and Cultural Difference

26. If you are NOT familiar with SE

27. Today we are discussing…
 OSINT
 Tailgating
 Vishing
 Remittance Scam (Supplementary)

28. 2. Social Engineering and Cultural Difference
~2-1 : OSINT~

29. OSINT
 Open Source Intelligence
• Collecting necessary information by using public resource for SE
 Cultural Defense Workability of JP Culture:
• Japan prefer anonymity in the Internet
• It means that the difficulty of OSINT in JP is high.
 MIC 2014 Research (MIC : Ministry of Internal Affairs and Communications)
• 6 countries (JP, US, UK, FR, SK, SGP) comparison
• http://www.soumu.go.jp/johotsusintokei/whitepaper/eng/WP2014/chapter-4.pdf

30. OSINT – Cultural Defense
 MIC 2014 Research
• The US tend to use Real Name, but JP prefers to use false name
10.1
12.6
30.2
17.8
20.8
15.5
22
24.3
26.7
19.7
29.8
67
7.8
28.1
18.1
25.3
1.5
16.6
2.5
18.1
1.2
3.9
2.2
3.9
2.7
5.4
2
6
2.3
4.6
58.9
16.5
59.8
50.2
58.4
53.8
74.5
53.1
68.5
57.6
0 10 20 30 40 50 60 70 80 90 100
JP
US
JP
US
JP
US
JP
US
JP
US
FBTwitterChatSNSBBSBlog
Use of false names versus real names on SNS
Use False Name Use Real Name Use Both (multiple acount) Not User

31. OSINT – Cultural Defense
 MIC 2014 Research
• 66.3% of JP have antipathy against disclosing real name (US: 35.9%)
15.9
41.7
13.1
23.2
24.6
22.8
24.8
13.7
28.3
22.4
12.7
22.2
13.7
7.3
13.6
0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 100.0
Total
JP
U.S.
The Antipathy against disclosing real name
Strong Moderate Nuetral/Neither Not much No

32. OSINT – Cultural Defense
 MIC 2014 Research
• Approximately 60% of JP and US people feel the risk of being identified
even though they use false name
20.2
16.5
24.4
39.1
43.7
36.9
29.9
26.5
27.4
10.8
13.3
11.3
0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 100.0
Total
JP
US
Awareness of The Risk of Being Identified with Anonymous Use
High Possiblity Some Possiblity Low Possiblity Almost No Possiblity

33. 2. Social Engineering and Cultural Difference
~2-2 : Tailgating~

34. Tailgating
 Tailgating
• Breaking physical access control by using pretexting
• Ex) Pretending to be a “FedEx guy” or “pest control guy”
• Ex) Pretending to be a freshman, WFH employee, employee in different
branch
 Cultural Defense Workability of JP Culture:
• Japanese culture is detective environment
• Office Layout
• Working Style Culture

35. Tailgating – Cultural Defense
 Office Layout
• US : Cubicle
• JP : Flat Desk

36. Tailgating – Cultural Defense
 Why does it work as a defense?
• Easy to identify the stranger or attackers
• Know the usual behavior (baseline) of colleagues and other vendors

37. Tailgating – Cultural Defense
 Working Style Culture
• Before that, let’s look at the working style difference
U.S.A Japan
Working Style • WFH is popular • WFH is NOT popular
Employment
Mobility
• High Mobility
• Join frequently, leave
frequently
• Low Mobility
• JP company do not like mid-carrier recruiting
• Stay one companies +10 years
New Graduate
Job Hunting
• Apply to “Job”
• Specialist Oriented
• Apply to “Company”
• Generalist Oriented
• Join into the company on April 1st
• 2-4 month Bootcamp Training (Project works)
• Company assigned the division (=Job)
• Job rotation is popular

38. Company Welcoming Ceremony @ April 1st

39. Tailgating – Cultural Defense
 Working Style Culture
• Let’s look at the working style difference
U.S.A Japan
Working Style • WFH is popular • WFH is NOT popular
Employment
Mobility
• High Mobility
• Join frequently, leave
frequently
• Low Mobility
• JP company do not like mid-carrier recruiting
• Stay one companies +10 years
New Graduate
Job Hunting
• Apply to “Job”
• Specialist Oriented
• Apply to “Company”
• Generalist Oriented
• Join into the company on April 1st
• 2-4 month Bootcamp Training (Project works)
• Company assigned the division (=Job)
• Job rotation is popular
It creates strong informal connection btw colleagues.

40. Tailgating – Cultural Defense
 Why does it work as a defense?
• New guys or stranger = easy to identify
• Informal connection will work as the verification method
• It may be difficult to create workable pretexting

41. 2. Social Engineering and Cultural Difference
~2-3 : Vishing~

42. Vishing
 Vishing
• Phishing attack by using Phone Call
• Ex) pretending to be a “computer support” guy
• Ex) pretending to be people in WFH / another branches
 Cultural Defense Workability of JP Culture:
• Working Style
• Decision Making Process

43. Vishing – Cultural Defense
 Working Style
• WFH is not popular
• Outsourcing is not so popular
• The employee have strong informal connection
 Why does it work as a defense?
• Pretexting may be hard
• If the phone call is suspicious, it is possible to ask the question by using
the informal network of colleague. (validation function)

44. Vishing – Cultural Defense
 Phone Call Handling
• When your colleague get the phone call...
• In Japan, freshman or administrative staff take the phone within 3 ringing
 Why does it work as a defense?
• Share the contents through the process (flat desk will be helpful)
• Freshman or administrative staff can create the baseline

45. Vishing – Cultural Defense
 Decision Making Process
• US If boss said Yes, it is done
• JP prefer the consensus (many escalation flow to decide)
 Why does it work as a defense?
• Various validation function by the process, especially for financial
settlement

46. 2. Social Engineering and Cultural Difference
~2-5 : Remittance Scam~

47. I give the couple of examples about
Japanese (business) cultures & it’s workability.

48. I give the couple of examples about
Japanese (business) cultures & it’s workability.
However, it does not necessarily means
Japanese cultures and people are tolerant for
social engineering.

49. Scams to elderly people are serious
problems in Japan and we see a lot of SE
techniques.

50. Scenarios:
 Step 1
Victim Attacker
（Police Officer A）

51. Scenarios:
 Step 1
Victim Attacker
（Police Officer A）
• We arrest the scam group.

52. Scenarios:
 Step 1
Victim Attacker
（Police Officer A）
• We arrest the scam group.
• They have the name list for a future
attack, and it include your name.

53. Scenarios:
 Step 1
Victim Attacker
（Police Officer A）
• We arrest the scam group.
• They have the name list for a future
attack, and it include your name.
• They also committed cloning of credit
card, and your credit card has the
possibility of abusing.

54. Scenarios:
 Step 1
Victim Attacker
（Police Officer A）
• We arrest the scam group.
• They have the name list for a future
attack, and it include your name.
• They also committed cloning of credit
card, and your credit card has the
possibility of abusing.
• We investigate this case with FSA and
FSA staff will contact you.
FSA : Financial Service Agency

55. Scenarios:
 Step 2
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
Attacker
（Police Officer A）

56. Scenarios:
 Step 2
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
• You got the phone call from
police officer A
Attacker
（Police Officer A）

57. Scenarios:
 Step 2
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
• You got the phone call from
police officer A
• We investigate the malicious
usage of your credit card
Attacker
（Police Officer A）

58. Scenarios:
 Step 2
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
• You got the phone call from
police officer A
• We investigate the malicious
usage of your credit card
• Please tell me last 4 digits and
expired date. We will match up
with our database.
Attacker
（Police Officer A）

59. Scenarios:
 Step 2
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
• You got the phone call from
police officer A
• We investigate the malicious
usage of your credit card
• Please tell me last 4 digits and
expired date. We will match up
with our database.
• Umm…abused
Attacker
（Police Officer A）

60. Scenarios:
 Step 2
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
• You got the phone call from
police officer A
• We investigate the malicious
usage of your credit card
• Please tell me last 4 digits and
expired date. We will match up
with our database.
• Umm…abused
• We will start the process to
issue new card and FSA staff go
to your home to pick up it.
Attacker
（Police Officer A）

61. Scenarios:
 Step 3
Victim
FSA : Financial Service Agency
Attacker
（FSA Staff）
Attacker
（Police Officer A）
Attacker
（FSA Staff）
• Pick Up

62. 3. Wrap -Up

63. Wrap-Up
 Does Cultural Difference become a barrier for SE?
• I think YES.
• But it is the beginning of my first thought, and I think I need further
discussion
• Also, from attacker’s perspectives, the adjustment of pretexting to specific
culture will be effective.
 The design consideration of culture, business process may
help to avoid the social engineering

64. Thank You!!
 If you have any questions, please feel free to contact me
Contact Info
• Email scientia.admin@gmail.com
• JP Blog www.scientia-security.org
• EN Blog blog.scientia-security.org (Coming Soon)