Social Engineering & How to Counteract Advanced Attacks. Joe Ferrara, President and CEO Wombat Security Technologies, Inc.

Agenda
- Social Engineering
- DEFCON Competition
- Recent Examples
- Countermeasures

What is Social Engineering?
- The art of manipulating people into performing actions or divulging confidential information
- An act of psychological manipulation
- The term originally meant engineering society to cause a favorable change

How Large is the Problem?
- 91% of targeted attacks involve spearphishing emails (1)
- 29% of breaches in 2012 leveraged social tactics (2)
- 31% of mobile users received a text from someone they didn't know requesting that they click a link or dial an unknown number (3)

Sources: (1) Trend Micro, November 2012; (2) Verizon Data Breach Investigations Report 2013; (3) Cloudmark, September 2012

Social Engineering Scenarios
- Email
- In-person
- Smartphone
- Social networking
- Snail mail
- Fixed phone

DEFCON 20 Competition
- 20 social engineers
- 10 target companies
- Research & phone calls only
- Points for data captured
- Strict rules in place
- http://social-engineer.org/resources/sectf/Social-EngineerDefcon20SECTFResultsReport-final.pdf

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Competition Process
- Target industries: freight, telecom, oil, retail & technology
- Upfront research, publicly available sources only: Google, Twitter, Facebook, LinkedIn, Craigslist, Foursquare, Whois, Wikipedia, Vimeo, etc.
- Phone calls at DEFCON, spoofed or not
- Points range from 3 to 25: 3 for "Do you block sites?", 25 for getting the target to go to a URL

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

What were they looking for?
- Get them to visit a fake URL: 25 points
- What browser do they use? 10 points
- What version of that browser? 15 points
- What anti-virus system is used? 10 points
- What operating system is in use? 10 points
- What service pack/version? 15 points
- What program to open PDFs and what version? 10 points
- What mail client is used? 10 points
- What version of the mail client? 10 points
- Who is their 3rd party security company? 10 points
- When was the last time they had security awareness training? 10 points

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

What did they find through research? (chart; categories shown)
- Cafeteria? / Food Service
- AV
- OS
- Browser

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

What else did they get on the phone? (chart; categories shown)
- Disk Encryption
- OS
- Security Co.
- AV
- Browser
- Fake URL

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Success Rates in High Value Targets
- Get them to visit a fake URL: 30%
- What browser do they use? 70%
- What version of that browser? 25%
- What anti-virus system is used? 65%
- What operating system is in use? 120%
- What service pack/version? 40%
- What program to open PDFs and what version? 70%
- What mail client is used? 55%
- What version of the mail client? 25%
- Who is their 3rd party security company? 50%
- When was the last time they had security awareness training? 25%

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Pretexts Used
- Student
- Vendor
- Survey Taker
- Employee

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Scores by Industry (chart)

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Scores by Company (chart)

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Recent Attacks
- Email
- Smartphone
- Social networking

Would you fall for this? (the email that tricked the AP, annotated)
- Someone You Know
- Generic Title
- Link Looks Legitimate

Source: (1) Slate.com, "Would you click the link in this email that tricked the AP?", April 23, 2013

Phishing led to AP Twitter Hack
- April 23rd attack
- Phishing on the corporate network first
- AP's Twitter & Mobile Twitter accounts compromised
- False tweet about a White House attack (1pm)
- Dow immediately fell by 1%

Source: (1) Slate.com, "Would you click the link in this email that tricked the AP?", April 23, 2013

Increasingly Sophisticated Attacks
- Spear-phishing: targeting specific groups or individuals
- Leveraging information about your organization, your group or you
- No more misspellings or easy red flags
- Social phishing: 4 to 5 times more effective
- Example: "Bob Smith is retiring next week, click here to say whether you can attend his retirement party"
- Example: an email subpoena from the US District Court in San Diego with your name, company and phone number, and your lawyer's name, company & phone number

Mobility Adds New Challenges
- App downloads (1): lack of understanding of permissions; relying on word of mouth and ratings
- Email phishing (2): worse on mobile phones; mobile phones are first to arrive at phishing websites; 3x more likely to submit credentials
- SMS attacks: smishing, links, calls

Sources: (1) P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, "A Conundrum of Permissions: Installing Applications on an Android Smartphone", USEC 2012; (2) Trusteer, Jan. 2011

Android Trojan Creates SMS Botnet
- Random SMS invitation to download a free Android game
- Unknowingly loading malicious software
- Turns the handset into a simple botnet
- Sends SMS malware based on instructions from a command and control server

Source: (1) Cloudmark, December 2012

SMS/Text-based Attacks
- September 2012: 913% increase in the volume of SMS phishing attempts
- Surge appears to be the result of a single set of attacks with over 500 unique phishing pitches
- Simplistic attack message: "Fwd: Good Afternoon. Attention Required. Call (xxx)xxx-xxxx"

Source: (1) Cloudmark, September 2012

Q1 2013 Text-Based Attacks (chart)

Source: (1) Cloudmark / GSMA, April 2013

Social Networking Attacks
- 15% of users had their profile hacked & impersonated (1)
- 10% of users fell victim to a scam or fake link (1)
- Recent login & malware scams: Facebook ("You were violating policies"), Twitter ("Someone saying nasty things about you"), LinkedIn (fake employee event invitations)

Source: (1) Norton, September 2012

Social Engineering Roads Converge
- The end user is the target
- Exploits human weakness
- The end user is the problem
- Technology can't solve the issues
- Countermeasures must be taken

Technology Alone Won't Work
- Tempting to just buy software or hardware that promises to solve these problems
- Many social engineering scenarios are not impacted by technology
- Attackers are very resourceful, constantly looking to circumvent defenses
- Security controls lag behind technology adoption

Mitigation Recommendations
- Social Media Policies: if you don't have one, get one; clear definitions of what is allowed and not allowed; business use versus personal use
- Consistent, Real World Education: quality, meaningful security awareness education; consistent & frequent to keep topics top of mind
- Regular Risk Assessments and Penetration Tests: social engineering risk assessments & penetration tests; use the results to develop & target training and prepare for attacks

Mitigation Steps
- Social Media Policies: research, create & distribute a new policy
- Consistent, Real World Education: lunch & learn, classroom training, email messages; use examples from industry or from your company; vendor solutions
- Regular Risk Assessment and Penetration Test: download tools for internal use; security consulting companies; vendor solutions
- What if you combine vendor solutions for education & assessments?

Training via Simulated Attacks
- Training as part of the daily routine
- Just-in-time training for those that fall for the attack
- Creates a unique teachable moment
- Significantly increases training penetration
- Provides detailed reporting & metrics

Cycle: Select Target Employees -> Customize Fake Attack -> Select Training -> Initiate Mock Attack -> Monitor & Analyze Employee Response

Social Engineering Assessments
- Links education & assessments
- Automates much of the process with do-it-yourself capabilities
- Detailed reports to develop & target training
- Attack services covering: email phishing attacks, memory device attacks, SMS/text message attacks

Results of Continuous Training (diagram)
- Mock phishing attack -> phishing email campaigns
- Over 80% reduction: 35% failure in the 1st campaign, 6% failure in the 2nd campaign
- Training modules: repeat just-in-time training, auto-training enrollment, email security, URL training
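The measurement loop behind the two slides above (monitor and analyze employee response, auto-enroll those who fell for the lure in just-in-time training, report the campaign-over-campaign reduction), as an added example that is not Wombat's product code. The event records, user ids and campaign ids are constructed; the "clicked"/"reported"/"delivered" actions are assumed labels.

```python
"""Mock-phishing campaign metrics: failure rate per campaign, reduction between
campaigns, just-in-time training enrollment and repeat-offender detection.
Added example with constructed data; not the vendor's code."""
from collections import defaultdict

# Constructed events: (campaign_id, user_id, action), one row per recipient.
# "clicked" = fell for the lure, "reported" = flagged it, "delivered" = no action.
USERS = [f"u{i:02d}" for i in range(20)]
EVENTS = (
    [("c1", u, "clicked" if i < 7 else "delivered") for i, u in enumerate(USERS)]
    + [("c2", u, "clicked" if u == "u03" else ("reported" if i < 5 else "delivered"))
       for i, u in enumerate(USERS)]
)


def campaign_stats(events):
    """Return {campaign: {"targeted", "failed", "reported"}} as sets of user ids."""
    per = defaultdict(lambda: {"targeted": set(), "failed": set(), "reported": set()})
    for camp, user, action in events:
        per[camp]["targeted"].add(user)
        if action == "clicked":
            per[camp]["failed"].add(user)
        elif action == "reported":
            per[camp]["reported"].add(user)
    return dict(per)


def failure_rate(stats, camp):
    """Share of targeted users who clicked in this campaign."""
    s = stats[camp]
    return len(s["failed"]) / len(s["targeted"])


def reduction(stats, first, second):
    """Fractional drop in failure rate from the first to the second campaign."""
    before, after = failure_rate(stats, first), failure_rate(stats, second)
    return (before - after) / before if before else 0.0


def training_enrollment(stats, camp):
    """Just-in-time training: everyone who clicked in this campaign."""
    return sorted(stats[camp]["failed"])


def repeat_offenders(stats, first, second):
    """Users who failed both campaigns: candidates for targeted follow-up."""
    return sorted(stats[first]["failed"] & stats[second]["failed"])


if __name__ == "__main__":
    st = campaign_stats(EVENTS)
    for c in ("c1", "c2"):
        print(c, f"failure {failure_rate(st, c):.0%}", "enroll:", training_enrollment(st, c))
    print(f"reduction c1->c2: {reduction(st, 'c1', 'c2'):.0%}")
    print("repeat offenders:", repeat_offenders(st, 'c1', 'c2'))
```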

Conclusions
- Social engineering is a large & growing risk
- Your end users are the target
- The mitigation strategy is policies plus ongoing education & assessments
- There is a direct correlation between companies that provide frequent awareness training and the amount of information a company gives up (1)

Source: (1) Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012