People: The Social Engineer’s Dream

John Harmon – VP of Operations at FRSecure
May 21, 2018
Topics/Agenda

Introduction
Social Engineering Defined
Famous Social Engineers
Types of Social Engineering
Real Stories
WHAT TO DO?!
Questions
Introduction – Speaker

John Harmon, VP of Operations
Leads the security and project management teams at FRSecure
Business background
6th team member at FRSecure
Wife, 2 teenaged boys
Classically-trained singer
Concordia (Moorhead) alumnus
Very happy to be here!
Introduction – FRSecure

Information Security Consulting and Management company. It’s all we do.

Our core services include:
Security Risk Analysis – using FISASCORE®
Social Engineering Services
Penetration Testing Services
PCI QSA Services
Incident Management Services
HITRUST Services
Information Security Training & Awareness
vServices (vCISO, vISO, and vISA)

Methodology fanatics, mentoring champions, and product agnostic.
Social Engineering Defined

Social engineering is hacking human trust. It’s convincing someone that it’s in their best interests to give you something. That something could be credentials, access to a computer system, personal information, physical access, or any number of things.
- Evan Francen, FRSecure
(in)Famous Social Engineers

Some of my favorites
Types of Social Engineering

DON’T FORGET: the best way to protect yourself against a social engineer is to know their techniques and be aware.

There are four main types of social engineering attacks and a bunch of variations:
Electronic: Phishing is the #1 variation of electronic social engineering.
In-person: Physical attacks that typically focus on gaining physical access to something.
Physical drop: Most often flash drives loaded with something bad.
Telephone: Call and ask. Get somebody to give you something over the phone.

All of these types of attacks give GREAT results. We have a saying: “It’s easier to go through your assistant than it is your firewall.”
Real Stories (People Like Stories)

Electronic – Phishing
What would you guess is the success rate for a phishing attack against a typical bank?
~50% of users give us credentials / 100% of banks

In Person
What do you get when you mix Gatorade, a dead spider, and a fake ID?
KIND – HELPFUL – INNOCENT – TRUSTWORTHY

Telephone
(almost had him)

Think it couldn’t happen to you?
Things that a social engineer loves:
People who don’t think it can happen to them.
People who are too busy to notice.
100 / 10 / 3 – Verizon Stats
WHAT TO DO?!

The best way to protect yourself against a social engineer is to know their techniques and be aware.

Phishing – NEVER click on a link in an email that leads to a login page and log in.
Phishing – NEVER click on a link in an email and download a file.
Physical – ALWAYS question somebody that you don’t know who seems out of place.
Physical – ALWAYS ask for identification.
Physical – ALWAYS know where your access card and/or keys are.
Physical – NEVER allow someone to follow behind you through an access-controlled door.
Phone – NEVER give out sensitive information on a phone call you didn’t initiate.
Phone – NEVER give someone access to anything on a phone call you didn’t initiate.

NOTHING can guarantee that you won’t be tricked or taken advantage of, so be prepared for what you will do if/when it happens.
Questions?

Hopefully about security. Thank you!

For a copy of this presentation, text MCOCE18 to 44222

John Harmon
FRSecure
jharmon@frsecure.com