Social Engineering & How to Counteract Advanced Attacks. Ralph Massaro, VP of Sales Wombat Security Technologies, Inc.



Similar documents
Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

Training Employees to Recognise & Avoid Advanced Threats

TEN COMMANDMENTS OF EFFECTIVE SECURITY AWARENESS TRAINING

5 Reasons Why Your Security Education Program isn t Working (and how to fix it)

Understanding Security Threats in the Cyber World. Beth Chancellor, Chief Information Security Officer

SIMULATED ATTACKS. Evaluate Susceptibility Using PhishGuru, SmishGuru, and USBGuru MEASURE ASSESS

Anti-Phishing Training Modules Teach employees to recognize and avoid phishing and spear phishing attacks

5 Reasons Why Your Security Education Program isn t Working (and how to fix it)

State of the Phish 2015

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Security Awareness Training Solutions

CHAPTER 2: CASE STUDY SPEAR-PHISHING CAMPAIGN GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

The SMB Cyber Security Survival Guide

Jumpstarting Your Security Awareness Program

Protect Yourself. Who is asking? What information are they asking for? Why do they need it?

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Social Media and Cyber Safety

Targeted attacks: Tools and techniques

Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams. May TrustInAds.org. Keeping people safe from bad online ads

Cyber Security. Maintaining Your Identity on the Net

Loophole+ with Ethical Hacking and Penetration Testing

Pushing the Envelope on Data-Driven Security Awareness Mark T. Chapman CFE CISSP CISM CRISC

Fighting Advanced Threats

Cyber Crime: You Are the Target

CSUF Tech Day Security Awareness Overview Dale Coddington, Information Security Office

How to Protect against the Threat of Spearphishing Attacks

Top Fraud Trends Facing Financial Institutions

Why The Security You Bought Yesterday, Won t Save You Today

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

Global Manufacturing Company Reduces Malware Infections by 46%

Cyber Security Management

You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd.

How To Help Protect Yourself From Identity Theft

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One

Top Ten Fraud Risks That Impact Your Financial Institution. Presented by Ann Davidson - VP Risk Consulting Allied Solutions LLC.

PENETRATION TESTING GUIDE. 1

Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

Information Security Attack Tree Modeling for Enhancing Student Learning

How-To Guide: Cyber Security. Content Provided by

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark

A Small Business Approach to Big Business Cyber Security. Brent Bettis, CISSP 23 September, 2014

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

Simplifying Security & Compliance Innovating IT Managed Services. Data Security Threat Landscape and IT General Controls

Exactly the Same, but Different

How To Protect Yourself From Cyber Threats

2013 State of The Phish

Security Intelligence Services. Cybersecurity training.

How to Spot and Combat a Phishing Attack Webinar

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

OCIE Technology Controls Program

Security Awareness Program Learning Objectives. By Aron Warren Last Update 6/29/2012

SOCIAL MEDIA: LEVERAGING VALUE WHILE MITIGATING RISK

Government Entity located in St. Louis Serving Government for over 40 Years

Cybersecurity Governance Update on New FFIEC Requirements

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Conducting an Phishing Campaign

FORBIDDEN - Ethical Hacking Workshop Duration

Common Cyber Threats. Common cyber threats include:

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Information Security It s Everyone s Responsibility

WRITTEN TESTIMONY OF

10 Best Practices to Protect Your Network presented by Saalex Information Technology and Citadel Group

WHITEPAPER. V12 Group West Front Street, Suite 410 Red Bank, NJ

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

PUBLIC SAFETY CYBER SECURITY

Information Security Field Guide to Identifying Phishing and Scams

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Social Media Single Sign-On: Could You Be Sharing More than Your Password?

NATIONAL CYBER SECURITY AWARENESS MONTH

5 Video Marketing Ideas with Exceptional ROI. Marcus Seeger. Video Profit Strategist

Feeling safe? Try attending Internet security conference 22 April 2015, by By Brandon Bailey

Security Bank of California Internet Banking Security Awareness

From Data Breaches and Information Hacks, to Unsecure Computing - Know Your Defense

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Application Security in the Software Development Lifecycle

The New Reality of Synthetic ID Fraud How to Battle the Leading Identity Fraud Tactic in The Digital Age

Don t Fall Victim to Cybercrime:

December 2010 Report #48

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015 MIKE.ZUSMAN@CARVESYSTEMS.COM

Why is a strong password important?

Cyber Security. Securing Your Mobile and Online Banking Transactions

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

SHS Annual Information Security Training

Combating Identity Theft: Tips to Reduce Your Cybersecurity Risks. September 16, 2015

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

Practical Steps To Securing Process Control Networks

You ll learn about our roadmap across the Symantec and gateway security offerings.

10 Ways to Better Secure Your Agency Data

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

Technical Testing. Network Testing DATA SHEET

Introduction to Marketing

How To Deal With A Converged Threat From A Cloud And Mobile Device To A Business Or A Customer'S Computer Or Network To A Cloud Device

The objective setting phase will then help you define other aspects of the project including:

Cyber Security for your Connected Health Device

Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security

Transcription:

Social Engineering & How to Counteract Advanced Attacks Ralph Massaro, VP of Sales Wombat Security Technologies, Inc.

Agenda Social Engineering DEFCON Competition Source of Problem Countermeasures

Social Engineering Scenarios Email In-person Smartphone Social networking Snail mail Fixed phone

Def Con Hacking Conference Held in Las Vegas Social Engineer Capture the Flag (SECTF) Social-Engineering.org Raise Awareness of social engineering threats and to demonstrate how damaging information is freely available http://social-engineer.org/resources/sectf/social- EngineerDefcon20SECTFResultsReport-Final.pdf

SECTF Contest where participants collect information called Flags (37) Flags are assigned a point value Participant with the highest # of points wins

SECTF Contestants: 20 participants out of 198 candidates 10 Women and 10 Men First time participants Backgrounds Security Experts Red Team Marketing Researchers Sales Students

SECTF Target Companies: Fortune 500 Diverse Industries Common Brands Contest unknown to target companies Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, J&J, Disney

Competition Process Target industries transportation, telecom, oil, retail, entertainment & technology Upfront research publicly available only Google, Twitter, Facebook, Linkedin, Craigslist, Foursquare, Whois, Wikipedia, Vimeo, etc, etc, etc Phone calls at DEFCON spoofed or not Points range from 3 to 25 3 for Do you block sites? 25 for getting target to go to URL

SECTF What were they looking for? Get them to visit a fake URL 25 points What browser do they use? 10 points What version of that browser? 15 points What anti-virus system is used? - 10 points What operating system is in use? - 10 points What service pack/version? 15 points What program to open PDFs and what version? 10 points What mail client is used? 10 points What version of the mail client? 10 points Who is their 3 rd party security company? 10 points When was the last time they had security awareness training? 10

Success Rates in High Value Targets Get them to visit a fake URL 30% What browser do they use? 70% What version of that browser? 25% What anti-virus system is used? 65% What operating system is in use? 120% What service pack/version? 40% What program to open PDFs and what version? - 70% What mail client is used? - 55% What version of the mail client? - 25% Who is their 3 rd party security company? - 50% When was the last time they had security awareness training? - 25% 1 Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

What did they find through research? Cafeteria? Food Service AV OS Browser

What else did they get on the phone? Disk Encryption OS Security Co. AV Browser Fake URL

Pretexts Used Student Vendor Survey Taker Employee

Who is the most susceptible?

Results Improvement in contestants perparation Higher number of unskilled or inexperienced callers More advanced pretenses More information available on line No improvement by companies to better educate or prepare for social engineering attacks

Social Engineering Scenarios Email In-person Smartphone Social networking Snail mail Fixed phone

Social Engineering Roads Converge The end user is the target Exploits human weakness The end user is the problem Technology can t solve the issues Countermeasures must be taken

Increasingly Sophisticated Attacks Spear-phishing targeting specific groups or individuals Leveraging information about your organization, group or you No more misspellings or easy red flags Social phishing 4 to 5 times more effective Bob Smith is retiring next week, click here to say whether you can attend his retirement party Email subpoena from the US District Court in San Diego with your name, company and phone number, and your lawyers name, company & phone number

Would you fall for this? Someone You Know Generic Title Link Looks Legitimate 1 Source: Slate.com Would you click the link in this email that tricked the AP? April 23, 2013

Technology Alone Won t Work Tempting to just buy software or hardware that promises to solve these problems Many social engineering scenarios are not impacted by technology Attackers are very resourceful, constantly looking to circumvent defenses Security controls lag behind technology adoption

Training has a Big Role to Play Lack of understanding of risks Wide range of scenarios What if you combine Required knowledge is vast & growing Delivery methods must be compelling education & Security is a secondary task assessments? Root cause is often a failure to invest in educating staff about security risks PWC Information Security Breaches Survey (April 2012)

Continuous Training Methodology Assessment Assessment Across All or Some Topics Cyber Knowledge Scheduled Training for Everyone Education Analyze & Repeat Simulated Attacks Simulated Attacks Email, Smish, Memory Device

Social Engineering Assessments Links education & assessments Automates much of the process with do-it-yourself capabilities Detailed reports to develop & target training Attack services covering: email phishing attacks memory device attacks SMS/text message attacks

Wombat s Definition of Effective Training Present concepts and procedures together Bite-sized lessons Learn by doing Story-based environment Create teachable moments Provide immediate feedback Use conversational content Collect valuable data

Results of Continuous Training Mock Phishing Attack Phishing Email Campaigns Over 80% Reduction Training Modules Repeat Just In Time Training 35% Failure 1 st Campaign 6% Failure 2 nd Campaign Auto- Training Enrollment Email Security URL Training

SECTF Winners Target Companies 10 Number of Contestants 20 Completed calls 51 Possible flags 37 Men vs Women 10/10 Points for Men 2991 Points for Women 3579

Conclusions Social engineering is a large & growing risk Your end users are the target Mitigation strategy is through policies and ongoing education & assessments There is a direct correlation between companies that provide frequent awareness training and the amount of information a company gives up. (1) 1 Social-Engineering.org, DEFCON 20 Social Engineering CTF 2012

Ralph Massaro r.massaro@wombatsecurity.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information