Presentation given by Evan Francen at TechPulse 2017. The presentation was about social engineering, including common tactics and basic protections. Topics such as phishing, vishing, and physical access attacks were discussed. Evan also shared some of the real-life stories that he has experienced during his 20+ year career.
People. The Social Engineer's Dream - TechPulse 2017
1. People… the social engineer’s dream
Presented by Evan Francen, CISSP CISM (and some other stuff)
FRSecure President & CEO
duh
2. Topics/Agenda
• Introduction
• Social Engineering Defined
• Famous Social Engineers
• Types of Social Engineering
• Real Stories
• WHAT TO DO?!
• Questions
3. Introduction
• Speaker – Evan Francen
• 20+ years of information security experience
• Information security evangelist
• President & Co-founder of FRSecure
• Social Engineer.
4. FRSecure
• Information Security Consulting and Management company. It’s all we do.
• Our core services include:
• HIPAA Risk Analysis – using FISA™
• Social Engineering Services
• Penetration Testing Services
• PCI QSA Services
• Incident Management Services
• HITRUST Services
• SOC Preparation Services
• Information Security Training & Awareness
• vServices (vCISO, vISO, and vISA)
• Methodology fanatics, mentoring champions, and product agnostic.
5. Social Engineering Defined…
Social engineering is hacking human trust. It’s convincing someone that it’s in their best interests to give you something. That something could be credentials, access to a computer system, personal information, physical access, or any number of things. – Evan Francen, FRSecure
6. Social Engineering Defined…
• The best way to protect yourself against a social engineer is to know their techniques and be aware.
• This is exactly what we’re going to cover today…
8. Types of Social Engineering
• DON’T FORGET - The best way to protect yourself against a social engineer is to know their techniques and be aware.
• There are four main types of social engineering attacks and a bunch of variations:
• Electronic – Phishing is the #1 variation of electronic social engineering.
• In-person – Physical attacks that typically focus on gaining physical access to something.
• Physical drop – Most often flash drives loaded with something bad.
• Telephone – Call and ask. Get somebody to give you something over the phone.
All of these types of attacks give GREAT results.
We have a saying… “It’s easier to go through your secretary than it is your firewall.”
9. Real Stories (people like stories)
Electronic – Phishing
What would you guess is the success rate for a phishing attack against a typical bank?
Up to 50% of users give us credentials; 100% of banks.
16. Think it couldn’t happen to you?
There are two things that a social engineer loves:
1. People who don’t think it can happen to them.
2. People who are too busy to notice.
18. WHAT TO DO?!
The best way to protect yourself against a social engineer is to know their techniques and be aware.
• Phishing – NEVER click on a link in an email that leads to a login page and log in.
• Phishing – NEVER click on a link in an email and download a file.
• Physical – ALWAYS question somebody that you don’t know who seems out of place.
• Physical – ALWAYS ask for identification.
• Physical – ALWAYS know where your access card and/or keys are.
• Physical – NEVER allow someone to follow behind you through an access controlled door.
• Phone – NEVER give out sensitive information on a phone call you didn’t initiate.
• Phone – NEVER give someone access to anything on a phone call you didn’t initiate.
NOTHING can guarantee that you won’t be tricked or taken advantage of, so be prepared for what you will do if/when it happens.
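The two phishing rules above ("never click a link in an email that leads to a login page") can be partly automated on the defensive side: before a user ever sees the message, a mail gateway or awareness tool can flag links whose visible text shows one domain while the href points somewhere else, and links whose target looks like a credential page. The following is an added example written for this page, not code from the presentation or from FRSecure. The email body, the domain names and the `LOGIN_HINTS` keyword list are all constructed for illustration; the "registrable domain" helper is a deliberate two-label approximation (an assumption, as no public-suffix list is used).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list: path/host fragments that suggest a credential-entry page.
LOGIN_HINTS = ("login", "signin", "sign-in", "verify", "password")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL (or URL-looking text); None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def registrable(host):
    """Crude registrable-domain approximation: last two labels (assumption: no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def inspect_links(html):
    """Return a list of (href, text, reasons) for links that warrant a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        # Only treat the anchor text as a domain claim when it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else None
        if text_host and href_host and registrable(text_host) != registrable(href_host):
            reasons.append("display text shows %s but link goes to %s" % (text_host, href_host))
        if any(hint in href.lower() for hint in LOGIN_HINTS):
            reasons.append("link leads to a login/credential page")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email: one deceptive link, one legitimate newsletter link.
SAMPLE_EMAIL = """
<p>Dear customer, please visit
<a href="http://secure-bank-login.example.net/login">https://www.examplebank.com</a>
to verify your account.</p>
<p>Read our <a href="https://www.examplebank.com/news">newsletter</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in inspect_links(SAMPLE_EMAIL):
        print(href, "|", text)
        for r in reasons:
            print("   -", r)
```

Run stand-alone, the script flags only the first link, for both reasons; the newsletter link passes because its anchor text makes no domain claim and its target is not a credential page. A real gateway would pair this with the sender-authentication and reputation checks the slide does not cover, but the mismatch test alone catches the most common "looks like our bank" lure.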
20. Complete a Survey for a Raffle Ticket
In the App*
• Select the session you are in
• Tap the survey button
• Take survey
• Show the screen at the right to the breakout attendant as you leave the room
Paper Survey
• Fill out the paper survey at your seat
• Hand your completed survey to the breakout attendant as you leave the room
*You will also receive 4 points in the app that will contribute to your Leaderboard standings