Time: 3 hours 55 minutes
Difficulty: Advanced
CEU/CPE: 5

Video Description

In this lesson, Subject Matter Expert Dean Pompilio discusses ways to detect and prevent Social Engineering. Not everything about Social Engineering is in offensive mode; some of it is defensive: if you are the victim, you need to know how to take defensive measures. SME Pompilio explains that while effective Social Engineers do not want their target to feel suspicious, potential Social Engineering victims need to be suspicious of anything out of the ordinary, especially when their gut tells them something is not right. Victims need to perform due diligence, trust but verify, and become digitally quiet, adhering to the Kali slogan that the quieter you become, the more you are able to hear. In this lesson, you will learn techniques to lessen your exposure to Social Engineering (such as enabling privacy settings on all social networking sites), and you will learn:

  • that becoming unpredictable can benefit both the Social Engineer and the target
  • the kinds of physical security controls that can thwart the Social Engineer
  • that User Awareness training should be required for everyone in an organization
  • that Advanced Security Awareness training is necessary for some employees
  • that it is important to pay attention to the legal aspects of ethical Social Engineering
  • that proper documentation is necessary for carrying out ethical Social Engineering
  • how Search Engine Optimization can yield good clues for the Social Engineer
  • the definitions of and the differences between all of the "-bie" classifications of Social Engineers (e.g., newbie, koolbie, maturbie)

Concluding this course on Social Engineering, SME Pompilio reiterates that Social Engineering is an art and a science. He reminds us that our use of language maps to our experiences, which can be manipulated by a Social Engineer. He suggests that to avoid becoming a victim of Social Engineering it is necessary to learn the thresholds for a Human Buffer Overflow and to practice becoming vague in a deliberate way.

Video Transcription

00:04
All right. For our next section, we're going to talk about ways that you can detect and prevent social engineering.
00:10
So not everything that we talked about in this course is going to be
00:15
offensive. Some things are defensive, and it's good to understand both sides of that because
00:21
if you're the victim of a social engineer, you want to be able to notice what they're doing and be able to take evasive maneuvers if you want, or shut them down in some other way.
00:32
One way to think about this is just being
00:36
suspicious of anything that seems to be out of the ordinary,
00:41
right?
00:41
You don't want to become paranoid, of course, but if someone's doing something or saying something, or they're acting a certain way, and your gut is telling you that it doesn't seem right, it probably isn't.
00:53
And of course,
00:54
if we flip that around, the last thing you want to do is to introduce those feelings into your target. If you're social engineering them,
01:02
you don't want to give it away by doing something or saying something or behaving in a way that indicates that your behavior is not genuine.
01:08
That's a big, big factor.
01:11
Performing due diligence, checking things out. The old Russian proverb, trust but verify, right? That applies here in a huge way.
01:23
I mentioned this before: becoming digitally quiet.
01:26
One thing you'll notice when you use Kali is that they have a nice
01:30
slogan in the background of their desktop.
01:33
Basically, the gist of it is that the quieter you become, the more you are able to hear.
01:40
That's good advice for just having conversations, right?
01:42
It's very difficult to listen to somebody if you're talking at the same time. So the quieter you become, the more you can hear. It's a good idea.
01:49
And then becoming unpredictable can also be a big benefit for the engineer and for the potential target.
01:57
If you don't fall into patterns of behavior, where you do the same thing every day the same way, or you say things the same way,
02:06
this can kind of keep your target off balance, or if you are the target, it keeps your social engineer or the attacker off balance.
02:15
So not being predictable is a good thing
02:17
offensively and defensively in this case. Other things to think about: what kind of physical security controls
02:24
might be in place that would thwart the attempts of a social engineer?
02:30
I mentioned having a dumpster in a gated area
02:32
or having
02:35
appropriate
02:37
authorization or identity checking at entrances to a building. All entrances, right, not just the front door. The side door where smokers hang out is equally important because that might be a weak spot that the social engineer could try to exploit.
02:52
You want to also think about user awareness training
02:55
in a general sense. Everyone in an organization should have user awareness training, although that doesn't always happen.
03:01
Some people in the organization require advanced user awareness training or security awareness training because
03:07
they have more responsibility. They might be in a role where they're more vulnerable,
03:13
so they need to be even more aware of social engineering attempts or identity theft attempts, phishing attempts and so on.
03:20
Beyond this, we need to consider legal aspects.
03:23
Obviously, if you're being hired to do a social engineering pen test or an audit, you get permission from your client.
03:30
You have various legal documents showing your rules of engagement, the scope of the engagement.
03:36
This is your get out of jail free card, right? If you're doing things that would normally be considered illegal,
03:43
your pen testing agreement, your document,
03:46
proves that you have been given permission to do these things by your client.
03:50
In some cases, that may still not prevent you from getting in trouble, so you have to be careful.
03:53
You can't just assume because you got permission to do something that the laws don't apply. They still do apply. Don't assume otherwise.
04:01
If you're new to pen testing, you may even want to consult with a lawyer to have them review the contract to make sure that it makes sense, make sure that it's legally sound and that you're not going to open yourself up to prosecution or a lawsuit
04:16
because you do something which wasn't properly protected or wasn't properly identified in your contract.
04:23
This is a very important step.
04:26
What about search engine optimization, or SEO?
04:30
This could elicit lots of good clues for the social engineer.
04:33
They can look at how your
04:36
website appears, or how the organization's website appears in search engine results.
04:42
They might be able to make certain educated guesses or infer certain facts based on the metadata that your site contains and how it could be used for their purposes. That goes back to the CeWL tool, because it can crawl metadata.
04:57
Many other tools could do these things as well, but these are ones that I chose for the introductory course.
05:02
These are useful because they're simple, and they produce great results with a fairly small amount of effort.
05:11
Let's look at some other social engineering detection and prevention ideas.
05:15
Your sent items folder in your email client:
05:20
you might want to maintain this, and what I mean by maintaining it is understanding
05:27
where you sent messages to and maybe organizing those. If you're conducting a social engineering audit, you want to be very meticulous about keeping records of what you did and when you did it, how you did it.
05:39
There are lots of tools you can use to record your activities on the desktop, tools like Bandicam or Camtasia.
05:46
These are the same tools that I use to create the demos that you've been watching.
05:50
So these are terrific tools to use while you're doing your pen testing
05:56
and your other social engineering activities, because now you can record that as a movie and then go back later and review it and make your documentation and so on from that result.
06:08
Other things to think about, more from a protective point of view or preventive point of view, is to think about changing all of your privacy settings for any social networking
06:20
sites that you use: Facebook,
06:23
Twitter, LinkedIn. All of these have some privacy settings which can reduce your attack surface from a social engineer's or hacker's point of view.
06:33
Untagging yourself from photos, deleting blog postings,
06:39
trying to reduce your digital footprint, becoming digitally quiet. These are good concepts to remain
06:46
less vulnerable to social engineering.
06:48
And, of course, from an offensive point of view, you want to try to find targets that do not do these things. They don't know they're supposed to. Maybe they're lazy. Maybe they haven't gotten around to it yet.
06:59
That gives the advantage to the social engineer because that information is out there waiting to be discovered.
07:04
You can also consider using anonymizer websites for doing your searching.
07:10
I used Google as an example because they created the advanced operators.
07:15
But you can easily use a search engine like StartPage.
07:18
This is a great search engine. It's SSL. It doesn't save your IP addresses, and basically it acts as a proxy to Google,
07:27
so you can still
07:29
use your Google advanced operators, but you're not using Google's website directly. Your identity, your IP address, is being insulated from that.
07:36
Also, with StartPage in particular,
07:41
the results that you get from a search, you can usually view those through the StartPage proxy called Ixquick.
07:47
Now your search is anonymous and your visiting of the website is anonymous. That could be important if you're trying to remain digitally quiet.
07:56
DuckDuckGo offers very similar features to what StartPage does.
08:01
You could also use anonymizer websites or proxy websites
08:05
that'll change your IP address, and you can make proxy chains. All kinds of advanced techniques that we'll cover in later videos that show you how to remain more hidden as you're doing some of this activity.
08:16
This course is more about an introduction to the techniques and methodology that you can use to get started.
08:22
So I've got some terminology here which you might find interesting or maybe even humorous.
08:26
We start off with the newbie.
08:28
This is someone that's brand new to this type of work. They're just starting to explore some of the tools; they're trying to figure out what's what. Maybe they're watching videos like this one, trying to get themselves motivated, to get excited, to get started. But they're not really knowledgeable yet, so
08:46
they're not much of a danger to themselves or anyone else at that point. You might also refer to someone as a koolbie. This is someone who's maybe gotten a little bit introduced into the community. They've made some friends. They might have established relationships, trying to build trust,
09:01
trying to become one of the hackers, one of the social engineering guys.
09:05
The next step would be someone who's maybe curious, a curiousbie,
09:09
right? They're trying to elevate their reputation and their profile a little bit by
09:16
trying to dig a little deeper, looking at what the tools really do. Maybe they're looking at the scripts, seeing how they work.
09:22
They're tinkering, they're changing things. This indicates a slightly more advanced level of interaction with the tools,
09:31
and people that are at this stage sometimes decide that they want to create their own tools. Maybe they've got some programming skills, and they want to head off in that direction. The realbie, on the other hand, this person
09:43
is becoming more involved. They're doing research. They're perhaps
09:48
building things like a Kali distribution. They may be building some different tools, trying to do things
09:54
at a more advanced level,
09:56
and they were
09:58
previously
10:00
trying to join blogs or join discussion boards,
10:03
putting their opinion out there a little bit and also at the same time trying to elevate their position within that community.
10:11
The truebie:
10:11
someone who's taking the realbie to the next level.
10:15
They've got well-informed opinions and viewpoints on different topics.
10:20
They're getting more involved in the community, maybe
10:24
doing some posts, asking questions, stating opinions, trying to get responses, trying to grow and become more useful
10:35
in the social engineering pen testing world.
10:37
It could be that you are a student, and even though you're doing this kind of work,
10:41
you decide that you want to go get a job in the security industry.
10:48
So this is kind of like the black hat person trying to become a white hat.
10:52
They're going from perhaps the bad side of hacking
10:56
in order to use their skills for good, to get a legitimate position at a security firm.
11:03
And of course, those people are trying to keep their past hidden as best they can because they don't want
11:09
potential embarrassment, or they don't want to lose their job because they have
11:13
maybe a past where they did some things that might not have been completely legal.
11:18
We go to the probie.
11:20
This is someone that does try to get a job in that field, but maybe they're not good enough yet. Maybe they end up working at a gas station or they're flipping burgers
11:28
because they can't seem to get a foot in the door for a real social engineering or security professional type of situation.
11:37
It does take many years of experience in IT before you can even really become qualified to work in the security field.
11:43
It's not something that you jump into right away.
11:46
It takes time to grow and mature into the tools and the techniques, even the technology in general,
11:54
in order to become truly useful as a contributing member of the environment.
12:01
A jobbie is someone who is
12:05
perhaps already working as a security professional, and they've got the credentials to prove it.
12:09
They are contributing. They're creating tools, maybe they're programming. They're part of the product team,
12:15
and they're doing this kind of work in order to advance the field and in order to provide better tools for people that are perhaps doing social engineering pen testing.
12:26
Then you've got someone that's mature. They've already been around for a while.
12:28
They might be considered an expert.
12:31
They might even have their own forum, their own blog discussion that they started themselves
12:37
to try to bring more people into the field, or more people into the fold,
12:41
and they want to share their philosophy. They want to share their tools and promote the idea that social engineering pen testing is valuable and useful.
12:50
An organization should be doing it
12:52
to identify their weaknesses and be able to
12:56
remediate or improve their security overall.
12:58
So in conclusion,
13:01
I'll repeat again that social engineering is an art and a science.
13:05
It's not all technology. Some of it's right here between your ears. You need to think and act and behave and train yourself in order to become convincing to your targets. You can get them to do what you want, say something that you want, or get them to give you information.
13:22
It's not something that is
13:24
a skill set that's acquired easily. It can be for some people,
13:28
but for most people they have to practice. They have to
13:31
perfect their craft over some period of time.
13:35
We know that language maps to our experience, as I say.
13:41
People that are very skilled with language can detect
13:45
the nuances in what people say and how they move and what facial expressions they use, and that gives them clues on how to adapt their techniques in order to get the best possible result.
13:58
We know that there's a concept,
14:01
the human buffer overflow, right?
14:03
I used the example earlier of trying to back somebody into a corner emotionally in order to get them to do the desired behavior or to take the desired action.
14:13
If you fill somebody's head with enough information and then you're able to change course quickly, they might do what you're expecting them to do because they're not
14:22
able to switch contexts quickly enough. That's sort of a human buffer overflow, similar to a computer buffer overflow. It's an interesting idea.
14:30
And then, lastly, we have to try to think about ways to become
14:35
artfully vague. You're giving information, you're getting information. Sometimes you leave details out, and that becomes useful because if you constantly give all the detail that you know about, you might tip off the target. The target might become suspicious. So leaving certain things out, leaving certain things unsaid,
14:52
can produce better results overall.
14:56
It's an art and a science. Again, a difficult thing to master.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor