All right. For our next section, we're gonna talk about ways that you can detect and prevent social engineering.
So not everything that we talked about in this course is going to be
offensive. Some things are defensive, and it's good to understand both sides of that because
if you're the victim of a social engineer, you want to be able to notice what they're doing and be able to take evasive maneuvers if you want, or shut them down in some other way.
One way to think about this is just being
suspicious of anything that seems to be out of the ordinary.
You don't want to become paranoid, of course, but if someone's doing something, someone's saying something, they're acting a certain way, if your gut is telling you that that doesn't seem right, it probably isn't.
If we flip that around, the last thing you want to do is to introduce those feelings into your target if you're social engineering them.
You don't want to give it away by doing something or saying something or behaving in a way that indicates that your behavior is not genuine.
That's a big, big factor.
Performing due diligence, checking things out. The old Russian proverb, trust but verify, right? That applies here in a huge way.
I mentioned this before: becoming digitally quiet.
One thing you'll notice when you use Kali is that they have a nice
slogan in the background of their desktop.
Basically, the gist of it is that the quieter you become, the more you are able to hear.
That's good advice for just having conversations, right?
It's very difficult to listen to somebody if you're talking at the same time. So the quieter you become, the more you can hear. It's a good idea.
And then becoming unpredictable can also be a big benefit for the engineer and for the potential target.
If you don't fall into patterns of behavior where you do the same thing every day, the same way, or you say things the same way,
this can kind of keep your target off balance or, if you are the target, it keeps your social engineer or the attacker off balance.
So not being predictable was a good thing
offensively and defensively in this case. Other things to think about: what kind of physical security controls
might be in place that would thwart the attempts of a social engineer?
I mentioned having a dumpster in a gated area,
authorization or identity checking at entrances to a building. All entrances, right, not just the front door. The side door where smokers hang out is equally important because that might be a weak spot that the social engineer could try to exploit.
You want to also think about user awareness training
in a general sense. Everyone in an organization should have user awareness training, although that doesn't always happen.
Some people in the organization require advanced user awareness training or security awareness training because
they have more responsibility. They might be in a role where they're more vulnerable,
so they need to be even more aware of social engineering attempts or identity theft attempts, phishing attempts and so on.
Beyond this, we need to consider the legal aspect.
Obviously, if you're being hired to do a social engineering pen test or an audit, you get permission from your client.
You have various legal documents showing your rules of engagement, the scope of the engagement.
This is your get out of jail free card, right? If you're doing things that would normally be considered illegal,
your pen testing agreement, your document,
proves that you have been given permission to do these things by your client.
In some cases, that may still not prevent you from getting in trouble, so you have to be careful.
You can't just assume because you got permission to do something that the laws don't apply. They still do apply. Don't assume otherwise.
If you're new to pen testing, you may even want to consult with a lawyer to have them review the contract to make sure that it makes sense. Make sure that it's legally sound and that you're not going to open yourself up to prosecution or lawsuit
because you do something which wasn't properly protected or wasn't properly identified in your contract.
This is a very important step.
What about search engine optimization, SEO?
This could elicit lots of good clues for the social engineer.
They can look at how your
website appears, or how the organization's website appears, in search engine results.
They might be able to make certain educated guesses or infer certain facts based on the metadata that your site contains and how it could be used for their purposes. That goes back to the cool tool because it can crawl metadata.
Many other tools could do these things as well, but these are ones that I chose for the introductory course.
These are useful because they're simple, and they produce great results with a fairly little amount of effort.
Let's look at some other social engineering detection and prevention ideas.
Your sent items folder in your email client:
you might want to maintain this, and what I mean by maintaining it is understanding
where you sent messages to and maybe organizing those. If you're conducting a social engineering audit, you want to be very meticulous about keeping records of what you did and when you did it, how you did it.
There are lots of tools you can use to record your activities on the desktop, tools like Bandicam or Camtasia.
These are the same tools that I use to create the demos that you've been watching.
So these are terrific tools to use while you're doing your pen testing
and your other social engineering activities because now you can record that as a movie and then go back later and review that and make your documentation and so on from that result.
Other things to think about, more from a protective point of view or preventive point of view, is to think about changing all of your privacy settings for any social engineering, or sorry, social networking
sites that you use: Facebook,
Twitter, LinkedIn. All of these have some privacy settings, which can reduce your attack surface from a social engineering or hacker's point of view.
Untagging yourself from photos, deleting blog postings,
trying to reduce your digital footprint, becoming digitally quiet. These are good concepts to remain
less vulnerable to social engineering.
And, of course, from an offensive point of view, you want to try to find targets that do not do these things. They don't know they're supposed to. Maybe they're lazy. Maybe they haven't gotten around to it yet.
That gives the advantage to the social engineer because that information is out there waiting to be discovered.
You can also consider using anonymizer websites for doing your searching.
I used Google as an example because they created the advanced operators.
But you can easily use a search engine like Startpage.
This is a great search engine. It's SSL. It doesn't save your IP addresses, and basically it acts as a proxy to Google,
so you can still
use your Google advanced operators, but you're not using Google's website directly. Your identity, your IP address, is being insulated from that.
Also, with Startpage in particular,
the results that you get from a search, you can usually view those through the Startpage proxy called Ixquick.
Now your search is anonymous and your visiting of the website is anonymous. That could be important if you're trying to remain digitally quiet.
DuckDuckGo offers very similar features that Startpage does.
You could also use anonymizer websites or proxy websites
that'll change your IP address, and you can make proxy changes. All kinds of advanced techniques that we'll cover in later videos that show you how to remain more hidden as you're doing some of this activity.
This course is more about introduction to the techniques and methodology that you can use to get started.
So I got some terminology here which you might find interesting or maybe even humorous.
We start off with the newbie.
This is someone that's brand new to this type of work. They're just starting to explore some of the tools. They're trying to figure out what's what. Maybe they're watching videos like this one, trying to get themselves motivated, to get excited, get started. But they're not really knowledgeable yet, so
they're not much of a danger to themselves or anyone else at that point. You might also refer to someone as a cool B. This is someone who's maybe got a little bit introduced into the community. They made some friends. They might have established relationships, trying to build trust,
trying to become one of the hackers, one of the social engineering guys.
The next step would be someone who's maybe curious, curious beat.
They're trying to elevate their reputation and their profile a little bit
by trying to dig a little deeper, looking at what the tools really do. Maybe they're looking at the script, seeing how they work.
They're tinkering, they're changing things. This indicates a slightly more advanced level of interaction with the tools,
and people that are at this stage sometimes decide that they want to create their own tools. Maybe they've got some programming skills, and they want to head off in that direction. The real being, on the other hand: this person
is becoming more involved. They're doing research. They're perhaps
building things like a Kali distribution. They may be building some different tools, trying to do things
at a more advanced level,
trying to join blogs or join discussion boards,
putting their opinion out there a little bit and also at the same time trying to elevate their position within that community.
Someone who's taking the real beach to the next level.
They've got well informed opinions and viewpoints on different topics.
They're getting more involved in the community, maybe
doing some posts, asking questions, stating opinions, trying to get responses, trying to grow and become more useful
in the social engineering pen testing world.
It could be that you are a student, and even though you're doing this kind of work,
you decide that you want to go get a job in the security industry.
So this is kind of like the black hat person trying to become a white hat.
They're going from perhaps the bad side of hacking
in order to use their skills for good, to get a legitimate position in a security firm.
And of course, those people are trying to keep their past hidden as best they can because they don't want
potential embarrassment or they don't want to lose their job because they have
maybe a past where they did some things that might not have been completely legal.
We go to the probie.
This is someone that does try to get a job in that field, but maybe they're not good enough yet. Maybe they end up working at a gas station or they're flipping burgers
because they can't seem to get a foot into the door for a real social engineering or security professional type of situation.
It does take many years of experience in IT before you can even really become qualified to work in the security field.
It's not something that you jump into right away.
It takes time to grow and mature into the tools and the techniques, even the technology in general,
in order to become truly useful as a contributing member of the environment.
A job he is someone who is
perhaps already working as a security professional, and they've got the credentials to prove it.
They are contributing. They're creating tools, maybe they're programming. They're part of the product team,
and they're doing this kind of work in order to advance the field and in order to provide better tools for people that are perhaps doing social engineering pen testing.
Then you've got someone that's mature. They've already been around for a while.
They might be considered an expert.
They might even have their own forum, their own blog discussion they started themselves
to try to bring more people into the field or more people into the fold,
and they want to share their philosophy. They want to share their tools and promote the idea that social engineering pen testing is valuable and useful.
An organization should be doing it
to identify their weaknesses and be able to
remediate or improve their security overall.
I'll repeat again that social engineering is an art and science.
It's not all technology. Some of it's right here between your ears. You need to think and act and behave and train yourself in order to become convincing to your targets. You can get them to do what you want, to say something that you want, or get them to give you information.
It's not
a skill set that's acquired easily. It can be for some people.
But for most people they have to practice. They have to
perfect their craft over some period of time.
We know that language maps to our experience, as I say.
People that are very skilled with language, they can detect
the nuances in what people say and how they move and what facial expressions they use, and that gives them clues on how to adapt their techniques in order to get the best possible result.
We know that there's a concept,
human buffer overflow, right?
I used the example earlier of trying to back somebody into a corner emotionally in order to get them to do the desired behavior or to take the desired action.
If you fill somebody's head with enough information and then you're able to change course quickly, they might do what you're expecting them to do because they're not
able to switch context quickly enough. That's sort of a human buffer overflow, similar to a computer buffer overflow. It's an interesting idea.
And then, lastly, we have to try to think about ways to become
artfully vague. You're giving information. You're getting information. Sometimes you leave details out, and that becomes useful because if you constantly give all the detail that you know about, you might tip off the target. The target might become suspicious, so leaving certain things out, leaving certain things unsaid,
can produce better results overall.
It's an art and a science; again, a difficult thing to master.