Social Engineering - The Greatest Threat
Video Transcription
Social engineering, and this topic, is just a real passion of mine, because so many organizations do not protect themselves against leaks due to social engineering. I believe we don't train our employees enough, we don't hold our employees accountable, we don't raise awareness, and there are so many ways that a social engineer can gain access: either to your physical security, your physical building, your facility, or your information.

When we talk about social engineering, that's a type of masquerading. I'm masquerading in such a way that I present myself as someone that you can trust. Someone that belongs here, someone that should be given access to whatever I'm asking for. Maybe I call and tell you, "Hey, this is Kelly in the branch office, in office 3397," and because I know the store number, that might validate me, and you say, "Oh, okay, she's in her Tampa office, whatever." But the idea is that I use social techniques, and a lot of times, if you look at the different types of social techniques, they're very much like sales techniques, because I'm really selling myself. I'm trying to create that illusion of trust.

Some of the techniques that social engineers use: things like phishing, pretexting, baiting, quid pro quo, tailgating. These are just a handful of them.

When we talk about phishing, that's directly contacting someone through email. Actually, it's not necessarily targeted at an individual. The idea is the more email I send, the more likely I am to find somebody that will fall for my tricks. If I cast a large enough net, I will catch some phish. It's spelled with "ph" because phishing originally began with phone conversations, and we all probably remember those phone conversations. I got a message on my phone not long ago that said, "Your credit card has been compromised, please call us and provide us with your credit card number so that we can verify this purchase was yours," or whatever. If it's the bank telling me my card's been compromised, why do I have to give him my card number? That's the idea of phishing, either by phone or email. Most of us think that we know that today.

Pretexting means that I'm coming in with an apparent reason for needing the access I'm asking you for. I am operating on some pretense, or some pretext, for being there. "Hi, this is Kelly from Piedmont Natural Gas. We've had reports of a gas leak in your facility, and it's been traced to this floor. I'm going to need access to all the rooms. Let's start in the back first." Something like that, with some urgency to it, with a significant consequence, gives me the pretext for going in and having more access than a receptionist would normally allow a stranger.

Baiting. Can I just give you little pieces of information? I hope that you come back with more. Can I find the right terms, the right words, that would trigger you to come back with a response? I know sometimes at used car dealerships: "If you're not capable of making this decision yourself, let's ask your wife, maybe she can make that decision for you." That approach of saying, "Well, if you are not a grown-up, let me find someone that can," that's baiting, and we do that with social engineering as well. "Well, John, I was told to ask you, but clearly you're not the person I need. Do you have a supervisor or somebody that can actually help me?" That's coming back with a little more authority, and I'm baiting you. I'm just pushing your buttons to see how you'll respond. A lot of times people come back and say, "I have all the authority you need. What can I help you do?"

Quid pro quo: you do something for me, I'll do something for you. For instance, "If you'll just give me this information so I can create my report, I'll make sure that you're given full credit. That'll be a great feather in your cap professionally, because this is an important report. You help me and I'll help you."

Then we've already talked about tailgating, following somebody else in on their card swipe, sometimes called piggybacking as well.

There's just a handful of tricks. The bottom line is, social engineering is huge today. The days of me trying to hack into your wireless network, break it in eight years, or decrypt your mail going across the wire. If I want to gain access to information, I'm going to come up to you at about 9:30 and say, "Hey, I'm here from the tech support team and we're updating all the systems. I need to run a couple of updates on your computer. Why don't you give me about 10 minutes, go grab a cup of coffee, and by the time you come back, we'll have everything taken care of." Now, you don't even need to sign out. It's going to be very short. These little things. If you're not going to fall for that, think about it for a moment. Don't just think about yourself; somebody in your office might, and all it takes is one.

With social engineering, it's all about an attacker using their social skills, their charm, in order to gain access to things they shouldn't have. We have to fight back. If that's the case, then what do we do?

Well, multi-factor authentication, from a technical perspective as well as an in-person perspective. For instance, before someone is able to log in to a system, they have to provide a password and a thumbprint swipe: two forms of authentication before they gain access. But just like when you call me and you say, "I am customer ABC and I need to find out what my account balance is," well, I'm going to make that customer give me multiple factors of authentication so that I can ensure I'm speaking with the correct customer, and be very hesitant to give out any information without having a real assurance that I'm talking to the party that I think I am. The more ways we require that party to authenticate, the better off we are.

Now the second bullet point. I hate to sound cynical, but I am. The idea is trust no one. When you think about that idea, we take for granted sometimes that people are good, that we all just want to help each other, and we know that's not true, but I think most people, for the most part, people are good. That's part of the reason that they're so susceptible to social engineers: social engineers prey upon your desire to help, your desire to do the right thing, to be courteous and polite. Many times people just have difficulty saying no. People have difficulty saying, "I'm just not authorized to release that information." That's the world that we live in, and we have to become comfortable with saying no and not just implicitly trusting. Unfortunately, we live in a world where you have to inherently distrust.

Company policy. When in doubt, refer back to company policy. If you're still not sure, call your supervisor. Get your security team involved. I would say I never want my name to be at the top of a bad decision. If I'm really feeling pressured, and I'm not sure what to do, I'm going to find somebody else to make that decision for me. I don't want it coming back.

Don't give in to pressure. Like I said, if you're feeling pressure, call your supervisor, call your security team, let it be a fair decision.

Make sure you have anti-malware. If you do make the mistake of connecting somewhere and getting some infection, an anti-malware program can usually help with that.

Don't leave important stuff on your desk. We talked about a clear desk policy a little bit earlier.

Again, when in doubt, call your security team. Not just before, but after. One of the things I want to encourage you is, if you think you've made a mistake, it's not too late to call your security team. Nobody likes to be the person that calls somebody and says, "Yeah, we screwed up." But we've all made mistakes, and social engineers tend to find a way to catch you when you're busy. There's a lot going on and sometimes we're not thinking clearly. When you realize that you have given out information you shouldn't have, or that maybe there's been a compromise, the idea of "ignore it and it will go away," oddly enough, does not work in the realm of IT security. Pick up the phone, call the security team. Let them know you've made a mistake. It's infinitely easier to correct a mistake right after it happens than waiting until things explode down the line.

Do your best to protect yourself and your organization from social engineers. This really is the new face of security compromise, and it really starts in our desire to be helpful and our policy of trust.