Cyber Security Landscape
About me
Josh Pauli
Associate Professor of Cyber Security
Dakota State University (Madison, SD)
10 years and counting!
About DSU’s Programs
We have 300+ students studying: Cyber Operations (Cyber Security)
Computer Science
Cyber Operations
Largest degree on campus (170 / 1200)
Explosive growth in the last two years (55 in ‘11; 70 in ‘12)
Want the best and brightest regardless of computing history
A great mix of: Programming Networking Operating systems “hacking”! Ethics Critical thinking
Cyber Corps
Full ride scholarships + attractive stipend
$35,000-40,000 per year including $20,000 stipend
Work for Gov’t agencies after graduation National Security Agency (NSA) Central Intelligence Agency (CIA) Space and Naval Warfare Systems
Command (SPAWAR)
Center of Excellence in Cyber Operations
NSA wants the most technical cyber experts
DSU was selected as 1 of 4 in the entire nation Now 8 schools
Only public institution in the nation
Only program with dedicated Cyber Ops program in the nation
Only undergraduate program in the nation
Cyber @ DSU
Best Cyber Operations curriculum in the nation
Cyber Corps scholarships to save over $100,000
Top Secret security clearance before graduation
Work on the top security projects in the world
25 years old: Undergrad & Graduate degrees in Cyber Operations Top Secret government security clearance 2-3 years of experience in a Federal agency Any job you ever want anywhere you want it
Today’s Rundown
1. What’s technical social engineering (TSE)?
2. Timeline of hacking
3. AV is dead! Long live AV!
4. How to prevent TSE attack
5. TSE in penetration testing
6. Q & A
What’s technical social engineering (TSE)?
TSE != traditional social engineering
It’s NOT: Physical impersonation Pretext calling Dumpster diving
Still good stuff; just not what we’re talking about today!
It is
Relying on people being: Gullible Greedy Dumb Naïve
And using technology own them!
What’s this “owned” you speak of?Remote code execution
Administrative rights
Key loggers
<<insert juicy payload here>>
We are actually pretty good at:Not clicking linksOpening filesVisiting websites
But it only takes 1 person!
This is why we can’t have nice things…
Timeline of hacking
That escalated quickly
Future is now
AV is dead! Long live AV!
AV is good at what it does
But it’s not enough Just one “layer”
Signature-based = always behind
How AV vendors work (simplified) Why security researchers giggle at this
How to prevent TSE attack
In a word: You
And only you!
User Awareness Training Currently a raging debate in InfoSec
Fear v. education Punish v. reinforce
TSE in penetration testing
TSE is PT; PT is TSE!
“Check the box” v. “Get after it!”
TimingScopePriceSo this is red team? Who can actually do this?
Q & A