© 2014 Solutionary, Inc. November 18, 2014. ActiveGuard® U.S. Patent Nos 6,988,208; 7,168,093; 7,370,359; 7,424,743; 7,673,049; 7,954,159; 8,261,347
Hacking the Person: Social Engineering and Phishing Attacks
Jon-Louis Heimerl
What do I know?
Hello. Help Desk. Jim Stanton speaking.
Ray? You sound like crap, man.
No problem. What do you want for a temporary password?
Social Engineering
• The art of social deception and manipulation.
Most important skill for Social Engineering
What do you want to attack?
Vs.
How Successful?
Social Engineering Success Rate (chart: Success vs. Failed)
How Often?
(chart legend: SE & Phishing, NONE)
Advanced Persistent Threat?
• Reconnaissance
  Social Engineering – malicious intelligence
  Phishing – email with malicious links – CLICK ME!
• Active Attacks
• Remote Control
• Attack Expansion/Elevation
• Define Target
• Exfiltrate Data
(diagram label: Persistent Compromise)
+ =Social Media BMW
Gary
Gary
Which Subject Line is More Intriguing?
General                              Specific
Ebola Warning!                       Health Alert: Ebola Quarantine issued in Pittsburgh!
Go Back to School Now!               NOTICE: Lynn Heimerl Academic Suspension
Lower Health Insurance Rates         Final Notice: Solutionary Open Enrollment ending for Jon Heimerl
Dangerous Drug Side Effects          WARNING: Aventis warns of fatal LASIX side effects
Refinance Now – Lower HARP rates!    Wells Fargo offering special refinance rates in Pittsburgh
Phishing Email?
http://chase.com.ealertsonline.com/update/3393328410575c1867da2dfde44ce78a/Home.php?login.psp?
Actual host of that link: chase.com.ealertsonline.com (the "chase.com" prefix is only a subdomain label; the registered domain is ealertsonline.com)
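As an added example (not part of the deck), a small Python checker that takes the slide's URL apart the way a reviewer should: it extracts the host, reports the registrable domain, and flags a protected brand name that appears as a subdomain of some other domain, plus the plain-HTTP and "login" lure signals. The brand list is an assumption; a real check should also consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# The phishing URL shown on the slide (the page's own example).
PHISH_URL = ("http://chase.com.ealertsonline.com/update/"
             "3393328410575c1867da2dfde44ce78a/Home.php?login.psp?")

# Assumption (not from the deck): brand domains the organisation wants to protect.
BRAND_DOMAINS = ("chase.com", "wellsfargo.com")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the hostname.
    A production check should consult the Public Suffix List so that
    hosts under suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brands(host: str) -> list:
    """Brands whose labels appear in the hostname somewhere other than at
    the end, i.e. as a subdomain of an unrelated registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    found = []
    for brand in BRAND_DOMAINS:
        blabels = brand.split(".")
        n = len(blabels)
        # Stop before the final position: a brand at the end IS the real domain.
        for i in range(0, len(labels) - n):
            if labels[i:i + n] == blabels:
                found.append(brand)
                break
    return found


def analyse_url(url: str) -> dict:
    """Summarise the deceptive features of a URL the way a reviewer would."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    lure_text = (parts.path + "?" + parts.query).lower()
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "spoofed_brands": spoofed_brands(host),
        "plain_http": parts.scheme == "http",   # a bank login over HTTP is itself a red flag
        "login_lure": "login" in lure_text,     # credential bait in path or query
    }


if __name__ == "__main__":
    for key, value in analyse_url(PHISH_URL).items():
        print(f"{key}: {value}")
```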
www.urlvoid.com
www.ipvoid.com
TANSTAAFL
• You are not related to a Nigerian Prince.
• No one is sending you money (or gold, etc.)
• Your bank/credit card did not send you a link to “login here”.
• You did not win a jackpot/sweepstakes, et al.
• You are not getting a car at 50% off MSRP.
• The IRS did not send an audit notice by email.
• You do not have outstanding warrants.
- TRAIN -
Don’t think “Awareness”
Think “Change Habits”
Being a Little Paranoid is Good
What is your security posture?
Hacking the Person: Social Engineering and Phishing Attacks
Jon Heimerl
Senior Security [email protected]
www.solutionary.com
@solutionary @jonheimerl
Thank You!