
So my name is Jennifer Cox and I've been working in the tech industry for 15 years now this year. The last five of them were at Tenable, working with our existing customer base and helping to consult and advise them on best practices when it comes to cyber security and everything around that, really. But today what I'm going to do is talk about something that is more of a personal interest of mine and really doesn't bear any direct relation, I guess, to what I do as a job.

So we'll start from the beginning: what is social engineering? Some of you may have heard of somebody called Kevin Mitnick; I would like to think so anyway, if you have an interest in social engineering at all. He's a very high-profile hacker who spent five years in prison as a result of his talents, shall we say, and he almost exclusively helped to popularize the term social engineering back in the 1990s. He made a career out of what it was that he does, and now he runs his own security consultancy firm, and he's an author of a number of different books around social engineering that I would absolutely recommend that you read if you get a chance to. So his definition of social engineering, taken directly from his Art of Deception book: social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is somebody he isn't, or by manipulation. Much better than any of those dictionary definitions; it actually makes sense as to what it is doing.

And of course, with the nature of anything in the wonderful world of IT and security and cyber, the terms tend to change over time. So I'm just putting up a list there of a few of, I want to say, the lesser-known terms when it comes to social engineering. You may well know some of them; I may well not know any of them. I'll cover a couple, but I won't go through them all in any great detail, because there's quite a bit that I want to cover today, but just to cover the basics at a base level, as such.

So things like spear phishing would be targeting a high-level contact, someone like a CEO of a company, but using pretexting with regards to researching and finding out information in relation to that individual and making it a very targeted approach. So you're not just looking for general information or doing something like phishing, where you're sending an email out to a mass number of targets and hoping that somebody will click on it. In this particular case you'll be gathering information very specific to that individual, whether it's on a professional or a personal basis, in order to make your attack much more targeted in its approach.

And then there's the physical type of social engineering, so something like tailgating. It sounds so simple and works so effectively. That's where you would pretend to be somebody that you're not, such as maybe a delivery person, and you're holding the box and you ask somebody to hold the door open for you in order to gain entry into an office building, or whatever the building is. From there, all you need to do is be pretty convincing, whether it's the clothes you wear or the disposition that you have, and they'll let you through the door in most cases without any questions asked.

And then at the bottom of the list there is something we've seen more activity on recently, which is smishing, and that's around getting text messages with links. There was a spate of bank ones last year: click on these details to confirm your online login details, and things like confirm your COVID vaccine appointment and your parcel delivery. We're seeing an increase in those kinds of attacks, especially susceptible to people who maybe aren't as technical, but all the same, still happening.

And then the chances are, when it comes to social engineering, on some level you have done it as well. So you may not be thinking, woohoo, I'm a social engineer, and all of the different terminology around it, but if you stop for a minute and think about it in its most simple form, as such, let's say in theory that when you were younger, you or a friend that you know used a fake ID in order to buy alcohol (not that this happens a whole lot), but that's the same idea. It's very simple: they're using something to convince a person that they are something that they're not, in order to win or gain some property, in this case from that individual, which would be the alcohol. Or maybe you went into a cinema at 15 years of age to see an over-12s movie and then dodged out of that one and went in to see the over-18s. The same idea: you've gained access to something that you shouldn't have gained access to under the pretext of being somebody that you're not, and most people do it without realizing.

Then there's shoulder surfing, as we would refer to another one of the tactics. So let's say you're on public transport, you're sitting on a train, you're bored, the scenery is not so good, and the person beside you is answering emails on their phone, or arguing with their boyfriend, or watching something on Netflix, or typing away on their laptop. It's often more interesting to just have a look at what they're doing, and without realizing it, often these people can give away a significant amount of information about themselves in a very, very small space of time.

So for me, I would say recently, but it's when we used to be able to fly last, and we all know that that's not been very recent. So I was on a plane; we were sitting on the tarmac; our flight was going to be delayed for 40 minutes, so I thought I'll amuse myself, and let's see what mischief I can get up to, really, and what information I can find out about the people sitting closest to me. So I'm in a three-seat row, I'm sitting by the window, there's a gentleman sitting beside me and then a lady beside him. None of us knew each other, but fortunately for me, the man who sat beside me obviously forgot his reading glasses and held his phone a good 18 inches away from his face while he was using it, which meant that I could easily do some shoulder surfing without him having any idea that I was doing it, because I didn't even have to turn my head to look at what he was doing.

And while I was having a look, in the space of maybe five or six minutes, I managed to identify the company that he was working for: they used a full name and full surname in the email address, and then the email address had the name of the company, obviously. So I was able to search for him on LinkedIn, find out his role, find out what he did and find out what his company did; it was engineering manufacturing. And then he was on WhatsApp talking to his family. He had two adult children; he was talking to his wife about the hotel he was staying in, the days he was coming back, when he expected to be arriving at the hotel, where he had parked his car: simple conversation that he was innocently having with his family, and I was clocking up all of this data, this information about him, and yet I'd not even spoken to him; at most we'd bumped elbows at this point.

But the most interesting thing is, right up to that point he wasn't an interesting target, and I had no intentions of exploiting this particular individual; it's just an interesting exercise to pass the time. But the next thing that he did after that was he went on to a website where he was looking at bids for antique coins, and bids on these coins had been submitted against him, and he also placed some bids on these coins, which were between the value of about two thousand euro up to about ten thousand euro. So of course this individual, who was doing nothing more exciting than the person next to him right up to that moment, wasn't an interesting target, but as soon as he was putting a ten thousand dollar bid on an antique coin, he suddenly became way more interesting to me. But like I say, in that space of time, just for the sake of amusement, I was able to find out quite a lot about his employer, himself, his employment, the amount of money that he clearly has to play with, his family, his location, his intended behavior over the next few days, and I didn't have to try; I didn't even have to ask him any questions, and that's just using the shoulder surfing technique. Then from there, like I say, the chances are you've seen some information like that from individuals without even realizing it. It doesn't make you, nor me, excellent at it, but it certainly shows you how easily some of these tactics can be used.

So recently we've had a few high-profile human attacks, as I'll call them, and very recently, 2020, 2021, obviously everything is massively different between this year and last year, so it's made some of these things a little bit more interesting. Specifically, what we've had is an attack in summer 2020 on Twitter. There were three individuals who managed to use means of social engineering to get information from Twitter employees around the admin platform for Twitter, so it meant that they were able to get access to pretty much any Twitter user's logins and posts, identification with regards to verified accounts and things like that behind the scenes. It's believed that they did it through a chat portal, made friends with these individuals and managed to get this information from them, potentially by bribing them, but that's unconfirmed, so I cannot stick by that one. But what these individuals did then is, once they got access to these accounts, and most of them were verified, so blue-tick accounts, meaning that they'd have to confirm who they are, use some form of identification, and they probably have a significant number of followers as well in order to be a verified account, these individuals targeted 130 accounts, and 45 of them they managed to successfully hack. So of those 45 accounts, there are people like Joe Biden, before he was the president, Elon Musk, and then former president Barack Obama, I think Kim Kardashian. So once they had a significant number of followers, they posted cryptocurrency links via these people's sites, and of course, of the people who follow them, there's always going to be some who believed, because it was from a verified user, that these links were in fact genuine, even though the link stated: send your cryptocurrency here and we will send you back double. Most of us in the area that we work in, I would like to think, would see that as suspicious activity, but there's always some. And as a result, in a very short space of time, these individuals managed to steal over 118,000, but of course the immaturity of their attack, as such, meant that people reported them pretty quickly; they were then discovered and arrested and didn't get any further than that. But a hundred and eight thousand dollars is not a small win for such a small amount of effort, I guess.

And then there's the Instagram Russia attack. So what happened here is that the social engineers managed to target some fake news posts on Instagram; they pretended to be one of the three state-run television networks and announced a government payout scheme. So all people had to do was to click on the link and enter in their bank details, their personal information and the equivalent of their PPS number in order to get their payout from the government, or at least that's how it seemed. It was a pretty successful attack, successful enough to make headline news in Russia, and they very easily managed to get that personally identifiable information from individuals on the head of a promise of cash in their pocket.

Then one of the more recent, and I guess more common, types that we've seen now are the phishing attacks across things like an Amazon Prime Day or Black Friday or Christmas. Because people are working from home and a lot of the stores have been closed and everybody's locked down, basically, a lot of our transactions, more than ever before, are being done online, and people are much more dependent on basic things through this means. So getting an email perfectly timed saying that your transaction has failed and your order won't arrive is catching more and more people out in 2020 than it would have done previously. Phishing is still proven to be a pretty successful means of attack, and with that you'll have people entering in their bank details, credit card details, personal information, passwords for the sites, and readily handing it over, especially around times like Christmas, where you're waiting for maybe special personal gifts to arrive. People will panic when they see it and think that the delivery isn't going to arrive, and will put in their information before thoroughly vetting the details that are there. In often cases, when it comes to things like phishing attacks, most people will see through them, and, you know, most people are capable of that; it's all about perfect timing. If you're particularly stressed, let's say, about that package coming for Christmas, and you get an email right at that precise moment where you're stressing the most about it, or there's not enough time for it to arrive, of course that's a perfect opportunity for you to click on these things.

And then finally, something that we've seen since 2020 is COVID-related attacks. So we're seeing more and more smishing attacks where people are getting text messages around close contacts that they've been in contact with, or vaccine appointments, and promises to, you know, register your information here, and to get details from that. And then of course phishing emails around the same thing; I know that Jason showed us some of those in his delivery this morning. And then calls from people saying that they're from health services and want to set up appointments and to confirm personal information from there. Fear is what enables people to hand over this kind of information for these attacks, because everybody wants their vaccine and everybody wants the world to go back to whatever the new normal is going to be, so they'll hand over that information readily in these calls.

So what can you do to protect against social engineering, and the social engineering of humans? Obviously there's a lot of technical capabilities that you can put in place to protect your network and protect your infrastructure and protect your building, but today what we're concerned about is how we best deal with our humans and help them to protect us and our businesses.

So it seems obvious: we talk about security awareness training. We want to make sure that everybody has all of the basics, so you're talking about these super simple basics like clean desk policies and locked storage. When you have your employees going back to the office (for a lot of companies they've been out of their offices for up to a year), now we have to remind them not only that it's, you know, not normal to, I don't know, break wind in front of your colleagues because you've been at home working in your home office for so long, but it's also good to remind them of some of these habits that they should have in place: not leaving personally identifying information on the desk, having locked storage to put it into, using that locked storage, shredding confidential information. And then, if they're dealing with personally identifying information, that they have additional GDPR training alongside that, so that they're aware of the implications for the company when it comes to things like fines for mistreating that information or it being exposed in some way.

And then for those on the access side of things, it's a perfect time, and it should happen often, to review IDs and review permissions. You'll have people who won't return to the office straight away, some who will return part-time, some who will be on sick leave for extended periods, and they'll be in different roles, so it's really important to check that their access does continue to match the role that they have and that it's updated on a regular basis.

But the most important thing when it comes to enabling your employees is the simulation and the testing side of things. Again, it's something that Jason mentioned earlier this morning: it's much more important that people feel these incidents than just doing 10 minutes' training once a year where they tick the box and say, I've done the video and now I'm good for my social engineering, or anti-social engineering, training for the year. That's not effective. You're talking about humans, and if humans are constantly interacting with something, then it's much more likely that it's going to be an automatic process for them to question what's happening around them. If you are facilitating training once a year, that's not going to be effective, and it's really about considering the weight of importance of that protection via your humans, and simulated testing is the best way to do that. If somebody has clicked the phishing link, has given the details over the phone, and then they have to be a part of a discussion afterwards about what they've done and how not to do it again, then they're going to remember that conversation a lot better than they're going to remember a white paper article with a couple of paragraphs about, you know, what best practices are out there that aren't real to them.

And social media sharing: it's important to make your employees aware of the risks of social media sharing. So it's not just about the company sharing information that may be sensitive to the company, or pictures of the office, or photos of people in the office that might show screens in the background; it extends beyond that. If your employees are sharing personal information on social media, like they were promoted, and they were promoted into a significantly senior role or one that has a financial uplift, that's worth talking about, and they may start seeing themselves, or they may start becoming, a target of a social engineer within your company. It's very easily overlooked, but what you'd be asked to do is to advise them (you can't make them do it), but to advise them of the risks and make sure that they're aware of these kinds of things.

Then branded workwear is a funny one. I love a free t-shirt, same as anybody else, but when it comes to branded workwear, I would say that there's one place I wouldn't recommend wearing it, and that is in and around the office. Wear it anywhere that you want, but for me, most offices these days have key cards to get access into the office, and people will wear their shirts and their hoodies and such with the brand on it, so if they're going out for their lunch they're kind of a walking advertisement for the business, which is great, but once they have the key cards stuck in their back pocket or on the back of their phone, they're at risk of dropping it or losing it somewhere, and they've done that whilst advertising the company that it belongs to and the access that's there. So I would be inclined to ask them to just cover up their logos, or not wear them around the office, and embrace all of that free workwear anywhere else that they are, but that's the only place I'd recommend not doing it.

And then for those who have to keep the assets in place, I would recommend against using branded asset tags. So it looks really cool having the company logo on your asset tags, but again, if you have employees, even with the best of intentions, they may not want to work on trains or planes or buses, but if they have, they're using their phones or using their laptops and so on from there, and they have a sticker on it with an asset tag number and the logo or the name of the company, then again it's kind of like a walking advertisement to the potential social engineer with regards to them being a target, or whether the kit that they're carrying around is likely to be of any value or have any data on it. And that's before you get into, obviously, the technical protection that you have in place, but the technical protection isn't a worry if there's no risk that your employees are going to expose the data like that. So I would recommend using asset tags, of course, but to not use your logos on those asset tags.

Then the most important thing, I would say, is to normalize the conversation. If your employees are talking about social engineering hacks that they've heard about, blogs that they've read, that it's something that is always in conversation, whether it's through, what's it called, water cooler chat at work where you're talking, or, you know, any news blogs that go out across the rest of your employees where the names of these kinds of attacks are updated on the regular and everybody is well informed as to what's happening and how other people that they know have been caught out really, really easily, then these things are going to be at the forefront of the mind, and they are going to think about it when they get a phone call that seems perfectly innocent from the tech support and they're looking for their password; it's natural for them to want to question those conversations. Again, if you're only having that conversation once a year and it's all through paperwork or online videos, then it's a whole lot less likely that they're going to remember it when it comes time.

And then, for example, I have a colleague who worked for a company, and the CEO of that company had set up a planned fake phishing attack for all the employees; not that unusual, we've all had them sent to us. He organized it on Friday that at four o'clock on Monday the fake phishing email was going to go out, and it was going to be in relation to speeding tickets. So he came in to work on Monday and went about his day as normal, then this email arrived into his inbox at four o'clock as expected and said that he needed to pay his speeding fine urgently. And he panicked, because on Saturday morning he had of course been stopped for speeding and was expecting a ticket, and was wondering how the hell were they so efficient that they sent this ticket now, and I don't want my wife to find out about it, and what am I going to do. And he clicked on the link and he paid his ticket, and as soon as he hit submit on his payment, that was the moment when he realized that he had fallen for his own attack. So we call that a facepalm moment.

And then for me, I've had a tailgating incident, I guess, when I was working in an office and we had a new general manager that I hadn't met yet. So I was the first person in the office in the morning, somebody came through the door behind me, and I was tempted, as you would be, to not say anything; they seemed to know where they were going and they were about to head off to the desk. But I thought, I don't know this person, I'm the first one here, we have a new GM, I do not want to get called up on this one because we have a new GM. And so I turned around and I introduced myself to him and told him who I was, and he turned around and introduced himself back to me, and it turns out that it was in fact our new GM. So gold star for me; thank goodness I didn't get caught out for that one.

So in the event of an attack, if somebody has been successfully socially engineered in your office, what do you do? How do you get around that, or what do you do with regards to learning from that? So the most important part, I would say, is no consequences. I really believe that if your employees feel safe in reporting an incident like this, then you're going to be in a much better position when it comes to protecting your data and protecting your employees. So if your employee is scared of retribution and thinks they're going to get fired for making a mistake, and they don't tell you about it: there's only one thing worse than finding out that someone in your office has been socially engineered and the social engineer's got access to your network, and that's finding out about it days or weeks or months later, or maybe not at all. So you want to make sure that your employees feel comfortable reporting it. I mean, there's always going to be the one who's the fool and keeps making mistakes all the time, and you deal with that separately, but for the most part people want to do the right thing and they want to be good people, and so you want to make sure that they feel comfortable reporting that stuff to you.

And then reward them. So if they do notice suspicious behavior, whether it's among employees or people hanging around outside, and they report it, then, you know, reward them by whatever means you deem necessary. If they hand in any USB key that's clearly not belonging to the company or wasn't issued by IT, again, good behavior. And if they're reporting that their badge has been lost or stolen within a certain amount of time, or they hand in one that belongs to somebody else, or they forward on an email that looks like it's suspicious and send it on to the tech department, all of that behavior should be rewarded, should be incentivized in some way. Some people might go so far as to say it should be gamified; I do like that idea, I don't know how practical it is, but then I would certainly make sure that people feel that it's the right thing to do, because I could say for the most part that's how they want to behave.

And then if it happens, if somebody does manage to be socially engineered and hands over their password, or something happens, then review that situation. You need to sit down and talk to, not just them, get all the details of how it happened, what was said, what they gave over, what you implemented afterwards in order to protect the data and the individual and the company generally, but you need to take that review and send it back across the greater employee body and make sure that they're aware of what's happened. And then the last bit is relearn. So again, not to do the training and assessment once a year; keep bringing these new experiences into it, these new terminologies, anything at all, and make sure that it's a conversation that's happening all the time. The main point is that you want to keep that at the forefront of your employees' minds, and otherwise they're not going to be able to defend you and your data when the time comes. And that is it. Does anybody have any questions?

Thank you so much, Jenny, for that talk, great insight. There's no questions on the chat, but I have one myself I'd like to ask. So you mentioned that facepalm moment, and I've actually seen something similar in an org one time before. In saying that, do you think that corporate fake phishing campaigns, are they a necessary evil from a compliance perspective, or do you actually think they work to truly prepare staff for email-based social engineering attacks? And I know the edge case that this particular one just happened to hit the nail on the head from a timeliness perspective, but do you think they work in the main?

I do, because if you think about it, even outside of the corporate environment, it's working; phishing is still one of the most successful means of social engineering. It hasn't really become less effective, so if that's one of the ways that people are more likely to get caught, then it makes sense to use it in work, but people should use it intelligently. I mean, I've seen fake phishing emails that, there's no way, like, a donkey could tell that it's a fake phishing email. You want to put a little bit of effort into making it more convincing, because they're the ones that you're going to get caught on, and that just takes a small bit of effort on the side of the company. And the people with the best of intentions, you'd be surprised always who will get caught, and almost always somebody will click on it, obviously depending on the size of the company. But I don't think it's a negative, for sure, and people almost seem bored by it, yet they still click on the links.

Yeah, and I guess similarly, we just got a question in, in a similar vein. You mentioned, you know, the annual tick-box exercise, white paper, video training; you know, it isn't as effective as it could be, but how would you go about it? You mentioned gamification as maybe a potential for improvement in that space. What's your thoughts on that?

Well, with gamification, I like the idea of, like, a reward scheme for people who do things like patching quickly. You know the way you get a patch pushed out to your laptop, everybody hates it, they go remind me in four hours, remind me tomorrow, remind me later, and do all those things. But if people are rewarded for doing it sooner rather than later, and like I say for reporting different types of activity, it makes them interact with that whole process, and as a human, the more interaction that you have with a particular type of behavior or task or challenge, whether it's that you're building bricks or that you're doing something like this, the more likely you are to retain that as a natural reaction and automatic process, as I say. So that's, I mean, that's the way to do it: it has to be interactive, it has to be more hands-on.

Sorry, I'm not sure if you can hear me still; just turning off the video there. Okay, excellent. And just to wrap it up, one last question: what's the strangest or most unusual social engineering incident you've ever come across?

For me, it's usually the physical ones. So I've seen, I guess it's more when you look at those kind of, like, magic-trick-style ones, where somebody is using the method of distraction and taking something physically off an individual. So it's like, you can fathom someone clicking on an email, and I can fathom letting somebody in the door behind me; we're polite people, we want people to like us, and this kind of behavior is natural in that sense. But somebody actually taking something physically from me under a pretense, or using the distraction behaviors in order to do that, that kind of stuff gets me. And thankfully, personally at least, as far as I'm aware of, I haven't been targeted with anything more than the person next door, but I'm always fascinated by those ones when people can do something as obvious as lift somebody's, you know, watch or hat or handbag out of their hands without anyone noticing, by just using some simple social engineering techniques such as distraction and replacement, things like that.

Excellent, we're on time, so thank you very much, Jenny, for a great insight into social engineering and some of your thoughts. Thank you for being part of our event.

Thank you, you're very welcome.