[kcdc 2022] insider threat: what is social engineering

Speaker: Crux Conception @cruxconceptoin (pen name)

For more, see the table of contents

On walking in

  • He asked what talk was in the room and teased people about giving too much info
  • Also commented that there is too much info (the Wi-Fi password) on the badge

Social Engineering

  • Ability and talent to connect with emotion
  • Can be offline or online
  • We all do it. Ex: lying about what movie you want to see.
  • May earn trust
  • Goal is to get the target to do something or to gain data
  • Highly evolving method
  • Teaching in college now

Examples

  • Anonymous text messages with links
  • Facebook messages asking where you’re from

Exercises

  • Phishing – caller says you have tickets but you didn’t plan a trip. Asks for your employee ID to confirm. The target also gave up their name by confirming it, and said they were interested in going to Budapest (the caller got that from the screensaver). The caller called you, so they already know your name.
  • Team building – where you grew up, how many siblings you have, and a unique challenge from childhood. Think about how much you disclosed and whether you held anything back.
  • Scenario where a pen tester tries to get into the building by getting someone to let them in. Most people say they would take the person to security or get security.
  • Scenario – pen tester pretends the auto-pay info changed and asks for an employee ID
  • Companies have offices all over the US. Try to get an ID number by calling the Miami office and speaking to the receptionist, then the victim.

Useful insider info

  • Knowing how much a company would pay to recover from an attack
  • IDs
  • Names
  • Departments

Attacks

  • Fill in the blanks
  • Spoof text message numbers
  • Israeli software to crack phones. Don’t even have to click a link anymore; get access to the phone just by sending an SMS.
  • 40% of major companies reported industrial espionage incidents in 2016
  • Ex-employee stealing self-driving car info from Apple. We focused too much on China. More African students in the US than anywhere else.
  • Leaking is making info public, with a goal in mind. Info is power.
  • Spilling is like leaking without intent.
  • Sharing info at conferences. Ex: where you work.
  • Russia and China trying to steal COVID vaccine research using malware and spear phishing
  • Twitter hack on Obama/Biden/Bezos, etc. Trying to get money. Got data from internal employees.
  • Fake social media

Espionage

  • Steal sensitive data
  • Espionage is like a double life
  • Affects personality
  • Traits (thrill seeking, sense of entitlement, desire for power/control) are also found in politicians and CEOs
  • Being calm (seen in tech a lot) and having a strong sense of responsibility are helpful traits
  • May have regrets after
  • Logical at the time
  • More life crises because more than one personality

Tips

  • When someone calls and says “is this Jeanne”, ask who it is rather than confirming
  • Be cautious when people ask you a lot of questions
  • No defense. Just try to avoid answering too many questions.
  • Be careful if they initiate the call.
  • Think about info they should already know. Ex: HR has your employee ID already

Human Traits

  • In psych, “organized” means having your life together.
  • Psychopath – born that way. Sociopath – traumatic event started it

My take

Crux is an ex-cop. I like that they had someone from outside development for a different perspective than we usually get. He’s a good speaker and kept it interactive. The scenarios were fun to think about.