1 hour 44 minutes
Hey, everyone, welcome back to the course. So in the last video, we talked about various types of social engineering attacks, so we talked about things like fishing. We also talked about more targeted tax like spearfishing as well as willing. And we also mentioned smashing and fishing as some other attacks, along with things like hoax ing.
In this video, we're gonna talk through different ways. We can help protect against social engineering attacks. So we'll specifically focus on both behavioral types of things we can do as well as technical controls because humans are always gonna be the weakest link. So if we can change behaviors, that's really gonna help going
against protecting against social engineering attacks.
So as I mentioned, we talk about behavior and technical controls.
One thing to keep in mind for behavioral controls. Basically tell people like if you didn't request it, don't click on it.
I'll share an example real quick. As I pulled these other things here,
I worked for a health care organization and
one of the things I found working security was that ah, lot of times the clinician. So the nurses, the doctors, etcetera, they didn't want to do anything that I told him to do, right? So I'd say, Well, you shouldn't do this. You shouldn't do that related to security. And they totally ignored me.
Now I have a background as a nurse myself. And so one day, I sat down to say, Okay, well, look, they're not changing their behavior.
What can I do?
And so I said, Well, what would I care about? Right. So I put myself in their shoes. I said, what would I care about as a nurse?
Hearing all this from some technical person is I just don't as a nurse, I didn't care about
all this stuff. I didn't care about social engineering. Don't want to hear about phishing attacks. I just want to care for my patients.
And so I had to think through, like, what do they actually care about?
I remember some. The challenges I had as a nurse were things like, Hey, I can't take my lunch break right. If I don't get my charting done or I can't get home. You know I can't leave on time because I have all this charting to do or I can't look up what my patients like last blood pressure was when I worked in cardiology. If I can actually secure right
And so when I thought through like that, I was able to position
what I was telling people to do a lot better. And what happened with that is number one. The nursing staff was much more receptive. And number two, they change your behavior, right? We focused on the behavioral controls first, and I related it to what they actually cared about right? And the impact that would it would have on their normal day.
Now the other benefit of that which some people may say it's not a benefit. But the other benefit of doing that was when a new CEO came on board and sent on a survey
just saying, Hey, what can we improve in the company? Every single one of those nurses And I'm talking like 350 nurses. Every single one of them sent me an email and started calling me on the phone, saying, Oh my goodness, is this an evil hacker, right? Is this a hacker they trying to get us? Oh, no, that's a hacker that was getting me and
one side of that's like, Oh, goodness, I've got a lot more work right after answer all these emails and stuff. But
that was a really proud moment because I found a way to actually get through to them so much so that they had to change your behavior and that behavior had changed so much that even when it was a legitimate email going out, they were so suspicious of it, right? So that's what we have to do. So when we talk about behavior controls, I mentioned some things here. But really,
you have to focus on the end user.
And what are you able to do to relate that to what they care about? Now, if you're focused as a pen tester, think about what that individual might be doing on a day to day basis.
And as you think through that, think about
how can I get past them validating a link, for example, right? Or how can I get past them actually going to the rial website versus click on my link? So it really helps you on both sides of the fence, both the defensive side where you understand the impact of what this is what this is doing
to that end individuals day today, as well as on the pen tester side of saying Okay, well,
if there if their ultimate goal is to do this
and I want to get past them doing these security checks like, how could I manipulate them psychologically? Right, So that's what we're talking about with social engineering is all all of one big psychological game.
So let's talk about link validation that's basically use a meal, a link in an email. I throw it into something like virus total dot com or any number of you know sites and basically check to see if it flags for any male where any indication of malware, right? The other thing with Link validation is
I wanna look for things like home A graph attacks right? So basically
what that is is, let's say, instead of google dot com instead of g 00 g. L e dot com. I instead spell it in the email as g 00 g. The number one e dot com writes of the number one and the lower case l look pretty similar. In fact, depending on the phone to use,
they might look extremely similar, right?
So It's just those little tricks like that is. Sometimes it's very hard to tell. Also hidden You RL's right, so we want to validate links. It's tough on mobile devices, though, because we normally don't get a little thing that hovers over top of that link to show us. Hey, this is really what the link is going to,
um, so in those cases, again copy paste into something like Virus Total. That can really help you out quite a bit. Also validating the center like Did did Sally and Accounting really send me this? Let me call her on the phone to make sure. Or if you remember from the last video, did the CEO really send this? Let me call him on the phone or text him on the phone
and just verify this is legit
right before I go sending money off. So that's what we're talking about there,
minimizing your exposure online, just removing as much personal information as you can, scanning links again, putting them into something that virus total and then going to the actual website itself. So instead of just click on the link in the email that says go to Amazon and reset your password.
Actually, go type into Amazon and number one. See if you can log in and guess what. If you can log in, there's no issue with your password. That's common sense. So a lot of this stuff is common sense, but just different behaviors that you're doing right or that your end users were doing. Just making sure that they're taking these extra steps to validate that this is something legitimate
and then our technical control. So here we can jump into things like Sam boxing. So if you don't know that is, basically think of a sandbox is a little kid that sandboxes. A little kid would keep the sand inside of the box. Hence the name right. And that way you could keep playing in the sand, building your castles and whatever you want to do.
Part of that with a sandbox, basically what is doing many forms of it. But essentially, it's
taking anything most year end users or downloading, putting them in this sort of safe container, so to speak.
And that way, if there's any type of malicious file, it's only working. And there you can easily deleted etcetera. They're not 100% But there's some some good ones out there. Endpoint protection. So going along the lines of sand boxing also adding things like anti Mauer antivirus solutions, putting controls in place on what kind of applications can actually execute on the
ah and user device.
Whitely stinks. So let's look only let through the applications that we want and everything else automatically gets blocked. You might run into some issues with that on the defensive side, based off what the user basis using and then compartmentalization. Basically, we're segmenting stuff out. So what that means is that if I
download malley, where are my device, for example? Or if I do something, it's not going to affect your device because it's all compartmentalized in one location and kind of all of along the lines of like sand boxing. Also, we compartmentalize those files in that location where they're not actually touching our actual machine
again. That stuff's not 100% but
just something to keep in mind. There's many different forms of, like sandboxes out there, couple off the top of my head or things like buffer zone, which is more related to like the enterprise level. There's also sandbox E s. So if you go to sandbox CBO xie dot com, however, that one is the switching into open source.
I believe it was sponsored by sofas, and
it's kind of going through a transition right now. So depending on watching when you're watching this video, you might want to Google Search. Just some other ones were things like Shadow defender Deep freeze. You know there's there's many out there. Those are normally Windows based. There's not really any other Mac MCA devices have, like a built in one.
Well, so just keep that in mind, but it takes some configuration to set up.
So in this video, what is talk through some various behavior and technical controls in the next module, we're gonna jump right into a couple of hands on laugh. So we're gonna get some experience with using us the set tool, which is actually standing for the Social Engineering Toolkit. So I'll see you in the next video
In this course, students will learn about different types of social engineering attacks and gain hands-on experience in two labs using the Social Engineering Toolkit (SET).