Time
47 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:04
social engineering, and this topic is just a real passion of mine because so many organizations do not protect themselves against leaks due to social engineering.
00:16
I believe we don't train our folks enough. We don't hold our employees accountable. We don't raise awareness. And there are so many ways that a social engineer can gain access, either to your physical security, your physical building, your facility, or your data, your information.
00:35
So when we talk about social engineering, that's a type of masquerade.
00:39
And I'm masquerading in such a way that I present myself as someone that you can trust
00:45
someone that belongs here, someone that should be given access, whatever I'm asking for.
00:50
So maybe I call and tell you, Hey, this is Kelly in the branch office, you know, in office 3397.
00:57
You know, because I know the store number.
01:00
Then that might sort of validate me. Say OK, she's in our campus office. Whatever.
01:06
Ah, but the idea is that I use social techniques, and a lot of times, if you look at the different types of social techniques, they're very much like sales techniques. That's right, because I'm really selling myself. I'm trying to create that illusion of trust,
01:22
and some of the techniques that social engineers use are things like phishing, pretexting, baiting,
01:29
quid pro quo and tailgating.
01:30
You know, these are just a handful of them. But when we talk about phishing, that's directly contacting someone through email,
01:38
and actually it's not necessarily targeted at an individual. The idea is, the more emails I send, the more likely I am to find somebody that will fall for my tricks, right? If I cast a large enough net, I will catch some fish,
01:53
and it's spelled with "ph" because phishing originally began with phone conversations, and we'd all probably remember those phone conversations. You know, I got a message on my phone not long ago.
02:06
Ah, that said, your credit card has been compromised. Please call us and provide us with your credit card number so that we can verify this purchase was yours, or whatever.
02:16
You know, if it's the bank telling me my card's been compromised, why do I have to tell them the card number?
02:22
Hey,
02:23
so that's the idea of phishing, either by phone or email. Most of us think about email now, today.
02:29
Pretexting means that I'm coming in with an apparent reason
00:32
for needing the access I'm asking for. I'm operating on some sort of pretense or some sort of pretext for being there.
02:42
Hi, this is Kelly from Piedmont Natural Gas. We've had reports of a gas leak in your facility. It's been traced to this floor. I'm gonna need access to all the rooms. Let's start in the back first,
02:54
right? And something like that, with some urgency to it. A very significant consequence that gives me the pretext of going in and having more access than a receptionist would normally allow a stranger,
03:07
Uh, baiting. You know, can I
03:10
just give you a little pieces of information and hope that you come back with more? Can I find the right terms? The right words that would trigger you
03:21
to come back with the response. I know sometimes at used car dealerships,
03:25
You know, if you're not capable of making this decision yourself, let's ask your wife. Maybe she can make that decision for you.
03:34
You know, kind of that needling approach, saying, Well, if you're not a grown up, let me find someone that can.
03:39
That's baiting. And we do that with social engineering as well.
03:44
Well, uh, John, I was told to ask you, but clearly you're not the person I need. Do you have a supervisor or somebody that can actually help me?
03:52
You know, that's coming back with a little more authority, and I'm baiting you. I'm just kind of pushing your buttons to see how you respond.
03:59
A lot of times, people come back and say, I have all the authority you need. What can I help you do?
04:04
Um, Quid pro quo. You do something for me, I'll do something for you.
04:10
So, for instance, if you'll just give me this information so I complete my report, I'll make sure that you're given full credit.
04:16
And that will be a great feather in your cap professionally, because this is important,
04:21
right? You help me, I'll help you.
04:25
And then we've already talked about tailgating, following somebody else in on their card swipe, sometimes called piggybacking as well. You know, there's just a handful of tricks. The bottom line is, social engineering is huge today.
04:39
The days of me trying to hack into your wireless network and break AES, or to decrypt your mail going across the wire,
04:46
are done for me. You know what? If I want to gain access to information, I'm gonna come up to you at about 9:30 and say,
04:54
Hey, I'm here from the tech support team and we're updating all the systems. I need to run a couple of updates on your computer. Why don't you give me about 10 minutes, go grab a cup of coffee, and by the time you come back, we'll have everything taken care of.
05:09
Now, you don't even need to sign out. It's gonna be very short,
05:12
free
05:13
these little things. And if you're not gonna fall for that, think about it for a moment.
05:16
Don't you think somebody in your office might?
05:19
you know, and all it takes is one.
05:21
So with social engineering, it's all about
05:26
an attacker using their social skills, their charm in order to gain access to things they shouldn't have.
05:33
So we have to fight back.
05:34
And if that's the case, then what do we do?
05:38
Well, multi-factor authentication, from a technical perspective as well as an in-person perspective. So, for instance, before someone is able to log on to a system, they have to provide a password and a thumbprint, you know, two forms of authentication before they gain access.
05:58
What?
05:58
Just like when you call me and you say, you know, I'm customer ABC, and I need to find out what my account balance is. Well, I'm gonna make that customer give me multiple factors of authentication
06:11
so that I can ensure I'm speaking to the correct customer.
06:15
I'm very, very hesitant to give out any information without having a real assurance that I'm talking to the party that I think I am,
06:24
and the more ways we require that party to authenticate, the better off we'll be.
06:29
Now the second bullet point. I hate to sound cynical, but I am.
06:32
And the idea is, trust no one.
06:36
You know, um,
06:40
when you think about that idea,
06:43
we take for granted sometimes, um, that people are good,
06:47
that we all just want to help each other, and we know that's not true. But I think most people, for the most part,
06:54
um,
06:55
people are good,
06:56
and that's part of the reason that they're so susceptible to social engineers. Social engineers prey upon your desire to help,
07:04
your desire to do the right thing to be courteous and polite. So many times. People just have difficulty saying no,
07:14
and people have difficulty saying I'm just not authorized to release that information.
07:18
That's the world that we live in. And we have to become comfortable with saying no and not to just implicitly trust.
07:26
Unfortunately, we live in a world where you have to inherently distrust.
07:30
Company policy.
07:32
When in doubt, refer back to company policy, and if you're still not sure, call a supervisor.
07:40
All right, get your security team involved.
07:42
I always say, I never want my name to be at the top of a bad decision.
07:46
So if I'm really feeling pressured and I'm not sure what to do, I'm going to find somebody else to make that decision for me. I don't want it coming back on me.
07:57
Don't give in to pressure. Like I said, if you're feeling pressure, call a supervisor, call your security team, let them make the decision.
08:05
Make sure you have anti-malware, so if you do make the mistake of,
08:09
you know, connecting somewhere and getting some sort of infection, that anti-malware program can usually help with that.
08:16
Don't leave important stuff on your desk. We talked about a clear desk policy a little bit earlier,
08:22
and again, when in doubt, call your security team,
08:24
not just before, but after.
08:28
Right? Um,
08:30
one of the things I want to encourage you is if you think you've made a mistake,
08:33
it's not too late to call your security team.
08:37
Nobody likes to be the person that calls somebody and says, I absolutely screwed up.
08:41
But we've all made mistakes,
08:45
and social engineers tend to find a way to catch you when you're busy, there's a lot going on, and sometimes we're not thinking clearly. Okay,
08:52
when you realize that you have given out information you shouldn't have or that maybe there's been a compromise,
09:01
the idea of, ignore it and it will go away,
09:03
oddly enough, does not work in the realm of IT security.
09:07
Pick up the phone. Call the security team. Let them know you've made a mistake. It's infinitely easier to correct a mistake right after it happens than waiting until things explode down the line. Right?
09:20
Do your best to protect yourself and your organization from social engineers. This really is the new face of security compromise and, you know, it really starts in our desire to be helpful.
09:33
Our new policy: don't trust.

Instructed By

Kelly Handerhan
Senior Instructor