“Hacking the Corporate Mind: Using Social Engineering Tactics to Improve Organizational Security Acceptance”
by James Philput
As usual, here is the official abstract…
Network defenders face a wide variety of problems on a daily basis. Unfortunately, the biggest of those problems come from the very organizations that we are trying to protect. Departmental and organizational concerns are often at odds with good security practices. As information security professionals, we are good at designing solutions to protect our networks, and the data housed on them. That said, we are awful at communicating the need for these controls in a way that the users will either understand or listen to. In this presentation, I will discuss using social engineering techniques against your organization’s users. Through the application of social engineering tactics, I will show how to bridge the gulf between the user and the information security team, allowing for better security awareness, better adherence to information security policy, and fewer difficulties in user acceptance.
And some notes I took based mostly on my tweets during the talk put together in a slightly more intelligible way…
- James is going over the outline of his talk: Define the Problem, Define the Rules of Engagement, Attack, and Lessons Learned.
- Embarrassing things are getting shared. Can’t we all just get along?
- Largest obstacle to acceptance is us. Huh? We aren’t communicating well with management after they overrule us, or with users in general.
- Perhaps we need to be more flexible, and it’s a communication problem … basically we suck at it. Makes sense.
- From user perspective … security just needs to get out of the way so we can do our job.
- Sometimes business need trumps security … bringing in the risk analysis angle.
- Follow-up discussion to accept risk: a quick email confirming that we will be ignoring a regulatory requirement.
- Or maybe mention the fallout being their executive reputation.
- From user perspective we need to be a little more outgoing and talk to them about why we do things.
- We can say to stop things, but collect the data and pass it off to HR to make the decision. That way security isn’t the mean guy.
- We are good problem solvers though, so perhaps social engineering is something.
- Title of current slide – Talk you Introverted Bastards … communication is key.
- Learn small talk … so perhaps attend those silly office functions. We become real people to them.
- Take the 30 seconds and ask people questions instead of just ignoring them when walking by. Makes us much more approachable and more human.
- Now on to the attack … Find out all you can about your users and figure out a way to infiltrate your target office group.
- Ask about the target’s hobby. Fashion is very important (necktie, suits, …). So dress like them.
- “Clothing has a surprising way of getting people’s attention.” Suits listen to suits.
- Examine the target to find out about what they talk about. Use their names in conversations.
- Now use what we learned to strike. You are no longer security; you are a human. Start talking to them as an acquaintance.
- Listen to your users and be flexible. Lessons learned…
- Focus on the audience, know their strengths and limitations, and shorten your emails.
- Adjust communications per the type of user you are going for (e.g., execs: mention only what’s important to them; management: more detail).
- Conclusion: Communication solves problems, understand your users and adapt, explain limitations, …
#####
Were you at Black Hat and saw this talk? What did you think? Let us know in the comments below. Today’s post pic is from BlackHat.com. See ya!