Security Psychology
Topics We’ve Covered
• Ethics
• Distributed Systems (and attacks thereof)
• XSS
• CSRF
• SQL injection
Most of these attacks are enabled by social engineering.
Today’s Class
• Pretexting
• Phishing
• People vs. Computers
• How this relates back to the other topics
Verizon Breach Report (2017)
• 1,616 incidents, 828 with confirmed data disclosure
• Web Application Attacks, Cyber-Espionage and Everything Else represent 96% of all security breaches involving social attacks
• Actors (breaches): 99% External, 1% Internal, <1% Partner
• Motives (breaches): 66% Financial, 33% Espionage, <1% Grudge
• Data compromised: 61% Credentials, 32% Secrets, 8% Personal
• 43% of breaches involved social engineering
  • 93% phishing
  • 5% pretexting
Verizon Breach Report (2017)
• Breach Targets
• Compromised Data
Pretexting
• Pretending to be somebody you’re not to gain access to a system
Classic Pretexting
• Impersonate the CEO to trick an employee into transferring money
  • particularly their secretary
  • time crunch
  • etc.
• “You’ve been selected for jury duty! Give me your SSN.”
Kevin Mitnick
• Age 13: Pretexting + dumpster diving to gain free access to the bus system
• Art of Deception (released right after he was released from prison for wire fraud):
  • Pretend to be an employee’s colleague
  • Get the employee to “help”
HP Pretexting
• HP boardroom leaks (2005)
• Investigators called up phone companies, pretending to be HP board members
• Obtained call records
• Charges against HP Chairman (at the time) Patricia Dunn and others involved
  • most later dropped
Protecting against Pretexting
• Operational security (opsec)
• Rules about limiting access
• Train staff and explain the rules
• Hard: senior people are hard to change
Phishing
• Pretending to be a corporation you’re not to gain access to an individual’s credentials to a system
Phishing - VIBR Click Through Rate
Phishing
Target Phishing
• Spear phishing attack on an HVAC firm
• Stole credentials
• Put malware on their computers
• Spread to the rest of the system
Target aftermath
Targeted vs. Untargeted
• Targeted: want access to your organization
• Untargeted: want access to banking credentials, social media logins, etc.
Protecting against Phishing
• Operational security (opsec)
• Email clients not allowing clicks on links
• Not downloading attachments
• Not answering the phone for numbers you don’t recognize
• Outbound firewall rules
What people are bad at
• Bad short-term memory
  • 7 +/- 2 choices at once
• Capture errors
  • Click “OK” without reading
• Post-completion errors
  • forget ATM card in the machine
• Following the wrong rule
  • look for a lock symbol
• Don’t understand
  • many, many things
What people are good at
• Image recognition
  • CAPTCHAs
• Understanding speech
Recommend
More recommend