security psychology topics we ve covered
play

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL - PowerPoint PPT Presentation

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting


  1. Security Psychology

  2. Topics We’ve Covered • Ethics • XSS • CSRF • SQL injection • Passwords • Command injection • Scanning • Malware

  3. Most of these attacks are enabled by social engineering.

  4. Today’s Class • Pretexting • Phishing • People vs. Computers • How this relates back to the other topics

  5. Verizon Breach Report (2017) • 1,616 incidents, 828 with confirmed data disclosure • Web Applications Attacks, Cyber-Espionage and Everything Else represent 96% of all security breaches involving social attacks • 99% External, 1% Internal, <1% Partner (breaches) • 66% Financial, 33% Espionage, <1% Grudge (breaches) • 61% Credentials, 32% Secrets, 8% Personal • 43% of breaches involved social engineering • 93% phishing • 5% pretexting

  6. Verizon Breach Report (2017) Breach Targets Compromised Data

  7. Pretexting • Pretending to be somebody you’re not to gain access to a system

  8. Classic Pretexting • Impersonate CEO to trick an employee to transfer money • particularly, their secretary • time crunch • etc • You’ve been selected for jury duty! Give me your SSN.

  9. Kevin Mitnick • Age 13: Pretexting + dumpster diving to gain free access to the bus system • Art of Deception (released right after he was released from prison for wire fraud): • Pretend to be an employee’s colleague • Get employee to “help”

  10. HP Pretexting • HP boardroom leaks (2005) • Investigators called up phone companies, pretending to be HP board members • Obtained call records • Charges against HP Chairman (at the time) Patrician Dunn and other involved • most later dropped

  11. Protecting against Pretexting • Operational security (opsec) • Rules about limiting access • Train staff and explain rules • Hard. Senior people hard to change.

  12. Phishing • Pretending to be a corporation you’re not to gain access to individual credentials to a system

  13. Phishing - VIBR Click Through Rate

  14. Phishing

  15. Target Phishing • Spear phishing attack on HVAC firm • Stole credentials • Put malware on their computers • Spread to the rest of the system

  16. Target aftermath

  17. Targeted vs Untargeted • Targeted: want access to your organization • Untargeted: want access to banking credentials, social media logins, etc.

  18. Protecting against Phishing • Operational security (opsec) • Email clients not allowing clicks on links • Not downloading attachments • Not answering the phone for numbers you don’t recognize • Outbound firewall rules

  19. What people are bad at • Bad short term memory • 7 +/- 2 choices at once • Capture errors • Click “OK” without reading • Post-completion errors • forget ATM card in machine • Following the wrong rule • look for a lock symbol • Don’t understand • many many things

  20. What people are good at • Image recognition • CAPTCHAs • Understanding speech

  21. Topics We’ve Covered • Ethics • XSS • CSRF • SQL injection • Passwords • Command injection • Scanning • Malware

Recommend


More recommend