OPSEC and defense against social engineering for devels, execs, and start-ups (PowerPoint PPT Presentation)


  1. OPSEC and defense against social engineering for devels, execs, and start-ups
     @KirilsSolovjovs on twitter
     Mg.sc.comp. Kirils Solovjovs
     http://kirils.org for more
     Possible Security

  2. Contents
     ● Problem: Social Engineering
       – concepts
       – attacks
     ● Solution: OPSEC
       – theory
       – practice
     Kirils Solovjovs, 22/03/2018, OPSEC and defense against social engineering for devels, execs and start-ups, 2/23, possiblesecurity.com

  3. [video] This is how hackers hack you using simple social engineering
     https://www.youtube.com/watch?v=lc7scxvKQOo

  4. Social Engineering

  5. Social Engineering (SE) is the use of deception to manipulate individuals into divulging sensitive information that may be used for illegitimate or fraudulent purposes or to further attacks on a larger entity.

  6. SE attack cycle for organisations
     ● Research
     ● Target
     ● Build trust
     ● Exploit
     [diagram: Research → Target → Build trust → Exploit, repeating as a cycle]

  7. SE attack types (in person)
     ● Impersonation
       – VIP, user, tech
       – appeal to authority
       – reverse social engineering
       – identity theft
     ● Access
       – tailgating
       – key duplication
     ● Acquisition
       – eavesdropping
       – shoulder-surfing
       – dumpster-diving

  8. SE attack types (remote)
     ● Types
       – phishing, spearphishing
       – vishing
       – app impersonation
     ● Delivery vehicles
       – e-mails
       – usb drops
       – instant messages, sms
       – social networks
       – traffic injection
       – malware, adware

  9. Operations Security

  10. OPSEC or Operations Security

  11. OPSEC history
      ● Military origins
      ● Has found use in today's cybersecurity
        – Why? Humans – the weakest link
        – Solution? OPSEC

  12. OPSEC
      ● Identification of critical information
      ● Analysis of potential threats
      ● Analysis of your vulnerabilities
      ● Assessment of risk
      ● Application of appropriate countermeasures

  13. Identification of critical information
      ● Losing which information would be detrimental to you?
      ● Gaining which information would be beneficial to your competitors?
      ● Examples:
        – passwords
        – research data
        – analytical data

  14. Analysis of potential threats
      ● What are the current cybersecurity threats and exploits?
      ● Which threat actors should you be concerned about?
        – competitors
        – entities
      ● Examples:
        – Company B is developing the same product as we are and is rumored to have offensive cyber capability.
        – We are travelling to China with corporate laptops and fear intercept.

  15. Analysis of your vulnerabilities
      ● What are the potential deficiencies of your security process?
      ● What could reveal your critical information?
      ● Can you fix it?
      ● Think like the enemy! Where would you attack?
      ● Examples:
        – Our tech support does not properly identify callers before providing assistance
        – We don't have a firewall and do not follow secure coding practices

  16. Assessment of risk
      ● What is the risk of each vulnerability? Multiply every potential threat with every weakness to get the risk!
        – Risk = Impact × Probability
      ● What OPSEC measures can you apply for each vulnerability?
      ● Examples:
        – Impact of tech support not identifying callers is medium (5), because of limited tech support permissions.
        – Interests and capabilities of Company B make it very likely (8) that they will target us, therefore risk = 5 × 8 = 40%.
        – We can require callers to provide secret phrases when connecting over the phone.

  17. Application of appropriate countermeasures
      ● Have you implemented countermeasures for the risks identified?
      ● What do you need to apply all the required countermeasures?
      ● What hinders application of the required countermeasures?
      ● Is it financially feasible? Prioritize by risk!
      ● Examples:
        – Our top risk is rated 40% and costs 1800€ per year in extra workload and lost productivity, so we will be implementing it starting 1st of April 2018 and financing it from the IT support budget.
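The five OPSEC steps on slides 12 to 17 form one procedure; the following added example (not part of the deck) turns it into a small risk register. It scores impact and probability on the deck's 1 to 10 scales so that Impact × Probability reads as a percentage (5 × 8 = 40%), multiplies every threat with every weakness as slide 16 says, and then funds countermeasures in risk order while the budget lasts. The threat, vulnerability and cost values are constructed from the deck's own examples; the budget figure is an assumption.

```python
from dataclasses import dataclass
from itertools import product

# Constructed risk register for the deck's five OPSEC steps. Impact and
# probability are 1..10, so Impact x Probability is a 0..100 percentage.
@dataclass(frozen=True)
class Threat:
    name: str
    probability: int    # 1..10: how likely this actor targets us

@dataclass(frozen=True)
class Vulnerability:
    name: str
    impact: int         # 1..10: damage if this weakness is exploited
    critical_info: str  # step 1: the critical information it could reveal

@dataclass(frozen=True)
class Countermeasure:
    vulnerability: str
    action: str
    yearly_cost_eur: int

def score(impact: int, probability: int) -> int:
    """Step 4: Risk = Impact x Probability, expressed as a percentage."""
    if not all(1 <= v <= 10 for v in (impact, probability)):
        raise ValueError("impact and probability must be between 1 and 10")
    return impact * probability

def risk_matrix(threats, vulnerabilities):
    """Multiply every threat with every weakness; highest risk first."""
    rows = [(score(v.impact, t.probability), t.name, v.name)
            for t, v in product(threats, vulnerabilities)]
    return sorted(rows, reverse=True)

def plan(threats, vulnerabilities, countermeasures, budget_eur):
    """Step 5: prioritise by risk and fund measures while the budget lasts."""
    worst = {}  # highest risk seen per vulnerability across all threats
    for risk, _, vuln in risk_matrix(threats, vulnerabilities):
        worst[vuln] = max(risk, worst.get(vuln, 0))
    by_vuln = {c.vulnerability: c for c in countermeasures}
    funded, left = [], budget_eur
    for vuln, risk in sorted(worst.items(), key=lambda kv: -kv[1]):
        c = by_vuln.get(vuln)
        if c and c.yearly_cost_eur <= left:  # financially feasible?
            funded.append((vuln, risk, c.action))
            left -= c.yearly_cost_eur
    return funded, left

# Constructed sample data based on the deck's examples (slides 14-17).
THREATS = [Threat("Company B", 8), Threat("Travel intercept", 3)]
VULNS = [Vulnerability("Tech support does not identify callers", 5, "passwords"),
         Vulnerability("No firewall / insecure coding", 7, "research data")]
MEASURES = [Countermeasure(VULNS[0].name, "Require secret phrase from callers", 1800),
            Countermeasure(VULNS[1].name, "Deploy firewall and code review", 6000)]
```

With a 5000€ budget the 56% firewall item is skipped as unaffordable and the 40% tech-support item is funded for 1800€, which is the deck's worked figure.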

  18. Tips for Operations Security

  19. Practical OPSEC tips (everywhere)
      ● Secure passwords
        – create strong passwords
        – use a password manager or your head
        – don't reuse passwords
      ● Install latest security updates
      ● Do not connect unknown devices to your device or vice versa
      ● Mindfully decide if you will share a piece of information (including on social media)

  20. Practical OPSEC tips (outside the office)
      ● Use VPN to protect your data when using other networks
        – If using a VPN is not possible, do not use shared WiFi hot-spots
      ● Know where your stuff is
      ● Keep your devices and work information (e.g. printouts) with you at all times, if possible
      ● Be aware of your surroundings when processing sensitive information
        – talking on the phone, working on a laptop, having a face-to-face conversation

  21. Methodological OPSEC tips (1)
      ● Carry out regular employee awareness trainings
        – consider reminders / posters
      ● Test your employees by carrying out mock social engineering attacks
      ● Make sure that everyone, especially founders / the exec branch, commits to OPSEC

  22. Methodological OPSEC tips (2)
      ● Discover your vulnerability surface as seen from the outside
      ● Carry out or purchase penetration tests
      ● Set up technical defenses and countermeasures
      ● Manage risk posed by contractors and suppliers

  23. Q&A
      Slides are available on http://kirils.org
      Find me on twitter: @KirilsSolovjovs
