Security Psychology: Topics We've Covered, Ethics, Distributed Systems - PowerPoint PPT Presentation
Security Psychology
Topics We’ve Covered
• Ethics
• Distributed Systems (and attacks thereof)
• XSS
• CSRF
• SQL injection
Most of these attacks are enabled by social engineering.
Today’s Class
• Pretexting
• Phishing
• People vs. Computers
• How this relates back to the other topics
Verizon Breach Report (2017)
• 1,616 incidents, 828 with confirmed data disclosure
• Web Application Attacks, Cyber-Espionage and Everything Else represent 96% of all security breaches involving social attacks
• 99% External, 1% Internal, <1% Partner (breaches)
• 66% Financial, 33% Espionage, <1% Grudge (breaches)
• 61% Credentials, 32% Secrets, 8% Personal
• 43% of breaches involved social engineering
  • 93% phishing
  • 5% pretexting
Verizon Breach Report (2017) Breach Targets Compromised Data
Pretexting • Pretending to be somebody you’re not to gain access to a system
Classic Pretexting
• Impersonate the CEO to trick an employee into transferring money
  • particularly their secretary
  • time crunch
  • etc.
• You’ve been selected for jury duty! Give me your SSN.
Kevin Mitnick
• Age 13: Pretexting + dumpster diving to gain free access to the bus system
• Art of Deception (released right after he was released from prison for wire fraud):
  • Pretend to be an employee’s colleague
  • Get the employee to “help”
HP Pretexting
• HP boardroom leaks (2005)
• Investigators called up phone companies, pretending to be HP board members
• Obtained call records
• Charges against HP Chairman (at the time) Patricia Dunn and others involved
  • most later dropped
Protecting against Pretexting
• Operational security (opsec)
• Rules about limiting access
• Train staff and explain the rules
• Hard: senior people are hard to change.
Phishing • Pretending to be a corporation you’re not to gain access to individual credentials to a system
Phishing - VIBR Click Through Rate
Phishing
Target Phishing
• Spear phishing attack on an HVAC firm
• Stole credentials
• Put malware on their computers
• Spread to the rest of the system
Target aftermath
Targeted vs. Untargeted
• Targeted: want access to your organization
• Untargeted: want access to banking credentials, social media logins, etc.
Protecting against Phishing
• Operational security (opsec)
• Email clients not allowing clicks on links
• Not downloading attachments
• Not answering the phone for numbers you don’t recognize
• Outbound firewall rules
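The "email clients not allowing clicks on links" defence can be approximated in code. The script below is an added example, not part of the slides: it parses an HTML mail body, flags anchors whose visible text shows one domain while the `href` actually points somewhere else (the classic phishing trick), flags links with schemes other than http(s)/mailto, and renders the message as plain text with the real destination printed beside each link so nothing is clickable. The sample message is constructed for illustration, and the "last two labels" registrable-domain guess is a simplification (a real client would consult the public suffix list).

```python
"""Flag and defang links in an HTML e-mail body (added defensive example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration (not from the slides).
SAMPLE_EMAIL_HTML = """<html><body>
<p>Your account was locked. Please
<a href="http://mybank.example.evil-login.test/verify">www.mybank.example/verify</a> now.</p>
<p>Questions? Visit <a href="https://www.mybank.example/help">our help center</a>.</p>
<p>Or fetch the patch: <a href="ftp://updates.evil-login.test/patch.exe">click here</a></p>
</body></html>"""

# Matches a domain-looking token inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((shown, self._href))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: last two labels (assumption; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return (text, href, reason) for links whose shown domain differs from the
    real destination, or whose scheme is something other than http(s)/mailto."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        parsed = urlparse(href)
        scheme = parsed.scheme.lower()
        if scheme not in ("http", "https", "mailto"):
            flagged.append((text, href, "unexpected scheme"))
            continue
        if scheme == "mailto":
            continue  # no host to compare against
        shown = DOMAIN_RE.search(text)
        real_host = parsed.hostname or ""
        if shown and registrable(shown.group(1)) != registrable(real_host):
            flagged.append((text, href, "display/destination mismatch"))
    return flagged


class _Defanger(HTMLParser):
    """Renders HTML as plain text; anchors become 'text [actual-url]' so nothing is clickable."""

    def __init__(self):
        super().__init__()
        self.out = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""

    def handle_data(self, data):
        self.out.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.out.append(f" [{self._href}]")
            self._href = None


def render_plain(html):
    """Plain-text rendering of the mail with every real link target made visible."""
    defanger = _Defanger()
    defanger.feed(html)
    return " ".join("".join(defanger.out).split())


if __name__ == "__main__":
    for text, href, why in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"FLAG ({why}): '{text}' -> {href}")
    print(render_plain(SAMPLE_EMAIL_HTML))
```

Run it as-is to see the two flagged anchors and the defanged rendering; in a real deployment the same check would sit in a mail gateway or client extension, and the plain-text rendering is what a user would be shown instead of a clickable HTML body.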
What people are bad at
• Bad short-term memory
  • 7 +/- 2 choices at once
• Capture errors
  • Click “OK” without reading
• Post-completion errors
  • forget ATM card in machine
• Following the wrong rule
  • look for a lock symbol
• Don’t understand
  • many, many things
What people are good at
• Image recognition
  • CAPTCHAs
• Understanding speech