Security Psychology Topics Weve Covered Ethics XSS CSRF SQL - - PowerPoint PPT Presentation



SLIDE 1

Security Psychology

SLIDE 2

Topics We’ve Covered

  • Ethics
  • XSS
  • CSRF
  • SQL injection
  • Passwords
  • Command injection
  • Scanning
  • Malware
SLIDE 3

Most of these attacks are enabled by social engineering.

SLIDE 4

Today’s Class

  • Pretexting
  • Phishing
  • People vs. Computers
  • How this relates back to the other topics
SLIDE 5

Verizon Breach Report (2017)

  • 1,616 incidents, 828 with confirmed data disclosure
  • Web Application Attacks, Cyber-Espionage and Everything Else represent 96% of all security breaches involving social attacks
  • 99% External, 1% Internal, <1% Partner (breaches)
  • 66% Financial, 33% Espionage, <1% Grudge (breaches)
  • 61% Credentials, 32% Secrets, 8% Personal
  • 43% of breaches involved social engineering
    • 93% phishing
    • 5% pretexting

SLIDE 6

Verizon Breach Report (2017)

(Charts: Breach Targets; Compromised Data)

SLIDE 7

Pretexting

  • Pretending to be somebody you’re not to gain access to a system

SLIDE 8

Classic Pretexting

  • Impersonate the CEO to trick an employee into transferring money
    • particularly, their secretary
    • time crunch
    • etc.
  • You’ve been selected for jury duty! Give me your SSN.

SLIDE 9

Kevin Mitnick

  • Age 13: Pretexting + dumpster diving to gain free access to the bus system
  • Art of Deception (released right after he was released from prison for wire fraud):
    • Pretend to be an employee’s colleague
    • Get employee to “help”

SLIDE 10

HP Pretexting

  • HP boardroom leaks (2005)
  • Investigators called up phone companies, pretending to be HP board members
  • Obtained call records
  • Charges against HP Chairman (at the time) Patricia Dunn and others involved
    • most later dropped

SLIDE 11

Protecting against Pretexting

  • Operational security (opsec)
  • Rules about limiting access
  • Train staff and explain rules
  • Hard: senior people are hard to change.

SLIDE 12

Phishing

  • Pretending to be a corporation you’re not to gain access to an individual’s credentials for a system

SLIDE 13

Phishing - VIBR

(Chart: Click Through Rate)

SLIDE 14

Phishing

SLIDE 20

Target Phishing

  • Spear phishing attack on HVAC firm
  • Stole credentials
  • Put malware on their computers
  • Spread to the rest of the system
SLIDE 21

Target aftermath

SLIDE 22

Targeted vs Untargeted

  • Targeted: want access to your organization
  • Untargeted: want access to banking credentials, social media logins, etc.

SLIDE 23

Protecting against Phishing

  • Operational security (opsec)
  • Email clients not allowing clicks on links
  • Not downloading attachments
  • Not answering the phone for numbers you don’t recognize
  • Outbound firewall rules

SLIDE 24

What people are bad at

  • Bad short-term memory
    • 7 +/- 2 choices at once
  • Capture errors
    • Click “OK” without reading
  • Post-completion errors
    • forget ATM card in machine
  • Following the wrong rule
    • look for a lock symbol
  • Don’t understand
    • many, many things

SLIDE 25

What people are good at

  • Image recognition
    • CAPTCHAs
  • Understanding speech

SLIDE 26

Topics We’ve Covered

  • Ethics
  • XSS
  • CSRF
  • SQL injection
  • Passwords
  • Command injection
  • Scanning
  • Malware