Knock, Knock. How Attackers Use Social Engineering To Bypass Your Defenses presented at SOURCE Boston 2010

by Lenny Zeltser

Tags: Security Testing Phishing

Summary: Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses.
Lenny Zeltser reviews how attackers have bypassed technological controls by making use of social engineering techniques such as:
* Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.
* Tricking victims into willingly installing malicious software: Attackers increasingly rely on social engineering tactics to trick victims into installing malware, such as worms and trojans. The talk will explore numerous variations of the approaches seen in the wild.
* Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include person- or company-specific social engineering elements in an intrusion campaign.

Attend this engaging talk to improve the relevance of your security awareness training and to adjust your defenses by revisiting your perspective of the threat landscape.