Social Engineering: The weakest chain of IT security

Baptiste MOINE <contact@bmoine.fr>                                Romain KRAFT <romain.kraft@protonmail.com>

Disclaimer

  • Social Engineering generally leads to illegal activities

  • This presentation is meant for educational purposes only

  • The information is not guaranteed to be correct, complete or current

  • This presentation isn't intended to be exhaustive

Social Engineering: The weakest chain of IT security

1

You said SE?

  • Social Engineering: “The Art of Deception” - Kevin Mitnick
  • “Deception with the intention of getting someone to do something that may not be in their best interest.” - Social Engineering
  • SE attack: manipulation vs. influencing

Social Engineering: The weakest chain of IT security

2

Hacker tricking someone into sharing personal information.

smartgeek.com.ng

Methodologies

  • Phishing: act of using a bait in an attempt to catch a victim
    • Spear phishing: focused on few targets + OSINT
    • Vishing: voice phishing
  • Water Holing: exploit users' trust in services they regularly use
  • Impersonation: taking on a persona of someone else

Social Engineering: The weakest chain of IT security

3

Someone baiting someone else.

dreamstime.com

Why using SE?

  • Peoples are the biggest vulnerability of any network
  • Old-fashioned attack can be very time-consuming and steeply expensive
  • Often more effective and generic

Social Engineering: The weakest chain of IT security

4

Obligation aspect of influence.

The Big Bang Theory

SE in a nutshell

  • Plan: define what you aim to achieve, perform OSINT, prepare scenarii
  • Exploit human nature: know how to communicate w/ people (NLP)
  • Be persuasive: convince yourself of what you're talking about
  • Keep it simple: use information that needs no verification

Social Engineering: The weakest chain of IT security

5

Keep it simple stupid.

Image from Rick and Morty

Social Engineering: The weakest chain of IT security

6

Demo!

Question time!

  • How can SE be more effective?
  • What's Water Holing attack?
  • Give an example to explain the obligation concept
  • What's the main difference between manipulation and influencing?

Social Engineering: The weakest chain of IT security

7

Social Engineering

By Baptiste MOINE

Social Engineering

Social Engineering talk

  • 859