Social Engineering: The weakest chain of IT security
Baptiste MOINE <contact@bmoine.fr> Romain KRAFT <romain.kraft@protonmail.com>
Disclaimer
-
Social Engineering generally leads to illegal activities
-
This presentation is meant for educational purposes only
-
The information is not guaranteed to be correct, complete or current
- This presentation isn't intended to be exhaustive
Social Engineering: The weakest chain of IT security
1
You said SE?
- Social Engineering: “The Art of Deception” - Kevin Mitnick
- “Deception with the intention of getting someone to do something that may not be in their best interest.” - Social Engineering
- SE attack: manipulation vs. influencing
Social Engineering: The weakest chain of IT security
2
Hacker tricking someone into sharing personal information.
Methodologies
- Phishing: act of using a bait in an attempt to catch a victim
- Spear phishing: focused on few targets + OSINT
- Vishing: voice phishing
- Water Holing: exploit users' trust in services they regularly use
- Impersonation: taking on a persona of someone else
Social Engineering: The weakest chain of IT security
3
Someone baiting someone else.
Why using SE?
- Peoples are the biggest vulnerability of any network
- Old-fashioned attack can be very time-consuming and steeply expensive
- Often more effective and generic
Social Engineering: The weakest chain of IT security
4
Obligation aspect of influence.
The Big Bang Theory
SE in a nutshell
- Plan: define what you aim to achieve, perform OSINT, prepare scenarii
- Exploit human nature: know how to communicate w/ people (NLP)
- Be persuasive: convince yourself of what you're talking about
- Keep it simple: use information that needs no verification
Social Engineering: The weakest chain of IT security
5
Keep it simple stupid.
Image from Rick and Morty
Social Engineering: The weakest chain of IT security
6
Demo!
Question time!
- How can SE be more effective?
- What's Water Holing attack?
- Give an example to explain the obligation concept
- What's the main difference between manipulation and influencing?
Social Engineering: The weakest chain of IT security
7