WEBVTT

00:00.000 --> 00:04.215
>> Hello. Let's talk
about Social Engineering.

00:04.215 --> 00:06.030
This is a type of attack that is

00:06.030 --> 00:08.740
geared at internal employees.

00:08.870 --> 00:11.790
Social engineering
attacks are by

00:11.790 --> 00:14.550
far the most common
direct confidentiality.

00:14.550 --> 00:17.160
In Chapter 1, we
actually already talked

00:17.160 --> 00:19.530
about social engineering when
we talked about phishing,

00:19.530 --> 00:22.080
spear phishing,
whaling, vishing.

00:22.080 --> 00:23.985
I don't know if I
mentioned smishing,

00:23.985 --> 00:26.595
which is using SMS
text messages.

00:26.595 --> 00:28.935
The bottom line is, phishing

00:28.935 --> 00:30.900
is all about the
impersonation of

00:30.900 --> 00:33.765
someone that should have
access to resources.

00:33.765 --> 00:36.495
However, they really should not.

00:36.495 --> 00:37.730
It means showing up in

00:37.730 --> 00:40.505
a brown uniform and
saying I'm from UPS.

00:40.505 --> 00:42.440
Can I get access to the backroom

00:42.440 --> 00:44.360
so I can deliver this package?

00:44.360 --> 00:46.010
Social engineers are really

00:46.010 --> 00:47.914
talented and often successful.

00:47.914 --> 00:49.970
People fall for them
because they want to be

00:49.970 --> 00:52.280
helpful and want
to avoid conflict.

00:52.280 --> 00:54.200
Social engineers rely on

00:54.200 --> 00:56.405
a lot of principles
to do what they do.

00:56.405 --> 00:57.890
They use the principle of

00:57.890 --> 00:59.510
authority by being confident and

00:59.510 --> 01:00.890
giving the impression
that they should have

01:00.890 --> 01:02.750
access to something
they shouldn't.

01:02.750 --> 01:04.925
They use the principle
of scarcity.

01:04.925 --> 01:06.290
Like a salesperson at a car

01:06.290 --> 01:07.850
dealership who suggests that you

01:07.850 --> 01:09.065
better buy the car now

01:09.065 --> 01:11.150
because it might not
be there tomorrow.

01:11.150 --> 01:12.830
Social engineers give the

01:12.830 --> 01:14.510
victim the impression
that they will get

01:14.510 --> 01:17.720
something precious but they
need to respond right away.

01:17.720 --> 01:19.910
Like offering a
low-interest loan

01:19.910 --> 01:22.355
to the first 100
people who sign up.

01:22.355 --> 01:25.115
They use the principle
of intimidation,

01:25.115 --> 01:27.410
where they are very
confident and aggressive and

01:27.410 --> 01:30.245
coerce someone into giving
them what they want.

01:30.245 --> 01:32.659
They use the principle
of consensus

01:32.659 --> 01:33.710
to convince someone that

01:33.710 --> 01:34.850
everybody else is doing

01:34.850 --> 01:37.195
a certain thing so
they should too.

01:37.195 --> 01:39.535
They use the
principle of urgency,

01:39.535 --> 01:41.465
where they emphasize that
they need something right

01:41.465 --> 01:42.980
away such as for

01:42.980 --> 01:44.950
an important meeting
that is about to start.

01:44.950 --> 01:46.820
They rush you into
making a decision

01:46.820 --> 01:49.910
quickly without
considering the risks.

01:49.910 --> 01:52.460
They use the principle
of familiarity,

01:52.460 --> 01:54.200
claiming to know
someone you know,

01:54.200 --> 01:55.715
so you will trust them.

01:55.715 --> 01:57.840
They use the principle of trust.

01:57.840 --> 01:59.640
Similar to familiarity,

01:59.640 --> 02:03.230
they use some play to suggest
that you should trust them.

02:03.230 --> 02:06.470
This is like someone dressing
like a police officer.

02:06.470 --> 02:09.990
You will trust what they say
and do what they ask you to.

02:11.050 --> 02:14.240
To mitigate threats with
social engineering,

02:14.240 --> 02:16.175
we normally think
about training,

02:16.175 --> 02:18.590
but training can't
solve everything.

02:18.590 --> 02:20.825
We need good policies in place,

02:20.825 --> 02:22.730
such as separation of duties,

02:22.730 --> 02:25.385
least privilege,
and need to know.

02:25.385 --> 02:26.990
We also need to conduct

02:26.990 --> 02:28.670
social engineering
pen tests from time

02:28.670 --> 02:31.845
to time to see if employees
are following the policies.

02:31.845 --> 02:35.310
Social engineering today
is our greatest threat.

02:35.680 --> 02:39.590
It's important to note that
also with social engineering,

02:39.590 --> 02:41.360
it's more than just phishing.

02:41.360 --> 02:43.280
An example of social engineering

02:43.280 --> 02:44.960
that involves a person
getting access

02:44.960 --> 02:48.680
to your workspace is called
piggybacking or tailgating.

02:48.680 --> 02:50.930
This is where you swipe
your key card to get

02:50.930 --> 02:52.850
into the building and
a person slips in

02:52.850 --> 02:54.470
behind you or asks you to hold

02:54.470 --> 02:57.245
the door without using
their own card to get in.

02:57.245 --> 02:59.645
The best defense
against that threat

02:59.645 --> 03:02.375
is to have a security
guard and a man trap.

03:02.375 --> 03:05.450
A man trap is an area of
dead space where you go

03:05.450 --> 03:07.280
in-between the building
and where you enter

03:07.280 --> 03:09.560
the rest of the
organizational space.

03:09.560 --> 03:11.480
The security guard can monitor

03:11.480 --> 03:12.980
that man trap area to

03:12.980 --> 03:15.320
catch people who are
trying to slip in.

03:15.320 --> 03:17.390
Dumpster diving also can

03:17.390 --> 03:19.250
be considered
social engineering.

03:19.250 --> 03:21.740
It means someone going
through the trash to find

03:21.740 --> 03:23.660
valuable information
that people have thrown

03:23.660 --> 03:26.530
away instead of putting
it in the shredder.

03:26.530 --> 03:30.320
Another form of social
engineering is shoulder surfing.

03:30.320 --> 03:31.880
This is where someone stands

03:31.880 --> 03:33.800
behind you and looks
over your shoulder.

03:33.800 --> 03:36.140
They may be looking at
your computer screen or

03:36.140 --> 03:39.410
an access pad that you were
typing a passcode into.

03:39.410 --> 03:42.740
Our best defense against
social engineering is to

03:42.740 --> 03:46.145
train our people so that they
know what to watch out for.

03:46.145 --> 03:48.050
Also, we need to implement

03:48.050 --> 03:50.090
the policies of
separation of duties,

03:50.090 --> 03:52.735
need to know, and
least privilege.

03:52.735 --> 03:54.950
People only know the
minimum that they need

03:54.950 --> 03:56.960
to know and only have the access

03:56.960 --> 03:58.820
to the minimum amount
of systems and

03:58.820 --> 04:02.070
information that they
need the access to.
