Friday, March 16, 2012

Jayson E. Street at the atsec office

We invited Jayson E. Street to our office to speak on the topic of social engineering. Jayson gave an overview of techniques criminals could use to gain access to a company's assets. Some takeaways include:
  • It is easier to go after the spouse (or children, friends) of the target to gain information that might help the attacker breach security.
  • In the same vein: instead of breaking into a well-secured workplace, it's easier to follow the target home and steal a laptop there or hack the home network.
  • Social engineering doesn't have to be complex. Sometimes you will find a password under someone's keyboard instead of hacking a 256 bit AES key.
  • Criminals won't hesitate to lie to a target or take advantage of someone's helpful nature to assist those in need/lost/confused. A realistic physical penetration test has to be as close as possible to the methods a real criminal would use.
  • It can be easier to get access to a company's assets dressed as an electrician than dressed as an armed robber.
  • Employees should feel empowered to speak up and act when they suspect something isn't right, and rewarded for reporting incidents. A company's staff is its human IDS.
  • Actions speak louder than security policies. Randomly checking under keyboards for passwords written down sends a clearer message than a one-time hand off of best security practices.
It was a very informative and fun presentation and Jayson gave us ample opportunity to ask questions.

by Courtney Cavness/Andreas Fabis

No comments:

Post a Comment

Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.