Social Engineering engagements can appear to be easy, especially to someone who already has experience in the Information Security industry. All InfoSec consultants have experienced situations where they’ve been let into a meeting or to perform an onsite engagement without the correct paperwork or permission, and we’ve all heard the stories of successful Social Engineering assignments. Combined with frequent news stories on the success of spear phishing and “blagging”, it can seem as though the simplest of attacks will inevitably compromise a target.
However, selling, scoping, executing and reporting on regular Social Engineering engagements requires a thorough understanding of the processes, techniques and risks involved, as well as the concepts and issues around Social Engineering in general. With that understanding you can ensure that you have those stories to tell to your peers, and to your current and future customers.
This is why we offer a workshop on Social Engineering at DeepSec 2011. Sharon Conheady and Martin Law of First Defence Information Security Ltd will provide concrete examples of how to run a successful social engineering engagement, and how to forestall the common mistakes and pitfalls experienced by new testers and experienced professionals alike.
The workshop will cover the following areas:
- A working definition of Social Engineering
- Real life examples
- The social engineering threat and the motivations behind it
- Legal and regulatory ramifications
- The ethics of Social Engineering
- Overall Social Engineering techniques, from physical intrusion to road apples, from dumpster diving to spear phishing
- Simple techniques to use during “real time” Social Engineering attacks to improve your chances of success
- How to sell Social Engineering to the organisation, and to the individual employee
- Step-by-step prevention techniques to pass on to clients for every attack technique described
The workshop is designed to make the best use of the people present – please bring along your own questions and experiences. The target audience of the workshop is anyone dealing with social interaction (sysadmins, support staff, management, developers, fraud analysts, etc.).