Okay, so this talk's called Hacking Humans: social engineering, and techniques for how to protect against them. It's not an overly technical talk, so you can sort of relax a bit; there's no complex maths or coding involved. So, a loose agenda of what I'm going to go through this afternoon: we're going to talk a bit about what social engineering actually is, then we're going to talk about some famous social engineering cases, there's some examples there. We're going to go through social engineering techniques and sort of a rough, high-level framework which attackers go through when they try to mount an attack, and then we're going to talk about how to protect yourselves and your company against social engineers, which is the important part, and then I've got a few interesting resources to share with you at the end.

So, quick disclaimer first. I'm sure I don't need to say it, but I'll say it anyway: social engineering generally leads to bad and illegal things, so the whole point of the talk isn't to teach you how to do illegal things, it's to teach you how to protect yourself from it, because you don't want to end up like this guy. Social engineering is a huge, huge subject, so we can't do the entire thing justice in an hour. I mean, some people spend their lives studying this stuff, it's all psychology and all that good stuff. But what we're going to do is treat it as an art of the possible, so it gives you the basic grounding in what social engineering is and the steps that you go through to do it, and then if you're interested in the subject I've got some good resources and books at the end which you can follow up with.

So first of all, I'll start off with a little story, a little fireside story. We've got a guy called Keith who's sitting there late at night working in tech support, daydreaming about his tea break and a game of pool with his friend, and suddenly he gets a phone call. So he picks it up and goes, "Hello, this is Keith from technical support,
how can I help you?" And there's a panicked voice on the end of the phone: "Keith, it's Tom, senior financial VP from floor 9. I've got a big meeting tomorrow and I can't get into my system to access the PowerPoints and spreadsheets. If I can't access the systems then, you know, I'm screwed, we've got a massive investor meeting in the morning." So Tom's like, "Eh, well, have you gone through the password reset process?" "Well, of course I've gone through it, why do you think I'm phoning you? It keeps on locking out when I go through it." And he's starting to get quite irate and upset at this point. So after a bit of to-ing and fro-ing, Keith decides, "Okay, well, I'll do a password reset for you now and we'll get you back into the system." You know, you're an executive, I don't want to piss you off. So he says, "So Tom, what do you want me to change your password to?" and he goes, "I'll change it to monkey25," made up on the spot. So Keith does that, and then Tom tries the password and suddenly he's in. "Oh my god, thank you very much, because of you I'm now going to be able to do this meeting tomorrow, you have just saved this massive investment meeting, thank you," and he hangs up. So Keith's sitting there, you know, very happy with himself, daydreaming about running down the corridor high-fiving all his friends, because he's now just helped a senior exec on floor nine, and this exec now knows who Keith is, so great, done a bit of networking as well. So while Keith's doing this, Tom, who's not actually a senior VP in the company, is actually a hacker, is copying lots of documents off the network onto a USB stick, and then he leaves the building. It's a very simple example, but it's a typical type of thing that can happen in a corporate environment, and I've worked in some banks in the UK where these sorts of things have happened in technical support.

Okay, so what is social engineering? So I went to my good friend Wikipedia for a definition, and it's the act
of influencing someone to take an action that may not be in their best interest. So it's getting people to do something that's not good for them. There's three different types of social engineering attacks out there. The one that we're all probably familiar with is phishing, where we get those really annoying emails telling us we've got rich relatives in some African country, or you've got an email trying to get you to log on to your bank account with a very convincing bank logon page. The second type is vishing, which is where you get people phoning you up, so the typical call centre phone calls you get. Then you get them over here where it's a call from Microsoft who've supposedly detected a virus on your system and they want to get access to your system to help you out; that's a vishing attack. And the next one is impersonation, which is where someone's taking on the persona of someone else, which is kind of what we're going to focus on in this talk.

So a few stats. There's a link at the bottom there from social-engineer.org, and I got some pretty good stats on there. Most of them are US-based, but it kind of illustrates the point. So 90% of all email is spam; I think we all know that when we look at our inboxes every day. And phishing represents 77% of all socially based attacks, so it's still one of the most popular types of attacks out there because it's so easy to do at scale. And clicking links in emails accounted for 88 percent of all reported phishing, so that's your typical "click on this link to reset your bank account password", go to a very convincing page that looks identical to your bank but is actually an imposter site. So vishing: in 2012 in the US
there's two point four million customers targeted for phone fraud, but then in just the first half of 2013 it's 2.3 million customers, so you can see how it is, you know, exponentially growing in severity. And to large corporations the average loss per account can equal around four to two and a half thousand dollars, so it can have a massive impact on companies if, say, a bank account gets compromised. So impersonation. Typical types of impersonation, you know, medical ID theft is a very good one, where people steal your medical data and use that to build up a persona of who you are, because medical data is very private and therefore is generally quite trusted information. And typically the top place for identity theft is in the workplace. So your companies may spend hundreds of thousands of dollars on firewalls and intrusion protection systems, which is all well and good and should be done, but the weakest link in your company is going to be the people working for it. And 80 percent of thefts involve disabling or bypassing controls; we saw that in the story at the beginning, Keith the technical support engineer sort of bypassed that control and did a password reset without really doing too much checking.

So who makes up social engineers? Typically we have hackers, they're the ones we all know about. Penetration testers are people who are legitimately paid by companies to try and break into their systems, and they'll either do that via traditional hacking or via trying to impersonate people and extract information like passwords from people. Then you've got your typical spies and governments, you know, all the sorts of things that we see in James Bond films where the spy takes on a personality or a persona of someone else. Disgruntled employees. Recruiters are very good ones; they're trying to manipulate you to do something that's not necessarily in your best interest, I get about ten of those calls a day. And salespeople, because they're
trying to get you to buy something which you maybe don't need, but they're going to try and get you to buy it anyway. It's all a form of social engineering. Okay, anyone think of who the best type of social engineers are that's not on the list? Actors? Yes, good, right. I was going to say children, especially my daughter, she can pretty much get me to do anything. I'm sure, and there's a lot of people nodding, so it's a similar situation.

So why social engineering? Well, it consistently works. People are very easy to manipulate, and as we'll see later, people generally want to be nice and be helpful, and people use that to their advantage. As we've said before, people are the biggest vulnerability of any network, so if you haven't gone through any of the mitigation techniques which we're going to talk about later, it doesn't matter how much you spend on expensive hardware to protect your network, actually someone's just going to go in and copy files off onto a USB stick and take them out of the building, and that's a problem. And also it's the path of least resistance. So if you're trying to get passwords for a system, you could do it the traditional way and try and do a data breach and get the password files and then brute force them, and that's a lot of work to try and extract a password, or you can just manipulate someone and get them to tell you it.

So some typical examples of a social engineering attack. Customer services: they're people on the front line of the company on the phones, and all it takes is for you to do five or so phone calls to different people, extracting different bits of information every time, to help build up a larger picture which will then allow you to go in and do your main attack. Delivery staff is another big problem. I mean, if someone turns up in a brown boiler suit carrying a load of packages, generally companies tend to let them in, and if you don't escort them around the building then you've just given someone
access to the building quite easily. So generally any type of phone call where you're going to get someone on the phone is a very good way of getting information, because they can't see you, so it's a very one-sided type of interaction. And as we've seen in our example, technical support is a great way of trying to get information on a system, especially if you target junior members of staff, fresh out of college or university, who aren't very experienced in these things; they're going to be very eager to help.

So I've got a few famous social engineering cases, just so we can see where people have done this and ultimately paid the price of going to prison. So has anyone heard of Kevin Mitnick? A very famous guy now. He used to be quite dodgy in his younger years, so he had a high-profile arrest in 1995 and he spent five years in prison, and he's done loads of hacks from 1979 onwards. So at 16 he broke into DEC computers and he was pirating software off of their servers, and he's done things like riding the bus network in LA for free by hacking the payment systems. In the end he was charged with 14 counts of fraud and eight cases of unauthorised entry. Of course, these days he's a reformed character, so he's now a successful security consultant and he spends most of his time teaching companies how to protect themselves from people like him. So he's actually made a very good career off the back of it, but he had to spend time in prison to do that. Those are some books that he's written, highly recommend them, I'll show them again at the end of the presentation. The first two, The Art of Intrusion and The Art of Deception, are probably some of the best books I've ever read on the subject, and then Ghost in the Wires, which is kind of his biography, is a fascinating read. I read it on holiday once, to my wife's horror, reading technical books on holiday.

So the next one is a guy called
Frank Abagnale. Has anyone heard of this guy? Yep. Can you see my next slide? But yeah, you're right, the film Catch Me If You Can. So he was a confidence trickster and cheque forger and imposter. He did all sorts of things like taking on different identities to become an airline pilot, doctor, lawyer, all that sort of thing. He's very, very convincing and even managed to escape custody twice; he's quite a slippery chap as well. But as the guy at the front said, there's a film with Leonardo DiCaprio and Tom Hanks called Catch Me If You Can, which is kind of a Hollywood dramatisation of his life. It's a brilliant film, if you haven't seen it. So a snippet from the film there where he's taken on the persona of an airline pilot, which is quite frightening to think that someone who's not actually a pilot is helping to fly your plane. I'll bear that in mind when I do my 30-hour journey back to the UK.

So the final example we'll look at is Charles Ponzi. Everyone's probably heard of the Ponzi scheme or the pyramid scheme. This is a mail fraud scheme using international reply coupons, so you buy the reply coupons and then you can sell them for stamps, and you'd generally get more money when you sold them than what they cost to buy. So he started doing this, but then he turned it into a pyramid scheme: he had lots of people invest money so he could use that money to buy more reply coupons overseas, and he carried on building up this ruse until it all eventually collapsed. I can't remember how long he spent in prison, but I think he made it out okay.

Okay, so on to social engineering techniques, so this is sort of the process of how it's done. It's generally broken down into four stages: information gathering, pretexting, elicitation and manipulation. We'll go through each of those in turn. So to do a social engineering attack, it takes a lot of preparation. You're not just going to target
someone and socially engineer them and expect to be successful at it, because you won't, you'll probably fail. So you need to gather as much information as you can from different sources, and there's various different ways of doing it. One of the easiest ways of doing it is going through bins, or dumpster diving as they call it, so you're literally looking for any bits of information or paper that's been thrown out at a company or someone's home. Bank statements: if you don't shred them and you just throw them away, there's a goldmine of information. Prescriptions for medication are very useful, so you can find out if they've got any particular illnesses which you can use to your advantage, and pretty much anything beyond that. Another example as well: if you go through someone's bins and it's full of whisky bottles, you can probably guess that they've got an alcohol problem, so getting them down the pub might be a good way to do a social engineering attack against them. This day and age you can use lots of social networks; this is called open source intelligence, OSINT they call it, where you're using public-facing sites to try and extract information. Not everyone has their Facebook profile locked down, so some people have a lot of information on there that's public. The same again with Twitter, so you can look at the sorts of things that people are tweeting and build up quite a good picture of someone's personality. And LinkedIn is an absolute goldmine, because you generally put your entire career history on there, so you can get lots of information from that. But also just doing a good old-fashioned Google or a Bing search, I'll put that on there to balance it out, but generally Google. Another good way of stealing information is by using malware to install key loggers on people's systems, so if you want to get someone's password, why not just record the keystrokes that they're typing in
on their terminal. Another popular one as well is malware which takes regular screenshots from your system and then posts them off to a server. If you've got confidential information on your screen then you can have this malware just taking image dumps from the screen, compressing them, then sending them off to a server, which is why you should always run anti-malware software. Another one is shoulder surfing, again very common, so you just look over someone's shoulder. I was on the train commuting to work, sort of stood up, and I could see someone typing their email; you just look over and you can see exactly what they're typing. In this case someone was writing a message to her husband. It's very easy to do, I just stood up and looked, so you have to be very aware of what you're doing. If you're doing something for the company and you're on a train, just imagine the amount of people that could be looking over your shoulder and seeing what you're doing, or if you're checking your bank balance in a public place. That's all things you need to be aware of. There are ways to help protect yourself against shoulder surfing, and these actually exist these days, they're called privacy scarves. When I found the photo I was intrigued, and there are actually companies that sell these. You look a bit of an idiot using it, but good on a winter's day, you know, in Sydney.

Okay, so the next stage is pretexting, and this is the practice of presenting oneself as someone else in order to obtain private information. So it's acting, it's taking on someone else's persona. So the general principles that you want to follow when you're doing pretexting: the more planning and research you put into the persona you take on, the more success it's going to lead to. As I said, you're not just going to target someone and then go straight in for the kill, as it were; you're going to put a lot of preparation in and try and work out what your new
identity is going to be. Shared interests make success more likely, so if you're a fan of Manchester United Football Club and you know your target is as well, then it gives you a shared interest. So when you start trying to manipulate them you can spend a lot of time talking about the shared interest to help build up a rapport with that person. You don't necessarily go straight in for the kill; you might spend weeks building up a friendship with someone. Good acting definitely helps, so you need to look convincing when you're doing it; it's no different from acting in a play, you are taking on a kind of real-world acting role. Another principle is always keeping it simple, so try not to over-complicate the persona that you're taking on, because the more complicated you make it, the easier it's going to be to fail and screw up. You also want to try and use information that doesn't need any verification, because if you say something that the person finds a bit suspect, then they're going to go off and try and verify that information, and if you've made a mistake that's going to help unravel your persona. So when you're in the planning and pretexting stage, you need to define what it is you're actually trying to achieve. It goes without saying, with anything, good planning always leads to more success, and you need to plan for different reactions or straying off the happy path. So if all goes well, you're going to go in and do your pretexting attack against someone; if it all goes well you'll get the result that you want, but what if it doesn't go well? What are all the different failure cases that can happen? You need to prepare for those. So if you're trying to take on the persona of someone who's single, not in a relationship, and then you accidentally turn up with your wedding ring on and they notice, what would you do in that situation? And will just being friendly be sufficient? I mean, do you
need to go to all the effort of taking on this big acting persona? Could just being nice to someone be what you need to do? It could be just as simple as that. This is another definition of social engineering: it's a clever manipulation of the natural human tendency to trust, and the key word there is trust, so it's building up trust with another person.

Okay, so we've talked about pretexting, which is about building up the persona of the person that you're trying to be. The next step is elicitation, and this is the act of getting information without directly asking for it. So if I go up to you and say "can you tell me your password?", no. So you're trying to get someone to give you information without them directly giving it up, without you directly asking for it. Elicitation is all about trying to exploit human nature. Most people want to be polite; not everyone, but generally most people are nice and want to be helpful, especially at a conference like this, people are generally very nice and want to help. And people want to appear well-informed as well. Nobody wants to be the guy or the girl who doesn't know the answer to something; it makes you look a bit stupid. So if you ask the right questions and it makes people feel like they're being informed and being the person with all the knowledge, people might generally be a bit more loose-lipped and tell you stuff that they're not supposed to, just to make themselves look and feel better. People want to be appreciated as well, so as part of your persona, if you're being very nice and appreciative, thanking them, maybe buying them a drink for helping you out with something, people like to be appreciated, a bit of a pat on the back. And generally honest people don't like to withhold information or lie, so if you're a good, honest person then lying isn't in your nature, so you're going to be very truthful in the information that you give
up. The best way to succeed at this, then, is really understanding how to communicate with people. This is why I say it's very easy for us to talk about it now for an hour, but actually some of this stuff can take years and years to master, because it's all about human psychology. And you need to be able to adapt communications to fit the situation. It's a bit like what we were saying before about trying to cater for the failure paths in your pretexting: you need to change your communication style to fit the situation, so if someone starts getting a bit aggressive towards you because you're going in too strong, you need to be able to adapt your style of communication and dial it back a bit. And you want to build a bond with your target, so you're not just going to go straight in directly and try and get the information out of someone; you might spend a long period of time befriending them. You might meet them down the pub, build up a friendship over several weeks or months, and then try and get the information that you want, so you don't arouse any suspicion. And this goes without saying: whenever you're with that person you have to stay in character, so if you go out of character, or they see you going out of character when you're on the phone, or they see you around locally, that's not going to help you. But also you need to know how to use effective questioning techniques, so we'll look at some of these now.

So there are four main questioning techniques out there: neutral, open, closed and leading. A neutral question doesn't direct the person on how to answer the question, so you're not leading or directing them in any way. If you say "how do you like the weather today?", that kind of invites you to say as much as you want. Then you've got open-ended questions, which encourage a full, meaningful answer using the subject's own knowledge. So "tell me about the relationship with your father" is a very open
question, you can go into as much detail as you want, or "how do you feel about the election candidates?" gives you the opportunity to be a lot more open in how you answer the question. But then on the flip side of that we have closed questions: "do you get on with your father?", yes or no, it doesn't really invite you to say much more, because it's very directed in how it's being asked. And then "who are you going to vote for, Trump or Hillary?", okay, so the American election, it doesn't really invite you to say much more. Then we've got leading questions. These are more open in nature, but you're trying to lead the person down a particular way of answering the question. So the example on the screen there, "do you have any problems with your boss?", is kind of implying that you might have some problems with your boss, and that might coerce your answer a little bit. Or "how fast was the red car going when it smashed into the blue car?", so you're putting the idea into the person's head that it was actually the red car that was going fast and was at fault, and it might not have been, but you're trying to lead them into a particular way of answering. So normally when you're doing this you want to try and funnel the questions: you'll start off very neutral, then you'll go into a more open style, and as you start to get towards the information that you're trying to get from the subject you'll start going a lot more closed, and if necessary you'll use more directed questions. So think of it as a funnel.

Okay, so we've covered pretexting and elicitation. Pretexting is taking on a persona, and elicitation is using that persona to extract information. But what's the difference between manipulation and influencing? There's very subtle differences between them. Influencing is about getting someone to change their mind in a way that is good for them. So in the case of the party last night, if you're considering
having that third whisky and your friend says "I don't think you should do that, because you're supposed to be up early, you've got a talk at nine o'clock", they're trying to influence you in a way that's good for you, by helping you. But manipulation is influencing someone to change their mind in a way that's not good for them. So in the case of the story at the beginning, the person who was calling the technical support line was directly trying to manipulate the person on the phone, so it wasn't in a way that was good for them; it was very bad for them in the end. Influencing generally ends up in a win-win situation, so it's a win for you and it's a win for the person that you're influencing, whereas manipulation is generally a win-lose scenario. It goes without saying that manipulation is generally bad, but for social engineering it's good; it's kind of the whole point of it, you try to manipulate someone. So if we go back to our original definition from the beginning of the talk, what we said is it's an act of influencing someone to take an action that may not be in their best interest; actually we're talking about manipulation.

Okay, so what are some typical manipulation techniques? Fear is a typical technique, or what's called the fear-then-relief technique, so you make someone scared about something and then you offer them instant relief to take that fear away. So, example here: "Hi, this is technical support, we've detected a virus on your machine and it's going to lock all your files." "Oh, I'm going to lose all my files," so fear starts to set in. "We need to install a virus killer, but if you give us the password to your machine we'll log on and put the virus checker on there and everything will be good." So that's the relief. You get the person into a sort of heightened state of fear and then you offer immediate relief, so they trust you. Guilt is another way: use guilt as a way of making someone comply, so you do someone a favour and then use it
against them later. Blackmail is a very typical technique. So, example: "I need you to copy these files for me, I mean you owe me a favour after I kept X a secret for you earlier," so you're guilt-tripping someone into doing something for you. Another technique is the foot-in-the-door technique, so asking the victim to do a very small request first gets your foot in the door, and then once they comply you can follow on and get more information out of them. A very common technique used by salespeople: if you get door-to-door salesmen at your door they might ask you a question like "how's it going?", and you give them a response, but by getting that positive response from that person in the first place it actually makes it a lot easier for them to then start up a conversation with you. So "can you tell me the time?", "can you spare some change?", typical questions you use to lead in with someone.

So those are the main stages you go through for mounting a social engineering attack. As I say, it's quite a high-level framework; you can spend a lot of time going into the psychological intricacies of it. But what we really want to know is how can we protect ourselves from this? So we're going to go through some techniques that we can use for personal mitigation, for yourselves, but then also what you want your companies to be doing, so if your companies aren't doing any of these things then maybe you can go back to your offices next week and try and get them to change. So as I said, common targets in a company tend to be junior staff, because they're very eager to please and help. Contractors are also very common people to be targeted, because they don't have the same sort of vested interest in the company as a full-time member of staff does, and I've worked with various companies before where a lot of contractors are from outsourcing operations as well, where culturally, from the countries they're from, they're very
eager to try and help because they don't want to be seen as evasive or not helpful, so they're very good people to target. Admin staff as well, and support staff, again people that are perhaps more junior in the company. So if you go in pretending to be an executive and you're trying to get information out of them, they're going to want to help, so they're very easy to target, whereas if you try and go against someone who's higher up in the company they're probably going to be a bit more savvy and not as easily manipulated.

So if you've got someone phoning you up or turning up at the office, the best thing to do to start with is very simple: "can you show me your ID?" If a guy turns up wearing a brown boiler suit carrying a load of parcels, are you just going to let him in, or are you going to check his credentials first? Is he from DHL, is he from Bob's Delivery Service? You need to check. And watch for any out-of-character questions as well. So again, going back to the delivery man example, if he turns up and then he starts asking about where the server room is, or things that are very out of character for a delivery man, that should be an immediate red flag. Again, a lot of these are kind of common sense which would be clear to you. So don't let guests roam free around a building. Again, the delivery man: if he turns up and he has to personally deliver a parcel to someone, and you check his credentials and you think they're okay, then go with him, make sure he's escorted, or get someone else to escort him; don't just let them wander off around the building. This one again should be obvious, especially to the technical folk, but it isn't obvious to everyone: don't plug in thumb drives that you find lying on the floor. A very common scenario: you might see a 16 gig thumb drive on the floor, you pick it up and go "oh cool, 16 gig, that's quite a good one," you know, they're not cheap, and you might go
and plug it into your laptop, and then that could be where key loggers get installed, or worse. So when you're out and about and you're out of the organisation, just be aware of what you're saying. Pubs and bars are very bad for this: once you've had a few drinks and you're out with your colleagues you tend to start being a bit looser with the type of conversation you're having, so you might start talking about projects you're working on at the company, or you might start taking the piss out of your boss. I'm sure everyone's really professional and doesn't actually do that, but you never know who's around you listening. All it needs is someone who's deliberately targeting your company to be sitting on the next table listening in; they don't need to do anything, you're just giving them loads of information to help them build up their pretext. Shredding documents is very important, so when you've finished with your bank statements at home, don't just fling them in the bin; buy one of those small portable shredders and shred them first, because if anyone is going through your rubbish trying to find information, you've just made their life instantly harder by shredding everything. So prescriptions, bank statements, letters, anything. Again, going back to thumb drives: don't store really important, sensitive documents on thumb drives, because they're very easy to lose, they fall out of your pocket or you leave them on a train. Or if you do have to use thumb drives to store documents, make sure they're encrypted with a strong password, and don't write the password on the side of the USB thumb drive; I've seen someone do that before, it's hilarious. So if you're using company laptops they should all have drive encryption on them. Laptops are very easy to steal, probably not as easy to lose, but people do lose them, but if someone steals your laptop make sure you've got encryption on it. Macs, for example, come with encrypted drives by default. I think
Windows 10 does now, does it? Do you have to enable it? I haven't used Windows for a while. But make sure you're using some kind of full disk encryption. Larger corporations generally mandate this as well, especially in regulated environments; they have full disk encryption. Again, be aware of who's looking over your shoulder. You could be sitting on the train or the bus working on some documents for work that you need to get done for tomorrow, but do you know who's sitting behind you and looking at your screen, or sitting next to you? Maybe you've got important sales figures or source code or anything on your screen; you think you're being good by working on the train, but actually anyone could be looking at what you're doing. And a final one for personal mitigation techniques is educate yourself, by going to talks like this, reading some of the book resources I'm going to put up at the end. There's lots of really good stuff on YouTube as well about social engineering which is very insightful, as well as resources like Pluralsight; this course is on there as well.

So we've talked about personal mitigation techniques, so what about corporate mitigation? What should companies be doing? One thing that companies should do is start identifying what information assets are most valuable and marking them accordingly. So what do we mean by this? I mean using information coding. So if you've got documents that are marked with green, okay for release, then you know that they're okay to be in the public domain, and that's okay. Then you could have amber, release only with authorisation; if you have that on the front cover it's an immediate flag that okay, I can't just go sending this document off unless I get permission from someone higher up in the company. Right the way down to red, which is confidential, do not release: very sensitive commercial documents which should never leave the building. So by
doing a very simple thing, by information coding all of your documents on the front page, it becomes very obvious what you can and can't do with those documents. So if your company doesn't have this, I mean generally large companies do have corporate security policies, but if you're in a smaller company that doesn't, it's a good idea to get them written. They're not the most interesting of documents, granted, but it is important to have them, and a good place to start is actually on this website here, so sans.org has a load of open-source templates which you can use to kickstart your own security policy documents. But once you've written them, obviously if you just have 10 or 20 documents you can't really expect your staff to sit down and read them all, because they won't, so you need to follow that up with suitable training as well. I don't know how it works in Australia, but in the UK, when you have regulated financial companies, you have to have training plans in place annually to take people through all the key highlights of the security policies. So it's important to have these written down, because if you do have to dismiss someone for breaking the security policy, you've then got that document that you can refer back to. And as an organisation you should be keeping your software regularly patched and updated. It goes without saying, we're all technical in this room, it's very important, but if you don't do this it leads to exploits and vulnerabilities being launched against your network. So everyone's heard about the WannaCry virus that went around not so long ago and caused absolute chaos in the UK, especially around our National Health Service, because they hadn't patched all of their machines, so they were still running Windows XP, old copies of Windows XP that weren't patched up to the latest version, so it made it very easy for that exploit to get passed around. So going back to document shredding, if you're in a larger company then hiring in
one of those document shredding services is very useful you know where you get the confidential waste boxes anything you finish we've just put them in there if it's paper and then they get professionally shredded and disposed of companies are is it talking about dumpster diving companies are a good target for people go through the bins just because there's an absolute goldmine of information if you've got a hundred members of staff and it will fry and stuff in the bins just imagine what information you're gonna find so this one then so you know never assume that your company is too small to be a target if your company is quite small the chances are you're more likely to be a target you'll be easier to infiltrate so never go on the assumption that this isn't gonna happen to you because it probably will okay so I said I said this talk would be nice and easy so we've covered most of it so in summary then so social engineering is the act of influence in someone's take an action that may not be in their best interests yeah you're trying to get people to do something that's not good and you're using lots of manipulation techniques to try and do that we talks about the different types of social engineers that are out there ranging from your more typical hackers your legitimate penetration testers fruit all these different types of people including recruiters they're one of my hated ones so why social engineering again it consistently works it's very easy to do it's you know generally easier to try and get information out of someone than it is to try and break into their network people are the biggest risk in your company so as we said before you could be spending hundreds of thousands of dollars on firewalls and intrusion detection systems but all of that which is good you shouldn't stop doing that but your people in your organization is still your weakest link so having good training about how to mitigate social engineering is very valuable because it stops those people 
doing something stupid and again it's the path to least resistance so if you can get someone to give up a password he's generally are not easier than trying to score yourself a data breach and in trying to hack all of the passwords are brute force all of the passwords so we went through the the four stages of social engineering so information gathering pretexting which is about taking on a persona to convince someone that you're someone else elicitation which is then using that persona as a way of getting information from people without directly asking for it and then we looked at some different manipulation techniques that you can use like the fear and relief technique footing the door technique there's many many more so we've just covered some of the the common ones and then we followed up with some personal and corporate mitigation as we've seen a lot of them are actually kind of very obvious and common sense things you need to do like asking for ID for any visitors who come in the building don't know people roam around free in the building shredding documents not just frying them in the bins they're all very common-sense but they're but they're very very important okay so some resources which you might want to read if you're interested in this subject so we've got the the free kevin Mitnick books which are highlighted at the beginning so artur deception and the art of intrusion both absolutely fantastic reads you'll find and difficult to put down when you start reading them and then there's a ghost in the wires which is Kevin's biography again it's a fascinating read just looking at some of the things you got up to this book here is kind of considered the Bible of social engineering the art of human hacking it's a it's not an easy read it's about 800 pages long but the amount of detail that book goes into is is absolutely fascinating if you want to go further this one here what everybody is saying by Joe Navarro he's an ex-fbi interrogator and it's all about 
how to read people's body language to tell if they're lying it's a fantastic book so if you're talking to someone and they're sitting there rubbing their hands for example a lot that's kind of a sign that they're nervous or if I sit in their steepling with their hands like that as a sign of confidence he goes through lots of these different techniques which I've used in interrogations against murderers to try and work out they're lying or not so fascinating hey that's it so thank you for coming along my name is stephen haunts and the co-founder and CTO for small payments company new UK called louder pay and I'm also an author on Pluralsight so I've got a course coming out soon which kind of covers the same subjects of what we've been talking about today let's do out sometime in September and I'm a regular speaker a lot of these events I've done the vast majority the NDC events now and I've spoken in Belgium and Poland other sorts of countries like that and also we run a dotnet user group back in the UK called Derbyshire net so if anyone happens to everyone to travel to heaven a half thousand miles to the UK and then get a four-hour train up to a centre of the UK and feel free to come along on the last Thursday of every month to my user group you'll be welcome I'll also buy you a beer for going to that level of effort as well so thank you very much everyone I hope you're not made you too paranoid and die you're not going to get a coffee thank you [Applause]