Lecture Notes: Security Failures and Social Engineering

Introduction

Speaker: Jason E. Street
Objective: Discuss the importance of physical security and social engineering flaws.
Context: Real-life experiences and encounters to highlight security weaknesses.

Day Job: VP of Information Security at a financial institution
- Responsibilities: Monitor firewalls, watch IDS systems, build infrastructure, Blue Team tasks (defense).
Night Job: CIO at Stratigos Security Solutions
- Pen testing, speaking engagements, authoring "Dissecting the Hack".

Outside Industrial Park (2011): Standing for an hour, no security check despite visible suspicion.
Job Application: Overqualified, got their data instead.
Stole a car from a hotel wearing an "I'm a Liability" shirt.
- Valet handed over car without verifying identity.
Ground Zero Office: High security yet penetrable with a valid badge and a misleading shirt.

Main Fact: Always able to get in.
Rule 1: Aim to misbehave.
Rule 2: Be the bad guy.
Three Outcomes: Successful penetration, unnoticed behavior, and extraction of sensitive info.

Using simple tools to bypass security: Examples include using a pen to disable door latches.
Impersonating officials: Cloning phones, stealing badges, using forged emails on iPads.
Keyless Entry Manipulation: Finding default codes (e.g., 0000, 1234) for security locks.
Forging Emails: Making them look legitimate using urgent and political language.
Exploring Physical Vulnerabilities: Simple tricks to bypass physical security like checking for unlocked doors.

Personal Impact on Security: Involving personal items like car keys, driver's licenses, leading to potential threats against employees' families.
Creating Vulnerabilities: Not securing personal items can lead to significant security breaches.

Employee Education and Awareness: Regular training and creating awareness about securing their stuff.
No Tailgating: Preventing unauthorized entry by following others.
Empower Employees: Encourage employees to report suspicious activities by making them feel part of the security process.

Hotel Sub-Basement: Accessing secure areas by disguising as hotel guests (Pepsi pajama incident).
Kitchen Areas in Hotels: Gaining access without being questioned.
Physical Access Weaknesses: Locks without padlocks, unsecured data areas.

Use of Social Engineering for Pen Tests: Employees easily manipulated by basic techniques.
Example: Example in Malaysia where the head chef was questioned without suspicion.
Understanding Workplace Vulnerabilities: Emphasizing the role of personal and physical security.

Codewords: Establish emergency codewords for employees to use in dangerous situations.
Routine Checks: Conduct regular checks not just on equipment, but also on people's understanding of security protocols.
Limiting Information Leakage: Encourage employees not to print sensitive data unnecessarily.
Using Technology Wisely: Emphasize secure usage of technology (DLP solutions).

Education: Focus on properly educating employees to use technology securely.
Empowerment: Empower employees to contribute to the organization's security proactively.
Positive Reinforcement: Praise and acknowledge employees' efforts in maintaining security. Make it part of the organizational culture.
Breaking "Stupid Users" Mindset: Treat employees as part of the security team, not as liabilities.