Practical Social Engineering Defence: Protection of Sensitive Information



Overview

This course is important for governmental or non-governmental organizations and companies handling sensitive or classified information - a powerful, high-value asset that attracts many attackers.

Are the managers and employees handling this information ready to protect it and to respond to potential threats and attacks?

This program offers attendees the skills and knowledge necessary to identify potential threats and respond to them.


Target Audience

The program is beneficial to managers and employees working in companies and organizations of the public and the private sector.

No previous knowledge is required. We can tailor the course to meet specific requirements. This program can include exercises and role playing.


Duration

Half day to 2 days. We tailor the program to meet specific requirements.


Instructor

Christina Lekati, psychologist, social engineering expert. To learn about her you may visit: https://www.cyber-risk-gmbh.com/About_Christina_Lekati.html



Course Synopsis:


What Is Considered Sensitive Information?

1. What the organization vs. what the attacker considers to be valuable information.

2. Personal information.

3. Classified Information.

4. Information about the organization.


Who is the Attacker and why?

1. Possible adversaries: criminal organizations, nation states, activists, individuals, small groups, insiders.

2. Social engineering is a business, a full-time profession.

3. Selling information on the dark web.

4. Using information to sabotage operations, for reputational damage, for destruction, and more.


Social Engineering Methods for Information Harvesting.

1. Building a personal relationship with the target.

2. Human Intelligence (HUMINT).

3. Open Source Intelligence (OSINT).

4. Geospatial Intelligence (GEOINT).

5. Communications Intelligence (COMINT).

6. Special Issue: the surprising quality of intelligence gathered from inference espionage.

7. Threading them together.


Long term vs short term attack efforts.

1. Short term efforts.

2. Long term efforts: overt and covert asset cultivation.


Social Engineering (SE) Modus Operandi.

Step 1: Reconnaissance.

1. Information Harvesting.

2. In-depth OSINT: Everything that can be found about you.

3. Turning information into intelligence: how even seemingly innocent and irrelevant pieces of information are pieced together.

4. Profiling targets.

5. Selecting targets.

6. Identifying objectives.

7. Defense.


SE Modus Operandi Step 2: Pretexting.

1. Crafting a strategy based on the target’s profile.

2. Constructing the attacker’s persona.

3. Mirroring or complementing the target’s personality.

4. Cover story.

5. Tailoring the attack.

6. Defense.


SE Modus Operandi Step 3: Building a Relationship.

1. Identifying potential occasions for initiating contact.

2. Getting into the circle of awareness.

3. Initiating contact and hooking the target.

4. Building trust and credibility.

5. Their personality will match yours… almost perfectly.

6. “What are the chances! To meet someone like you”.

7. Frequent high-value contact.

8. Privilege escalation.

9. Case studies.

10. Defense.


SE Modus Operandi Step 4: Exploitation.

1. Stretching the boundaries: escalating from obtaining slightly significant pieces of information to increasingly more important ones.

2. Links, attachments and USBs with malicious code.

3. Obtaining information for other high-value targets.

4. Launching specific attacks (variety of possibilities).

5. Case studies.

6. Defense.


Frequently Used Influence Tactics.

1. Situational reframing.

2. Satisfying the target’s personal motives and interests.

3. Satisfying the target’s unmet needs.

4. Seduction techniques.

5. Mystery.

6. Familiarity and likeability.

7. The “Feel good” influence factor.

8. The “Halo Effect”.

9. Defense.


Frequently used Information Extortion Techniques.

1. Elicitation.

2. Putting the target in a trance.

3. The magnet effect: how using one piece of information can elicit more.

4. Covertly cultivating a sense of obligation to answering questions.

5. Exploiting compliance.

6. Defense.


The Social Engineer’s Target Management.

1. Targets (assets) that respond and deliver a high ROI – are to be maintained.

2. Targets that hold highly valuable information – are to be cultivated.

3. Targets that do not respond, do not deliver or are suspicious – are to be abandoned.

4. You want to be in the third category.


Frequently Used Scenarios.

1. The “Damsel in Distress”.

2. Romance Fraudsters.

3. The Rescuer.

4. Direct approach with value proposition.


Defense: Know Thyself.

1. The tendency to verify your wished-for scenario and self-induced blindness.

2. The tendency to justify your guilty actions.

3. Know your weaknesses.

4. Believing it will not happen to you.

5. We are inherently bad at detecting deceit.


Defense: Further Countermeasures.

1. Lessons from the field of counterintelligence.

2. The biggest weakness of a social engineer.

3. Using their toolkit against them.

4. Verifying claims.

5. Maintaining boundaries in communication.

6. Handling emotional triggers.

7. “The need to know” principle.

8. New hiring standards.


Attacker Detection Checklist.

Concluding Remarks.




Our Services

Cyber security is often boring for employees. We can make it exciting.


Online Training

Recorded on-demand training and live webinars.

In-house Training

Engaging training classes and workshops.

Social Engineering

Developing the human perimeter to deal with cyber threats.


For the Board

Short and comprehensive briefings for the board of directors.


Assessments

Open source intelligence (OSINT) reports and recommendations.


High Value Targets

They have the most skilled adversaries. We can help.





What is the next step?

1. You contact us.

2. We meet and discuss.

3. Our proposal.

4. Changes and approval.

5. We deliver.







Cyber Risk GmbH, Cyber Risk Awareness and Training in Switzerland, Germany, Liechtenstein