Category Archives: Cat Murdock

Ep. 114 – Finding Love with Whitney Merrill

What do you get when you mix a lawyer, crypto junkie and a romantic together? Well, none other than our guest for this month, Whitney Merrill. – Feb 11, 2019

Download

Ep. 114 – Finding Love with Whitney Merrill

Get Involved

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outtro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 114 – Finding Love with Whitney Merrill appeared first on Security Through Education.

Social-Engineer Newsletter Vol 08 – Issue 113

Train as a Social Engineer: The Value of Creating Environments 


When I am not wearing my Social Engineering (SE) hat, I am often wearing the hat of “working dog trainer.” What does this mean? It means my dogs and I train in a variety of useful areas, obedience and tracking being some of the main events. The ladies (aka my dogs) can track articles of clothing, metal, and types of plastic, all because of this training and, more importantly though less glamorous, they will sit when I ask, anywhere, no matter what. This includes if they are off-leash and a moose is barreling by (true story, thanks Colorado). You may be asking yourself, “How did she get this to occur?” And you are most likely wondering, “What does this have to do with Social Engineering?” The answers to both of these questions are the same: you must create the environments in which to learn social engineering.

The ladies sit whenever I ask because they have been trained, under a variety of escalating situations, that they follow sitting protocol no matter what. When they were puppies, they would have a leash tied to a post on one collar, and a leash in my hand on another collar. They would be told “sit,” praised, and once they had nailed that we would repeat the drill, this time with a high value toy. I’d wave the toy in front of their face, and if they tried to jump at it, I would keep them in a sit via the leash in my hand. You could see it in their faces, all they wanted was that ball. They wanted it so badly. However, they were learning that our policy is, “you sit unless you’re told to break.” 

Training Through Environment Creation

This is the same methodology that should be applied to learning to be a social engineer and, if this applies to you, to social engineering awareness training within your company. I created the environment and events that were used to train the dogs. I introduced the high-value toy and put them in a situation where they were tempted to break policy and, instead, were taught how to behave in that situation, a behavior that would later be applied in more intense situations.

This practice can be applied to so many elements in life, including your journey to becoming an SE and, for those of you managing security teams, your vishing, phishing, and red teaming programs. On the corporate side, you have heard from my colleague Ryan about the value of creating strong and properly executed phishing and impersonation programs that increase in difficulty over time at a pace appropriate for the skill level of your user base. If you work with security training programs, I cannot stress enough the value of creating the correct environments to learn social engineering. These environments should use escalating, real-world events to test your user base against common social engineering attack vectors. However, what do you do to train yourself as a social engineer? To do this effectively, you must create the environment in which you test and train the skills you need to grow to your next level of SE. Let’s explore how to do this for ourselves to improve as social engineers.


Creating Your Own Environments to Learn Social Engineering 

If you are looking to enter the field of SE, you must first assess the requirements for the role and your current skill level. Social engineers need many skills, but a few important ones are human interaction, reacting quickly in unfamiliar situations, critical thinking, ego suspension, and a constant desire to reassess, grow, and try new things. These skills are not often viewed as hard skills, but they can absolutely be trained like them. 

If you are looking to practice your SE skills, you will need to create the environment in which you can learn. Even if your company runs a great security awareness program, that is teaching you the defense against SE. How do you train for your debut as the SE on the red team? Try some of the following drills by creating events and environments where you must exercise the appropriate skillsets:

  • Physical environments: Pick a venue and, if this drill is new to you, you can choose one that is familiar. Decide on an informational flag to get from strangers. Start easy with things like, what did they do today, where do they work, what is their name? Over time, begin choosing more challenging, less familiar environments for this drill and increase the sensitivity of the flag you are going for. Practice asking specific questions of unfamiliar people in unfamiliar situations and increase your own difficulty over time.
    DISCLAIMER: Remember – our goal as white hat social engineers is to leave others feeling better for having met us, per the SE code of ethics. Do not seek to obtain sensitive PII. Try questions that escalate in emotional depth and non-PII informational content.  
  • Mental environments: Challenge your version of comfortable. This practices ego suspension. Have you ever seen something and immediately felt resistant? Perhaps an article from a publication you typically don’t agree with, or an opposing opinion piece on a topic you are passionate about. When you feel yourself think, “no – I won’t read that for X reason,” do it anyway. Enter with an open mind and challenge your status quo. This job does that all the time.
  • Learning environments: Take an improv class. This can teach you to react in unfamiliar situations and think through conversational pathways on the fly. 

While attempting any of these drills, take notes on the interactions and environment. Was there anything that you could have improved upon? Was there an opportunity for rapport building you didn’t capitalize on? Could you have used an influence principle to better effect? Would a different setting have changed things? How? Analyze your own behavior and identify your areas for improvement.

Like the pups, we all benefit from creating real-world events that escalate in difficulty over time in which we can practice our training and skills. It’s better to learn in controlled environments before game-time comes in the real world. Does creating your own training environment seem daunting? We’ve got you covered! Our courses are designed to do just this – provide real world training environments for current and future SEs. Blood, sweat, tears, and countless hours of work have been invested by the great folks here at SECOM to create the following amazing courses:

  • Advanced Open Source Intelligence, next offered April 23-24, 2019 in Denver, CO, will teach you OSINT skills and allow you to apply them in practical challenges.
  • Advanced Practical Social Engineering (APSE) in Bristol, UK May 13-17 and Aug 3-6 at Black Hat USA offers amazing instructional content and specifically curated homework to improve your social engineering.  
  • Masters Level Social Engineering (MLSE) is available to APSE alums where you will practice physical entry and extreme social engineering skills. This course is full for 2019 so get into a 2019 APSE course to be eligible in 2020. 

Ready to practice your SE skills at the next level? Registration is now open for the SECTF at DEF CON 27!! Sign up now and start creating your amazing video so we can get to know you. 

Get out there, create some learning environments, and become better SEs!

Written By: Cat Murdock
Twitter: @CatMurd0ck 

Sources:
https://twitter.com/search?q=joemontmania

https://www.social-engineer.com/what-is-critical-thinking/
https://www.social-engineer.com/in-2019-test-impersonation-attacks/
https://www.social-engineer.com/not-all-phishing-programs-are-created-equal/
https://www.influenceatwork.com/principles-of-persuasion/
https://www.social-engineer.org/sevillage-def-con/the-sectf/
https://www.blackhat.com/us-19/training/schedule/index.html#advanced-practical-social-engineering-13984
https://www.social-engineer.com/store/#!/13-17-May-2019-Advanced-Practical-Social-Engineering-Bristol-UK/p/116061101/category=0
https://www.social-engineer.com/store/#!/23-24-April-2019-Advanced-OSINT-for-Social-Engineer-Denver-Colorado/p/116061102/category=0 

The post Social-Engineer Newsletter Vol 08 – Issue 113 appeared first on Security Through Education.

Ep. 113 – Nutrition Facts for Online Information with Clint Watts

Misinformation is a powerful tool. As we enter 2019 we invite on a fascinating guest, Clint Watts, who has spent his career learning all about how to use it and how it is used. – Jan 14, 2019


Download

Ep. 113 – Nutrition Facts for Online Information with Clint Watts


The post Ep. 113 – Nutrition Facts for Online Information with Clint Watts appeared first on Security Through Education.

Ep. 112 – Catching Spies and Paying Parking Tickets with Joe Navarro

Almost 100 episodes have passed and we finally get one of our all time favorite guests back on the show – Joe Navarro. His new book is literally THE encyclopedia of body language and we must discuss it. Join us – Dec 10, 2018


Download

Ep. 112 – Catching Spies and Paying Parking Tickets with Joe Navarro


The post Ep. 112 – Catching Spies and Paying Parking Tickets with Joe Navarro appeared first on Security Through Education.

Social-Engineer Newsletter Vol 08 – Issue 109

Teach Early, Teach Often: Cybersecurity Education for Children

This month marks the 15-year anniversary of Cybersecurity Awareness Month in the United States, and it is an important time to remember the systems we protect as well as the social systems that affect them. According to National Cyber Security Awareness Month (NCSAM), their theme this year is that “Cybersecurity is our shared responsibility and we all must work together to improve our Nation’s cybersecurity.” This message really resonates with the team here at SEORG, and with me in particular. We spend our days and our careers helping clients, friends, and family improve their security posture. We look to provide our clients with tangible data to guide them in the security education of their staff. The human endpoints are often the hardest to secure, as each human learns in different ways, some need more instruction than others, and they have varying degrees of prior information security and systems knowledge. This last point is critical: to date, the world over, there is little regular exposure to STEM and cybersecurity in educational systems.

Adults in the information security industry could have entered their roles better prepared had educational systems provided a curriculum that mirrored real-world needs, through an increased focus on STEM and the accompanying cybersecurity education that users of technology should, ideally, receive. So, while we are teaching our adult learners to improve their security stance, let us not forget about the needs of children, and the positive, lasting effects of exposing them to technology, engineering, and cybersecurity skills early and often. Exposing young minds to quality STEM and cybersecurity education will strengthen all of our companies and human endpoints, but failing to provide this instruction to today’s youth will result in a workforce that struggles to keep up with the information security needs of the future.

Connecting education and information security

Children today will be the information security professionals who will secure our retirement, secure our increasingly connected healthcare systems, and inherit our digital world. We must begin preparing them from elementary school ages for the ever-quickening pace of technology, and the security needs that come with it. Unfortunately, this is not the status quo in many schools across the globe and that may not change within education systems themselves for many years. While some schools and nations provide better technology programs to children than others, the vast majority of students the world over are not receiving early education on cybersecurity and STEM related skills. This will leave our young learners and future leaders at a disadvantage in the future work force.

Unfortunately, many young students are victims of the ever-broadening “opportunity gap,” or the fact that being born into certain zip codes and societal constructs negatively affects the educational opportunity and lifelong opportunity of children. While this phrase is often used in terms of America’s school systems, the concept of the opportunity gap affects students and children globally. Many students are not receiving early or regular exposure to a quality science, technology, engineering, and mathematics (STEM) curriculum that provides the foundation for cybersecurity education and an understanding of information systems.

Networks, organizations, and security departments are all systems. These systems recruit their human endpoints, their people, directly from educational systems; educational systems that desperately underserve many students, thus widening the current opportunity gap. The information security industry will struggle to secure its people as long as they come out of systems that are under-preparing them for the modern world and modern opportunities. And yet, despite a lack of exposure, children are some of the best and most determined little hackers I have ever met.

Immediately after college, I taught 4th and 6th grade math and science in a rural school district in eastern Arkansas as a corps member with Teach for America. The concept of the program is to take individuals with proven track records of success, either in their academic or professional careers, and train them to teach in low-performing school districts quickly. Corps members make a two-year commitment, and then return to their previous careers, stay in education, or pivot to a new endeavor. The school I taught in had received a grant from Apple for all students to have access to a computer, which then required a staff member to become the IT administrator of the school so hundreds of students with computers had oversight. When the admin would release a new security protocol on the network, it would take mere days for at least one of my very young students to find a way around it and access their favorite YouTube channels and online games. The IT admin would constantly lose their blue teaming endeavors to creative, red teaming children with zero experience. Every. Single. Time.

What can you do?

Kids are hungry to learn. They are ready for challenging STEM and cybersecurity curriculum. They are ready for puzzles, cryptography, and exposure to critical thinking exercises and cybersecurity education for children, but so many of them are denied the opportunity to learn these things based on circumstances they have no control over, circumstances they were born into.

Our industry needs critical thinkers. Our industry needs diversity. Our industry needs a future with qualified professionals. Fortunately, there is a wealth of curious, diverse minds out there waiting for interesting learning opportunities. For the 15th anniversary of Cybersecurity Month, I challenge you to impart your skills to young, hungry minds. An added benefit is that many employers will allow their employees to take volunteer days, and, even if this does not apply to you, volunteering looks great on your resume and is very emotionally rewarding. To get involved, here are some ideas:

  • Volunteer to speak at a local school and/or plan interactive games to teach children about protecting their online identities, cryptography, and other cybersecurity and critical thinking skills.
  • Get involved with, or plan, outreach events like the SECTF4Kids and the SECTF4Teens that introduce children and teens to social engineering, puzzles, problem solving, and critical thinking.
  • Educate children in your nuclear and extended family early and often about cybersecurity and their online safety, as well as how the internet is connected and how information is stored. PBS offers a great learning lab aimed at teaching children and teens about securing networks and what types of information attackers are interested in.
  • Provide students and children a safe reporting environment, where if they encounter something alarming online, they have a safe place to tell a knowledgeable adult.
  • If you have children, have them work with you when updating or changing your home network. Talk them through the steps and expose them to the concepts.

It’s never too early to start teaching children the skills we wish all of our end users had. It’s never too early to start teaching children about their online safety. And it’s never too early to begin raising the industry leaders of the future.

Go forth and share your knowledge with the little people.

Written By: Cat Murdock

The post Social-Engineer Newsletter Vol 08 – Issue 109 appeared first on Security Through Education.

Ep. 110 – From SECTF to Pro SE with Whitney and Rachel

So many times we get asked how you can become a professional social engineer. This month we talk to two amazing women who were never in the industry, took a huge risk, and it paid off. Join us in this fascinating conversation with Whitney Maxwell and Rachel Tobac. – Oct 8, 2018


Download

Ep. 110 – From SECTF to Pro SE with Whitney and Rachel


The post Ep. 110 – From SECTF to Pro SE with Whitney and Rachel appeared first on Security Through Education.