2018 was an extremely intense year in the field of cybersecurity. The Verizon Data Breach Report confirmed 2,216 breaches across 65 countries. From what the experts say, we can expect 2019 to be intense as well. According to a report by Cybersecurity Ventures, it’s predicted that by 2021 cybercrime will cost the world $6 trillion annually. The report also predicts that by 2021 there will be 3.5 million unfilled cybersecurity positions. Why is there such a massive shortfall of cybersecurity professionals? In part, the answer lies in the gender gap that plagues the cybersecurity profession. Simply put, women are needed in cybersecurity.
Women Needed in Cybersecurity
In 2013, women made up only 11 percent of the global cybersecurity workforce. Jump forward five years to 2018 and a report from Cybersecurity Ventures states that women represent just 20 percent of the global workforce in cybersecurity. The gender gap is not closing quickly enough to meet the shortfall crisis of cybersecurity professionals. What can be done to encourage women to join the ranks of cybersecurity professionals? Two keys to open the cybersecurity door for women are education and environment.
The perception held by both men and women is that cybersecurity is a masculine career. Therefore, education is vital to change this perception. Education that starts early will have the most powerful impact. Parents and guardians, teach your children that both girls and boys can excel in the fields of science, technology, engineering, and mathematics. If you are the parent or guardian of a girl, encourage her to pursue a STEM curriculum. Show her that there are programs and scholarships designed to engage and promote women in cybersecurity. Helpful ideas for parents and guardians can be found in this newsletter, Teach Early, Teach Often: Cybersecurity Education for Children. A few programs and organizations that get young girls and women involved in cybersecurity are:
- AWSN – Australian Women in Security Networks
- WSC – The Women’s Society of Cyberjutsu
- Social-Engineer Capture The Flag (The SECTF)
- Masters Level Social Engineering
- Cyber First Girls
- Good girls write code
- Girls who code
- Raytheon’s Women Cyber Security Scholarship Program
- SWSIS Scholarships for Women Studying Information Security
Entering a male-dominated field can be intimidating for women. Government Technology reports on some of the issues facing women. They include: insensitivity in the workplace, the glass ceiling, and a pop culture where the images of tech workers are mostly male.
To attract and keep women in the cybersecurity field, these issues must be addressed. If you are an enterprise looking to fill cybersecurity positions, search for women to hire and promote; doing so will help shatter the glass ceiling. Additionally, broaden the imagery of cybersecurity professionals to include women. The standard picture doesn’t always have to be a guy in a hoodie, or a man in a mask, does it? Don’t simply ignore the issue of insensitivity in cybersecurity culture and the workplace. Take ownership of it and look to effect change by implementing workplace training that promotes respect. Doing so will put your enterprise in a leading position to meet the shortfall of unfilled cybersecurity positions. You will benefit by having a more diverse and innovative workforce. Commenting on the value of women in the cybersecurity field, The University of San Diego quoted this insightful comment from the NCIS, “Diversity encourages a culture where divergent opinions can be brought together to develop innovative solutions to solve some of the toughest problems our nation faces today.”
Women in cybersecurity!
Are you a woman contemplating a career in cybersecurity? If so, a go-to list of female cybersecurity professionals will motivate you. Their efforts to change the face of cybersecurity are inspirational. Here are three must-have resources:
- 10 Women in Cybersecurity You May Not Know But Should.
- From SECTF to pro SE with Rachel and Whitney
- Cybersecurity Consultant
We’re proud to say that our own @CatMurd0ck is mentioned in DarkReading’s 10 Women in Cybersecurity You May Not Know but Should. Cat received the highest OSINT score ever at the SECTF competition hosted by Social-Engineer.org. A few months later, Chris Hadnagy, CEO of Social-Engineer, LLC, hired her as a pentester and podcast panelist.
Women are needed in the cybersecurity field. The need to bridge the gender gap in cybersecurity is recognized by both corporations and government organizations. Leaders, if you are searching for great talent, don’t forget that women are an under-tapped resource!
Misinformation is a powerful tool. As we enter 2019 we invite on a fascinating guest, Clint Watts, who has spent his career learning all about how to use it and how it is used. – Jan 14, 2019
Got a great idea for an upcoming podcast? Send us a quick message on the contact form!
Enjoy the Outro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music
And check out a schedule for all our training at Social-Engineer.Com
Check out the Innocent Lives Foundation to help unmask online child predators.
The post Ep. 113 – Nutrition Facts for Online Information with Clint Watts appeared first on Security Through Education.
Social Engineering Can Make You a Better Person
When social engineering makes the headlines, it is generally as a negative term where S.E. principles are used to initiate, perpetuate, or assist a large hack that exfiltrates data or distributes ransomware. With headlines like “Social engineering at the heart of critical infrastructure attack” and “Iranian phishers bypass 2fa protection offered by Yahoo Mail and Gmail,” it is easy to see how the term has developed a negative connotation. However, here at SECOM and SEORG we utilize social engineering with the goal to “leave others better for having met [us]” while employing, practicing, and curating strong social engineering skillsets. Here, we discussed whether all social engineers are bad people and, though people rarely fall cleanly into the category of “good” or “bad,” this question is constantly being debated.
Almost a year ago, I made my newsletter debut examining how SE skills could be used in everyday life. Since then, I look for opportunities to practice my craft, improve my abilities, and be a stronger SE whenever I can. After reflecting on this last year, I can absolutely say that social engineering makes me a better person, and if you choose to social engineer as a white hat, it can make you one too.
How Social Engineering Can Make You a Better Person
As social engineers, we must quickly build rapport with our targets, maintain that rapport, and accomplish our goals without being burnt. We do this via email through phishing, phone calls through vishing, and in person via impersonation. As white hat social engineers, the skills needed to accomplish these goals effectively range from utilizing Dr. Robert Cialdini’s influence principles to awareness of vocal tone, body language, and facial expressions. Let’s examine some of the positive skills social engineering can foster:
- Reciprocity – the reciprocity principle indicates that people will want to return something, a gift, favor, information, etc., that they are given in equal or greater value. However, it is important to remember that the recipient determines the value of what they have received. To effectively use this, an SE must remember that the target needs to value whatever they are given. In personal life, this causes us to think more about what others value over what we may value. This makes us more conscientious and encourages us to prioritize the other person.
- Awareness of others – in the field, SEs are constantly looking to pick up cues from their targets. What internal jargon do they use? How do they speak? What is their body language during the interaction? Do they seem like they want to get away? Are they in a rush? This has caused me, when meeting new people, to study how they are speaking and attempt neutrality until I understand how to communicate most effectively with the person I am speaking with. Additionally, I pay attention to how they are behaving, whether they seem like they need to go, and respect their boundaries. This creates a safe space for the people you interact with.
- Speaking less and listening more – as SEs, we are usually on the hunt for information. It is challenging to get information out of someone if you’re the one doing all the talking. At home, I employ reflective questioning, allow my friends and family to get more speaking time, and work to truly listen to the information they are sharing. People appreciate when they feel heard. This will strengthen your interpersonal relationships and improve your conversation skills.
- Empathy – you never know where the other person in the conversation is coming from. They could have just gotten rough news, missed breakfast, or not had enough sleep the night before. While listening, really work to understand the perspective the individual is coming from and assume positive intent. Figuring out where a person is coming from and how they may feel connects you more closely to others.
- Patience – jumping into an engagement too hard, too fast throws your targets off. In my day-to-day life, I have a tendency to want answers RIGHT NOW. However, the value of waiting for others to get on the same page cannot be stressed enough. I am now far more inclined to lay the foundations of a conversation and then wait for the other party to address topics when they are ready.
Great resources to build social engineering and life skills
If you want to practice these skills in your daily life, as well as your career, here are some great resources to start with:
- Joe Navarro’s The Dictionary of Body Language gives many tangible examples of body language that can improve your ability to read a room.
- Dr. Paul Ekman’s micro-expressions training will help you read others’ reactions better and can be used to understand their feelings better.
- Cold reading exercises like those in Ian Rowland’s book “The Full Facts Book of Cold Reading” can help strengthen conversational skills.
- Robin Dreeke’s book “It’s not all about me: The top 10 techniques for building quick rapport with anyone” provides tangible steps to fostering good rapport.
- Chris Hadnagy’s latest book, Social Engineering: The Science of Human Hacking
- The Social-Engineer Podcast hosts great guests who explain unique skill sets and tools that are used in both life and social engineering.
The intention with which you take an action can determine the quality of that action and, broadly, whether it is “good” or “bad.” Should you use your social engineering skills to exploit individuals for your own personal gain, that action is not good. However, by practicing the skillsets of strong social engineers while attempting to leave others better for having met you, you may inadvertently realize you have grown into a better version of yourself. Social engineering can make you a better person, and I challenge you to look for opportunities to practice these skills for the benefit of others in this new year. If you are curious about how to S.E. for good, check out the Social Engineering Code of Ethics. I hope you see yourself grow in the process!
Be secure and be kind,
Written By: Cat Murdock
Security training and awareness must focus on risk scenarios that include the human element. Verizon’s 2017 Data Breach Digest found that 90 percent of data-loss incidents have a phishing or social engineering component. The cost of a data breach for both large and small to medium-size enterprises continues to rise. In addition to the financial loss there is also the reputational cost to consider. A recent PCIpay survey found that one-fifth of US consumers never return to breached brands, and an RSA survey found that 62 percent blame the company first in the event of a data breach rather than the hacker.
Companies with authentication processes, firewalls, VPNs, and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information. Security training and awareness that includes the human element is vital for enterprise survival. A simple social engineering attack, such as a phone call (vishing), can have devastating consequences.
Vishing – A Simple Yet Dangerous Social Engineering Attack Vector
Vishing, commonly known as voice phishing or phone elicitation, is quickly becoming one of the most dangerous social engineering attack vectors. Employees in customer service, sales, and HR departments are highly vulnerable to these types of attacks. Consider what happened to the Boulder Valley School District. In 2017, an attacker collected publicly available information regarding contracts between the school district and its contractor, Adolfson and Peterson Construction Company. Pretexting as an employee of the construction company, the attacker called the school district’s accounts payable department requesting that the school district change the way they pay the construction company. The accounts payable department complied and began sending payments to a fraudulent bank account the attacker had set up. The school district became aware of the theft when they started to receive late payment notices from the genuine Adolfson and Peterson Construction Company. The school district was conned out of $850,000, all due to a simple phone call. If this had been your company, how would you have fared? Are your employees trained to identify vishing attacks?
Training and Awareness Are Vital
An investment in security education, training, and awareness is vital for enterprise survival. Simulated vishing attacks are an effective way to assess your enterprise. With over 20,000 vishing calls made over the last three years, Social-Engineer, LLC analyzed the data and pinpointed clear weak points in a corporation’s security. This year, at DerbyCon 8.0, Chris Hadnagy, CEO of Social-Engineer, LLC, and Cat Murdock, a pen tester for the company, presented their findings. Three key takeaways from their analysis are:
- Vishing calls are more successful in the afternoon.
- Friday is the most vulnerable day for employees.
- HR open enrollment (for US-based clients) is the most successful pretext.
The value of simulated vishing is clear. With just those three takeaways an enterprise has actionable information to implement security improvements. As noted by Chris Hadnagy at DerbyCon, “your team will be more vulnerable on Friday.” Vishing as a Service (VaaS), such as that provided by Social-Engineer, LLC, can help in these four specific ways:
- Simulated attacks are an effective way to assess vulnerabilities.
- Extensive reporting provides actionable data about employee responses to various vishing attack scenarios.
- Identify which departments or employees are most susceptible.
- Based on results from the vishing assessment, develop a continuous assessment and training process to successfully combat vishing attacks.
Creating a culture of security must be a core value for any enterprise. With just one phone call, an enterprise can suffer devastating consequences. Invest in and implement security training and awareness that is multi-layered. Do not overlook the human element. Teach employees how to identify and respond to vishing threats.
Data breaches will happen. However, the risk and cost to your enterprise can be mitigated through effective security training and awareness that includes the human element.
The post Don’t Overlook the Human Element in Security Training and Awareness appeared first on Security Through Education.
Almost 100 episodes have passed and we finally get one of our all time favorite guests back on the show – Joe Navarro. His new book is literally THE encyclopedia of body language and we must discuss it. Join us – Dec 10, 2018
The post Ep. 112 – Catching Spies and Paying Parking Tickets with Joe Navarro appeared first on Security Through Education.
Cyber Threats, Are You Trained to Deal with Them?
As every year passes, the cyber threat landscape continues to evolve and, along with it, the need for cyber security awareness training to deal with it increases. This past year was no different. The change is that ransomware declined, crypto-mining rose, and 92 percent of malware was delivered by email, according to a CSO article. It reported that fileless malware is replacing the old .exe files that were attached to emails. Fileless attacks exploit software already installed on the victim’s computer, for example by executing in a browser plugin or through MS Office macros, or they exploit vulnerabilities in server programs to inject malicious code. This shift in threats has resulted in 1,027 breaches and over 57 million records being exposed as of the October 31, 2018 Identity Theft Resource Center (ITRC) report. When you see the change and increase in cyber threats, how trained are you and your organization to deal with them?
We see that the threats continue to advance in order to give the cyber criminals the ability to exploit the increased complexity and connectivity of critical infrastructure systems. In addition, cybersecurity risks continue to affect a company’s bottom line by driving up costs, negatively impacting revenue, and harming an organization’s ability to innovate and to gain and retain customers. With this constant evolution and risk comes a constant need for cyber security awareness training for an organization’s employees. But what makes for an effective training program that both the organization and its employees can benefit from? One that will keep the company secure and give it an acceptable return on investment (ROI)? And what about those individuals and organizations that can’t run a corporate cyber security awareness training program; what can they do to get training?
Who should receive training?
Training should be provided to anyone with access to the organization’s infrastructure. This includes new employees, longtime employees, executives, and contractors. If you allow someone access to your infrastructure, they need to receive regular training.
Why are you doing it?
The way to approach creating a successful cyber security awareness training program is to start by establishing clear and definable goals. If you’re going to do training merely for the purpose of having it or just to check a box in an audit, it is not going to have any lasting benefit for anyone. You need concrete outcomes and it needs to be a part of a long-term plan. Change in security awareness will not happen overnight.
The purpose of this training is to create a strong security culture that will breed employee engagement. In order for this to work it has to come from the top down, from the CEO all the way down the corporate ladder. To get buy-in from the C-suite, one company performed a team building exercise in which they split the executives into red and blue teams. In a gamified environment, one group performed a denial-of-service attack on the DNS server while the other had to figure out how to defend against it. (Sounds fun, right?) Once the executives are involved, all members of the organization will follow.
Remember, making a successful cyber security awareness training program involves changing the culture of the organization into a security-focused culture. Doing a CBT module once a year will not effect change; more is involved. If you were training to be a boxer or an MMA fighter, would you depend on just watching videos before entering a match? Can you imagine the outcome? The same applies to an awareness training program: real-life exposure is needed, such as using a simulation program to send real phishing emails and to do vishing, in addition to doing CBTs.
Everyone in an organization has a stake in keeping it secure. So, even though one person may be the only one officially assigned the task of running the training program, one or more senior leaders need to champion the program. This will help build confidence in the program and make it more visible. You can even involve the communications and marketing teams to help you in creating material and messaging that is engaging and captivating to your audience.
If one is going to influence change in behavior and culture and allow the training to have a lasting effect, post-training reinforcement needs to be established. Ongoing communications and content should be produced monthly not just once a year. So, build a catalog of content and available resources, build a portal where newsletters can be posted along with alerts and videos, and make the program fun.
What about the little guy?
Building a successful program takes time and resources. What should an organization do where resources are limited, or individuals who don’t get training from a corporate training program? Where time and resources are limited, start small and grow as your program gains credibility and more resources become available. Use small wins to demonstrate value. There are also plenty of free resources available. Use resources like the Social Engineering Framework, which provides plenty of examples and psychological principles of social engineering attacks, and access to tools such as the Social Engineer Toolkit that can be used to test the human element in an organization. Another free tool is the community edition of Lucy, which can run basic phishing campaigns. If you want to test your network and your users, you can use the free tools from KnowBe4. Subscribe to industry newsletters, such as this one, and follow blogs such as the Social-Engineer.org blog and the Social-Engineer.com blog, which discuss timely information on what is happening in the world of social engineering and how to be cyber security aware.
As a community we can all do our part to help in getting cyber security awareness training to others. One thing I’ve done, to help in training others that may not get the benefits of cyber security awareness training at a company, is to openly discuss with friends and family about phishing, smishing, vishing, and all aspects of social engineering attacks that they need to be aware of. The result is that many will come and show me phish they received or tell me about a call they thought was “phishy”. As you get educated, spread the word to others and this will help everyone get some cyber security awareness training.
Social engineering attacks will not be ending any time soon and they will constantly evolve. Therefore, we will always need regular cyber security awareness training to combat these attacks. Remember, your training program needs to be adaptive when dealing with the ever-changing cyber threats, and it needs to continue to train your organization how to deal with them. What is your program going to look like for 2019? Let us know.
Stay safe and secure.
Written By: Mike Hadnagy
Hi, It’s Your Bank Calling
So, you receive a call and it’s a local number or it’s the phone number of your bank. Should you answer it or let it go to voicemail? The caller ID looks familiar, so you answer. Can you trust that the person who is calling is who they say they are? Was this a sales call, a real call, or something called vishing?
Many people reason that if the number shows as a known number, then the caller is who they say they are. However, the recipient may be unaware that the caller is looking to vish them. If you are unfamiliar with what vishing is, it is defined, according to The Social Engineering Framework, as the practice of eliciting information or attempting to influence action via the telephone. Vishing can literally be described as voice phishing. The goal of vishing is similar to phishing in that it is to obtain valuable information that could contribute to the direct compromise of an organization or individual. Attackers can “spoof” their outgoing phone number to appear like a known number and pose as an authority figure, technician, or fellow employee in order to obtain sensitive information that could lead to the compromise of an organization or clean out your bank account.
Vishing has become one of the tools of choice by cybercriminals. An article from Fortune mentioned that the volume of mobile scam calls has increased from 3.7% of total calls in 2017 to 29.2% in 2018. They predict that the number will exceed 44% by early 2019.
Learn by example
To get an idea of what the scammers are doing, let’s look at some incidents that have been reported:
An article by WHNT News 19 discussed how an FBI agent’s mother fell for a call from someone pretending to be a relative who had a DUI and needed money. It also discussed how hundreds of a credit union’s clients received fraudulent calls from fraudsters spoofing bank numbers and asking them to validate their cards by providing the three numbers on the back.
Another incident involved someone claiming to be from the Woodburn, Oregon police department who called and told the victim to call a second number. That number belonged to a person who claimed to be an attorney for the police department.
The alleged attorney then directed the person to remain on the phone, go to a retail location, and buy a prepaid debit card to clear their fake warrant. When the person, being directed by the fake attorney, arrived at the store, a store employee told the person it was a scam. The phone call was then ended. The fraudulent caller used a fake caller ID showing the actual Woodburn PD number.
Some additional scams are the IRS Scam, the Kidnapping Scam, the Social Security Scam, and the Tech Support Scam:
- The IRS Scam involves someone who is pretending to be an agent of the IRS; they tell you they have a warrant for your arrest unless you pay some money immediately.
- The Kidnapping Scam is where the scammer tells you he has kidnapped a family member, and that you need to make immediate payment for their release.
- The Social Security Scam comes in many forms. One variant is where the caller poses as an SSA employee and needs personal information to round out your file. Another is you’re told that the SSA wants to increase your benefit payment but needs additional information to do so. A third variant involves a threat of stopping your Social Security benefits if you don’t give them the requested information.
- The Tech Support Scam is where the caller attempts to have you pay for fraudulent tech support. Many of my friends have dealt with this and, unfortunately, two of them even fell for the call and paid money to the scammer.
“I’ll never fall for that”
You may reason that you are too tech savvy to become a victim of a vishing call. Many think that way, and in the article Voice Phishing Scams Are Getting More Clever, Brian Krebs relates several experiences of tech savvy people who either fell for a scam or came critically close to falling for one.
What is it that makes people, even tech savvy people, fall for these calls? Let’s break down the call and see:
- The caller ID looks familiar;
- The caller is persistent, calling back multiple times, creating a sense of urgency or importance to get you to answer;
- The caller uses a pretext that sounds believable;
- The caller uses rapport and trust to convince you that everything they do and say is for your best interest;
- The caller has personal information on you that you believe only the legitimate company would know, such as the last 4 digits of your credit card or Social Security number.
When you combine all these points with the fact that the caller will do all they can to influence you into giving them the information they need, even the most tech savvy person may fall for the call.
Do I need to answer?
What should you do to keep from becoming a victim of vishing? Corporations can help their employees by including vishing training as part of their security awareness program, and by training employees to report any suspicious work calls to the appropriate team at the company. As an individual, if the call isn’t from someone in your contacts, let the call go to voicemail. You don’t have to answer every phone call. But if you really feel the need to answer the call, then apply the following strategies:
- Trust your gut. Most of the time, if a call is making you uncomfortable, realize you are probably right. Hang up and report the call.
- If the caller says they are from your bank, hang up and call the number on the back of your card.
- If the caller says he is a vendor or client, hang up and call a known number for that entity.
- If any caller asks you for PII (personal identifying information), do not give anything to an unverified caller, regardless of the threats they make.
- If you receive an urgent call from a supposed family member to whom something tragic has happened, call that family member or other close relatives to verify the story directly before you wire or send any money. (Do this even if they beg you not to.)
- Remember, scammers want to drive you to react emotionally, so if you receive a possible vishing call take pause, breathe, and take a moment to get your critical thinking back in place before you are manipulated into making a poor decision.
Keep these tips in mind as you keep your family, finances and personal information secure and safe from malicious vishers.
Stay safe and secure,
Written By: Mike Hadnagy
Teach Early, Teach Often: Cybersecurity Education for Children
This month marks the 15-year anniversary of Cybersecurity Awareness Month in the United States, and it is an important time to remember the systems we protect as well as the social systems that affect them. The National Cyber Security Awareness Month (NCSAM) theme this year is that “Cybersecurity is our shared responsibility and we all must work together to improve our Nation’s cybersecurity.” This message really resonates with the team here at SEORG, and me in particular. We spend our days and our careers helping clients, friends, and family improve their security posture. We look to provide our clients with tangible data to guide them in the security education of their staff. The human endpoints are often the hardest to secure, as each human learns in different ways, some need more instruction than others, and they have varying degrees of prior information security and systems knowledge. This last point is critical; to date, the world over, there is little regular exposure to STEM and cybersecurity in educational systems.
Adults in the information security industry could have entered their roles more prepared had educational systems provided a curriculum that mirrored real-world needs, through an increased focus on STEM and the accompanying cyber security education that users of technology should, ideally, receive. So, while we are teaching our adult learners to improve their security stance, let us not forget about the needs and the positive, lasting effects of exposing children to technology, engineering, and cybersecurity skills early and often. Exposing young minds to quality STEM and cybersecurity education will strengthen all of our companies and human endpoints, but failing to provide this instruction to today’s youth will result in a workforce that struggles to keep up with the information security needs of the future.
Connecting education and information security
Children today will be the information security professionals who will secure our retirement, secure our increasingly connected healthcare systems, and inherit our digital world. We must begin preparing them from elementary school ages for the ever-quickening pace of technology, and the security needs that come with it. Unfortunately, this is not the status quo in many schools across the globe and that may not change within education systems themselves for many years. While some schools and nations provide better technology programs to children than others, the vast majority of students the world over are not receiving early education on cybersecurity and STEM related skills. This will leave our young learners and future leaders at a disadvantage in the future work force.
Unfortunately, many young students are victims of the ever-broadening “opportunity gap,” or the fact that being born into certain zip codes and societal constructs negatively affects the educational opportunity and lifelong opportunity of children. While this phrase is often used in terms of America’s school systems, the concept of the opportunity gap affects students and children globally. Many students are not receiving early or regular exposure to quality science, technology, engineering, and mathematics (STEM) curriculum that provides the foundation for cybersecurity education and an understanding of information systems.
Networks, organizations, and security departments are all systems. These systems recruit their human endpoints, their people, directly from educational systems; educational systems that desperately underserve many students, thus widening the current opportunity gap. The information security industry will struggle to secure its people as long as they come out of systems that are under-preparing them for the modern world and modern opportunities. And yet, despite a lack of exposure, children are some of the best and most determined little hackers I have ever met.
Immediately after college, I taught 4th and 6th grade math and science in a rural school district in eastern Arkansas as a corps member with Teach for America. The concept of the program is to take individuals with proven track records of success, either in their academic or professional careers, and train them to teach in low-performing school districts quickly. Corps members make a two-year commitment, and then return to their previous careers, stay in education, or pivot to a new endeavor. The school I taught in had received a grant from Apple for all students to have access to a computer, which then required a staff member to become the IT administrator of the school so hundreds of students with computers had oversight. When the admin would release a new security protocol on the network, it would take mere days for at least one of my very young students to find a way around it and access their favorite YouTube channels and online games. The IT admin would constantly lose their blue teaming endeavors to creative, red teaming children with zero experience. Every. Single. Time.
What can you do?
Kids are hungry to learn. They are ready for challenging STEM and cybersecurity curriculum. They are ready for puzzles, cryptography, and exposure to critical thinking exercises and cybersecurity education for children, but so many of them are denied the opportunity to learn these things based on circumstances they have no control over, circumstances they were born into.
Our industry needs critical thinkers. Our industry needs diversity. Our industry needs a future with qualified professionals. Fortunately, there is a wealth of curious, diverse minds out there waiting for interesting learning opportunities. For the 15th anniversary of Cybersecurity Month, I challenge you to impart your skills to young, hungry minds. An added benefit is that many employers will allow their employees to take volunteer days, and, even if this does not apply to you, volunteering looks great on your resume and is very emotionally rewarding. To get involved, here are some ideas:
- Volunteer to speak at a local school and/or plan interactive games to teach children about protecting their online identities, cryptography, and other cybersecurity and critical thinking skills.
- Make time to work with any number of fantastic STEM programs such as Girls Who Code and Kids Interested in Technology, Engineering, and Science (KITES).
- Educate children in your nuclear and extended family early and often about cybersecurity and their online safety, as well as how the internet is connected and how information is stored. PBS offers a great learning lab aimed at teaching children and teens about securing networks and what types of information attackers are interested in.
- Provide students and children a safe reporting environment, where if they encounter something alarming online, they have a safe place to tell a knowledgeable adult.
- If you have children, have them work with you when updating or changing your home network. Talk them through the steps and expose them to the concepts.
It’s never too early to start teaching children the skills we wish all of our end users had. It’s never too early to start teaching children about their online safety. And it’s never too early to begin raising the industry leaders of the future.
Go forth and share your knowledge with the little people.
Written By: Cat Murdock
Let’s talk about it
October brought Social-Engineer to the SEVillage at DerbyCon 8.0 – Evolution, SEORG’s final SEVillage for the year, and WOW, was it an AMAZING DerbyCon. Ryan and Colin arrived Tuesday to set up shop and stuff many padfolios to prepare for their OSINT class that ran over Wednesday and Thursday. The OSINT class was Social-Engineer’s largest class EVER and it sold out in TWELVE SECONDS. Yes. You read that correctly. Our largest class sold out in 12 seconds. The students loved it, and one team even finished the final hands-on challenge in just over an hour when it usually takes multiple hours. A second team slid past the finish line in the nick of time, just before class ended on Thursday.
After class, the rest of the team rolled into Louisville, KY where DerbyCon was held at the Marriott downtown, instead of the Hyatt, for the first time. Our amazing volunteers and staff gathered together to set up the village and prep for the amazing few days to come.
Vishing data and the SECTF – Friday, October 4, 2018
Friday started for SEORG at noon when Cat Murdock and Chris Hadnagy took the Track 1 stage to present on Social-Engineer’s last three years of vishing data in their speech “IRS, HR, Microsoft and your Grandma: What they all have in common.”
Cat gets psyched about data
Did you know that Mondays are the hardest day to compromise targets via vishing by a HUGE percentage?!? On Monday, social engineers are looking at a 29% compromise ratio compared to a 58%-65% compromise ratio any other day of the week. Apparently, employees hit the ground running on Mondays, are fresh off the weekend, and ready to secure their information from SEs.
Chris and Cat drop some data knowledge
That one time Cat stole Dave’s hat but everyone got iced anyway
After the speech, the SEVillage team raced back to launch the 2nd SECTF at DerbyCon. The room was PACKED, with audience members sitting on the floor and lining the walls.
A completely packed room awaited the SECTF at DerbyCon
This year, the targets featured were large energy companies including Halliburton, Phillips 66, Devon Energy, Noble Energy, and Sunoco. While these targets were particularly challenging, and some even had systems that had to be avoided on ethical grounds for the competition’s sake, it was one of the most entertaining SECTFs to date.
DEF CON’s 2nd place winner and always amazing audience member – Rachel Tobac
All the contestants were able to get targets on the phone and elicit many flags. The competition was SO fierce, the difference between the first and second place winner was only a single flag, making for a great competition. In the end, Krittika’s amazing reporting and calls won her the first-place trophy. This means that all the winners of the SECTF prizes this year were women!!! Get it, ladies!
Our DerbyCon 1st place winner, Krittika, answering some Q&A after calls
The first competitor started the afternoon off right! Soooo many flags!
This sweet SECTF trophy finally found its forever home!
Can you fool the Polygraph, Mission SE Impossible, and Ethics – Saturday, October 5
Saturday at Derby is always an amazing day, as it starts off with the incredibly unique “Can you fool the Polygraph” challenge. Our reigning champion from 2017 began as the first competitor in this competition.
Reigning champ defends his title!
Contestants had to answer extremely uncomfortable questions while attempting to trick the polygraph machine, which has sensors measuring reactions on the chest, fingers, and even your butt. Questions ran along the lines of, “have you ever taken credit for a coworker’s accomplishments?” as well as, “do you regularly urinate in the shower?” Ultimately, our ferocious, and possibly psycho/sociopathic, competitors ended in a three-way tie!! Whaaatt….
With game faces like this, the tie was not surprising
Clearly, we couldn’t end in a tie. So, our amazing polygraph examiner created a tie breaker for us on the spot! Thanks, Jacob. The tie breaker was having the contestants answer “no” to the question, “Is it <insert day of the week here>?” Each contestant was asked five days of the week, including “Saturday,” the day the competition occurred, and they had to answer “no” to each objective question. The individual who lied the best won!
CONGRATS TO OUR WINNER SCOTT!!!
The most convincing liar of them all – Well done, Scott!
After a brief lunch break, the Village rallied for Mission SE Impossible, a staged “escape room” type competition where competitors have to shim themselves out of handcuffs and leg cuffs, pick a lock, analyze microexpressions, and traverse a laser grid produced by tiny sharks with lasers on their freakin’ heads.
No pressure or anything, but I hope he hustles with all those people watching…
Will he break free?!?! Spoiler alert – he did.
The SEVillage is family friendly, and this kid ROCKED it!
Disclaimer: No sharks were harmed in the making of MSI
Super sweet lasers in the HOUSE
Commitment to dodging those laser sharks
Our winner, squeezing through lasers on his way to victory
Ultimately, MSI ended with our winner, Rick, slamming the competition by finishing in RECORD time at 59 seconds. CONGRATULATIONS, RICK!!!!
Once MSI wrapped up, we only had one SEVillage activity remaining: a panel on Ethics in Social Engineering featuring Jamison Scheeres, Chris Silvers, Rachel Tobac, Grifter, and Chris Hadnagy. This panel was inspired by our recently released Social Engineering Code of Ethics, which, after its release, quickly became a community tool and topic. It was truly wonderful to see a packed house looking to discuss ethics in our work from 6-8PM on a Saturday.
Full house for the ethics panel
The discussion was amazing; all viewpoints and questions were compelling and deep. Ultimately, the community is made stronger when we can have tough conversations like these, where we really dig into thinking about where the tactics we use can take an emotional toll on targets while still being a necessary precaution to protect against malicious actors. A full recording of this panel is available here. #NotAPhish
The participants of the Ethics in Social Engineering Panel, Jamison, Chris S, Rachel, Grifter, and Chris H
Jamison dropping some deep thoughts
Wrap up – Sunday, October 6, 2018
Sunday, the team packed up the village and wearily found brunch in Louisville before heading to closing ceremonies, officially wrapping up the SEVillage at DerbyCon as well as all SEVillages for 2018. The weekend was truly an epic con, and we are always so grateful to be able to attend. We could not do it without our sponsor, Red Sky, or our amazing team. A huge thanks to Jim, Kris, Chris, Hannah, Evan, Spencer, Colin, Ryan, Cat, and Chris H – the weekend would literally not be possible without these wonderful individuals.
Colin manning that swag booth!
These are some great people!
Thank you all, and keep an eye out for the SECTF report that dives into the data from all our 2018 SECTF competitions!! The webinar discussing the report will be at 2PM ET on November 28. You can sign up now, and don’t forget to mark your calendars!