cyber security landscape
DESCRIPTION
Cyber Security Landscape. About me. Josh Pauli Associate Professor of Cyber Security Dakota State University (Madison, SD) 10 years and counting! . About DSU’s Programs. We have 300+ students studying: Cyber Operations (Cyber Security) Computer Science. Cyber Operations. - PowerPoint PPT PresentationTRANSCRIPT
Cyber Security Landscape
About meJosh Pauli
Associate Professor of Cyber Security
Dakota State University (Madison, SD)
10 years and counting!
About DSU’s Programs
We have 300+ students studying: Cyber Operations (Cyber Security)
Computer Science
Cyber Operations Largest degree on campus (170 / 1200)
Explosive growth in the last two years (55 in ‘11; 70 in ‘12)
Want the best and brightest regardless of computing history
A great mix of: Programming Networking Operating systems “hacking”! Ethics Critical thinking
Cyber CorpsFull ride scholarships + attractive
stipend$35,000-40,000 per year
including $20,000 stipendWork for Gov’t agencies after
graduation National Security Agency (NSA) Central Intelligence Agency (CIA) Space and Naval Warfare Systems
Command (SPAWAR)
Center of Excellence in Cyber Operations
NSA wants the most technical cyber experts
DSU was selected as 1 of 4 in the entire nation Now 8 schools
Only public institution in the nation
Only program with dedicated Cyber Ops program in the nation
Only undergraduate program in the nation
Cyber @ DSU Best Cyber Operations curriculum in the nation
Cyber Corps scholarships to save over $100,000
Top Secret security clearance before graduation
Work on the top security projects in the world
25 years old: Undergrad & Graduate degrees in Cyber Operations Top Secret government security clearance 2-3 years of experience in a Federal agency Any job you ever want anywhere you want it
Today’s Rundown1. What’s technical social engineering (TSE)?
2. Timeline of hacking
3. AV is dead! Long live AV!
4. How to prevent TSE attack
5. TSE in penetration testing
6. Q & A
What’s technical social engineering (TSE)?
TSE != traditional social engineeringIt’s NOT:
Physical impersonation Pretext calling Dumpster diving
Still good stuff; just not what we’re talking about today!
It isRelying on people being:
Gullible Greedy Dumb Naïve
And using technology own them!
What’s this “owned” you speak of?Remote code execution
Administrative rights
Key loggers
<<insert juicy payload here>>
We are actually pretty good at:Not clicking linksOpening filesVisiting websites
But it only takes 1 person!
This is why we can’t have nice things…
Timeline of hacking
That escalated quickly
Future is now
AV is dead! Long live AV!
AV is good at what it doesBut it’s not enough
Just one “layer”
Signature-based = always behind
How AV vendors work (simplified) Why security researchers giggle at this
How to prevent TSE attack
In a word: YouAnd only you!
User Awareness Training Currently a raging debate in InfoSec
Fear v. education Punish v. reinforce
TSE in penetration testing
TSE is PT; PT is TSE!“Check the box” v. “Get after it!”
TimingScopePriceSo this is red team? Who can actually do this?
Q & A