![Page 1: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/1.jpg)
How to Build
Efficient Security Awareness Programs
That Don’t Suck
Vlad StyranCISSP CISA OSCP
Berezha Security
![Page 2: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/2.jpg)
![Page 3: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/3.jpg)
![Page 4: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/4.jpg)
password123
![Page 5: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/5.jpg)
7eh_vveakest_l1nque!1
![Page 6: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/6.jpg)
![Page 7: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/7.jpg)
Social Engineering
Hi-tech & lo-tech human hacking
Influence principles
• Reciprocity
• Commitment
• Social proof
• Authority
• Liking
• Scarcity
![Page 8: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/8.jpg)
Anti- Social Engineering
![Page 9: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/9.jpg)
“Social engineering is cheating.”
– A CISO I once met.
![Page 10: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/10.jpg)
What next?
![Page 11: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/11.jpg)
Raise Awareness
![Page 12: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/12.jpg)
Stop trying to fix
human behavior
with tech only
![Page 13: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/13.jpg)
Give people responsibility
(back)
![Page 14: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/14.jpg)
Security isn’t always
a business problem,
but it’s always
a human problem
![Page 15: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/15.jpg)
The Tools
Fear
Incentives
Habits
![Page 16: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/16.jpg)
Fear
The key to humanity’s survival
Teaches us to deal with threats
“Dumps” precursors of dangerous events
![Page 17: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/17.jpg)
Moar Fear
We need to be told what to be afraid of
Overdose leads to phobias and disorders
Reasonable amount helps to learn
Memory needs refreshing
![Page 18: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/18.jpg)
Social Incentives
Competition:
getting ahead of others
Belonging:
getting along with others
![Page 19: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/19.jpg)
Social Incentives
Competition:
getting ahead of others
Belonging:
getting along with others
![Page 20: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/20.jpg)
Habits
1.Trigger
2.Routine
3.Reward
4.Repeat
![Page 21: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/21.jpg)
Habits
1.Trigger
2.Routine
3.Reward
4.Repeat
![Page 22: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/22.jpg)
Attack methods: phishing, impersonation, elicitation, phone pretexting, software exploits, baiting…
Influence principles: scarcity, reciprocity, social proof, authority, liking…
Security context: anything of personal or business value – privacy, access, trust, confidential data…
You receive an email with an urgent request to provide confidential data.
The pizza delivery guy is staring at you while holding a huge pile of pizza
boxes at your office door.
An "old schoolmate" you just met in the street is asking you about the
specifics of your current job.
You receive a call from a person that introduces themselves as the CEO’s
executive assistant and asks you to confirm the receipt of their previous
email and open its attachment.
An attractive, likable human is asking you to take part in an interview and
is going to compensate that with a shiny new USB drive (in hope you insert
it into your working PC later).
![Page 23: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/23.jpg)
Type of attack
+
Influence principle
⊂Security context
=
![Page 24: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/24.jpg)
![Page 25: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/25.jpg)
CASE STUDIES
![Page 26: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/26.jpg)
CASE STUDIES
![Page 27: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/27.jpg)
Human is the weakest link;by default
We can be taught security;we’re wired for that
Drive security with fear, social incentives, and habits;not money
Knowing attack types, influence principles, and security valuables is essential
![Page 28: How to Build Efficient Security Awareness Programsfiles.brucon.org/2017/006_Vlad_Styran_Security_Awareness_v3.pdf · Attack methods: phishing, impersonation, elicitation, phone pretexting,](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f57e379e3b2eb6d045ceaa5/html5/thumbnails/28.jpg)
“How to stay safe online” guide:
Text https://github.com/sapran/dontclickshit/blob/master/README_EN.md
Mind map http://www.xmind.net/m/raQ4
Contacts: https://keybase.io/sapran