[SecTor Review] Defending Layer 8
SecTor Keynote
Speaker: Steve Riley
Presentation (ppt)
Full Title: Defending Layer 8: How to Recognize and Combat Social Engineering
This talk was interesting, funny and informative... a great way to start the second day.
Steve took the 7-layer OSI model and turned it into a 9-layer model. He added layer 0 to the bottom, physical... but not physical like layer 1. He differentiated by referring to layer 1 as 'cyberspace' and layer 0 as 'meatspace'. Layer 0 is your physical location and your physical security... the building itself where your systems are located. The other added layer was layer 8, a layer that is traditionally added to the OSI model and referred to as the 'human layer'.
To demonstrate layer 0 problems, Steve told a story involving the move of a data center. The company had moved their data center down to street level and put it on display behind a glass window facing the street. The display included server names and IP addresses, dial-in numbers for modems, etc... It turned out some thieves noticed the display, drove a truck through the window, and grabbed the first computer they came across. That computer ended up being the company's domain controller. An hour later the company was lucky enough to get the computer back; however, instead of performing forensics... they immediately plugged it back into the network.
Steve's talk was full of stories like that one... little, funny, to-the-point stories that kept you interested and enhanced the overall presentation. I believe that the SecTor organizers are putting video, or at the very least audio, online with the presentations... for all of the keynotes so far, that will make a huge difference for those intending to go through the slide decks (which I will link to as soon as I see them posted).
Steve continued his discussion of social engineering and offered 10 tips for anyone interested in trying out social engineering. The list included:
- Be Professional.
- Be Calm.
- Know your mark.
- Do not fool a superior scammer.
- Plan your escape from your scam.
- Be a woman.
- Use watermarks.
- Make business cards and fake names.
- Manipulate the less fortunate, the unaware, and the stupid.
- Use a team if you have to.
Each of these tips came with details and descriptions... or at the very least amusing commentary.
Steve also outlined 8 types of Social Engineering 'exploits', each with an example:
- Diffusion of Responsibility - 'The VP says you won't bear any responsibility'
- Chance for ingratiation - 'Look at what you might get out of this'
- Trust Relationships - 'He's a good guy, I think I can trust him'
- Moral Duty - 'You must help me! Aren't you so mad about it?'
- Guilt - 'What, you don't want to help me?'
- Identification - 'You and I are really two of a kind, huh?'
- Desire to be helpful - 'Would you help me here, please?'
- Cooperation - 'Let's work together. We can do so much!'
Following this, along with additional stories, were steps for discovering data on your target, ways to pull off an attack, and ways to defend against an attack. It was definitely a great explanation of social engineering. I think that a lot of people walked away with a lot of useful information.
