We have our speeches right now. We have Kate Mullins, our first speaker. She's an influential security practitioner with more than 30 years of experience in various areas such as accounting, audit, risk, governance. We can go on and on. She's also been the CISO at various organizations. So what we're going to do is give her our attention, and we're going to see her give this speech on social engineering from a CISO's perspective. Kate?

Thank you, everyone. So what I'm going to be talking about is bringing social engineering into an organization and how a CISO can either bring it into the organization as a role within the organization or contract an external social engineering function. And the great thing about this is social engineering is a key and critical element, and we'll be discussing why.

So let's talk a little bit about what a CISO is and what it is not. The CISO role has been developing over the years, and part of the problem with the CISO role is it was originally founded in IT and is now moving outside of the IT role because it is now more about data and data governance. So the CISO role is a governance role, and what they look at is risk and risk acceptance and risk tolerance, and that risk is also opportunity risk: making sure that the business is growing and doing new things while limiting the computer security risk. The CISO is also usually responsible for computer incident response as well as security awareness training and a long list of other things.

So one of the things we look at is how the human brain functions and how the human brain looks at risk and accepts risk, because when you're trying to bring new programs into an organization and fund those new programs and fund a social engineering program, one of the big questions is why should we do this, and human beings are so poor at defining which risks are good risks and which risks are bad risks.
And this has been going on for a very long time, because our brains are more used to looking at what is a risk from the primitive brain. So people are afraid of sharks. Not everybody in the room is afraid of sharks. There are a few here that actually like them, but most people are afraid of sharks. In the United States every year about one in, what is it, 1.5 million people will be attacked by sharks, and that is of the people that actually go near the water. So people who are landlocked do not have to worry about this. People are actually less afraid of lightning, and lightning is more likely to be a problem, because if you look at it, 1 in 700,000 people in a year are going to be struck by lightning. And it is actually even more common, over the length of time, that you are actually going to be a victim of a snake bite if you are here in the United States. But of those 1 in 8,000 people who might be bitten by a snake, by the way, only four of them are likely to die. So again we start going through and looking at what risks people are afraid of, what things they will and will not do. So how many of you took a car in any way, shape or form to get here today? How about to get here from the airport? Did you get in a lift? So in this state about 1 in 5,000 people in a given year are going to be in a fatal accident. Not that they are going to be the victim, but that is the stats. People aren't afraid of getting in cars. Maybe they should be.

So when we talk about information security programs, information security programs are actually based on trust. And trust is making sure that people will actually effect change, and in order to get them to effect change the CISO is building relationships, and they are building relationships throughout the organization, and they are trying to build credibility: this is why we are doing this and what we are doing. So when we build those trust relationships, they are fragile things.
When trust is broken, it is something that very quickly we will lose. You just have to betray the trust once, and then it takes a very long time to rebuild it. So that foundational trust relationship is what we start with, and part of it is we base things on facts.

How many in the room have heard of the Verizon DBIR? For those of you who have not, I strongly suggest that when you get home you download the report. It is fascinating. Verizon has been doing this for years. It is a lot of data, and basically it is from investigations of actual incidents where organizations have been compromised. I, unfortunately, in my history have been one of the contributing organizations in a number of places that I worked. It is not about what you really want. But what happens is this is broken down by how organizations are breached, and because of that, if you are in healthcare or you are in banking or you are in government, the way that people attack you successfully and what data they're after varies. So when you go back to your organization and you want to protect your organization, you want to protect it against your threats, not the threats to other organizations. One of the problems is everybody tries to do everything, and you cannot. You have limited resources, so protect your organization from what is an actual threat.

The other thing is this conference, if you go to the other sessions outside of SE Village, is focused on the computer security risks, and they are important. But when we forget about the human element, the human element is how most breaches occur. Most breaches are actually from phishing and pretexting. And because of that, because it is the easy way, sorry, because we are human beings and they are the weakest factor, that is where we see most of the incidents.
And I really, really think that if you could please look at the DBIR, it is somewhat eye-opening, and it also helps you explain within your organization why social engineering is important, why doing penetration testing on social engineering is just as important as any other penetration test you are going to do.

Now, when you are building these relationships, when you are starting social engineering, and for those of you that watched the capture the flag, it is awesome when you do a successful vish or phish or when you do a successful physical attack on an organization. It is a head rush, it really is. But the social engineer has to take into account that these are human beings, and if you make them go to a fear factor where they are fearing for their jobs or their lives or livelihood, when they feel like, oh, I was an idiot, they break the relationship with information security. And as I said, part of the CISO's role is computer incident response. And if people don't report incidents, you can't repair the damage quickly. And repairing the damage quickly is the difference between a successful ongoing business and a failed business. So having a trust relationship between the social engineering function and the rest of the information security function is important. And having a trust relationship between social engineering and the rest of the organization is important.

So before you do anything, it is important to get baselines. And usually your first social engineering exercises are actually going to help you develop those baselines. And then it's getting metrics and reporting what that information is and what it means. Because it's not just what the click rate is. It is not how successful people are at vishing. It is how fast did they report? Of all of the people in the capture the flag exercises over the course of this week, how many of them, after they hung up the phone, went, ooh, that wasn't right?
How many of them called up and said, I think I may have had a problem, I think I may have done something wrong? Or how many of them are afraid and do not report that information?

So I like to start social engineering functions and engagements using OSINT Lite. Because when you start doing social engineering in an organization, you're doing reporting to executive management. And executive management doesn't get IT, doesn't want to get IT, doesn't need to get IT. So you're doing reporting in a way that they will understand. Now look, a lot of our OSINT comes from Instagram. But the reality is executive management for the most part is going to be an older generation. So they're not using Instagram. So saying that I found it on Instagram, they're not going to relate to it. So when you're doing your OSINT, you actually want to look at what it is that they can commonly understand. Guess what? They understand their website. And the website's a great source of information. You will very frequently find the names and titles of executives. And those are the executives that you are going to use for pretext. You're going to find out, you know, if they publish letters that the CEO signed, how does he sign his emails? Because his emails and his letter signature may likely be the same. You will be able to go and find out information about who the accounting firm is. There is a thing called an SSAE 16. There's also a new one called an SSAE 18. It's a report that accounting firms do. And those accounting firms do them about the organizations. And in them they tell critical foundational information about things like what are the critical business functions? What are critical business partners? That's also great for pretexting. And it's on their website. Not always. Sometimes some of this information is stuff you have to request through marketing departments. But it's generally there.
If it is a publicly traded company, you can just go to the SEC's website and look at a report called a 10-K. The 10-K has phenomenal information. And by presenting reports, when you're presenting your final report about your engagement, when you put in information that executive management can relate to, they understand it as business risks. And you don't actually have to really understand and have an MBA. Okay, I have one. But by getting this information, they think you do. So, you know, here, I just saved you a couple of years of education. And then use Twitter, use Facebook, use LinkedIn. Oh, in terms of the search engines you use, use whatever the corporate search engines are. Because, honestly, dealing with some executives, it's amazing that they can turn their computers on. Okay, so you want to use whatever search engine the company uses because, oh, if you use Chrome and they've only used Internet Explorer, they will shut you down. It's crazy, but it's true.

Next, phish. There's a definition that the Federal Trade Commission has for phish. So you can look it up, there are so many. I mean, look it up on Wikipedia, look it up all over the place. But basically, and I'm reading this because the people in the middle can't actually see it, it is when a scammer uses fraudulent emails or texts or copycat websites to get you to share valuable personal information. I will add that generally a phish is going to have a malicious payload or a link in order to get information. That is so important when you are starting to talk about incident response. So when you start sending out phish, please, please, please don't use fear, because you're going to destroy that trust relationship. You're going to destroy the likelihood of somebody calling in an incident. So fear does work. It really does.
And the common fear emails that you will see at work, I'm not talking about the ones that you see at home, but the common fear ones are the: oh, there's a problem with your paycheck. People care about pay. By the way, they don't work if you don't pay them. They're not that charitable. Or: your bank account has been hacked. Those types of emails are the ones that generate fear. And I have gone into organizations and had to repair the damage done by these fear phishing emails. And there are some canned programs that actually include them in the distributions. Don't use them. Don't select them. Craft your own. Don't use something that will scare an employee on a personal level, because it gets to a gut reaction. So I would always avoid them.

But what's better are the emails that are going out all the time. Because remember, you're starting by baselining. And you're trying to find out who is the individual who is going to click everything. Who is it that isn't going to read? Okay. And there are so many examples out there. And, you know, it's the: your account has been deactivated. Or your email account has been overloaded. Or any of a number of other account-related emails, where it's really funny because, you know, you'll get one about Outlook even though you're running O365 and people will still click on it. So there are tons of examples. Use the ones that actually already exist, because you really want to know who is that clicker.

The other thing the Verizon DBIR talks about is pretext. And pretext, that's the one that is really great, because you're not doing phishing. You're not dropping payloads. You are not doing a link. What you're doing is a direct interaction. These are short-term relationships with big payoffs. These are where you are sending out an email and saying you're the CEO or the CFO or some other high-level executive within the organization, and you are asking for valuable information or money. And people do it. Big companies fall for it.
There are millions of dollars lost, and valuable information, and it doesn't take a lot of work. So if you can just use that OSINT from that webpage, from the corporate website, you've got enough to do pretexting. So there is information that, for example, the FBI has sent out about these pretexting emails that were working. It is information requests from CEOs, and the problem is people don't have relationships where they would question the CEO asking for something. Now the reality is, in most organizations the CEO would never go directly to an accounts receivable or an accounts payable or a payroll clerk. You know, in a medium or larger business it doesn't happen. But when they get this email, they do it. Especially if the email is CC-ing. So an email from the CEO that appears to be CC-ing the comptroller or CFO or the tax firm or the accounting firm: people actually believe it. They don't want to jeopardize their job, so they react to it. So the common ones are: send me a copy of all of the W-2s from last year. Send me all of the payroll and salary information. And it has happened, and it has happened regularly.

Accounts receivable. I worked with an organization where an email went to an accounts receivable clerk asking for a full listing of the accounts receivables, and they responded. And it's because people are so used to just responding to an email, not actually looking up what the address is. And so the entire accounts receivable listing, which included all of the corporations that money was due from and the dollar amounts, was sent out. And when this was sent out, it was great for whoever got it, because it gave them information to do other social engineering or to actually break competitive advantage. So with those other social engineering attacks, they could go in and say to the company that owed money, we've changed our billing address. Please send this accounts receivable off to this other address.
And the companies that fall victim to this kind of stuff don't want to reach out to everybody that they owe money and admit that they did this. So there are a lot of ways that this can be a big financial loss to an organization.

Accounts payable. Very frequently at the end of the fiscal year or the end of the calendar year there is a big time crunch to get everything paid, to get it on the books. It is a perfect time to send a demand letter. So if your social engineering engagement is at that time of year, it's beautiful. So you send a demand letter very similar to the common phish that are going out there with a malicious payload. It is amazing how many people an accounts payable clerk will pass those demands to. You can go into a string of computers that way. It is a gift that keeps on giving. Part of what you want to look at is also the demand for immediate wire transfer. It works. And oh, by the way, when you're doing this as a social engineering engagement, please just gather the information. Don't actually take a wire transfer. It's really frowned upon.

Information technology. So in organizations that are doing code development or providing services, in a publicly traded company or a company that has what's called an SSAE 16, a lot of times the information is going to auditors. So going back to that website, when you see who the accounting firm is, knowing when the reporting cycle is, you can start sending information requests to information technology spoofing the accounting firm. It is amazing what data people will send. So part of a good social engineering program, what you're doing is sending targeted requests to each individual department. What is each individual department likely to fall victim to? This one-size-fits-all type of phish isn't really teaching us what it is that each department is likely to fall victim to. And it's also not teaching people what the true attacks are likely going to be.
So help the employees, help the organization, build that trust relationship.

So the newest factor that we are seeing, and you will likely see a lot of this year: how many here have heard of GDPR? Okay. So the GDPR regulations allow an individual, who is called the data subject, to request information about what data is being processed and why. Because a lot of American companies who do not have a lot of European business have not been really good about following these regulations, their responses are great. But you only have a month, not 30 days, you have a month, so February, only 28 days, you have a month to respond. And so if somebody sends a demand and an organization is not prepared, they're going to do panic responses, and panic responses tend to leak much more information. So expect to see some of those this year.

I'm not talking a lot about vish, because vishing was what Social Engineering Village was about, but I will let you know that the two best vish vectors that I have ever seen are saying that you are a cold-calling vendor, especially if you're going to lower-level employees, engineers, architects, etc., and you're saying you're trying to sell a new technology. If you flatter an ego, it is amazing what information you can get. The other is saying that you are a college or university student. College and university students, oh my gosh, it's great. You can even get into a relationship where you can say, oh well, can I just send you this document, save you some time, and fill it out, and they will respond to you in great detail telling you everything about their organization just because you said you're a student and you're writing a paper.
So what does that leave us with? Communication, communication, communication. Build relationships: build a relationship between the social engineer and information security and the organization. Do metrics. Metrics are important. Metrics mean that what you are doing is effective and you can prove it to the organization. Do things like contests between departments: how fast you report phish, okay, what is the click rate for a department. Oh, by the way, do not use individual people's names. Bad idea. In some states you can get in real trouble. But also, what is the rate to report, rates to report suspected phish, and phish are critical. The problem with that reporting is it's a lot more work, but if you can use the DBIR you can prove why it's important. And then communicate the results. Communicate how people are good, what is it they are good at recognizing, what is it they are successful at, and what is it that you are recommending for the next activity. And here's the thing: once-a-year security awareness training is never going to get you anywhere. The attacks that people are getting are continuous, so make sure that the social engineering program is continuous so that you get improvement. It never is going to be perfect. You need all of the technical security controls, but this will give you a breather.

Okay, so in summary, social engineering is a critical, critical factor that is neglected in many information security programs, but every single day we have more people that are interested, more people that are practitioners, and it is a valuable, valuable skill set. Thank you very much. Are there any questions? No questions? Yes.

So the question is, when you go to the C-suite and they say they don't want to spend the money right away. So one of the things that I like to talk about are historical attacks that were successful, and particularly if you're talking about historical attacks that were successful in that industry. So a lot of things that we've seen, so for example Anthem: when Anthem was breached, it started with
a phish. So using the DBIR is really great because it can give proof of: this has happened in our industry and this is how often. But the other thing is using real-world examples of companies that have been phished. Within health care, most of the ransomware incidents started with phish. So it's: look, this is what you are investing in the rest of the security program, and this is what it would take to invest in the social engineering program. And the thing is, you're talking about leveraging things. So you're leveraging systems like Proofpoint and other email systems, you are leveraging all of the KnowBe4s and the PhishMes and all of those others. But what happens is, if you look at combining all of this information together, your business is different, and one of the things executives like to talk about is how they are unique. So if you can explain to them that, you know, these canned programs are great, we are unique, and this is how it helps. So it's a combination of facts and uniqueness. Yes.

Okay, so the question is how do you justify taking out the fear phish in some of these campaigns. So part of it is, look, when I start a security awareness program, I am talking to my employees and I'm saying this is for you as a person, this is for you as an employee, this is to protect our customers, and this is to protect the company. And the reason why I take those out is, guess what, there are so many other phish out there to teach them. So because there are so many other phish out there to teach them, I avoid using the ones that scare them. I avoid the ones that will shut them down. I'll talk to them about them. I will use them in education campaigns, but they are not the ones they send in tests. Does that make sense? Yes. Can you repeat that? I'm sorry.

Okay, so the question is, if you're basically using the CEO's and CFO's names in the pretext emails, they're concerned about their trust relationships being broken. Part of the reason, and by the way, when I do security awareness training with
executives, I do one-on-one. I don't give them the canned program. And one of the things that I'm talking to them about is the fact that, because they don't have a personal individual relationship with their employees, their employees are the ones that are going to fall victim. So we want to talk about the risks, and again you can use the FBI's information and some of the other publicly accessible information about really large companies where this happened. So what you're doing is framing it with: we're going to be doing this phishing training, and then that communication afterwards with the results, we did this because this is real world. And then, if your CEO is giving part of the security awareness, saying, I really believe in this, and then afterwards your CEO gives a message saying, I would never do this, that is really helpful and it really reinforces it. Okay, yes.

Okay, there are so many metrics that are out there that are great to measure, but I think the most important one is response rate: how many people are sent a phish and don't report it. So one of the things you're going to measure is how many phish did you send out, how many phish got clicked, how many phish got reported, because the reporting metric is the important one. If, when something is, a password is compromised, they call right away and you reset the password, no damage done. If they never tell you, it is hideous. And it's not that you clicked on the link, it's somebody else did. If you recognize that as a problem, you are protecting the weaker employee who doesn't recognize, or who's looking on a mobile device, or is really stressed. Okay, I am out of time, but I am going to be around and answer questions, so feel free to grab me later on, and thank you very much for your time.

Thank you very much, Kate.
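As an added illustration of the department-level metrics the talk describes (click rate, report rate, time to report, contests between departments, and never reporting by individual name), here is example code that is not part of the talk; the `Delivery` record layout and the sample campaign data are constructed assumptions.

```python
"""Department-level metrics for a phishing simulation (added example, not
from the talk). Employees appear only as opaque ids and every figure is
aggregated per department, so no individual is named in the report."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Delivery:
    employee_id: str                      # opaque id, never a name
    department: str
    sent: datetime
    clicked: Optional[datetime] = None    # when the simulated link was opened
    reported: Optional[datetime] = None   # when the employee reported the email


def department_metrics(deliveries: list[Delivery]) -> dict[str, dict]:
    """Aggregate click, report and time-to-report figures per department."""
    by_dept: dict[str, list[Delivery]] = {}
    for d in deliveries:
        by_dept.setdefault(d.department, []).append(d)
    result = {}
    for dept, rows in by_dept.items():
        sent = len(rows)
        clicked = [r for r in rows if r.clicked]
        reported = [r for r in rows if r.reported]
        # Minutes from delivery to the employee's report, one entry per reporter.
        delays = [(r.reported - r.sent).total_seconds() / 60 for r in reported]
        first_click = min((r.clicked for r in clicked), default=None)
        first_report = min((r.reported for r in reported), default=None)
        result[dept] = {
            "sent": sent,
            "click_rate": round(len(clicked) / sent, 3),
            "report_rate": round(len(reported) / sent, 3),
            # Clicked and never told anyone: a real compromise would stay
            # undiscovered here, so this is the group awareness work must reach.
            "silent_click_rate": round(
                sum(1 for r in clicked if not r.reported) / sent, 3),
            "median_minutes_to_report": round(median(delays), 1) if delays else None,
            # True when the first report arrived before any click in the
            # department: one alert reporter covered the colleagues who clicked.
            "reported_before_first_click": first_report is not None
            and (first_click is None or first_report <= first_click),
        }
    return result


def rank_departments(metrics: dict[str, dict]) -> list[str]:
    """Contest order: highest report rate first; faster median report breaks ties."""
    def key(item):
        delay = item[1]["median_minutes_to_report"]
        return (-item[1]["report_rate"], float("inf") if delay is None else delay)
    return [dept for dept, _ in sorted(metrics.items(), key=key)]


# Constructed sample campaign: two departments, seven deliveries, all sent at 09:00.
T0 = datetime(2024, 1, 15, 9, 0)
MIN = timedelta(minutes=1)
SAMPLE = [
    Delivery("ap-01", "Accounts Payable", T0, clicked=T0 + 5 * MIN, reported=T0 + 7 * MIN),
    Delivery("ap-02", "Accounts Payable", T0, clicked=T0 + 12 * MIN),
    Delivery("ap-03", "Accounts Payable", T0, reported=T0 + 3 * MIN),
    Delivery("ap-04", "Accounts Payable", T0),
    Delivery("eng-01", "Engineering", T0, clicked=T0 + 2 * MIN),
    Delivery("eng-02", "Engineering", T0, reported=T0 + 20 * MIN),
    Delivery("eng-03", "Engineering", T0),
]

if __name__ == "__main__":
    m = department_metrics(SAMPLE)
    for dept in rank_departments(m):
        print(dept, m[dept])
```

In the constructed data the Accounts Payable reporter called in at minute 3, before the first click at minute 5, which is exactly the "one alert employee protects the weaker one" case the answer period describes.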