I want to introduce Graham Stanforth. He is the Head of Information Security Training at DEKRA SE, Stuttgart, I assume. Okay. And this is really an interesting thing.
Actually, if you read that, it's interesting already. The headline is great.
So, how to social engineer during a physical penetration test. And I know the only time that I fell for a phishing attack of my colleagues was last year here, when I did a moderation like this. And the guy who did the presentation promised me a PDF version of his slides. And I went out and I got a mail.
Hey, here's the presentation. And this was spear phishing. This was not fair. And that's the only time you think you fell for one of these tricks, right? Exactly. I'm a security analyst. Okay. Please welcome Graham. I'm really looking forward to this "how to social engineer during a physical penetration test". That's a nice one. Thank you. Thank you. Can we start? Yeah? How much did it cost me to get you to clap? How much did it cost me to do that? You can have the best firewall, you can have all the filters that you want.
All I needed to do was clap my hands and look helpless and hope you help me and you all did. And that's what I want to talk about today. Social engineering. I want to try to see how many victims I can actually find today in this room. I have some bigger audiences I have to say. But I know there's probably about 1.5 million people online that are watching this at the moment. Is that?
Yeah, I thought so. I've been introduced already, so I don't think I need to go too far into that. I know that I'm speaking to professionals here. So I'm not really going to go into too much depth about what is information security. I do want to talk a little bit about social engineering. I'd like to look at what a social engineer actually does, what kind of methods do they use, the tactics. I'd like to show you a few illustrations. I might find a few victims today, who knows? And then I'll show you what I do apart from just being part of DEKRA and looking after information security training.
I actually do pen testing as well, which is pretty cool. I love doing it. So do you understand me okay? They gave me the death session today, you see. It's the second day after lunch. Everyone's looking forward to the coffee. We've heard it three times already in the last 15 minutes. But I bit my tongue at lunch. Have you ever done that? And I'm not sure if I'm lisping or if I'm mispronouncing things. I bit my tongue and it hurt really, really bad. And the whole time sitting at the back, I started biting it again on purpose to see if it hurts and it doesn't. Funnily enough, I don't know.
I thought I'd mention that to you. Now just a quick show of hands. Did anybody bite their tongue just now to see if it hurts or not?
Hands, be honest. Did anybody try? Normally I get one or two that actually do try that. Some smile at me. Did you try it?
No, I didn't. Okay, very good. So what is information security? First things first, it's basically not just the digital world. Everyone thinks whatever's on my computer, my server, my device, my smartphone, all this needs to be protected. We need lots of technology, artificial intelligence as well.
But no, information security also takes on board analog information, things like clear desk policy. Who could put their hand in fire and say that at home or in the office, there's no paper whatsoever on our desks? I doubt it very much. What about in people's heads? Talking in the lobby. I've been walking up and down here, listening to people talking about all kinds of stuff. It's really cool. And I even waited to see if anybody would speak to me because everyone belongs to the team here. They've all got these badges on.
I thought I'd go without a badge and then I thought I'd put my DEKRA one on. And then just for you, I think maybe I'll show you my blue one. I am actually, you know, invited. I'm supposed to be here talking. But nobody, for the last hour and a half of me walking and talking to people, nobody asked to see the badge. Just didn't happen. Maybe because I'm just so charming, I guess. So one thing we need to understand, and we need to try and tell our employees as well as people at home, is that there's no such thing as 100% security. We can always think that we're nice and safe until it goes wrong.
And once it goes wrong, that's when we identify the vulnerability and hopefully put things back into order again. And it's a constant status. It's not a project. It's a cycle. Anybody who's 27001 certified knows that it has to be continuously improved.
And again, the three influential factors are people, processes, and technology. Everybody's talking about technology. Lots of people are talking about processes. And the human factor is being completely ignored. And that's where I profit. It's pretty cool. So why is this? We're all psychological beings. We can easily be manipulated into doing things. And this is just one psychological trait that we have, the Pygmalion effect. If I put my trust into you and say, I think you can do it, this actually psychologically influences you to actually up your performance to get a better outcome.
It happens in schools. This is particularly in schools.
You know, you've got the swot that's at the front. He always puts his hand up and the teacher always gets this person to answer and they get it right. And if not, then they're perhaps corrected in a different manner. But little Tommy on the side here, he's the bottom of the drawer. Teacher never really wants to talk to that person. Gets bad grades, unfortunately. So who's going to say in our company, I trust everybody to make sure that our information is safe? We just heard lots of people fall victim to phishing. Lots of people fall victim to my social engineering skills as well.
Everyone clapped for me, didn't they? Okay. So what's the problem? We rely on these processes and technology. We always think it's somebody else's job. We rely on IT. We rely on the InfoSec team. We rely on human resources. We rely on anybody but refuse to take accountability or responsibility for our own security. Who do we have responsible for security at home? Who's responsible to make sure our local area network is safe? Do you have an IT department or do you do it? Wish everybody would do the same in the office. But we can't blame the employees all the time.
Sometimes it's just a lack of training, a lack of awareness. What's the difference? Training is teaching something new, something they didn't know before and awareness is reminding them of things they already know. Everybody knows when you sit in a car, you have to put on your seatbelt. And if you don't, the car starts to remind you, bing, bing, bing, bing.
Oh yeah, I knew this, I know it really, but I'm only going for two cases. It's okay. Negligence, not to be ignored. People just don't care maybe, or too stupid maybe, just not interested. Or maybe they're malicious, whether internal or external. Someone that didn't get the bonus, didn't get promotion, has been fired in the last couple of days. They decide, well, I'm going to cause a few problems now. The external one could be the social engineer. Someone has been tasked with either espionage or sabotage towards your organization. And then they engage you.
I want to talk about that a little bit as well. So what is social engineering? I think we all know, but basically it's the exploitation of the human factor. And I don't necessarily like the word exploitation. Anybody who's been exploited feels used. They just don't feel good. But manipulation, sometimes people don't even know that they've been manipulated. I got you to clap your hands. And then I told you exactly what I did. If I hadn't have said anything, oh, you just clapped your hands, didn't you? Do you feel bad?
No, not really. But you were manipulated. I didn't exploit you. Has anybody seen the film Catch Me If You Can? Tom Hanks and the other guy, Leonardo DiCaprio.
See, I just have to say, oh, and the other guy. And someone gives me the information I'm looking for. Leonardo DiCaprio. Thank you. In that film, Leo plays the forger, yes. But then he also plays a fantastic social engineer. And he manages, just by gathering information, to morph into several personas that give him all kinds of jobs. What personas did he get into? He pretended to be a pilot. Started flying for American Airways or whatever they were called. He was a federal agent. In the stress situation, he just morphed into the federal agent and managed to get away. Managed to improvise.
He was a teacher. Yeah, some kid bumped into him and then he thought, oh, I'll be the teacher and get this guy to read in front of the class. A doctor. Just watched a couple of films. A lawyer. He tried all kinds of things and was successful. It's based on a true story. Frank Abagnale. Ouch. So trying to socially engineer your way into a certain environment is basically what I do as well. And we have steps, of course. These seven steps.
First, pre-assessment. Normally a meeting with whoever. We do this internally. So at DEKRA. We're in 60 countries. We have lots of offices. Lots of employees. And I think there's about 4.5 billion reasons why somebody might want to attack DEKRA. So we need to make sure that our people are aware. And we pre-engage. Then we do reconnaissance to try and find out what are the weak spots. If I do this with customers, normally the biggest weak spots are the smoking areas. So people tend to go outside. They smoke. They talk. Somebody charming comes up and starts talking to them. I'm new here.
Do you know where this is and where that is? Or where's my card? And they let me in. Or the canteen. Canteen's a good one as well. You can always observe whether it's an internal canteen or an external one. Some people have to leave certain offices. If it's winter, they've got their big jackets. You just have to go into the canteen and see who's got a jacket, who hasn't. And then follow them. They'll usually leave the door open for you. They'll hold it open until you are safely inside. Very kind of them. Once we've got these vulnerabilities identified, we then exploit them.
Post-exploitation is where we sort of review what's actually done. Then we report in a document and also give a presentation, such as I'm doing now. I'll also give you some insights of one of the tests I did before. And then a year later, normally, we do a retest. And being in 60 countries, I tend to travel quite a lot. It's pretty cool. So does the team. So pre-texting, I've just mentioned. Leonardo DiCaprio played Frank Abagnale. He created a fictitious but believable scenario. He acted and morphed into that role.
He managed, just by gathering information, to create this persona that was believable, which I think was actually pretty cool. And he used numerous tactics to try and get in there. So we are psychologically programmed to actually fall into these tricks.
Now, these are not vulnerabilities. These are actually pretty good traits that we have. We tend to follow this theory of reciprocity. If I offer somebody something, sometimes they feel guilty and want to try it with friends. Go in and put your hand out. And they'll automatically give you their hand, because they want to be polite. They want to be nice. It's just a very basic way of showing that we tend to want to reciprocate what it is that we're being offered. We like to commit to things. God forbid we ever say, I'm going to stop smoking. I'm going to run a marathon. I'm going to lose weight.
You say it. You feel committed to it now. Because a week later, two weeks later, somebody that heard it is going to say, how's the marathon training going? And they're going to go, I'm on a break at the moment. Social proof. Everybody's done it, except you. You see it. People walking in this direction, the right direction is that way, but they still go. They've tested this at traffic lights. They just had a normal guy at red, and he walks over. Nobody follows. Then they had another guy, the very same guy, in an Armani suit, with a briefcase, with a watch. Walks over red. People follow him. Wow.
They did the same test with the same guy, walking up to people. He was in plain clothes.
Said, can I see your ID, please? Nobody would give him the ID. The same person changed into a uniform that's very clearly fake. People showed their ID. Just a badge here, Sheriff. People follow.
Authority, liking, scarcity, lots of good things to follow. The tricks that are in there, I'm not going to go through all of them, but reverse social engineering, techie talk, phishing, we've just heard about spear phishing, vishing, water-holing, quid pro quo.
Oh, I found a USB stick. Let me just put it into my USB port. Let's see if that works. More such as shoulder surfing, piggybacking. James Bond is good at that, isn't he? He follows somebody and just walks into the secure area of some building because somebody lets the door slowly close. Ouch. Neuro-linguistic programming. I tried that with you. I said I'd bitten my tongue to see if you would fall for it. You didn't really do it. Let's try something else, see if I can get some victims again. Can everybody play again? Touch your forehead. Everybody touch their forehead. Let's play the game.
Touch your forehead. Touch your forehead. You're not touching your forehead. Touch your forehead. Touch your chest. Very good. Touch your wrist.
Okay, that's your elbow. Your wrist is here. This is your elbow. So I'm programming you to do this. You're not listening to what I'm saying. Touch your wrist. Just follow what I was doing visually. So some illustrations. I see my clock is running down here, so I better hurry up. I do travel. This was in Africa. On the left, I think that was Ethiopia. As you can see here, if I click again, it says computer room, authorized personnel only, but it's open, so I could walk in there very easily. The next one was in Kenya. They have some technology involved here, so identity and access management.
You need a card to actually buzz through this door, but the door's wide open. I didn't need anything. I could just walk through. This would never happen here, would it? Would this happen here in your organization? Nah. There you go. I went to some ministries here in Germany, and I was surprised also. They've got technology there. I can see it. Door wide open. Ouch. This technology is actually a bit more impressive than the one I saw before with cameras and speak and everything, but no, the door's open.
I thought, this is a one-off, so I went downstairs and found the next door here. Open. Again.
This time, just to make sure that I can really go through, what they did is they had a wooden wedge there to make sure that the door cannot close so that I can definitely go in and have a look around your offices. Fantastic. Let's try another one. I'm going to give you some numbers up here. All you have to do is add them up in your brain, and when I expect an answer from you, you just shout out the answer into the room so everybody can hear your answer. Do we understand what we're doing? It's not difficult. It's not Einstein.
Just add the numbers and then give me the answer that you have in your brain. Let's go. Add up. Answer? Answer? Excuse me?
5,000? 5,000? Who says 5,000? Hand up.
5,000? Does anybody say 4,100?
Yeah, you said 4,100 because I didn't hear you. I asked you to shout out. Nobody did. Who said 5,000 again?
No, it wasn't me. Doesn't it feel bad if we're exploited? The slope to simplicity, that's the way we are. It's got nothing to do with intelligence. It's just we like to see the world the way we like to see it and not the way it really is. 40 plus 30 plus 20 plus 10 is 100.
At the 4,000 is 4,100 but I put you in the 1,000 category and around the 20 you already saw the pattern that I was giving to you. You expected the 1,000. You expected the 10 and you rounded up automatically in your brain and said 5,000. Wrong. You don't work in accounting, do you? Children are fantastic at social engineering. Pretty cool, huh? Theory of contrast. He comes to me with a big, big problem. I start to worry and then he defuses the whole situation by telling me, no, I just failed my maths exam.
If he'd have come with maths exam initially, there's no more computer games, there's no more phone, no more meeting friends. Now he's just getting hugs because I know the world could be so much more difficult. So what did I do? And I don't have very much time.
In fact, I'm going over time now. We had a look at these seven steps and I tried to morph into perhaps a DEKRA individual, and DEKRA is well known within the TIC industry, so we do testing, inspection and certification. So I could put my cap on. It is Kermit the Frog, but nonetheless I have one of these made-up badges, the same as any other badge that I might be wearing. As soon as you've got one of these, you belong to the team, you can walk anywhere, especially if you have a clipboard. You've got a clipboard, then this guy knows what he's doing. Let's open the door for this person.
So I need to then start accessing exactly those words. So access, access, access at three different levels. The first access is to access a physical environment, an infrastructure, your building, your department, your office, something I can walk into. Then when I'm in, I then go for the second access, which is I'm looking for a vector, like a device, a smartphone, maybe a computer that's not been locked. People forget Windows+L. Maybe I'll find a photocopier with information, pieces of paper that are in there. I'll go into a conference room.
I'm looking for an open cupboard where I might find lots of folders with analog information in there. Once I've found these, I then go for the third access, which is access to the information itself. So A-A-A. Access to infrastructure, access to a device or something that holds information, and then access to the information itself. Sometimes it will be photographed and then replaced. Nobody ever knew that it's gone missing, that it's been photographed.
CIA, we know CIA, don't we? Confidentiality, integrity, availability. They're all damaged as soon as I have the three A's. But I'm pretty good at it, so I look like I belong there. I start observing the buildings. They've got technology, they've got everything, but I do manage to get in, which is pretty cool. It's always the door that slowly closes despite the IAM system that's there. I start walking up and down corridors, trying to avoid people. If they look at me or if they find me, I start looking for things to do with an emergency.
If it's fire, I start looking up here, checking with my clipboard. People think I'm there to test and see if everything's okay. Is there an extinguisher in here somewhere? I'll start asking people, is there an extinguisher somewhere here? I need to go and have a look at it. And they'll send me in the right direction. It's pretty cool. I try to look for these bins. You wouldn't believe how many of these bins I find. They're actually open. This is for confidential information in paper form. That's supposed to be then taken, shredded or molted or whatever, by an organisation.
Sometimes they leave keys in there that's open. It's not really closed properly. See if I can gain access to your digital infrastructure by looking at your Wi-Fi. These are pretty cool, pigeonholes. Has anybody ever found a piece of paper that somebody just left on the photocopier? I'm sure you have. Very interesting for people like me. Conference rooms. Excellent analogue information on flip charts, on whiteboards. These are all photographs. This is real life pen tests. I can find folders everywhere, particularly at lunchtime. People leave, closed door policy, not always present.
I can go onto desks and see desks. I find these devices. I can sometimes find identity cards, access management cards, a toggle. This was in IT. This was an IT department. Access all over the place. I photographed it but left it.
I know, I'm nearly finished. It's putting me under pressure now. I'm looking for computers that perhaps have not been secured with Windows+L. Seeing if I can adapt something. Analogue information. This person here is a bit too messy for me. I thought this office was way better. Much easier to organise my attack. Stuff that's on the wall there. Computers. These are all Excel spreadsheets. This is the money. This was board of directors level. I could just walk in. I seem to belong there. That's fine. I can take photographs and so on. Guess what's on these little post-its there?
It wasn't a password, but it doesn't surprise me. Just because you have a 27001 certificate hanging on the wall, that's all you have. It's a piece of paper hanging on the wall saying that you have a functioning information security management system. It's all documented and constantly being updated and constantly being improved. It doesn't mean that you are safe. It just shows that you're taking it seriously, which is pretty good. Even if you have reminders on the wall telling you, oh, if you see somebody in the corridor, speak to them and ask if you can help them. Didn't happen to me today.
Don't leave paper here. Did you print something? All this information on the wall, and I still manage to get absolutely everywhere. What do we need? I'm not going to spend too much time on here because I don't have any time. The next speaker is going to talk about this. Training employees. Standard framework. You can read it all. I'm sure the next speaker is going to go into more depth about this kind of stuff. One thing I'll leave you with is that sometimes the threat is invisible. We cannot see it. There was an admission here that I fell for phishing, well, once. It might have been more.
Who knows? This young man, he needs some awareness, maybe some training or at least to be made aware that there is a threat here, a problem. He cannot see it, but it is a threat and it is a problem. This is what we need to do with our employees, with your employees, with ourselves. Take on accountability. I'm glad nobody fell asleep and you all played the ball. Thank you very much for your time. That was brilliant. Thank you very much. Thank you very much. That's the reason why I stood up that late. So it was really great. Thank you.
Okay, cool. Thank you. So I don't want, I won't.