Mar 8, 2010

Announcing BruCON Training #3: Social engineering (for pentesters)

In 2007, one of the biggest diamond robberies ever took place. The thief used no violence. He used one weapon -- his charm -- to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original keys to make copies and got information on where the diamonds were. You can have all the safety and security you want, but if someone uses their charm to mislead people it won't help.

Course abstract: Social engineering attacks can have disastrous consequences, both financially and reputationally. You can have the best technical security controls in the world, from the most expensive firewall to the most sophisticated biometrics, but they will not protect you from a social engineering attack. In any security program, people are the weakest link. Social engineering tests can be used to evaluate and strengthen this link.

Like any penetration test, social engineering tests can help to identify security weaknesses that could allow your IT systems to be compromised. Such tests can:

  • Give a good indication of and even improve your staff’s level of security awareness
  • Teach your staff how to identify and deal with social engineering situations
  • Provide valuable recommendations on both security awareness and physical security

However, it can be difficult to know how to conduct a social engineering test. This two-day training course will teach participants how to conduct an ethical social engineering test, the theory behind social engineering, as well as giving recommendations on how to defend against social engineers. The course will include practical exercises and is open to anyone with an interest in social engineering.

Sharon Conheady – Biography

Sharon Conheady is a Director at First Defence Information Security in the UK where she specializes in social engineering. She has social engineered her way into dozens of organizations across the UK and abroad, including company offices, sports stadiums, government facilities and more. She has presented on social engineering at security conferences including Deepsec, Recon, BruCON, CONFidence, ISSE, ISF, SANS Secure Europe and more.

After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128-bit encryption. She holds a degree in Computer Science from Trinity College Dublin and an MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

If you see Sharon around your office, she kindly requests that you open the door to let her in.

Martin Law – Biography

Martin Law has over 19 years of security expertise and has been performing social engineering tests since 1994. He specializes in accessing datacenters by using social engineering techniques and bypassing physical security like a geeky James Bond.

Martin also undertakes investigations into actual or suspected security breaches, and specializes in the area of Information Warfare. He attempts to breach not only the logical security of systems and networks, but also the physical security of the infrastructure and buildings, including the use of social engineering when engaged in an “All-Out-Attack” against an enterprise.

“If you can't go through the firewall, go through the secretary” -- Sharon Conheady

More information on the course can be found here.
