Social Engineering Training: Deceptions and Defences

Social Engineering Course Outline

• Introduction to Social Engineering

  Evaluating the organisational risks

  • Assessing social engineering threats
  • Analysing classic case studies

  Thinking like a social engineer

  • Considering attack frameworks
  • Reviewing the methods of manipulation
  • Examining legal issues and social concerns

• Gathering Information and Intelligence

  Identifying information sources

  • Gathering information passively and actively
  • Leveraging social media
  • Exploiting Google hacking

  Collecting target information

  • Ripping information from sites with theHarvester
  • Dumpster diving for secrets and intelligence
  • Profiling users for weaknesses

  Minimising information leaks

  • Securing information leaks
  • Implementing secure disposal policies
  • Pinpointing reconnaissance probes

• Identifying Communication Models

  Profiling an information architecture

  • Implementing the Berlo communication model
  • Source
  • Message
  • Channel
  • Receiver
  • Determining communication weaknesses

  Addressing communication flaws

  • Verifying the source
  • Securing the information channel

• Assessing Elicitation Methods

  Drawing out information

  • Soliciting information
  • Interview techniques
  • Identifying elicitation tactics and goals

  Mitigating information leaks

  • Maintaining situational awareness
  • Implementing scripted responses

• Gaining Physical Access

  Circumventing physical security

  • Identifying weak types of locks
  • Bypassing electronic access controls

  Securing the environment

  • Implementing high security locks
  • Preventing lock bumping

• Impersonating Authorised Personnel

  Gaining access with a disguise

  • Identifying spoofing techniques
  • Discovering change blindness deception
  • Assessing Internet impersonation techniques

  Defending against impersonation and forgery

  • Implementing techniques to verify identity
  • Avoiding skimmers and hidden technology threats

• Employing Psychology for Persuasion

  Examining human weaknesses

  • Leveraging Cialdini’s motivation factors
  • Identifying mindlessness dangers
  • Exploring commitment and consistency vulnerability

  Compelling behaviour

  • Exploiting social proofing
  • Taking advantage of implied authority
  • Demanding action with "quid pro quo"

  Bolstering resistance to persuasion

  • Adhering to policy and rules
  • Recognising risky situations
  • Learning to interpret and then recognise

• Implementing Management Countermeasures

  Assessing social engineering vulnerabilities

  • Conducting a penetration test
  • Creating a scope of work
  • Mitigating legal issues and embarrassment

  Creating comprehensive policies

  • Establishing verification policies
  • Regulating the use of social networks
  • Delivering effective security awareness training