How do cyber criminals go about a hacking attack and how easy is it to capture sensitive data? As the saying goes, "Keep your friends close, but your enemies closer," we take a look at how hackers and social engineers work with social pentester Graham Stanforth.
It's McAfee. They came up with a number of how much damage is caused within this cyber world, and it's actually reached lots of zeros at the moment. So we're on a trillion already, which is a huge boost from what it was the last time they did the survey in 2018. So we all understand, as information security professionals, that it's not just about protecting digital information; it's also about protecting information that we store perhaps on paper. I'm sure that we all have offices, I'm sure we all have folders. And we also need to protect the brain drain, making sure that people carrying this information around in their brains are also protected, in that they know exactly where the threat is coming from. Now we know that there's never gonna be a hundred percent guarantee that we're safe. I think we appreciate that. Does anybody here have a driver's license?
Nobody. Huh? A couple. That's very good. Now there are lots of rules out there. So for some reason in Germany you've decided to drive on the right. I don't understand that one, but everybody does it. There are red traffic lights, for example. What does that mean? It means to stop, please. Yeah, we have indicators, we have brakes, we have steering, all kinds of things. You even need a driver's license to drive your vehicle. But is that a guarantee that you get from A to B once you decide to take a trip? Or do accidents still happen? Right? So there's never gonna be this hundred percent. In fact, we can never even prove or be certain that security is actually there. We only notice that perhaps there was a loophole or some sort of vulnerability once something happens. So we can always prove that something went wrong, but we won't know until it goes wrong.
Of course, we humans also need to take part in this security system. We can't just rely on technology and the processes. Oh, we have 27001, so we're safe. Wrong. People need to play the game. So there's always some sort of compromise that's there. So who has a laptop at home? Does anybody have a laptop or a smartphone or anything that goes online? I suppose we all do. Could we keep our hands up? Very good. Who has antivirus software on there? Keep your hands up if you have antivirus software on. Well, okay, some hands are going down. Who paid for this antivirus software that's on there? Oh, more hands going down. This is the compromise. People don't always play the game to the full. We don't have to go overboard, but certainly try to understand that maybe having a paid antivirus system on my computer might be a good idea. I'm sure most of your companies pay for their security.
So again, the main influencing factors: there are people, processes and technologies, but the people, the people at the front, tend to rely on the processes and the technology. We just take it for granted and we think it's not our responsibility. Well, we're wrong. It is our responsibility. We have to play the game. Now a good way to do that is to test yourselves by having a social engineer, for example, come by and see if you're doing the right thing and maybe give you a couple of ideas. I'm not gonna go into too much detail here, but I will prepare myself. I will have a look and do a bit of open source intelligence to find out if your organization is overly exposed. And then I'll come and pay a visit. And what I'll do is I'll try to use my social engineering skills. Now, social engineering skills basically do not rely on any kind of technology.
You don't even need it. It's dirt cheap. You just need someone to have the confidence to follow it through and to actually conduct the attack against other human beings. Pretty easy. And we're all social engineers without even knowing it. And the best social engineer out there is somebody that will social engineer you to get whatever it is they wanted, and you won't even notice. The art of manipulation. I don't like the word manipulation. I like the word influence. I prefer to influence people to do things rather than manipulate. Manipulate has a bad taste to it, but if you influence somebody to do something, they don't feel like a victim. Later on, they don't feel like they've done anything wrong. Do you understand me? Because I just had lunch before and I bit my tongue. Have you ever bitten your tongue before? It really, really hurts. And then just before the meeting, just before I started, I started biting my tongue again to see if it hurt.
And I realized that if you do it on purpose, it doesn't hurt. But if you do it by accident, it really does hurt. I thought I'd mention that. Just, you know, now just a show of hands quickly. Did anybody here just try and bite their tongue to see if it hurt or not? Hands up. 1, 2, 3, 4, 5. Very good. So just in such a small group, I just managed to influence you into doing something that ideally you wouldn't do. Nobody would sit here and say, "You know what? I'm gonna bite my tongue now to see if it hurts." It just wouldn't happen. But I pretexted: I gave you, I implanted the idea into your brain, and you did it, at least five people.
But we all think we're immune. Unfortunately we are not immune. And it didn't cost me any money. It took me about five seconds and I managed to get a little bit of success. So they can also do this online. What's the biggest lie on the internet? The biggest lie on the internet. Yes: "I have read the general terms and conditions and I understood everything." Click, click, done. Did we really read all of this? It's about 350 pages written by lawyers, with all kinds of links and all kinds of stuff in there. On page 327 it says after 12 months your house belongs to Facebook. Did you find that clause, or do we just trust? We just rely on Facebook because they don't mean any harm. So be careful. Always make sure you check things. Of course, I'm not expecting you to read everything, but just be aware that just clicking like a cowboy doesn't make any sense. They can also phone. Who's heard these phone calls coming in from Microsoft? "Hi, Microsoft here. Yeah, we need to install a remote admin tool onto your computer, because we've had problems, it's a new product, blah, blah." And so many people fall into this trap.
Have you ever had this call?
Usually from India, I think, yeah, they speak very good English. They can actually get quite irate, and they do it accordingly: they say they're from a bank, perhaps they say they're from Microsoft or Apple or something. And people are gullible enough. Some people sit there for two hours and try to help them. They talk you through everything to try and see how much money you have on your account, whether you can send a screenshot, whether you could do this and that. And before you know it you've installed a remote admin tool, you've lost control completely. But we all think that we're immune to this, correct? Now I'm pretty cool. I travel around the world. This was in Africa, North Africa. One was in Kenya, the other was in Ethiopia. So they have the same sort of problem, very clearly human complacency. Here on this one it says computer room. This was at the airport, computer room, nice gate open. Wow. In Ethiopia here they've actually invested and put some technology in. But what use is that technology if the door's open? Anybody could walk in. I did. Now of course this is Africa, it's Ethiopia, it's Kenya. This would never happen here in Europe, would it?
Or would it? Maybe a little closer to home we'll find, actually, it does happen here. Human weaknesses all over the place.
This was in a ministry, an organization that really should know better. They put the technology in there as well. A lot of money for nothing if nobody closes the door. Doesn't make any sense. And I come from DEKRA. We see ourselves as a global partner for safety, security and sustainability. Safety's a big one. This is a fire door. This should be closed at all times. This is dangerous now, but the information security people are very clever. They have this little wedge, it's like a wooden information security wedge, and they can put it into the door to make sure that anybody who's an intruder can easily walk in. Wow. But this would never happen to us. Am I right? We're all immune. We're all thinking: this guy's talking rubbish. No way. Let's try a little something, if everybody just plays the game a little bit. Touch your forehead. Yeah. And your chest. And your wrist. Very good. That's your elbow. Your wrist is here. You noticed, well done. Did anybody touch their elbow? Did you just follow me? Did you just visualize what to do, and you weren't really listening? You just played the game. Very, very cool.
Let's try another thing. The slope to simplicity. We're all affected. Now I'm talking about social engineering; you should know that something here might be off. All I'm gonna do is throw a few numbers up here, and all you have to do is add them up. It's not an Einstein trick, it's pretty easy. But when we get to the bottom and I need an answer, then just shout out the answer into the room. Okay? Don't be shy, just say whatever number is in your head. So the numbers are coming, add them up, and I'm waiting for the answer. Ready? Let's go.
And your answer is? Excuse me, 5,000. Who thought 5,000? Who thought 5,000? So is it really 5,000, or did they manage to influence you to think that it was 5,000 by first giving you a thousand at the top, which puts you in that zone, the thousand zone? And then we add 40. That's pretty easy. It's 1,040. And then I put you back into the thousand zone, and then I give you 30, and then another thousand. Now I'm starting to get you to fall into the slope to simplicity. You are already starting to recognize some kind of system there. Oh, if a 20 comes next, then I think I've cracked it. And the 20 does come. And already in your mind you've worked out the next one is probably a thousand and then the 10, and then you round up and say 5,000. But it's not. It's 4,100. Now does anybody feel victimized? Does anybody feel... Oh, I hope not. But it just shows that we can sometimes fall victim to these things.
Children are the best at social engineering. Who has kids? Wonderful. I have a kid as well. Oh dear. So what has my son done? I mean, he is only 14, so this is really, really early, but he's presented me with a huge problem. He knows that if he comes with his real problem, there's gonna be no laptop, no smartphone, you're grounded, you're gonna practice, every day you're gonna do maths. So what did he do? He used this comparison and gave me a much, much bigger problem. And then he defused it, which defuses me. In fact, I really, really want to hug him now and tell him everything's gonna be okay, because he basically showed me what sales people do all the time. Have you ever bought a car? They have the price there. You can always negotiate. And they know that it's just this sort of cat and mouse game. Where do we land at the end?
Wow. Do we all still think that we're immune? No. Very cool. This reminds me, we'll try something. I'm gonna try it with you actually, cuz you are... Yeah, you're nodding at me all the time. We'll see. This kind of seating here reminds me of when I was a child. I was about six years old and my sister was only half of my age. Now I've grown and I'm now 17 years old. Not really. Excuse me. Okay, sorry. I said this scenario here reminds me of when I was a child. I think I was six years old and my sister was half of my age. Half. So now I'm 70, not really 70. How old is my sister? Quickly. Very good. Did anybody think 35? Did anybody think half? Yeah, but then you showed me the three. Okay, very good. These are little tricks just to show that we sometimes fall into the wrong way of thinking.
The wrong train of thought. I mean, Sigmund Freud noticed that a long, long time ago. We now have psychiatrists and psychologists trying to work people's train of thought out. This of course can be manipulated: using your fear, using your willingness to help, using authority, all these kinds of things. Even in sport we have social engineering. Does anybody know this game? American football? Anybody play it? Oh really? Excuse me. Oh well, nobody's perfect. But you played? Yes. It's a really hard game, isn't it? Oh yes. Just for the others, there are two teams here. You've got the red and white here on the right, and then we have the yellow on the other side. And we can see that this guy is the quarterback. Please correct me if I'm wrong, but that guy's the quarterback, he's the play maker. He has his team to try and protect him, and the opposing team, these are the defensive people. Their job, basically, as soon as he has the ball in his hands, is to try and destroy him. Am I right? Right. There you go. So what we'll do is we'll just watch and see what happens. Okay?
Doesn't happen very often, does it? So I looked at this and I thought there's got to be some sort of social engineering, some sort of influencing going on here. And we looked again and again and again. And then I sort of noticed something. This quarterback, you can see his helmet. He seems to be looking down towards this guy. And I presume that this guy is perhaps the coach. I'm just gonna guess. Okay, now we can see this quarterback. He stood there with his arms out like this. What does that mean? International body language. If someone's standing like this, what do they mean? It means: I dunno what to do. Okay, so I think that the quarterback is looking at the coach saying, "Coach, I dunno what to do. It's a hard game." Perhaps the ball had lost some air. Perhaps it had burst.
Perhaps something. I don't know. But he's asking his coach, "What shall I do? I don't know." The coach, you'll see him in a minute, again he starts waving around, he's saying, "Hey, I don't know. Talk to the ref. Ask the referee." Okay, now the yellow team are listening to this. They hear this. So we're gonna watch it again. Now we're gonna look at the communication between the quarterback and the coach, we'll see the play, we'll see how the yellow team has been social engineered, has been manipulated, to not attack. And then we'll see if the referee is interested in anything that's just been discussed. Okay, let's watch it again. So communication, the coach is talking.
Friend gives him the goal. They've been social engineered. The referee, not interested. Off.
Number 19 was a little bit awake, but just not size enough. So what do we think? Six points? Yes, no? Absolutely. It's not exactly fair play and it only works once, but it worked. That might have been a final of some sort of championship, I don't know. But it worked. So what am I saying here? We all think we are immune. We don't really see the dangers that we're presented with every day. We rely on technology, we rely on the processes, but it starts from here, from us. And sometimes we just need to be enlightened as to where these problems are, where these dangers are. This young man could use a bit of training. He could use a bit of awareness. Yeah, mom or dad need to come and say, "Look son, don't do that, because it's not good." Make sense? Very cool. So I'll finish now with the last sentence, and it's this: only those who know the dangers can protect themselves. And with that I'll say thank you very much.
Thanks Graham. I don't have any questions online. Are there any questions in the room? I just loved your slide with the baby and the plug point, because my son, when he was that age, we said, never stick your finger in.
He did. So one day the light went and he came into our room very pale. He had stuck a key in.
Oh, nice.
To which he was attached. Ouch. He came in very pale.
That sounds like a funny story.
Yeah. So again, I think the reason there are no questions is cuz it was a brilliant presentation. Thanks, really engaging, really funny and really educational. So thank you very much once again for Graham, please. Thank you.