Name and Surname
Pavol LuptákJayson E StreetEszter OrosziMartin PsarskyNick Drage
Company
Nethemba s.r.o.http://stratagem-one.com/kancellar.huESETFirst Defence
Your position
Security consultantCIOinformation security consultantSecurity ConsultantSenior Security Consultant
Link to your public CV
http://trip.sk/wilder/cv/cv-comprehensive.htmlhttp://f0rb1dd3n.com/author.phphttp://www.linkedin.com/pub/eszter-oroszi/45/ab6/906n/a
When you are doing social engineerig (SE) test, what types of SE attacks you do or perform most often?
no non-technical attacks yes
technical attacks: phishing simulation, sms sender spoofing, caller id spoofingForged email
Piggy backing entry
Finding unsecured access doors
Malware on USB
A Hak 5 rubber ducky
SET exploit pack on BT5impersonation, piggybacking, tailgating, phone attacks, dumpster diving, infected mails and phishingphishing
vishing
spoofed SMS
removable media
physical accessNon-technical:
Onsite intrusion against offices
Telephone based attacks against call centres
General telephone based attacks
Technical:
Malicious attachments sent by email
Very targeted malicious softwar...
Which ways/channels do you prefer to conduct SE attacks?
90% Internet channel, 10% telecommunication/mobile channel, 0% physical access/contactMine are mostly exclusively physical on site internet 90%, phone 5%, physical 5%Inet - 30%, telco + mobile - 20+20%, physical - 30%Internet channel: 30
Telecommunications channel: 10
Mobile channel: 10
Physical access/contact: 50
When you are assessing security of various companies, have these companies implemented security guidelines or rules which are directed to defend against SE attacks?
Don't know.10% have it
90% don'tYes, have rules - 70%not specifically against SE attacks, they usually have general rules for employees and if followed would provide some level of protection against SE attacks, no special rules or education regarding SE though, therefore 20-80%Have rules/guidelines - 40
Don't have rules/guidelines - 60
But I think our customers are above average for their industry sectors in general.
What are the most dangerous types of SE attacks according to your opinion?
SMS/CallerID spoofing
Piggybacking
Reverse social engineeringNew hire employees or Job applicant attack.
Being polite and just walking in like you belong.All... :) But maybe phishing and impersonation.phishing, whaling, vishingThat's a difficult question to answer, as so much hinges on how you'd define "dangerous". To me it's the physical attacks against a company's premises, while they put the attacker at the moment risk that physical access can present the greatest danger to a company.