josh pauli associate professor of cyber security dakota state university (madison, sd) 10 years...

Cyber Security Landscape

About me

Josh Pauli

Associate Professor of Cyber Security

Dakota State University (Madison, SD)

10 years and counting!

About DSU’s Programs

We have 300+ students studying: Cyber Operations (Cyber Security)

Computer Science

Cyber Operations

Largest degree on campus (170 / 1200)

Explosive growth in the last two years (55 in ‘11; 70 in ‘12)

Want the best and brightest regardless of computing history

A great mix of: Programming Networking Operating systems “hacking”! Ethics Critical thinking

Cyber Corps

Full ride scholarships + attractive stipend

$35,000-40,000 per year including $20,000 stipend

Work for Gov’t agencies after graduation National Security Agency (NSA) Central Intelligence Agency (CIA) Space and Naval Warfare Systems

Command (SPAWAR)

Center of Excellence in Cyber Operations

NSA wants the most technical cyber experts

DSU was selected as 1 of 4 in the entire nation Now 8 schools

Only public institution in the nation

Only program with dedicated Cyber Ops program in the nation

Only undergraduate program in the nation

Cyber @ DSU

Best Cyber Operations curriculum in the nation

Cyber Corps scholarships to save over $100,000

Top Secret security clearance before graduation

Work on the top security projects in the world

25 years old: Undergrad & Graduate degrees in Cyber Operations Top Secret government security clearance 2-3 years of experience in a Federal agency Any job you ever want anywhere you want it

Today’s Rundown

1. What’s technical social engineering (TSE)?

2. Timeline of hacking

3. AV is dead! Long live AV!

4. How to prevent TSE attack

5. TSE in penetration testing

6. Q & A

What’s technical social engineering (TSE)?

TSE != traditional social engineering

It’s NOT: Physical impersonation Pretext calling Dumpster diving

Still good stuff; just not what we’re talking about today!

It is

Relying on people being: Gullible Greedy Dumb Naïve

And using technology own them!

What’s this “owned” you speak of?Remote code execution

Administrative rights

Key loggers

<<insert juicy payload here>>

We are actually pretty good at:Not clicking linksOpening filesVisiting websites

But it only takes 1 person!

This is why we can’t have nice things…

Timeline of hacking

That escalated quickly

Future is now

AV is dead! Long live AV!

AV is good at what it does

But it’s not enough Just one “layer”

Signature-based = always behind

How AV vendors work (simplified) Why security researchers giggle at this

How to prevent TSE attack

In a word: You

And only you!

User Awareness Training Currently a raging debate in InfoSec

Fear v. education Punish v. reinforce

TSE in penetration testing

TSE is PT; PT is TSE!

“Check the box” v. “Get after it!”

TimingScopePriceSo this is red team? Who can actually do this?

Q & A

Thanks for having me!

Josh.Pauli@dsu.edu

@CornDogGuy

Happy to help anyway that I can!