How I Got Network Creds Without Even Asking: A Social Engineering Case Study
Jen Fox (@j_fox), IASA

Post on 12-Jul-2020


Jen Fox

@j_fox

Sr. Security Consultant

DEF CON 23 Uber Badge winner, SECTF

Objective
• Network credentials and/or sensitive information
• Provide value for the client!

Scope
• Contact names provided

(My) Problem
• Don't get to pick and choose
• Need something credible and effective
• Limited time

Goals & Requirements
Research & Recon
Analysis
Attack!
Pwn / Fail
Pivot

Company site

Inappropriately exposed docs

Vendor case studies

News

Growth through merger / acquisition
• News

Lack of integration
• Email addresses
• Service providers

Back to scope – people provided across depts and levels

What does everyone care about?

+ lack of integration …

(Slide: mock-up of the pretext, showing the Company logo, "PayrollCo" / "PayrollCoService" branding, "PayrollCo, a payroll company", "Copyright © 2014 PayrollCo", the vendor case-study URL Payrollco.net/company, the target domain company.com with the address user@company.com, and a message opening "Company," / "Dude-")

Other phone calls
• Why pretext chosen

Vendor case study

LinkedIn info re: head of HR

Goals & Requirements
Research & Recon
Analysis
Attack!
Pwn / Fail
Pivot

Technology
Physical security / process
Routines – payday, breaks
Case studies
Org structure / phone numbers

From IT about upgrades, changes, etc.

Reminders that passwords will never be requested from help desk or IT department

Do it often – make it normal to hear from IT / InfoSec

Reduces uncertainty

Reduces snap decision making for important transactions

However…
• Procedures must reflect and support the actual process
• Procedures must be applied consistently

(Diagram: "Not stressed" vs. "Stressed!")

Rules don't help people respond well under pressure

Give people permission to say no

Provide examples of what to say or do

Assure them they will be supported when they say "no" to someone

@j_fox

jfox@viopoint.com