Post · bonfire.cafe

Post

Regarding #SocialEngineering I love the work of Frank Stajano and Paul Wilson. The documented 7 common principles of #scams.

The principles are (in my adaption)

Need or Greed / Bait: Something the victim/mark wants or wants to avoid.
Deception: A connection to reality
Distraction: an elaborate story around the scam hiding the true intentions.
Authority or Trust: Scams "originate" often trusted or authoritative person, role, or organisation
Time pressure & timing: The victims are pressured to decide or act quickly. And the attacks are timed, often after lunch, or the afternoon were the victim is like less energetic and attentive.
Secrecy (or Dishonesty): keep the mark from asking someone else.

and may slightly less relevant in a digital Social Engineering context:

Herd/Group Principle: Others are doing it as well, so I either have FOMO or think it can't be that bad

View (PDF)

Claudius Link

@realn2s@infosec.exchange · 2 years ago

Thanks all, for the great suggestions.

I'll start with the costs of cybersecurity incidents.

For Germany this is estimated to have been 200 billion € for 2023.
So close to 5% of the GDP (~ 4 trillion €)

I'm actually slightly sceptical of this number as it was estimated through a survey. It feels a bit like #FUD to me. I probably wouldn't use this number if the presentation wasn't in a business setting.

Following up with a simplified kill chain and connecting personal, corporate and security of the society

A simplified cyber kill chain with the stage

Prepare, Deliver, Exploit, and Utilize — A simplified cyber kill chain with the stage Prepare, Deliver, Exploit, and Utilize

Claudius Link

@realn2s@infosec.exchange · 2 years ago

I then talk about the different context of #cybersecurity and their overlap
(I don't want to suggest these are the only or correct ones ;-)

Personal, Coporate and Society security. Mention common attacks, methods used and counter measures. With #SocialEngineering as a common method and Credentials/Passwords as common between personal and corporate security.

(I'm not totally satisfied with "society security", so suggestions welcome)

Ven diagram of Personal, Coporate and Society security). Showing an overlap

Claudius Link

@realn2s@infosec.exchange · 2 years ago

Regarding #SocialEngineering I love the work of Frank Stajano and Paul Wilson. The documented 7 common principles of #scams.

The principles are (in my adaption)

Need or Greed / Bait: Something the victim/mark wants or wants to avoid.
Deception: A connection to reality
Distraction: an elaborate story around the scam hiding the true intentions.
Authority or Trust: Scams "originate" often trusted or authoritative person, role, or organisation
Time pressure & timing: The victims are pressured to decide or act quickly. And the attacks are timed, often after lunch, or the afternoon were the victim is like less energetic and attentive.
Secrecy (or Dishonesty): keep the mark from asking someone else.

and may slightly less relevant in a digital Social Engineering context:

Herd/Group Principle: Others are doing it as well, so I either have FOMO or think it can't be that bad

View (PDF)

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.2-alpha.29 no JS en

Automatic federation enabled