White-Hat Workshop Shows Risks of Personal Data
It was standing room only in Verizon's social-engineering hack activity at Tuesday's Cybersecurity Education Summit.
Private- and public-sector participants examined financial records and calendar information of an unknown person before using online information to guess the identity of the victim.
Craig Bowman, vice president of Advanced Solutions at Verizon, led the exercise, which was meant to focus on how hackers establish "points of truth" — information that a subject would confirm in order to trust an email, text or other digital contact. Those points of truth allow hackers to profile and build out an attack, just like attendees did.
"The more points of truth, the better chance you're going to get that action you need done," California CISO Peter Liebert said.
Cybersecurity's biggest threat is the human element, Bowman said.
One attendee identified the victim so thoroughly that they traced the person's social media back to videos of the victim's children at school and at extracurricular activities.
Attendees were then asked to build attacks against the victim that would gain access to the victim's personal data and financial information, much like hackers do in the real world.
"How do you socially engineer people to give them something that they would never give willingly?" Bowman asked.
Some attacks included:
- Sending an email to the victim's spouse about one of the child's activities.
- Contacting the victim while pretending to be a health-care provider treating the victim's injured child.
- Befriending the victim's child on a social game and offering maps to play on or asking for donations.
- Offering a reward for customer loyalty to a trusted brand.
- Sending an email from a trusted colleague's address, asking for help on a project.