Security BSides Orlando is taking place later this week on April 5th and 6th, so in the run-up to the event we are showcasing a few of the informative sessions they have lined up for this year’s gathering.
Security BSides Orlando is a community driven event seeking to bring together anyone with a passion for making, breaking or protecting, and they welcome newbies, experts and anyone in between.
First we looked at a session by Lee V. Mangold (@LeeMangold) titled Open Source Security: Security Poverty and the Small Enterprise, and then at a talk to be delivered by Alex Hutton (@AlexHutton) titled Alex Dreams of Risk.
Next up is a session with Luis “Connection” Santana (@hacktalkblog) called Phishing Like the Pros, which will cover techniques employed by security professionals and criminal phishers alike to increase the possibility of success during a phishing campaign.
Santana is a security consultant and independent security researcher who has spoken at numerous conferences including Derbycon and HackCon, and runs the HackTalk blog where he posts various security news items and memes.
During this talk, Santana will discuss the use of tools like “PhishPoll”, a PHP-based framework for managing phishing engagements, as well as the importance of phishing exercises for internal security awareness campaigns.
“While tools such as the Social Engineering Toolkit by David “reL1K” Kennedy exist to aid in the job functions of external attackers, there is a gap in tools for internal security teams,” Santana said. “This talk will not only advise on ways to improve a phishing campaign’s click-thru rates, but will also provide a tool for internal security teams to manage metrics on the effectiveness of their security awareness trainings.”
Phishing as a tactic for gaining initial access to an organization’s networks is a major threat, and while most companies are beginning to understand the intricacies of maintaining a secure network, too many still fall prey to attacks against the human element, as was exemplified by the recent Target breach.
“As it stands, phishing is one of the most effective ways to breach an otherwise secure organization, and as such tools such as PhishPoll and SET will see an increased amount of use among both internal security teams and consultants alike,” Santana said.
He hopes the Phishing Like The Pros session will provide the attendees a good sense of what goes into an effective phishing campaign, what mistakes to avoid, and what professional phishers are doing to ensure high click-thru rates.
“The human element and its role in security remains an area of much concern, as it is often much harder to instill a sense of security awareness throughout an organization than it is to mitigate security issues in servers and workstations,” Santana said.
“This talk aims to show that targeting the human element is an extremely viable option for attackers, and as such should be an active topic within any internal security program.”
In a perfect world Santana says, we would imagine the eventual death of phishing as a tactic through increased security awareness and education, but realistically, these methodologies and frameworks can only help to reduce the potential impact of phishing within any given organization
“As more talks and more tools are developed to aid both attackers and defenders, I hope we eventually reach a point where employees begin to better understand their role in keeping the organization secure.”
- The Ever Expanding Trust Boundary: To Infinity and Beyond
- Your Biggest Threats are Coming from Inside
- Wendy Nather’s Surprising Response to Public Apathy about Security
- Grounding Anti-Phishing Programs in Cognitive Foundations
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock