Josh Pauli Associate Professor of Cyber Security Dakota State University (Madison, SD) 10 years and counting! We have 300+ students studying: Cyber Operations (Cyber Security) Computer Science Largest degree on campus (170 / 1200) Explosive growth in the last two years (55 in ‘11; 70 in ‘12) Want the best and brightest regardless of computing history A great mix of: Programming Networking Operating systems “hacking”! Ethics Critical thinking Full ride scholarships + attractive stipend $35,000-40,000 per year including $20,000 stipend Work for Gov’t agencies after graduation National Security Agency (NSA) Central Intelligence Agency (CIA) Space and Naval Warfare Systems Command (SPAWAR) NSA wants the most technical cyber experts DSU was selected as 1 of 4 in the entire nation Now 8 schools Only public institution in the nation Only program with dedicated Cyber Ops program in the nation Only undergraduate program in the nation Best Cyber Operations curriculum in the nation Cyber Corps scholarships to save over $100,000 Top Secret security clearance before graduation Work on the top security projects in the world 25 years old: Undergrad & Graduate degrees in Cyber Operations Top Secret government security clearance 2-3 years of experience in a Federal agency Any job you ever want anywhere you want it 1. What’s technical social engineering (TSE)? 2. Timeline of hacking 3. AV is dead! Long live AV! 4. How to prevent TSE attack 5. TSE in penetration testing 6. Q &A It’s NOT: Physical impersonation Pretext calling Dumpster diving Still good stuff; just not what we’re talking about today! Relying on people being: Gullible Greedy Dumb Naïve And using technology own them! Remote code execution Administrative rights Key loggers <<insert juicy payload here>> Not clicking links Opening files Visiting websites But it only takes 1 person! This is why we can’t have nice things… But it’s not enough Just one “layer” Signature-based = always behind How AV vendors work (simplified) Why security researchers giggle at this And only you! User Awareness Training Currently a raging debate in InfoSec Fear v. education Punish v. reinforce “Check the box” v. “Get after it!” Timing Scope Price So this is red team? Who can actually do this? [email protected] @CornDogGuy Happy to help anyway that I can!