WEBVTT

1
00:00:00.090 --> 00:00:01.230
In this lesson,

2
00:00:01.230 --> 00:00:03.630
we are going to learn about awareness

3
00:00:03.630 --> 00:00:05.760
and training considerations.

4
00:00:05.760 --> 00:00:08.250
Awareness and training considerations

5
00:00:08.250 --> 00:00:11.190
are a part of Security Program Management.

6
00:00:11.190 --> 00:00:14.700
These considerations include educating employees

7
00:00:14.700 --> 00:00:19.650
about security risks such as phishing, social engineering,

8
00:00:19.650 --> 00:00:23.040
physical security, and privacy practices.

9
00:00:23.040 --> 00:00:25.500
Employees learn about security through

10
00:00:25.500 --> 00:00:27.720
initial and recurring training,

11
00:00:27.720 --> 00:00:30.270
which enhances situational awareness

12
00:00:30.270 --> 00:00:34.500
and promotes operational security known as OPSEC.

13
00:00:34.500 --> 00:00:36.270
In this lesson, we will use

14
00:00:36.270 --> 00:00:39.750
the Social-Engineer Toolkit, or SET,

15
00:00:39.750 --> 00:00:43.260
to demonstrate the importance of situational awareness

16
00:00:43.260 --> 00:00:45.840
and the impact of social engineering

17
00:00:45.840 --> 00:00:49.110
on operational security and privacy.

18
00:00:49.110 --> 00:00:52.950
The Social-Engineer Toolkit is an open-source tool

19
00:00:52.950 --> 00:00:56.070
used to simulate social engineering attacks,

20
00:00:56.070 --> 00:00:58.830
such as phishing and credential harvesting

21
00:00:58.830 --> 00:01:00.840
through malicious websites.

22
00:01:00.840 --> 00:01:02.250
As a training tool,

23
00:01:02.250 --> 00:01:05.700
the Social-Engineer Toolkit can expose employees

24
00:01:05.700 --> 00:01:10.410
to realistic attack scenarios such as credential harvesting.

25
00:01:10.410 --> 00:01:13.680
Additionally, the Social-Engineer Toolkit highlights

26
00:01:13.680 --> 00:01:17.040
operational security by showing how easily

27
00:01:17.040 --> 00:01:20.880
sensitive information such as login credentials

28
00:01:20.880 --> 00:01:24.180
can be compromised if employees are not vigilant

29
00:01:24.180 --> 00:01:26.220
about where they enter data.

30
00:01:26.220 --> 00:01:29.220
Furthermore, this type of simulation

31
00:01:29.220 --> 00:01:33.510
reinforces security training by offering a real-world

32
00:01:33.510 --> 00:01:36.150
and interactive example attack,

33
00:01:36.150 --> 00:01:39.060
teaching employees to recognize and avoid

34
00:01:39.060 --> 00:01:41.700
manipulation attempts that could lead

35
00:01:41.700 --> 00:01:43.890
to credential compromise.

36
00:01:43.890 --> 00:01:46.590
Training with the Social-Engineer Toolkit

37
00:01:46.590 --> 00:01:50.160
also emphasizes the importance of privacy,

38
00:01:50.160 --> 00:01:52.650
as credential harvesting directly

39
00:01:52.650 --> 00:01:55.200
exploits personal information.

40
00:01:55.200 --> 00:01:58.830
Finally, the Social-Engineer Toolkit may also be used

41
00:01:58.830 --> 00:02:02.250
to expose users to phishing strategies,

42
00:02:02.250 --> 00:02:04.830
improving their situational awareness

43
00:02:04.830 --> 00:02:07.740
and ability to detect fraudulent websites

44
00:02:07.740 --> 00:02:09.570
and suspicious links.

45
00:02:09.570 --> 00:02:11.850
Before we conduct the demonstration,

46
00:02:11.850 --> 00:02:15.300
let's define the terms operational security,

47
00:02:15.300 --> 00:02:19.590
physical security, privacy, social engineering,

48
00:02:19.590 --> 00:02:22.440
phishing, and situational awareness.

49
00:02:22.440 --> 00:02:25.710
First, we have operational security.

50
00:02:25.710 --> 00:02:30.000
Operational security includes processes and practices

51
00:02:30.000 --> 00:02:33.120
designed to protect sensitive information

52
00:02:33.120 --> 00:02:36.000
from being inadvertently exposed.

53
00:02:36.000 --> 00:02:39.420
It focuses on identifying critical data

54
00:02:39.420 --> 00:02:43.230
and controlling its dissemination to mitigate risk.

55
00:02:43.230 --> 00:02:45.720
Second, we have physical security.

56
00:02:45.720 --> 00:02:48.270
Physical security involves protecting

57
00:02:48.270 --> 00:02:52.380
an organization's assets, facilities and personnel

58
00:02:52.380 --> 00:02:55.560
from unauthorized access or harm

59
00:02:55.560 --> 00:02:57.630
through measures like surveillance,

60
00:02:57.630 --> 00:03:01.260
access control systems, and secure entry points.

61
00:03:01.260 --> 00:03:05.340
Employees should be trained to identify and respond

62
00:03:05.340 --> 00:03:07.530
to physical security threats,

63
00:03:07.530 --> 00:03:11.910
ensuring safety of both people and infrastructure.

64
00:03:11.910 --> 00:03:13.950
Third, we have privacy.

65
00:03:13.950 --> 00:03:16.500
Privacy is the practice of safeguarding

66
00:03:16.500 --> 00:03:21.150
personal and sensitive information from unauthorized access.

67
00:03:21.150 --> 00:03:25.020
It involves ensuring that data is handled securely

68
00:03:25.020 --> 00:03:29.520
and in compliance with legal and regulatory standards.

69
00:03:29.520 --> 00:03:32.340
Fourth, we have social engineering.

70
00:03:32.340 --> 00:03:36.330
Social engineering refers to manipulation tactics

71
00:03:36.330 --> 00:03:39.150
used by attackers to trick individuals

72
00:03:39.150 --> 00:03:42.420
into divulging confidential information.

73
00:03:42.420 --> 00:03:45.750
This manipulation is often done by exploiting

74
00:03:45.750 --> 00:03:50.640
human psychology rather than technical vulnerabilities.

75
00:03:50.640 --> 00:03:52.530
Fifth, we have phishing.

76
00:03:52.530 --> 00:03:55.320
Phishing is a form of manipulation

77
00:03:55.320 --> 00:03:58.440
where attackers use fraudulent communications,

78
00:03:58.440 --> 00:04:03.180
typically emails, to trick individuals into taking an action

79
00:04:03.180 --> 00:04:07.380
like clicking on a link or revealing sensitive information.

80
00:04:07.380 --> 00:04:11.460
Sixth and last, we have situational awareness.

81
00:04:11.460 --> 00:04:15.210
Situational awareness is having a clear understanding

82
00:04:15.210 --> 00:04:19.170
of the current threat landscape, recognizing potential risks

83
00:04:19.170 --> 00:04:21.630
and maintaining constant vigilance

84
00:04:21.630 --> 00:04:26.460
to detect and respond to security incidents as they arise.

85
00:04:26.460 --> 00:04:29.160
Now, let's get to that demonstration.

86
00:04:29.160 --> 00:04:31.950
I am logged in to a virtual machine

87
00:04:31.950 --> 00:04:35.040
running the Kali Linux operating system.

88
00:04:35.040 --> 00:04:39.995
My IPv4 address is 10.0.2.15.

89
00:04:41.130 --> 00:04:44.610
And as you can see, I have a Terminal window open.

90
00:04:44.610 --> 00:04:46.740
Overall, in this demonstration,

91
00:04:46.740 --> 00:04:50.190
we are going to use this Social-Engineer Toolkit

92
00:04:50.190 --> 00:04:54.120
to create a fake website to harvest credentials.

93
00:04:54.120 --> 00:04:56.220
So, the first thing I'm going to do

94
00:04:56.220 --> 00:05:01.220
is enter in the command, sudo setoolkit, to start it up.

95
00:05:01.410 --> 00:05:02.640
As you can see here,

96
00:05:02.640 --> 00:05:06.180
the Social-Engineer Toolkit is menu-based.

97
00:05:06.180 --> 00:05:11.160
I'm going to select option one for a social engineering attack.

98
00:05:11.160 --> 00:05:14.730
On this next menu, I'm going to select option two

99
00:05:14.730 --> 00:05:17.190
for a website attack vector,

100
00:05:17.190 --> 00:05:20.430
but please notice that we could select option one,

101
00:05:20.430 --> 00:05:22.290
a spear-phishing attack vector,

102
00:05:22.290 --> 00:05:25.953
or option five, a mass mailer attack.

103
00:05:27.060 --> 00:05:28.380
On this next menu,

104
00:05:28.380 --> 00:05:31.920
I need to choose how I'm going to do the attack,

105
00:05:31.920 --> 00:05:34.440
and I'm going to choose option three,

106
00:05:34.440 --> 00:05:36.873
a credential harvester attack method.

107
00:05:37.980 --> 00:05:41.310
On this menu here, I need to choose how I want to

108
00:05:41.310 --> 00:05:44.670
present or how I want to create the website

109
00:05:44.670 --> 00:05:46.230
that is going to be used.

110
00:05:46.230 --> 00:05:49.233
I'm going to use option one, a web template.

111
00:05:50.550 --> 00:05:53.250
Now, I need to choose where I'm going to host

112
00:05:53.250 --> 00:05:54.930
that malicious website.

113
00:05:54.930 --> 00:05:59.894
My IP address, which we've already seen, is 10.0.2.15.

114
00:06:01.050 --> 00:06:03.990
So that's already pre-populated for me here,

115
00:06:03.990 --> 00:06:05.853
I'm just going to select Enter.

116
00:06:06.930 --> 00:06:09.150
All right, we are almost ready to go.

117
00:06:09.150 --> 00:06:12.750
The last thing I need to do is choose what website

118
00:06:12.750 --> 00:06:16.050
I want to use as that malicious template.

119
00:06:16.050 --> 00:06:20.220
I could use a Java, a Google, or a Twitter template.

120
00:06:20.220 --> 00:06:21.933
I'm going to choose Google.

121
00:06:23.160 --> 00:06:25.680
All right, it is up and running.

122
00:06:25.680 --> 00:06:30.240
My Kali Linux machine is now hosting a malicious website

123
00:06:30.240 --> 00:06:34.050
that will harvest credentials and capture those credentials

124
00:06:34.050 --> 00:06:37.200
for me right here in this command line.

125
00:06:37.200 --> 00:06:41.670
So, the next thing I need to do is go out and find a victim.

126
00:06:41.670 --> 00:06:44.820
Let's say I was running an internal phishing test

127
00:06:44.820 --> 00:06:47.490
and a user clicked on the link

128
00:06:47.490 --> 00:06:48.990
that I had provided for them,

129
00:06:48.990 --> 00:06:52.980
directing them to my credential harvesting website.

130
00:06:52.980 --> 00:06:57.690
I'm going to simulate that by opening up Mozilla Firefox

131
00:06:57.690 --> 00:07:00.993
and navigating to my local host machine.

132
00:07:03.540 --> 00:07:07.110
There it is, that is the website that I am hosting,

133
00:07:07.110 --> 00:07:10.920
which is the malicious credential harvesting website.

134
00:07:10.920 --> 00:07:14.250
So, I'm going to go ahead and enter in some credentials.

135
00:07:14.250 --> 00:07:17.400
I'll enter in my name, Jeremiah, I'll enter in a password,

136
00:07:17.400 --> 00:07:21.630
capital, P-A-S-S-W-0-R-D,

137
00:07:21.630 --> 00:07:24.570
and then I'm going to go ahead and try to sign in.

138
00:07:24.570 --> 00:07:25.403
Huh?

139
00:07:25.403 --> 00:07:26.850
I don't want to save those credentials,

140
00:07:26.850 --> 00:07:30.300
but look, it didn't work, I wasn't able to sign in,

141
00:07:30.300 --> 00:07:33.180
but now here I am at another Google page.

142
00:07:33.180 --> 00:07:35.730
All right, well, I can click sign in here.

143
00:07:35.730 --> 00:07:39.840
Now that I'm on the actual Google page I was redirected to,

144
00:07:39.840 --> 00:07:42.300
I could sign in with my actual credentials,

145
00:07:42.300 --> 00:07:44.130
and log into Google.

146
00:07:44.130 --> 00:07:47.850
Now, my credentials have been harvested in the background.

147
00:07:47.850 --> 00:07:51.210
I can see that if I go back to this command line,

148
00:07:51.210 --> 00:07:52.830
you can see here that it tells me

149
00:07:52.830 --> 00:07:56.850
that it found a possible username of Jeremiah

150
00:07:56.850 --> 00:08:01.850
and a possible password of capital, P-A-S-S-W-0-R-D.

151
00:08:03.300 --> 00:08:07.080
Those are the username and password that I entered

152
00:08:07.080 --> 00:08:10.470
into that initial credential harvesting website.

153
00:08:10.470 --> 00:08:14.070
This is an example of the Social-Engineer Toolkit

154
00:08:14.070 --> 00:08:16.710
being used to harvest credentials,

155
00:08:16.710 --> 00:08:19.680
and that's the end of this demonstration.

156
00:08:19.680 --> 00:08:23.940
So, remember, awareness and training considerations

157
00:08:23.940 --> 00:08:27.090
are essential to security program management.

158
00:08:27.090 --> 00:08:30.060
Training should focus on educating employees

159
00:08:30.060 --> 00:08:32.940
about risks resulting from phishing,

160
00:08:32.940 --> 00:08:34.290
social engineering,

161
00:08:34.290 --> 00:08:38.400
physical security deficiencies, and privacy concerns.

162
00:08:38.400 --> 00:08:41.700
Training through tools like the Social-Engineer Toolkit

163
00:08:41.700 --> 00:08:44.040
enhances situational awareness

164
00:08:44.040 --> 00:08:46.650
by simulating real-world attacks,

165
00:08:46.650 --> 00:08:48.900
which can help employees recognize

166
00:08:48.900 --> 00:08:51.570
and avoid security threats.

167
00:08:51.570 --> 00:08:53.490
Training simulations are used

168
00:08:53.490 --> 00:08:56.460
to emphasize operational security

169
00:08:56.460 --> 00:08:59.280
by showing how easily sensitive information

170
00:08:59.280 --> 00:09:03.030
can be compromised if employees are not vigilant.

171
00:09:03.030 --> 00:09:04.830
Training also reinforces

172
00:09:04.830 --> 00:09:07.410
the importance of protecting privacy,

173
00:09:07.410 --> 00:09:11.460
as attackers often attempt to exploit personal data.

174
00:09:11.460 --> 00:09:15.330
By regularly conducting security and awareness training,

175
00:09:15.330 --> 00:09:19.380
organizations improve their overall security posture,

176
00:09:19.380 --> 00:09:23.853
ensuring employees remain prepared for evolving threats.

