1 of 22

U.S. J-School Digital Security Sample Slides

Questions? Suggestions? Reach out: https://freedom.press/contact/

training@freedom.press

Freedom of the Press Foundation (CC BY 4.0)

2 of 22

README: How might these slides be used?

  • We hope these slides will provide some inspiration. To that end, these slides are intended to provide examples of digital security topics that might be covered, and how visual aids might help.
  • We expect instructors to use these slides based on their needs for their courses and expectations of students. Ultimately, we hope instructors will modify these slides or find inspiration when creating learning materials independently.
  • Make a copy of slides or the deck (“File” > “Make a Copy”). Make it your own! You don’t need to use our branding.
  • Check back in occasionally! Like all digital security training materials from Freedom of the Press Foundation, we intend to keep it up-to-date.

https://freedom.press

3 of 22

README: Use or modify as needed

  • Unless otherwise noted, our U.S. J-school security curriculum is Creative Commons-friendly (CC-BY 4.0), meaning that you can use or modify it as needed. When using the slides, we only ask that you give us attribution somewhere in your deck:

Freedom of the Press Foundation (CC BY 4.0)

  • You don’t need to use our branding, if you don’t want to! Within any slide, click “Layout” and change the template to “Absolute zero branding” for a blank background.

4 of 22

Social engineering

6 of 22

Social engineering: Convincing well-meaning humans to give you access

  • Getting someone to do something that may or may not be in their best interest.
  • Leveraging publicly accessible data to make the attacker look like a legitimate “insider.”
  • Often leveraging psychological principles of influence.
  • May incorporate hacking tools to aid in impersonation.

7 of 22

Getting compliance through authority

People are more likely to defer to authority figures — which is why social engineers particularly like impersonating contextually-relevant authorities. For example…

  • Your IT help desk, or a co-worker of high status (e.g., someone from the CEO’s office), asking you to share information or install something.
  • Someone who seems to “belong” somewhere — such as a delivery worker letting themselves into a building.

8 of 22

Getting compliance through urgency

Social engineers often try to establish a sense of urgency, to get you to act before you’ve thought it through. For example…

  • The IT help desk tells you that you can save them from getting fired by giving them some information they need right now.

9 of 22

Getting compliance through kindness

People often just want to be helpful, particularly to those who are nice to them. You guessed it: social engineers use this too. For example…

  • After you unlock a locked door to your office building, someone awkwardly jogs up nearby, smiles, and says thank you. You, nice person, politely hold the door to let them in. (Sometimes we call this tailgating.)

10 of 22

The Attack Cycle. Credit: Imperva

11 of 22

Common tactics

  • Phishing: Posing as a reputable source to extract information over email.
  • Vishing: The same thing, but by talking to someone on the phone.
  • SMiShing: The same thing, via text.
  • Impersonation (e.g., impersonating a delivery person)

12 of 22

Psychological principles of influence

Cialdini’s six principles of influence

  • Reciprocity: People feel compelled to reciprocate when someone does something for them (e.g., a car dealer feeds you donuts; you buy a car).
  • Commitment/consistency: People want their words and actions to appear consistent (e.g., “You said you would finish the draft by Friday…”)
  • Social proof: When unsure what to do, people look to other similar people’s behavior (e.g., if you see someone enthusiastically purchase dodgy watches, it makes the transaction look more legitimate).

13 of 22

Psychological principles of influence

  • Authority: People tend to listen to authoritative-looking figures. (e.g., someone emails claiming to be the CEO or their assistant)
  • Liking: Just how it sounds! (e.g., you’re more likely to listen to someone who pays you a compliment, or claims to share your interests)
  • Scarcity: People are more likely to act when they believe their opportunity to do so is in jeopardy. (e.g., social engineers will make you think you need to act right now)

14 of 22

What kind of psychological principles do you think are in play here?

  • Reciprocity?
  • Commitment/consistency?
  • Social proof?
  • Authority?
  • Liking?
  • Scarcity?

Source: Sneakers (1992)

15 of 22

What kind of psychological principles do you think are in play here?

  • Reciprocity?
  • Commitment/consistency?
  • Social proof?
  • Authority?
  • Liking?
  • Scarcity?

Source: Real Future (2016)

16 of 22

Social engineering software

  • OSes with pre-installed hacking tools, like Kali Linux
  • Popular: Social engineering toolkit (built into Kali Linux)
    • Tools for impersonating phone numbers over text and calls
    • Similar tools to impersonate email addresses
    • Tools for automating the deployment of phishing pages
    • Tools for mass emailing (for untargeted phishing)
    • Tools for generating malware-laden files
    • Remote “listening” tools for hackers to receive data from targets
    • Lots more!

17 of 22

Social engineering software

Relationship-mapping software (e.g., Maltego) helps attackers determine where weaknesses in a network might exist, and who the relevant actors are.

19 of 22

Activity: Thinking like a social engineer

Put yourself in the shoes of a social engineer. Let’s imagine they want your credit card number. If you were them, how would you get it?

Take 5 minutes and write down your social engineering strategy. Get as creative as you want, but try to keep it realistic.

20 of 22

How might you defend yourself against this kind of attack?

21 of 22

What can you do to defend yourself?

  • Remember our phishing defenses: double-check the sender’s email address, and navigate to sites yourself rather than using the link in the email.
  • Contact your phone company and set an additional authentication PIN.

22 of 22

What can you do to defend yourself?

  • When receiving calls, verify people are who they say they are: When in doubt, ask for more information (e.g., more about who they are, where they work).
  • Notice when you feel pressured! Something might be wrong. Again, when in doubt, ask for more information.