Does Cultural Differences Become a Barrier for Social Engineering?
The Social-Engineer Village at DEF CON 24
TOMOHISA ISHIKAWA
scientia.admin@gmail.com
www.scientia-security.org
>> WHO AM I ?
▪ Tomo (Tomohisa Ishikawa)
• Japanese security consultant (7 years of experience)
• ESL (English as a Second Language)
• Doctoral program student
• Currently at an insurance company in Philadelphia
• CISSP, CISA, CISM, CFE, QSA, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
▪ Specialized areas
• Penetration testing
• Incident response
• Vulnerability management
• Security awareness & education
Background
▪ Social engineering is a remarkable attack vector now
• HBGary hacked by Anonymous
• CloudFlare hacked by UGNazi
• Mat Honan (WIRED journalist)
• Naoki Hiroshima (theft of the Twitter username “@N”)
• CIA Director hacked by CWA (Crackas with Attitude)
• BEC (Business Email Compromise)
▪ Is it popular in Japan??
• Spear-phishing email attacks are popular
• but… not so active compared with the U.S. (e.g. BEC)
My Research Questions:
▪ Does cultural difference become a barrier for SE?
• If culture works as a barrier, “Cultural Defense” will be one of the solutions.
• The design of the organization, corporate culture and business processes will be an effective method against SE.
Additional Notes:
▪ Why is the idea of “cultural defense” so important?
• CVE-0 (no Patch Tuesday for human beings)
• https://isc.sans.edu/diary/Managing+CVE-0/10933
Disclaimer
▪ I AM NOT …
• a cultural anthropologist, sociologist, psychologist, philosopher, etc.
▪ Any opinions offered are …
• my own opinion, hypothesis and thoughts, based on a few of my own examples
• NOT those of my employer.
▪ Focus on the difference between Japan and the U.S.
▪ I may be biased because…
• 28 years of experience in Japanese culture (guru)
• 8 months of experience in U.S. culture (beginner or intermediate)
▪ This is NOT a conclusion; I would like to start a discussion
• Constructive criticism and opinions are welcome
Disclaimer
▪ I DO NOT want to discuss the advantages or disadvantages of each culture
• I would like to respect both cultures
• I only discuss the defensive workability against SE attacks
▪ I welcome questions and comments, but
• PLEASE PLEASE speak slowly and simply
1. What is Culture? Cultural Difference?
Cultural Difference?
▪ The Size
• US S-Size vs. JP L-Size
Cultural Difference?
▪ The Punctuality
Cultural Difference?
▪ The Pokemon Go indicator
FYI: Steve’s POV
Again, What is Culture? Cultural Difference?
Wikipedia says…
What is Culture?
▪ A lot of definitions are available
▪ The definition of E.B. Tylor
• “that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society”
What is Cultural Difference?
▪ Hofstede's cultural dimensions theory
• Hofstede conducted a comprehensive analysis of IBM employees and proposed six dimensions to characterize culture
• Dataset: http://www.geerthofstede.nl/dimension-data-matrix
Hofstede's cultural dimensions theory
INDEX  DETAILS
PDI    Power Distance Index
IDV    Individualism vs. collectivism
MAS    Masculinity vs. femininity
UAI    Uncertainty avoidance index
LTO    Long-term orientation
IVR    Indulgence versus restraint
Cultural Differences by Hofstede Indicator (bar chart, Japan vs. U.S.A., scale 0–100)
       JPN  USA  DIFF
PDI     54   40    14
IDV     46   91    45
MAS     95   62    33
UAI     92   46    46
LTO     88   26    62
IVR     42   68    26
Hofstede's cultural dimensions theory
▪ From this data
Item  Diff  Japan               U.S.A.
LTO    62   Long-term oriented  Short-term oriented
UAI    46   Hates uncertainty   Accepts risk
IDV    45   Collectivism        Individualism
2. Social Engineering and Cultural Difference
If you are NOT familiar with SE
Today we are discussing…
▪ OSINT
▪ Tailgating
▪ Vishing
▪ Remittance Scam (supplementary)
2. Social Engineering and Cultural Difference
~2-1 : OSINT~
OSINT
▪ Open Source Intelligence
• Collecting the information needed for SE from public resources
▪ Cultural defense workability of JP culture:
• Japanese users prefer anonymity on the Internet
• This means the difficulty of OSINT in JP is high
▪ MIC 2014 research (MIC: Ministry of Internal Affairs and Communications)
• 6-country comparison (JP, US, UK, FR, SK, SGP)
• http://www.soumu.go.jp/johotsusintokei/whitepaper/eng/WP2014/chapter-4.pdf
OSINT – Cultural Defense
▪ MIC 2014 research
• US users tend to use their real name, but JP users prefer to use a false name
Use of false names versus real names on SNS (MIC 2014; stacked bar chart, percentages, 0–100). Services on the chart axis: Facebook, Twitter, Chat, SNS, BBS, Blog; five JP/US bar pairs are recoverable from the page, listed in chart order.
Bar    Use False Name  Use Real Name  Use Both (multiple accounts)  Not User
1 JP   10.1            29.8            1.2                           58.9
1 US   12.6            67.0            3.9                           16.5
2 JP   30.2             7.8            2.2                           59.8
2 US   17.8            28.1            3.9                           50.2
3 JP   20.8            18.1            2.7                           58.4
3 US   15.5            25.3            5.4                           53.8
4 JP   22.0             1.5            2.0                           74.5
4 US   24.3            16.6            6.0                           53.1
5 JP   26.7             2.5            2.3                           68.5
5 US   19.7            18.1            4.6                           57.6
OSINT – Cultural Defense
▪ MIC 2014 research
• 66.3% of JP respondents have antipathy against disclosing their real name (US: 35.9%)
The antipathy against disclosing real name (stacked bar chart, percentages, 0–100)
        Strong  Moderate  Neutral/Neither  Not much  No
Total    15.9    23.2      24.8             22.4      13.7
JP       41.7    24.6      13.7             12.7       7.3
U.S.     13.1    22.8      28.3             22.2      13.6
OSINT – Cultural Defense
▪ MIC 2014 research
• Approximately 60% of JP and US respondents feel the risk of being identified even though they use a false name
Awareness of the risk of being identified with anonymous use (stacked bar chart, percentages, 0–100)
        High possibility  Some possibility  Low possibility  Almost no possibility
Total    20.2              39.1              29.9             10.8
JP       16.5              43.7              26.5             13.3
US       24.4              36.9              27.4             11.3
2. Social Engineering and Cultural Difference
~2-2 : Tailgating~
Tailgating
▪ Tailgating
• Breaking physical access control by using pretexting
• Ex) Pretending to be a “FedEx guy” or “pest control guy”
• Ex) Pretending to be a freshman, a WFH employee, or an employee from a different branch
▪ Cultural defense workability of JP culture:
• Japanese culture is a detective environment
• Office layout
• Working style culture
Tailgating – Cultural Defense
▪ Office layout
• US: cubicles
• JP: flat desks
▪ Why does it work as a defense?
• Easy to identify a stranger or attacker
• Everyone knows the usual behavior (baseline) of colleagues and other vendors
Tailgating – Cultural Defense
▪ Working style culture
• Before that, let’s look at the working style difference
                          U.S.A.                               Japan
Working style             • WFH is popular                     • WFH is NOT popular
Employment mobility       • High mobility                      • Low mobility
                          • Join frequently, leave frequently  • JP companies do not like mid-career recruiting
                                                               • Stay at one company 10+ years
New graduate job hunting  • Apply to a “job”                   • Apply to a “company”
                          • Specialist oriented                • Generalist oriented
                                                               • Join the company on April 1st
                                                               • 2–4 month bootcamp training (project work)
                                                               • The company assigns the division (= job)
                                                               • Job rotation is popular
Company Welcoming Ceremony @ April 1st
• This creates strong informal connections between colleagues.
▪ Why does it work as a defense?
• New guys or strangers are easy to identify
• Informal connections work as a verification method
• It may be difficult to create workable pretexting
2. Social Engineering and Cultural Difference
~2-3 : Vishing~
Vishing
▪ Vishing
• Phishing attack by phone call
• Ex) pretending to be a “computer support” guy
• Ex) pretending to be a WFH employee or someone from another branch
▪ Cultural defense workability of JP culture:
• Working style
• Decision-making process
Vishing – Cultural Defense
▪ Working style
• WFH is not popular
• Outsourcing is not so popular
• Employees have strong informal connections
▪ Why does it work as a defense?
• Pretexting may be hard
• If a phone call is suspicious, it is possible to ask around through the informal network of colleagues (validation function)
Vishing – Cultural Defense
▪ Phone call handling
• When your colleague gets a phone call...
• In Japan, a freshman or administrative staff member picks up the phone within 3 rings
▪ Why does it work as a defense?
• The contents are shared through the process (a flat desk layout helps)
• Freshmen or administrative staff can create the baseline
Vishing – Cultural Defense
▪ Decision-making process
• US: if the boss says yes, it is done
• JP prefers consensus (many escalation steps to decide)
▪ Why does it work as a defense?
• The process provides various validation functions, especially for financial settlement
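The consensus-style decision process just described (several approvals before a financial settlement is released) and the "validation function" of calling a colleague back through a known channel can be written down as an explicit payment-release policy, which makes the cultural defense testable. The Python below is an added example written for this page, not code from the talk or from the speaker; the staff directory, the names and phone numbers, and the 10,000 approval threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample directory (hypothetical names and numbers). It is the
# only trusted source of callback numbers and roles; nothing in the request
# itself is trusted, because the caller controls the request.
DIRECTORY = {
    "alice": {"role": "staff",   "phone": "+1-555-0100"},
    "bob":   {"role": "manager", "phone": "+1-555-0101"},
    "carol": {"role": "finance", "phone": "+1-555-0102"},
    "dave":  {"role": "finance", "phone": "+1-555-0103"},
}

# Consensus policy (assumed thresholds): which distinct roles must sign off
# in each amount band. "Boss said yes" alone is never enough above the band.
CONSENSUS_THRESHOLDS = [
    (10_000, {"manager"}),                    # below 10k: one manager
    (float("inf"), {"manager", "finance"}),  # 10k and above: manager AND finance
]


@dataclass
class PaymentRequest:
    requester: str                       # identity claimed by the caller/sender
    amount: float
    beneficiary: str
    approvals: List[str] = field(default_factory=list)  # user ids who approved
    callback_number: Optional[str] = None  # number staff actually called back on


def required_roles(amount: float) -> Set[str]:
    """Roles that must approve a request of this amount."""
    for limit, roles in CONSENSUS_THRESHOLDS:
        if amount < limit:
            return set(roles)
    return set(CONSENSUS_THRESHOLDS[-1][1])


def evaluate(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (release_ok, reasons); every failed control adds one reason."""
    reasons: List[str] = []
    person = DIRECTORY.get(req.requester)
    if person is None:
        return False, ["requester not in directory"]

    # Control 1: out-of-band callback to the DIRECTORY number, never to a
    # number supplied during the call. A caller pretending to be 'alice'
    # chooses what number to give; they cannot choose what HR has on file.
    if req.callback_number != person["phone"]:
        reasons.append("callback not made to directory number of requester")

    # Control 2: separation of duties, the requester cannot approve.
    if req.requester in req.approvals:
        reasons.append("requester approved own request")

    # Control 3: consensus across distinct roles (only directory users count,
    # and the requester's own approval never contributes a role).
    roles_present: Set[str] = set()
    for uid in set(req.approvals):
        entry = DIRECTORY.get(uid)
        if entry and uid != req.requester:
            roles_present.add(entry["role"])
    missing = required_roles(req.amount) - roles_present
    if missing:
        reasons.append("missing approval from role(s): " + ", ".join(sorted(missing)))

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed scenarios: a legitimate request, and a call in which someone
    # claiming to be alice gives their own number and only the boss approved.
    legit = PaymentRequest("alice", 50_000, "Vendor Co", ["bob", "carol"], "+1-555-0100")
    vish = PaymentRequest("alice", 50_000, "Vendor Co", ["bob"], "+1-555-0999")
    for name, r in (("legit", legit), ("vishing", vish)):
        ok, why = evaluate(r)
        print(name, "RELEASE" if ok else "HOLD", why)
```

The design point is that the defenses the talk attributes to Japanese working style (a consensus of several people, and checking through a channel the caller does not control) are the same controls a process can enforce explicitly when the culture does not supply them for free.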
2. Social Engineering and Cultural Difference
~2-5 : Remittance Scam~
I gave a couple of examples of Japanese (business) culture and its workability.
However, it does not necessarily mean that Japanese culture and people are tolerant of social engineering.
Scams against elderly people are a serious problem in Japan, and we see a lot of SE techniques in them.
Scenarios:
▪ Step 1
Attacker (Police Officer A) → Victim
• We arrested the scam group.
• They have a name list for a future attack, and it includes your name.
• They also committed credit card cloning, and your credit card may have been abused.
• We are investigating this case with the FSA, and FSA staff will contact you.
FSA: Financial Services Agency
Scenarios:
▪ Step 2
Attacker (FSA Staff) → Victim
• You got a phone call from police officer A.
• We are investigating the malicious usage of your credit card.
• Please tell me the last 4 digits and the expiry date. We will match them against our database.
• Umm… it has been abused.
• We will start the process to issue a new card, and FSA staff will come to your home to pick up the old one.
Scenarios:
▪ Step 3
Attacker (FSA Staff) → Victim
• Pick up
3. Wrap-Up
Wrap-Up
▪ Does cultural difference become a barrier for SE?
• I think YES.
• But this is only my first thought, and I think it needs further discussion.
• Also, from the attacker’s perspective, adjusting the pretext to a specific culture will be effective.
▪ Design consideration of culture and business processes may help to avoid social engineering
Thank You!!
▪ If you have any questions, please feel free to contact me
Contact Info
• Email: scientia.admin@gmail.com
• JP Blog: www.scientia-security.org
• EN Blog: blog.scientia-security.org (coming soon)

The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become a Barrier for Social Engineering?

  • 1. Does Cultural Differences Become a Barrier for Social Engineering? TOMOHISA ISHIKAWA scientia.admin@gmail.com www.scientia-security.org
  • 2.
  • 3.
  • 4. >> WHO AM I ?
    - Tomo (Tomohisa Ishikawa)
      • Japanese security consultant (7 years of experience)
      • ESL (English as a Second Language)
      • A doctoral program student
      • Currently at an insurance company in Philadelphia
      • CISSP, CISA, CISM, CFE, QSA, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
    - Specialized Areas
      • Penetration testing
      • Incident response
      • Vulnerability management
      • Security awareness & education
  • 5. Background
    - Social engineering is a remarkable attack vector now
      • HBGary hacked by Anonymous
      • CloudFlare hacked by UGNazi
      • Mat Honan (WIRED journalist)
      • Naoki Hiroshima (theft of the Twitter username “@N”)
      • CIA Director hacked by CWA (Crackas with Attitude)
      • BEC (Business Email Compromise)
    - Is it popular in Japan?
      • Spear-phishing email attacks are popular
      • but… not so active compared with the U.S., e.g. BEC
  • 6. My Research Question:
    - Does cultural difference become a barrier for SE?
      • If culture works as a barrier, “Cultural Defense” will be one of the solutions.
      • The design of the organization, corporate culture and business processes will be an effective method against SE.
  • 7. Additional Notes:
    - Why is the idea of “cultural defense” so important?
  • 9. Additional Notes:
    - Why is the idea of “cultural defense” so important?
      • CVE-0 (no Patch Tuesday for human beings)
  • 10. Disclaimer
    - I AM NOT…
      • a cultural anthropologist, sociologist, psychologist, philosopher, etc.
    - Any opinions offered are…
      • my own opinion, hypothesis and thoughts, based on a few of my examples
      • NOT those of my employers.
    - Focus on the difference between Japan and the U.S.
    - I may be biased because…
      • 28 years of experience in Japanese culture (Guru)
      • 8 months of experience in U.S. culture (Beginner or Intermediate)
    - This is NOT a conclusion; I would like to start the discussion
      • Constructive criticism and opinions are welcome
  • 11. Disclaimer
    - I DO NOT want to discuss the advantages or disadvantages of each culture
      • I would like to respect both cultures
      • I only discuss the defensive workability against SE attacks
    - I welcome questions and comments, but
      • PLEASE PLEASE speak slowly and simply
  • 12. 1. What is Culture? Cultural Difference?
  • 14. Cultural Difference?
    - The Size: US S-Size / JP L-Size
  • 16. Cultural Difference?
    - The Pokemon Go indicator
  • 18. Again, What is Culture? Cultural Difference?
  • 20. What is Culture?
    - A lot of definitions are available
    - The definition of E.B. Tylor
      • “that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society”
  • 22. What is Cultural Difference?
    - Hofstede's cultural dimensions theory
      • He did a comprehensive analysis of IBM employees and proposed six dimensions to characterize culture
      • Dataset: http://www.geerthofstede.nl/dimension-data-matrix
  • 23. Hofstede's cultural dimensions theory
      INDEX  DETAILS
      PDI    Power Distance Index
      IDV    Individualism vs. collectivism
      MAS    Masculinity vs. femininity
      UAI    Uncertainty avoidance index
      LTO    Long-term orientation
      IVR    Indulgence versus restraint
    [Chart: Cultural Differences by Hofstede Indicator, Japan vs. U.S.A.; data below]
             JPN  USA  DIFF
      PDI     54   40   14
      IDV     46   91   45
      MAS     95   62   33
      UAI     92   46   46
      LTO     88   26   62
      IVR     42   68   26
  • 24. Hofstede's cultural dimensions theory
    - From this data
      Item  Diff  Japan               U.S.A
      LTO   62    Long-term oriented  Short-term oriented
      UAI   46    Hates uncertainty   Accepts risk
      IDV   45    Collectivism        Individualism
  • 25. 2. Social Engineering and Cultural Difference
  • 26. If you are NOT familiar with SE
  • 27. Today we are discussing…
    - OSINT
    - Tailgating
    - Vishing
    - Remittance Scam (Supplementary)
  • 28. 2. Social Engineering and Cultural Difference ~2-1 : OSINT~
  • 29. OSINT
    - Open Source Intelligence
      • Collecting the information necessary for SE by using public resources
    - Cultural Defense Workability of JP Culture:
      • Japanese prefer anonymity on the Internet
      • This means the difficulty of OSINT in JP is high.
    - MIC 2014 Research (MIC: Ministry of Internal Affairs and Communications)
      • Comparison of 6 countries (JP, US, UK, FR, SK, SGP)
      • http://www.soumu.go.jp/johotsusintokei/whitepaper/eng/WP2014/chapter-4.pdf
  • 30. OSINT – Cultural Defense
    - MIC 2014 Research
      • The US tends to use real names, but JP prefers to use false names
    [Chart: Use of false names versus real names on SNS, JP vs. US, per service (FB, Twitter, Chat, SNS, BBS, Blog); series: Use False Name, Use Real Name, Use Both (multiple accounts), Not User]
  • 31. OSINT – Cultural Defense
    - MIC 2014 Research
      • 66.3% of JP have antipathy against disclosing their real name (US: 35.9%)
      The antipathy against disclosing one's real name (%)
              Strong  Moderate  Neutral/Neither  Not much  No
      Total    15.9     23.2        24.8           22.4    13.7
      JP       41.7     24.6        13.7           12.7     7.3
      U.S.     13.1     22.8        28.3           22.2    13.6
  • 32. OSINT – Cultural Defense
    - MIC 2014 Research
      • Approximately 60% of JP and US people feel the risk of being identified even though they use a false name
      Awareness of the risk of being identified despite anonymous use (%)
              High possibility  Some possibility  Low possibility  Almost no possibility
      Total        20.2              39.1              29.9               10.8
      JP           16.5              43.7              26.5               13.3
      US           24.4              36.9              27.4               11.3
  • 33. 2. Social Engineering and Cultural Difference ~2-2 : Tailgating~
  • 34. Tailgating
    - Tailgating
      • Breaking physical access control by using pretexting
      • Ex) Pretending to be a “FedEx guy” or “pest control guy”
      • Ex) Pretending to be a freshman, a WFH employee, or an employee from a different branch
    - Cultural Defense Workability of JP Culture:
      • Japanese culture is a detective environment (strangers are easily noticed)
      • Office Layout
      • Working Style Culture
  • 35. Tailgating – Cultural Defense
    - Office Layout
      • US: Cubicle
      • JP: Flat Desk
  • 36. Tailgating – Cultural Defense
    - Why does it work as a defense?
      • Easy to identify strangers or attackers
      • Everyone knows the usual behavior (baseline) of colleagues and other vendors
  • 37. Tailgating – Cultural Defense
    - Working Style Culture
      • Before that, let’s look at the working style difference
      Working Style
        • U.S.A: WFH is popular
        • Japan: WFH is NOT popular
      Employment Mobility
        • U.S.A: High mobility; join frequently, leave frequently
        • Japan: Low mobility; JP companies do not like mid-career recruiting; stay at one company 10+ years
      New Graduate Job Hunting
        • U.S.A: Apply to a “Job”; specialist oriented
        • Japan: Apply to a “Company”; generalist oriented; join the company on April 1st; 2-4 month bootcamp training (project work); the company assigns the division (= job); job rotation is popular
  • 39. Tailgating – Cultural Defense
    - Working Style Culture (the same table as slide 37)
      • It creates a strong informal connection between colleagues.
  • 40. Tailgating – Cultural Defense
    - Why does it work as a defense?
      • New people or strangers = easy to identify
      • Informal connections work as a verification method
      • It may be difficult to create workable pretexting
  • 41. 2. Social Engineering and Cultural Difference ~2-3 : Vishing~
  • 42. Vishing
    - Vishing
      • Phishing attack by using a phone call
      • Ex) pretending to be a “computer support” guy
      • Ex) pretending to be people working from home / in another branch
    - Cultural Defense Workability of JP Culture:
      • Working Style
      • Decision Making Process
  • 43. Vishing – Cultural Defense
    - Working Style
      • WFH is not popular
      • Outsourcing is not so popular
      • Employees have strong informal connections
    - Why does it work as a defense?
      • Pretexting may be hard
      • If the phone call is suspicious, it is possible to ask questions through the informal network of colleagues (validation function)
  • 44. Vishing – Cultural Defense
    - Phone Call Handling
      • When your colleague gets a phone call...
      • In Japan, a freshman or administrative staff member picks up the phone within 3 rings
    - Why does it work as a defense?
      • The contents are shared through the process (the flat desk layout helps)
      • Freshmen or administrative staff can create the baseline
  • 45. Vishing – Cultural Defense
    - Decision Making Process
      • US: if the boss says Yes, it is done
      • JP prefers consensus (many escalation steps to decide)
    - Why does it work as a defense?
      • Various validation functions in the process, especially for financial settlement
  • 46. 2. Social Engineering and Cultural Difference ~2-5 : Remittance Scam~
  • 47. I gave a couple of examples of Japanese (business) culture and its workability.
  • 48. However, it does not necessarily mean that Japanese culture and people are tolerant of (i.e. resistant to) social engineering.
  • 49. Scams targeting elderly people are a serious problem in Japan, and we see a lot of SE techniques in them.
  • 50-54. Scenarios: Step 1
    Attacker (Police Officer A) calls the Victim:
      • We arrested the scam group.
      • They had a name list for future attacks, and it includes your name.
      • They also cloned credit cards, and your credit card may be abused.
      • We are investigating this case with the FSA, and FSA staff will contact you.
    FSA: Financial Services Agency
  • 55-60. Scenarios: Step 2
    Attacker (FSA Staff) calls the Victim:
      • You got a phone call from Police Officer A.
      • We are investigating the malicious usage of your credit card.
      • Please tell me the last 4 digits and the expiry date. We will match them up with our database.
      • Umm… it has been abused.
      • We will start the process to issue a new card, and FSA staff will come to your home to pick up the old one.
  • 61. Scenarios: Step 3
    Attacker (FSA Staff) visits the Victim:
      • Pick up (the card is collected at the victim's home)
  • 63. Wrap-Up
    - Does cultural difference become a barrier for SE?
      • I think YES.
      • But this is only my first thought, and I think further discussion is needed
      • Also, from the attacker’s perspective, adjusting the pretext to the specific culture will be effective.
    - Design consideration of culture and business processes may help to avoid social engineering
  • 64. Thank You!!
    - If you have any questions, please feel free to contact me
      Contact Info
      • Email: scientia.admin@gmail.com
      • JP Blog: www.scientia-security.org
      • EN Blog: blog.scientia-security.org (Coming Soon)