Danny Ocean ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On June 19, 2024

Danny Ocean, played by George Clooney in Ocean’s 11, shows the complexity, the timing, and sometimes the sheer ease of using social engineering to carry out an attack. The film offers a compelling look at the art of deception and manipulation, showcasing strategies that are surprisingly relevant to cybersecurity training.

In "Ocean's Eleven," Danny Ocean and his team use sophisticated social engineering tactics to rob a casino. They employ pretexting when posing as technicians or officials to access restricted areas or gather critical information from unsuspecting employees. This mirrors real-world scenarios where attackers might pose as IT staff to ask for your password or as executives requesting urgent wire transfers.

The movie also demonstrates tailgating in the scene where characters bypass security checkpoints by closely following authorized personnel into restricted areas. This scene vividly illustrates the need for vigilance and strict access controls in sensitive environments.

Cybercrime tactics are evolving, moving beyond technical exploits to target the weakest link in security: people. That's why CIS Safeguard 14.2 emphasizes training your staff to detect social engineering attacks like phishing, pretexting, and baiting.

What is Social Engineering?

Social engineering manipulates individuals to divulge sensitive information or undertake actions that compromise security. These attacks often exploit emotions such as fear, urgency, greed, or the desire to assist.

Recognizing Social Engineering Red Flags

  • Suspicious Emails: Unusual sender addresses, typos, unusual requests for information, or misleading links
  • Urgent Requests: Pressure tactics to prompt immediate action without careful consideration
  • Offers Too Good to be True: Unexpected prizes, offers, or warnings about account issues may be bait
  • Impersonation: Attackers posing as IT support, bank representatives, or company executives
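As an added illustration (not part of the original post), here is a small Python triage script that checks a reported email against the four red flags listed above: sender and Reply-To mismatch, urgency language, bait offers, impersonation of a trusted role from an external domain, and links whose visible text names a different host than the href. The sample messages, keyword lists, and the `corp.example` trusted domain are constructed placeholders to be tuned for your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed keyword lists; tune them for your own environment.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now)\b", re.I)
BAIT = re.compile(r"\b(you have won|prize|gift card|free offer)\b", re.I)
ROLES = re.compile(r"\b(it support|help ?desk|ceo|chief executive|your bank)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"https?://([^/\s<>\"']+)", re.I)

def host_of(url: str) -> str:
    """Extract the lowercase host from a URL, or '' if there is none."""
    m = HOST.search(url)
    return m.group(1).lower() if m else ""

def red_flags(raw_email: str, trusted_domains: set[str]) -> list[str]:
    """Return the social-engineering red flags found in one single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    external = sender_domain not in trusted_domains
    flags = []
    # Suspicious sender: replies are routed to a domain other than the sender's
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("reply-to domain differs from sender domain")
    # Impersonation: claims IT support / executive / bank but comes from outside
    if external and ROLES.search(display + " " + text):
        flags.append(f"trusted role claimed from external domain {sender_domain}")
    # Urgent request: pressure language in subject or body
    if URGENCY.search(text):
        flags.append("urgency language")
    # Too good to be true: prizes and offers used as bait
    if BAIT.search(text):
        flags.append("bait / too-good-to-be-true offer")
    # Misleading link: visible text names one host, the href goes to another
    for href, label in ANCHOR.findall(body):
        shown = host_of(label)
        if shown and shown != host_of(href):
            flags.append(f"link text shows {shown} but points to {host_of(href)}")
    return flags

# Constructed sample messages (placeholder domains, not real senders).
PHISH = """From: IT Support <helpdesk@example-mail.test>
Reply-To: reset@other.test
To: user@corp.example
Subject: Urgent: password reset required
Content-Type: text/html

Your account will be suspended within 24 hours unless you verify it at
<a href="http://corp-example.test/reset">https://corp.example/reset</a>.
"""
BENIGN = """From: Alice Jones <alice@corp.example>
To: user@corp.example
Subject: Lunch menu for Friday
Content-Type: text/html

The menu is posted at <a href="https://corp.example/menu">https://corp.example/menu</a>.
"""
```

Running `red_flags(PHISH, {"corp.example"})` reports four flags, while the benign message reports none; a script like this can help a help desk prioritize employee reports, but it is a teaching aid, not a substitute for the training the safeguard calls for.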

Transforming Training into a Defensive Strategy

  • Real-world Examples: Illustrate concepts with recent phishing attacks or scams to enhance relevance
  • Simulated Phishing Tests: Conduct safe simulations to help staff recognize red flags in a controlled environment
  • Gamification: Engage employees with quizzes and incentives for identifying social engineering attempts
  • Reporting Protocols: Clearly outline procedures for reporting any suspected attacks encountered by employees

Here’s a link to the Security Awareness Skills Training Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/security-awareness-skills-training-policy-template-for-cis-control-14

Here are some details on this specific Control/Safeguard. If you want more info, DM me.

CIS Control 14 – Security Skills Awareness & Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Implementation Group 1

CIS Safeguard 14.2 - Train Workforce Members to Recognize Social Engineering Attacks

Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.