
May 2013 – Social Engineering: Strategies, Methods and Tactics.

Date: May 8, 2013, 2 PM – 5 PM
Venue: Protiviti – 1290 Avenue of the Americas, 5th Floor, New York, NY 10104
Presentations: Check back after this event.
Dress: Business casual

May 8, 2013 – ISSA PROGRAM

May 8, 2013

Event Start Time – End Time

2 PM – 5 PM

Overall Event Title

Social Engineering: Strategies, Methods and Tactics.

Event abstract

Despite the efforts of security professionals, information everywhere remains vulnerable and continues to be the central target of malicious actors. While technological defenses are regularly enhanced to protect information assets, deploying more technology has not solved the most exposed and susceptible aspect of the security problem: humans.


With today’s attacker community constantly maturing and refining its approach and capabilities, exploiting the human link to access proprietary information or penetrate the corporate network may become more common and attractive to malicious actors.


The threat of a break-in to your organization’s information systems may not seem real until it happens (out of sight, out of mind), and in most cases an organization will never know when it was hit by a social engineer. Understanding the strategies, methods, and tactics a social engineer uses to attack the confidentiality, integrity, and availability of information systems and networks will help you proactively prepare, educate, and deploy and enhance controls to safeguard your information assets.


Protiviti – 1290 Avenue of the Americas, 5th Floor, New York, NY 10104

Dress Code

Business casual

Event kickoff opening remarks

2:00 – 2:10


NY ISSA Board Member

Session description

Welcome attendees



Session Title

Training Employees to Recognize and Avoid Advanced Attacks

Start Time – End Time

2:10 – 2:55

Session Description



Joe Ferrara, President and CEO – Wombat Security Technologies, Inc.


Joe Ferrara is the President & CEO of Wombat Security Technologies, a leading security awareness assessment and training company. Joe has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International and information security regional conferences. His security awareness articles have been published in Network World, CSO magazine, TechWorld, FierceCIO, Computerworld, etc. He brings over 20 years of experience in technology marketing, operations and management to his role at Wombat. His previous roles include President, CEO and Chairman of Tollgrade Communications, CEO of Marconi Communications North America and General Manager of Ericsson’s Wireless Software & Services and Routing & Switching Divisions. Joe is also a Board Member of Voci Technologies.

Session Title

“Making Your Employees Mal-Aware: Lessons Learnt From Having Successfully Trained 4 Million People”

Start Time – End Time

2:50 – 3:30 PM

Session Description

Cyber crime and electronic espionage most commonly initiate with an employee clicking a link to a website hosting malware, opening a malware-laden file attached to an email, or simply giving up corporate credentials when solicited via phishing websites. Phishing has been used to hijack online brokerage accounts to aid pump-and-dump stock scams, compromise government networks, sabotage defense contracts, steal proprietary information on oil contracts worth billions, and break into the world’s largest technology companies to compromise their intellectual property. Technical controls presented as silver bullets provide false hope and a false sense of security to employees, promoting dangerous behaviors. This continued threat makes it more important than ever for companies to provide an effective security awareness program to users on their networks.


During this talk, I will present the techniques used by attackers to execute these attacks, and real-world cases that my team has responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS. It’s about more than awareness training; it’s about modifying employee perception of phishing emails and the responses to these types of attacks.


Rohyt Belani, Co-Founder & CEO, PhishMe


Rohyt Belani is the CEO of PhishMe – a company focused on improving employees’ security behavior towards targeted phishing, malware, and drive-by attacks.

Prior to starting PhishMe, Rohyt was the co-founder and CEO of Intrepidus Group (acquired by NCC Group Plc), Managing Director at Mandiant, Principal Consultant at McAfee’s Foundstone division, and a Researcher at the Software Engineering Institute. He was also an Adjunct Professor at Carnegie Mellon University for five years.

Rohyt is a contributing author to several information security books and publications, has spoken at leading security conferences world-wide including Black Hat, RSA, OWASP and forums catering to the FBI, US Secret Service, and US Military. He provides regular commentary and analysis on cybersecurity issues for national print and broadcast media, including BBC, CNN, ABC News, and Forbes.

Rohyt holds a Bachelors in Computer Engineering from University of Mumbai, and a Masters in Information Networking from Carnegie Mellon University.



Networking Break

3:30 pm – 4:00

Session Title

Social Engineering

Start Time – End Time

4:00 – 4:45 PM

Session Description

Social Engineering gets increasing attention as an attack vector as more incidents are attributed to human rather than technical vulnerabilities. Unfortunately, the term has come to mean any non-technical attack, which makes Social Engineering too broad a vulnerability to mitigate. This presentation defines Social Engineering, discusses methodologies with case studies, and presents mitigation strategies.

This presentation begins by identifying what Social Engineering is and isn’t. The distinction is critical: there is a difference between taking advantage of random human error and purposefully manipulating people into taking actions they otherwise would not take. The psychological aspects of attack methodologies are detailed, and case studies are provided to demonstrate them. The presentation will also include the results of a detailed study that examined the effectiveness of Fortune 500 security awareness methodologies.


Ira Winkler


Ira Winkler has performed Social Engineering attacks for almost two decades and has simulated a wide variety of threats, ranging from unskilled hackers to highly trained intelligence operatives. Combining this experience with his psychological training, Ira identified the root causes that enable Social Engineering attacks.

Who should attend this session?

ISSA Members, ISACA Members and FS/ISAC Members (and other ISACs)

This program has been created for information security practitioners, but may also be of interest to the following:

IT professionals – Understand common social engineering methods and tactics, the importance of security awareness training and education as well as the importance of security policies and procedures.

Security Assessors – Identify deceptive social engineering penetration testing methods and tactics that can be leveraged to expose any weakness in training or lack of adherence to company policies and procedures.

Security Management & Executives – Understand industry practice trends and gain perspective on implementing technical assessment activities in the context of a broader security services program.