HACKING THE CORPORATE MIND: USING SOCIAL ENGINEERING TACTICS TO IMPROVE ORGANIZATIONAL SECURITY ACCEPTANCE

Black Hat USA 2012

Presented by: James Philput
Date: Thursday July 26, 2012
Time: 17:00 - 18:00
Location: Augustus III+IV
Track: Defining the Scope

Network defenders face a wide variety of problems on a daily basis. Unfortunately, the biggest of those problems come from the very organizations that we are trying to protect. Departmental and organizational concerns are often at odds with good security practices. As information security professionals, we are good at designing solutions to protect our networks and the data housed on them. That said, we are awful at communicating the need for these controls in a way that users will either understand or listen to. In this presentation, I will discuss using social engineering techniques against your organization's users. Through the application of social engineering tactics, I will show how to bridge the gulf between the user and the information security team, allowing for better security awareness, better adherence to information security policy, and fewer difficulties in user acceptance.

James Philput

James Philput has worked in Information Technology for the past 15 years. Specializing in Information Security, he has worked for organizations in the Education, Healthcare, Communications, Government, and Defense fields. James is currently a Sr. Information Security Analyst with IAP, Information Assurance Professionals. There he works with clients to secure their infrastructure, focusing on organizational architecture and compliance with applicable laws and standards. In addition to consulting on security architecture, James is responsible for the design and maintenance of the intrusion detection and prevention systems, writing and updating information security policy, and running the vulnerability assessment tools needed to keep abreast of potential vulnerabilities within client networks. Prior to his work with IAP, James worked to improve the state of information security as a whole in his time as an author and instructor for the SANS Institute. At SANS, James co-authored a course on Linux Systems Administration, and acted as editor and technical reviewer for various security courses. While acting as an author and editor, James also taught various courses on information security and IT operations at SANS conferences across the US. James plays an active role in the security community. As an active participant on the GIAC advisory board and several other mailing lists, he provides information and opinion that is used to shape future training classes and best practices within the industry. James continues to work on a volunteer basis for the SANS Institute as a technical reviewer for new and updated course material, and has begun working as a guest speaker for organizations such as the Virginia Information Security Officers Advisory Group and the League of Women Voters.
