Many companies view phishing as a given: employees will click links and enter credentials, and we just need to be okay with that. Phishing prevention usually takes the form of training, and a warning to be careful when reading email. But does phishing training actually work? In this talk, we'll cover the psychology behind successful phishing campaigns, then walk through a series of attacks run against a Bay Area tech company. We'll cover how effective campaigns were built, including bypassing existing protections. Finally, we'll discuss evidence-based techniques to prevent, rather than just mitigate, credential phishing.

Karla has a varied offensive security background: she's reverse engineered train ticketing systems, written articles on TLS and SSH, and competed in the Defcon CTF finals for the last several years running. She officially works on authentication and application security at Stripe, but builds internal phishing campaigns when she has business hours to spare. She's triggered many bouts of internal paranoia, and has built a reputation as being entirely untrustworthy when it comes to email.

Back to Circle City Con 2017 Videos list