top of page

Dr. Aunshul Rege

Social engineering based cyberattacks in the health sector

Bio:


Dr. Aunshul Rege is an Associate Professor and director of the Cybersecurity in Application, Research, and Education (CARE) Lab at Temple. Her research has been funded by several National Science Foundation and Department of Energy/Idaho National Lab grants. Her work focuses on critical infrastructure and cybersecurity, cyberadversarial decision-making and adaptation, ransomware, social engineering, and cybersecurity education. She is the organizer and host of the summer social engineering competitions for high school, undergraduate, and graduate students. Her cybersecurity awareness and training efforts extend beyond higher education to include working with youth, elderly, and previously incarcerated individuals via partnerships with local nonprofits. She has been featured on BBC World Service, WHYY/ PBS/NPR’s Studio 2, and the CBC Podcast “Love, Janessa”, to name a few. She currently serves as the Research Lead for the Social Engineering Community at Defcon. She also serves on the Advisory Board of Raices Cyber and Black Girls Hack.


Abstract:


Social engineering (SE) involves the manipulation of human psychology and behavior to gain access to information and systems that otherwise may not have been possible. Many security experts consider SE to be a top attack vector in cyberattacks, particularly in critical infrastructure. Despite its relevance, SE is downplayed in current cybersecurity curricula. This talk shares findings from a cybersecurity competition for undergraduate students that emphasized SE in the healthcare sector. Teams were given a target medical facility where they had to employ passive OSINT and use these findings in simulated phishing and vishing exercises that involved interactions with expert social engineers who posed as employees at those facilities. The talk will share the wealth of information that students found online about these medical facilities (ex: employee email address, VPNs used, names of food service, cleaning, trash disposal companies, IT help documents, etc.). The talk will then share how students used these findings to craft effective pretexts and personas that they used in simulated phish and vish campaigns (example phish emails and vish recordings will be shared). Finally, the talk demonstrates how important SE can be as a point of entry and escalation in cyberattacks against critical infrastructure. It makes the case that these types of SE competitions can be used in-house as a means of training and awareness programming for infrastructure employees.

Dr. Aunshul Rege
bottom of page