Download presentation
Presentation is loading. Please wait.
Published byMadeline Tyler Modified over 8 years ago
1
When Things Go Wrong The Results of Losing your Common Sense By: Barak Engel, CISSP Principal, Engel & Associates ISACA May 2006
2
What will we talk about? The theory –Approaches –The role of the individual user –The gap The practice –Common and pervasive risk areas Email (Viruses, Phishing and other diseases) Web Browsing (“the free mug”) Wireless connectivity (War Driving) Filling the gap
3
In Theory… Security controls… –Can be standardized –Can be applied uniformly –Can be identified and defined in advance –Can have their efficacy analyzed/determined –Can be audited Hidden assumptions –Level of accuracy –The issue of scale –Statistical equality of cost
4
The individual user Users… –Represent the largest install base –Completely lack standards –Cannot be controlled centrally (or otherwise) –Are only predictable in their unpredictability –Cannot be redesigned –Are all of us In the knowledge society, employees own the tools AND the means of production –Peter Drucker, 1994
5
The gap Knowledge –The awareness problem Would this be useful to you?this –The issue of relevancy –Cross-contamination Motivation –The role of open-source and freeware Least Effort and the path of least resistance
6
Common Risk Area – Email Public email service providers
7
Phishing for Fun and Profit
8
Anatomy of a Phishing Attempt.1 Email from a trusted source
9
Anatomy of a Phishing Attempt.2 “Clean” headers – and no virus
10
Anatomy of a Phishing Attempt.3 Email text certainly looks odd Exploring deeper, we find…
11
Anatomy of a Phishing Attempt.4 Analyzing the ASCII code: –Source: http://%36%36%2E%31%32%33%2E%32%30 %33%2E%31%35%32:%38%37/%63%69%74 /%69%6E%64%65%78%2E%68%74%6D –Target: 66.123.203.152:87/cit/index.htm
12
Anatomy of a Phishing Attempt.5 And that leads us… …Absolutely nowhere
13
Could the average user have figured this out? Common sense must be “calibrated”! Heard warnings Wording is slightly awkward Underlying text is weird Has logo and a “legit” email address Proper english Maybe needed? And it comes from IT anyway Virus-free (cross- contamination)
14
Email – right or privilege? Corporate email can be controlled… –…but not so private email Controls –Updated anti virus (FW: AVG) –Encryption (FW: PGP) –Secure email client (FW: Thunderbird) –Spam blocker (FW: Spambayes) Motivation –Identity Theft
15
A cryptic code? 042103580, 062360749, 095073645, 128036045, 135016629, 141186941, 165167999, 165187999, 165207999, 165227999, 165247999, 189092294, 212097694, 212099999, 306302348, 308125070, 468288779, 549241889
16
Web Browsing To whom are you giving your personally identifiable information and why?
19
The Tradeshow Participant.1
20
The Tradeshow Participant.2 Oh, look, protected access! What are those files, I wonder?
21
The Tradeshow Participant.3
22
The Tradeshow Participant.4 Hey! They paid less than we did!
23
The Tradeshow Participant.5 Some information can be more useful… …to certain people.
24
Information can end up anywhere
25
Web Browsing – Tool of Production Browsing habits are learned at home – not at work Web-based research is efficient and highly valuable Monitoring web access provides rapidly diminishing return
26
Good Habits in Browsing Some better habits are easy to acquire: –“Understanding” SSL –Different browser (FW: Firefox) –Limiting (personal) exposure –The concept of lying –Fighting spyware (FW: Spybot S&D, Spyware Blaster/Guard, Windows Defender) –Password Management (Keypass) Motivation –Identity Theft –Online Predators
27
Mrs. Hilda Schrader Whitcher 078051120 Actual SSN of E.H.Ferree ’ s Treasurer Douglas Patterson ’ s secretary An insert in wallets sold at Woolworth Used by over 40,000 people
28
Wireless Connectivity A new attack vector “Invisible” infrastructure KISS –But only in basic mode Highly distributed
29
Is the network a free-for-all? The story of an afternoon visit to 7-11
30
Wireless Behavior Explain basic concepts –defaults Network name (SSID) Channel Beaconing –Encryption –MAC filtering Motivation –Personal information (…Identity Theft) –Job Security
31
Users = The X-Factor* Common sense can be taught It’s all about motivation –Close and personal Hidden assumption –People generally have good intentions We are all users! * (and that’s not a bad thing)
32
Thank You! http://www.engelassociates.net/ barak@engelassociates.net (888) 509 3561
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.