
The Role of People in Security


Presentation on theme: "The Role of People in Security"— Presentation transcript:

1 The Role of People in Security
Chapter 4

2 Objectives
Define basic terminology associated with social engineering.
Describe steps organizations can take to improve their security.
Describe common user actions that may put an organization’s information at risk.
Recognize methods attackers may use to gain information about an organization.
Determine ways in which users can aid instead of detract from security.

3 Key Terms
Backdoor - Avenues that can be used to access a system while circumventing normal security mechanisms.
Dumpster diving - The process of going through a target’s trash searching for information that can be used in an attack, or to gain knowledge about a system or network.
Phishing - A scam wherein a user is duped into revealing personal or confidential information that the scammer can use illicitly.
Piggybacking - The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.
Reverse social engineering - This technique is similar to social engineering in that attackers are attempting to obtain information that can be used in an attack, but in this case, the attacker uses techniques to convince the target to initiate the contact.
Shoulder surfing - A procedure in which attackers position themselves in such a way as to be able to observe the authorized user entering the correct access code.
Social engineering - The art of deceiving another individual so that they reveal confidential information. This is often accomplished by posing as an individual who should be entitled to have access to the information.
Vishing - An electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities using voice technology.

4 People: A Security Problem
The role of people in security: It is nearly impossible to detect all of the possible ways that humans can deliberately or accidentally cause security problems or circumvent our security mechanisms. The role of people in security involves both the user practices that can aid in securing an organization and the vulnerabilities or holes in security that users can introduce.

5 Social Engineering
Technique in which the attacker uses deceptive practices to
Convince someone to divulge information they normally would not divulge.
Convince someone to do something they normally wouldn’t do.
Why social engineering is successful
People desire to be helpful.
People desire to avoid confrontation.
Social engineering is successful for two reasons. First: the basic desire of most humans to be helpful. When an individual asks another a question, they are most likely to answer the question if they know the answer instead of being suspicious as to why the question was asked. Second: individuals normally seek to avoid confrontation and trouble. If an attacker attempts to intimidate the target, threatening to call the target’s supervisor because of a lack of help, the target may give in and provide the information to avoid confrontation. This second reason is most often successful in organizations that have a strict hierarchical structure.

6 Social Engineering (continued)
Seemingly innocuous information can be used
Directly, in an attack
Indirectly, to build a bigger picture to create an aura of authenticity during an attack
Indirect methods
Phishing
Vishing
The more information an individual has about an organization, the easier it will be to convince others that he is part of the organization and has a right to sensitive information. Social engineering is not always a case of an outsider attempting to get the inside information of an organization. Insiders may also attempt to gain information they are not authorized to have. In many cases, the insider may be much more successful since they will already have a certain level of information regarding the organization and can therefore spin a better story that will be more believable to other employees. An attacker who is attempting to exploit the natural tendency of people to be helpful may take one of several approaches: simple questions may be asked in hopes of obtaining the desired information; this method generally works for basic information that is not considered sensitive. The attacker may also try to engage the target in conversation with a concocted story to gain sympathy for more sensitive information that may arouse suspicion if asked about bluntly. The attacker may also try to appeal to an individual’s ego. This technique is normally used to gain multiple pieces of information or change information on an account they are not authorized for by buffering their ego. This technique may be used to accomplish something such as having the target’s password reset.

7 Obtaining Insider Information
1978: Stanley Mark Rifkin stole $10.2 million from the Security Pacific Bank
This was a social engineering attack involving the technique of obtaining insider information.
Rifkin
Was a computer consultant for the bank
Obtained the information needed to do wire transfers
Impersonated a bank officer, and ordered a transfer of $10.2 million to a bogus account in a New York bank
Transferred that money to an account in Switzerland
Used the money to buy diamonds
Was caught after bragging
Served eight years in prison for his crime
An example of a social engineering attack involving the technique of obtaining insider information occurred in 1978, when Stanley Mark Rifkin stole $10.2 million from the Security Pacific Bank in Los Angeles. Rifkin was a computer consultant for the Security Pacific Bank in Los Angeles. He used the knowledge he obtained while working as an employee to obtain the electronic transfer code used by the bank to transfer money to other banks for one day. He then impersonated a bank officer and ordered a transfer of $10.2 million to a bogus account in a New York bank. He transferred that money to an account in Switzerland before using the money to buy diamonds and have them smuggled into the United States. Rifkin was caught after telling his story to an individual who happily turned him in. He served eight years in prison for his crime; the bank tried to make up for their losses by selling the diamonds.

8 Phishing
Type of social engineering
Attacker masquerades as a trusted entity
Typically sent to a large group of random users via e-mail or instant messenger
Typically used to obtain usernames, passwords, credit card numbers, and details of the user’s bank accounts
Preys on users of PayPal, eBay, major banks, and brokerage firms
Security+ objective 6.6a Phishing
Phishing is a popular form of social engineering attack because it takes little effort and is a cheap way to gain the information the attacker is seeking. Phishing is now the most common form of social engineering attack related to computer security. The target may be a computer system and access to the information found on it (such as the case when the phishing attack asks for user ID and password) or the target may be personal information, generally financial, about an individual.

9 Recognizing Phishing
Analyze any e-mails received asking for personal information carefully.
Organizations should forewarn their users.
Never send e-mails asking for personal information.
Never request passwords.
Watch for technical or grammatical errors.
Strange URL address
Avoiding phishing attacks: analyze any e-mails received asking for personal information carefully. Almost unanimously, organizations will never send e-mails asking for personal information. An e-mail with technical or grammatical errors is unlikely to be legitimate. Check the URL address; often the URL address will not match the organization’s official website address.

10 Spear Phishing & Pharming
Spear phishing
Relatively new term
Modification to normal phishing attacks
Special targeting using specific information
Designed to trick user into believing message is genuine
Pharming
Redirects the user to a bogus website
Appears similar to the original
Convinces the user to give information
Spear phishing: the special targeting of groups with something in common when launching a phishing attack. The ratio of successful attacks to the total number of false e-mails or links sent increases because a targeted attack seems more plausible. Pharming: the attacker attempts to obtain sensitive information (such as credit card numbers) while the user is at the bogus site. The redirection can occur as a result of: modifications to a system’s hosts file; attacks on DNS servers, which would cause an individual to be taken to the wrong web site because the DNS server would return the incorrect IP address; links in e-mails that look like they go to the legitimate site, while the reference link actually points to the bogus site.
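As an added example (not part of the slides), a small Python audit of the first pharming vector above: any hosts-file line that pins a non-local name to an address silently overrides DNS for that name, so a defender wants to list such entries. The hosts text, the bank-style names and the address 192.0.2.44 are constructed sample input.

```python
import ipaddress

# Constructed hosts-file text used as sample input; not taken from any real system.
# The bank-style names and 192.0.2.44 (a documentation address) are placeholders.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.0.2.44      www.example-bank.test login.example-bank.test   # pharming-style override
127.0.0.1       metrics.example.test                            # ad/telemetry sinkhole
"""

# Names that legitimately live in a hosts file and never need DNS.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_host_entries(text):
    """Classify every hosts entry that overrides DNS for a non-local name.

    Returns a list of (ip, hostname, kind) where kind is:
      'redirect' - the name is pinned to a routable address, which is how a
                   hosts-file modification sends the user to a look-alike site;
      'sinkhole' - the name is pinned to loopback/unspecified, which blocks it
                   (common for ad blocking, but still worth confirming is intended);
      'invalid'  - the address field does not parse as an IP address at all.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "invalid"))
            continue
        kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append((ip, name, kind))
    return findings


if __name__ == "__main__":
    for ip, name, kind in suspicious_host_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {name:28} -> {ip}")
```

On a real machine, read the platform's hosts file into `suspicious_host_entries` and compare the result against a known-good baseline; every `redirect` entry for a name the organization does not own deserves a look.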

11 Vishing
Use of voice technology to obtain information
Variation of phishing
Takes advantage of the trust people place in the telephone network
Attackers spoof calls from legitimate entities using VoIP
Voice messaging can be compromised and used in these attempts.
Attackers hope to obtain credit card numbers or other information for identity theft.
Successful because
Individuals trust in the telephone system.
With caller ID, people believe they can identify who is calling them.
Caller ID can be spoofed.
Avoiding a vishing attack: if a user receives a message that claims to be from a reputable entity and asks for sensitive information, use the Internet or examine a legitimate account statement to get the correct phone number and call them back. If it is them, OK; if it is not, then you avoided a big mess. Examples of vishing attempts include: the user may receive an e-mail asking him to call a number that is answered by a potentially compromised voice message system; users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to their account is not blocked.

12 Shoulder Surfing
Attacker directly observes sensitive information by
Looking over the shoulder of the user
Setting up a camera
Using binoculars
Targeted information
Personal identification number (PIN) at an ATM
Access control entry code at a secure gate or door
Calling card or credit card number
Defenses
Small shield to surround a keypad
Scramble the location of the numbers, e.g. the top row at one time includes the numbers 1, 2, and 3 and the next time 4, 8, and 0.
Cameras do not have to be set up far away. They can be small and unnoticeable. Cameras now come hidden in pens and watches, and are commercially available. Take a look at Thinkgeek.com. The best defense is for users to be aware of their surroundings: do not allow individuals to get into a position from which they can observe the information being entered. The attacker may attempt to increase the chance of successfully observing the target entering the data by starting a conversation with the target. This provides an excuse for the attacker to be physically closer to the target; otherwise, the target may be suspicious if the attacker is standing too close. In this sense, shoulder surfing can be considered a social engineering attack. A related, somewhat obvious security precaution is that a person should not use the same PIN for all of their different accounts, gate codes, and so on, since an attacker who learns the PIN for one type of access could then use it for all of the other types of access.

13 Reverse Social Engineering
The victim initiates contact with the social engineer.
Can result in increased trust
Trick is in convincing user to initiate contact
Easier to do during times of change or confusion
Company merges with another
One or more new hires that are not familiar with the company
New software rollout
Not as well known as normal social engineering.
Attacks can be extremely successful and harmful.
This type of contact can be more successful than a normal social engineering attack, because the target is initiating the contact, which means the attacker may not have to convince the target of their authenticity. Possible methods of attempting to convince the target to contact the attacker might include: sending out a spoofed or falsified e-mail that claims to be from a reputable source and provides another address or telephone number to contact for fake tech support; posting a notice or creating a fake website resembling an official company site that also claims to provide tech support. If either of these attacks is timed with a merger of companies or a change of software within the company, the attacks may be successful because employees will not be aware of the new organization or new procedures.

14 Security Hoaxes
Hoaxes designed to elicit user reaction
Delete a file
Change a setting
Spread the word
Defense
Training and awareness
Security+ objective 6.6b Hoaxes
Security+ objective 6.4m Education and awareness training
A hoax can be very damaging if it causes users to take an action that can weaken security. Training and awareness are the best forms of defense for both users and administrators. Users should be trained to be suspicious of unusual e-mails and know who to contact to check the validity of any stories received. Hoaxes often advise the user to send the message to others in order to spread the word. Users should be made aware that any message asking them to ‘spread the word’ in some form could be a possible hoax. Example of a hoax: a warning about a new, highly destructive piece of software that instructed users to check for the existence of a certain file and to delete it if the file was found. Since the file mentioned was in reality an important file used by the operating system, deleting it caused problems the next time the system was booted. The damage caused by users modifying the system is serious.

15 Poor Security Practices
Users create security problems via poor practices
Writing secrets down
Password selections
Piggybacking
Dumpster diving
Installing unauthorized hardware/software
A significant portion of human-created security problems results from poor security practices. These poor practices may be those of an individual user who is not following established security policies or processes, or they may be caused by a lack of security policies, procedures, or training within the user’s organization.

16 Password Selection
Users tend to pick passwords that are easy for them to remember
Dates
Names
+1, 2, 3 on changes: Mary1, Mary2, Mary3
If it’s easy for them to remember, it means that the more you know about the user, the better your chance of discovering their password.
Security+ objective 2.5b Weak passwords
This and the next slide are important slides both for test reasons and practical reasons. Spending a little extra time with these concepts is advised. Using the username or some variation as the password is bad, as it will be among the first guesses of an attacker. Names of family members, pets, or teams are also bad and easily guessed. Consider G0*Spurs*G0: capitalizing three of the letters, inserting a special character twice, and substituting the number zero for the letter O makes the password harder to crack, but it is still possible to guess the password. Password changes often result in a new password that simply incorporates a number at the end of the old one, e.g. G0*Spurs*G1 as the new password. It is a good bet that the next password chosen will be G0*Spurs*G2, followed by G0*Spurs*G3, and so forth. Studies have found that, while overall more users are learning to select good passwords, a significant percentage of users still make poor choices. Even when users have good passwords, they often resort to another poor security practice: writing the password down in an easily located place.

17 Password Selection (continued)
The rules for good password selection in general:
Use eight or more characters in your password
Include a combination of upper- and lowercase letters
Include at least one number and one special character
Do not use a common word, phrase, or name
Choose a password that you can remember so that you do not need to write it down.
Think of a phrase, song, poem or speech that you know by heart. Use the first letter of each word in the phrase.
Jack be nimble, jack be quick, jack jumped over the candlestick
Becomes Jbnjbqjj0tcs!
Passwords must not be written down. Users will write them on a slip of paper and keep them in their calendar, wallet, or purse. Most security consultants agree that if they are given physical access to an office, they will be able to find a password somewhere: the top drawer of a desk, inside of a desk calendar, attached to the underside of the keyboard, or even simply on a yellow “sticky note” attached to the monitor. Today, the average Internet user probably has at least a half dozen different accounts and passwords to remember. Selecting a different password for each account, following the guidelines mentioned previously regarding character selection and frequency of changes, only aggravates the problem of remembering the passwords. This results in users all too frequently using the same password for all accounts. If a user does this, and then one of the accounts is broken, all other accounts are subsequently also vulnerable to attack. Good password selection and the protection of passwords also applies to another common feature of today’s electronic world, PINs. Guessing PINs follows the same sort of process that guessing a password does. You may want to demonstrate different passwords and how strong they are at Microsoft’s Web site (Check your password strength).
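As an added example (not from the slides), a Python checker that applies the five rules on this slide and also flags the "old password plus one" change pattern from the previous slide. The word list and the `user_facts` argument (names and dates an attacker could learn about the user) are constructed stand-ins for what a real deployment would load.

```python
import re

# Constructed stand-in for a dictionary/common-name list (assumption: a real check
# would load a large word list plus the organisation's own list of names and teams).
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "mary", "jack", "spurs")

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Undo the usual look-alike substitutions (0->o, 1->i, 3->e, @->a, $->s) so that
# "G0*Spurs*G0" is still recognised as containing the word "spurs".
_UNLEET = str.maketrans("013@$", "oieas")
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def check_password(pw, user_facts=()):
    """Return the list of slide rules that pw breaks; an empty list means it passes.

    user_facts: things an attacker could learn about the user (username, family,
    pet or team names, significant dates) that must not appear in the password.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("needs at least one special character")
    # Letters only, with look-alike substitutions undone, for the dictionary check.
    letters_only = re.sub(r"[^a-z]", "", pw.lower().translate(_UNLEET))
    for word in COMMON_WORDS:
        if word in letters_only:
            problems.append(f"contains common word '{word}'")
            break
    lowered = pw.lower()
    for fact in user_facts:
        f = re.sub(r"[^a-z0-9]", "", str(fact).lower())
        if len(f) >= 3 and (f in lowered or f in letters_only):
            problems.append(f"contains information about the user ('{fact}')")
            break
    return problems


def is_incremental_change(old_pw, new_pw):
    """True when the new password is the old one with a trailing number bumped or
    appended (Mary1 -> Mary2, G0*Spurs*G1 -> G0*Spurs*G2), the change pattern the
    previous slide warns about. Reusing the old password unchanged also counts."""
    if old_pw == new_pw:
        return True
    m_new = _TRAILING_NUMBER.match(new_pw)
    if not m_new:
        return False
    m_old = _TRAILING_NUMBER.match(old_pw)
    stem_old = m_old.group(1) if m_old else old_pw
    return stem_old == m_new.group(1)


if __name__ == "__main__":
    for candidate in ("Mary1", "G0*Spurs*G0", "Jbnjbqjj0tcs!"):
        print(candidate, "->", check_password(candidate, user_facts=("Mary",)) or "OK")
    print("G0*Spurs*G1 -> G0*Spurs*G2 is incremental:",
          is_incremental_change("G0*Spurs*G1", "G0*Spurs*G2"))
```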

18 Piggybacking
Following closely behind a person who has just used their own access card to gain physical access to a room or building.
Relies on the attacker taking advantage of an authorized user not following security procedures, e.g. returning from a smoking area
Countered by
Training and awareness
Guards
Man trap
Piggybacking is related to social engineering attacks. Both the piggybacking and shoulder surfing attack techniques can be easily countered by using simple procedures to ensure nobody follows you too closely or is in a position to observe your actions. Both of these rely on the poor security practices of an authorized user: people are often in a hurry and will frequently not follow good physical security practices and procedures. Attackers know this and may attempt to exploit it; an attacker can gain access to the facility without having the access code or card. Piggybacking is related to social engineering attacks in that the attacker may start a conversation with the target before reaching the door. To avoid piggybacking, use a “man trap,” which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed and is spaced close enough to the first that an enclosure is formed that only allows one individual through at a time.

19 Dumpster Diving
Process of going through a target’s trash
The tactic is not unique to the computer community
Identity thieves, private investigators, and law enforcement personnel have done it for years to obtain information about an individual or organization
Sensitive information should be shredded.
Consider securing the trash receptacle.
Consider shredding personal or sensitive information you discard in the trash.
Security+ objective 6.6d Dumpster Diving
Dumpster divers may actually find user IDs and passwords in the trash. They will undoubtedly find employee names, from which it’s not hard to determine user IDs, as discussed earlier. Manuals from hardware or software that have been purchased may also provide clues as to the vulnerabilities that exist. In most locations, trash is no longer considered private property after it has been discarded (and even where dumpster diving is illegal, little enforcement occurs).

20 Installing Unauthorized Hardware and Software
Establish a policy that restricts users from installing software and new hardware on their systems.
Common examples:
Installing unauthorized communication software to allow them to connect to their machine from their home.
Installing a wireless access point so that they can access the organization’s network from many different areas.
In these examples, the user has set up a backdoor into the network, circumventing all the other security mechanisms in place.
Security+ objective 2.7f Rogue access point
Security+ objective 2.5c Backdoors
The term “rogue modem” or “rogue access point” may be used to describe these two examples. A backdoor is an avenue that can be used to access a system while circumventing normal security mechanisms. Periodically scan systems for either of these rogue devices to ensure that users haven’t created a backdoor.

21 Installing Unauthorized Hardware and Software (continued)
Another example of unauthorized software is games.
Many organizations do not allow their users to load software or install new hardware without authorization.
Many organizations also screen, and occasionally intercept, messages with links or attachments that are sent to users. This helps prevent users from unwittingly executing malware.
Many organizations have their mail servers strip executable attachments from e-mails so that users can’t accidentally cause a security problem.
Games downloaded from the internet: users don’t always know where the software came from and what may be hidden inside it. Many individuals have unwittingly installed what seemed to be an innocuous game, only to have downloaded a piece of malicious code.

22 Physical Access by Non-Employees
If an attacker can gain physical access, the attacker can penetrate the computer systems and networks.
Organizations frequently become complacent when faced with a legitimate reason to access the facility.
Consider personnel who have legitimate access, but also have intent to steal intellectual property.
Physical access provides opportunity for individuals to look for critical information carelessly left out.
With the proliferation of devices such as cell phones with built-in cameras, an individual could easily photograph information without it being obvious to employees.
Organization complacency: an individual shows up with a warm pizza, claiming it was ordered by an employee. It has often been stated by security consultants that it is amazing what you can obtain access to with a pizza box or a vase of flowers. If the organization doesn’t enforce good password policies, a casual stroll through an office may yield passwords or other important information. Contractors, consultants, and partners have physical access and network access. Custodial crew members and security guards have unrestricted access. Hackers have been known to take temporary custodial jobs simply to gain access to facilities. Example method of avoiding physical access by non-employees: wear identification badges when at work. Safety requires that employees actively challenge individuals who are not wearing the required identification badge. Combine an attacker who slips in by piggybacking off of an authorized individual with an environment where employees do not challenge those without a badge, and you have a situation where you might as well not have any badges in the first place.

23 People as a Security Tool
People can be an effective security mechanism.
Policies and procedures
Training and awareness
Many eyes
Challenge visitors
Report abnormal conditions
Make everyone responsible and involved.
An interesting paradox when speaking of social engineering attacks is that people are not just the biggest problem and security risk, but are also the best tool in defending against a social engineering attack. The first step a company should take to fight potential social engineering attacks is to create the policies and procedures that establish the roles and responsibilities for not only security administrators but for all users.

24 Security Awareness
An active security awareness program will vary depending on
The organization’s environment
The level of threat
Initial employee training on social engineering
As well as periodic refresher training
Security+ objective 6.6e User education and awareness training
The single most effective method for countering potential social engineering attacks, after establishment of the organization’s security goals and policies, is an active security awareness program. Initial employee training on social engineering at the time a person is hired is important, as well as periodic refresher training. The type of information that the organization considers sensitive and information that it is believed may be the target of a social engineering attack should be stressed to the new employee.

25 Individual User Responsibilities
Lock doors.
No sensitive information in your car.
Secure storage media containing sensitive information.
Shred sensitive documents before discarding.
Do not divulge sensitive information to individuals not authorized to know it.
Do not discuss sensitive information with family members.

26 Individual User Responsibilities (continued)
Protect laptops that contain the organization’s information.
Be aware of who is around you when discussing sensitive information.
Enforce corporate access control procedures.
Report suspected or actual violations of security policies.
Follow procedures established to enforce good password security practices.
Corporate security officers must cultivate an environment of trust in their office, as well as an understanding of the importance of security. If users feel that security personnel are only there to make their life difficult or dredge up information that will result in an employee’s termination, the atmosphere will quickly turn adversarial and be transformed into an “us versus them” situation. Security personnel need the help of all users and should strive to cultivate a team environment in which users, when faced with a questionable situation, will not hesitate to call the security office. In situations like this, security offices should remember the old adage of “Don’t shoot the messenger.”

27 Chapter Summary
Define basic terminology associated with social engineering.
Describe steps organizations can take to improve their security.
Describe common user actions that may put an organization’s information at risk.
Recognize methods attackers may use to gain information about an organization.
Determine ways in which users can aid instead of detract from security.
