1
United States Department of the Interior
Social Engineering & Internal/External Threats March 22, Leland C. Dudek
2
Agenda
What’s at stake?
DOI FY 2005 Threat/Incident Statistics
Survey of Government Departments - Alarming Statistics
Social Engineering – Often the first vector of attack
Internal and External Threats
These are the points I’d like to cover during our briefing today. (Read slide)
3
What’s at Stake
Information Privacy - Confidentiality
Provision of Services - Availability
Data Manipulation - Integrity
Critical Roles and Missions
Critical Infrastructure
Agency Reputation
First let’s talk for a minute about what’s at stake when IT security is not taken seriously. The Department of the Interior deals with sensitive information, and it’s important to ensure that the data and information we maintain remains confidential, retains its integrity, and its availability is not compromised by security incidents. Without ensuring that employees at DOI are fully informed about IT security risks and ways to prevent them, critical missions and our roles in them, the National infrastructure and the reputation of our agency are at risk of being irreparably compromised.
4
DOI FY 2005 Threat/Incident Statistics
Over 650 million suspicious probes/attacks blocked
Over 3.4 million viruses, trojans, worms detected, deleted, cleaned
In really generic terms, the FISMA mandate boils down to these 2 points relating to IT Security training: (read slide)
5
Survey of Government Departments - Alarming Statistics
99% use anti-virus software, yet 82% have been hit by viruses, worms, etc.
98% have firewalls and 73% have IDS, yet 36% report penetration from the outside
90% detected computer security breaches
84% blame their most recent security breach on human error
80% attribute human error to lack of security knowledge, a lack of training or a failure to follow security procedures.
75% acknowledged financial losses due to breaches.
These are a few statistics based on some questions that were asked of Government departments in the past 2 years. (Read slide) The second to last bullet is of particular importance – the human error factor. Eighty percent of the Departments surveyed felt that many of the security breaches they experienced could have been prevented or lessened if only their employees had received IT security training.
Sources: 2003 CSI/FBI Computer Crime and Security Survey & 2004 CompTIA Survey
6
Social Engineering
Hey! I need to reset your password… can you tell me your old one?
Help Desk or Social Engineering?
Can be either an internal or external threat…
7
What is Social Engineering?
Social Engineering is the unauthorized acquisition of sensitive information or inappropriate access privileges by a potential threat source, based upon the building of an inappropriate trust relationship with a legitimate user of an information technology system. The goal of social engineering is to trick someone into providing valuable information or access to that information.
8
Social Engineering… a Wikipedia definition
In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. Perhaps the simplest, but still effective attack is tricking a user into thinking one is an administrator and requesting a password for various purposes. Users of Internet systems frequently receive messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign operation in what are called phishing attacks. Users must be warned early and frequently not to divulge passwords or any other sensitive information to anyone for any purpose, even to legitimate system administrators. In reality, administrators of computer systems rarely, if ever, need to know the user's password to perform administrative tasks.
Social engineering also applies to the act of face-to-face manipulation to gain physical access to computer systems. In an IT security survey, 90% of office workers gave away their password in exchange for a cheap pen.
9
The Weakest Link in the IT Security Chain
People are usually the weakest link in the security chain. Social engineering is still the most effective method used to get around security obstacles. A skilled social engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords.
10
The Weakest Link in the IT Security Chain
Why try to hack through someone’s security system when you can get a user to open the door for you? Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone. A successful defense depends on having good policies in place and ensuring that all employees are trained to follow them.
11
Different Avenues of Persuasion
In attempting to persuade someone to do something, there are two methods a persuader can employ:
The Direct Route
The social engineer simply asks for the information or access with no set up
Often challenged and refused
Seldom used due to low probability of success
The Peripheral Route
Contrived situation - The more factors the target must consider in addition to the basic request, the more likely the target is to be persuaded.
Forgot a password
Manager on vacation
Looming deadlines
Personal Persuasion - Many social engineers are adept at using personal persuasion to overcome initial resistance.
The goal is not to force compliance but to get voluntary action
Target believes they are making the decision
12
Different Avenues of Persuasion
A Direct Route uses:
Systematic logical arguments
To:
stimulate a favorable response
prompting the recipient to action
13
Different Avenues of Persuasion
A Peripheral Route uses:
peripheral cues
mental shortcuts
misrepresent their objectives
To:
trigger acceptance without thinking
14
Different Avenues of Persuasion
One way in which the social engineer can make prospective victims more susceptible to Peripheral routes to persuasion is by making some statement at the outset that triggers a strong emotion such as:
Excitement – “The Chief of Staff is writing up an award nomination for you and needs some additional information!”
Fear – “The Chief Information Officer is waiting for this!”
15
Perception
In a typical transaction our perception about the request for service begins with a basic belief that each party is who they say they are. Some social engineering victims may tend to rely primarily on their belief that the person with whom they dealt was honest, and to give little thought to the activities.
16
Common Types of Social Engineering Exploit Methods
Social engineering can be broken into:
Human based: person-to-person interactions to retrieve the desired information
Computer based: computer software that attempts to retrieve the desired information.
17
Human-based
Impersonation - Case studies indicate that help desks are the most frequent targets of social engineering attacks.
A Social Engineer calls the help desk
Help desk is helpful
Social engineer will often know names of employees
Important User - A common ploy is to pretend to be a senior executive.
Help desk is less likely to turn down a request coming from a high-level official
Social engineer may threaten to report the employee to their supervisor.
18
Human-based
Third-party Authorization - The social engineer may have obtained the name of someone in the organization who has the authority to grant access to information.
Mr. Martinez says it’s OK.
“Before he went on vacation, Mr. Martinez said I should call you to get this information.”
Tech Support - Social engineer pretends to be someone from the infrastructure-support groups.
System is having a problem
Needs them to log on to test the connection
19
Human-based
In Person - The social engineer may enter the building and pretend to be an employee, guest or service personnel.
May be dressed in a uniform
Allowed to roam
Becomes part of the cleaning crew
Dumpster diving - Going through the trash
Shoulder Surfing - Looking over a shoulder to see what someone is typing.
Passwords
Phone-card numbers
20
Computer-based
Popup Windows - A window will appear on the screen telling the user they have lost their network connection and need to reenter their user name and password. A program then sends the intruder the information.
Mail attachments - Programs can be and frequently are hidden in attachments.
Viruses
Worms
Trojans
21
Computer-based
Spam, Chain Letters and Hoaxes - These all rely on social engineering to be spread. While they do not usually cause damage, they do cause a loss of productivity.
Frequently used by entrepreneurs in African countries (e.g., Nigerian scams)
They use valuable network resources.
Websites - A common ploy is to offer something free or a chance to win a sweepstakes on a Website. To register requires an address and password.
22
Computer-based Hacking Made Easy (
When Graeme Frost received a notice that an expensive digital camera had been charged to his credit card account, he immediately clicked on the Internet link included in the message that said it would allow him to dispute the charge. As the 29-year-old resident of southwestern England scoured the resulting Web page for the merchant's phone number, the site silently installed a password-stealing program that transmitted all of his personal and financial information.
Frost is just one of thousands of victims whose personal data has been stolen by what security experts are calling one of the more brazen and sophisticated Internet fraud rings ever uncovered. The Web-based software employed by ring members to manage large numbers of illegally commandeered computers is just as easy to use as basic commercial office programs. No knowledge of computer programming or hacking techniques is required to operate the software, which allows the user to infiltrate and steal financial information from thousands of PCs simultaneously.
The quality of the software tools cyber criminals are using to sort through the mountains of information they've stolen is a clear sign that they are seeking more efficient ways to monetize that data, experts say.
23
Computer-based Hacking Made Easy
Frost's data, along with information stolen from thousands of other victims, made its way to a Web site hosted by a Russian Internet service provider. The site is currently the home base of a network of sites designed to break into computers through a security hole in Microsoft's Internet Explorer Web browser. The data thieves use the IE flaw to install programs known as "keyloggers" on computers that visit the specially coded Web pages. The keyloggers then copy the victims' stored passwords and computer keystrokes and upload that information to the database.
The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers. They can even update their spyware installations with new versions tailored to defeat the most recent anti-virus updates. With one click on the Web site's "Add New Exploit" button, users can simultaneously modify all of the keylogger programs already installed on their networks.
Symantec and other security experts also have spotted earlier versions of the software installed on at least two other Web sites, one of which is still active and has harvested password information from nearly 30,000 victims, the bulk of whom reside in the United States and Brazil.
24
Computer-based Hacking Made Easy (
Keyloggers – Watching while you type…
Fast becoming among the most prevalent and insidious online threats: More than half of the viruses, worms and other malicious computer code that Symantec now tracks are designed not to harm host machines but to surreptitiously gather data from them.
These keylogger-control Web sites follow a trend toward automation in other realms of online fraud, such as virus-creation programs, spamming software and pre-packaged toolkits to help fraudsters set up "phishing" sites -- Web pages designed to trick people into giving away their personal and financial data at what looks like a legitimate e-commerce or banking site. "This type of plug-and-play, click-and-hack software simply represents the commercialization of criminal activity, and in many respects lowers the technical knowledge barrier of entry to this type of crime."
Online criminals hack into thousands of small-merchant Web sites and embed code that silently installs keyloggers when users browse the sites with Internet Explorer. A recent analysis for SANS estimated that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses, the analysis estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of infected machines.
25
Computer-based
eBay, Yahoo, Microsoft – All ask us to click Yes
… and so do Spyware sites
26
Computer-based
27
Computer-based
Drag the window to reveal the real info!
28
Computer-based
Drive-by social engineering
Free game sites! Hey, we ALL love free stuff!
29
Computer-based
Free Games site
Exploits our desktop to install a Trojan
30
Computer-based
Each user session includes different exploit content
31
Common Types of Social Engineering Exploit Methods
Most dire request (e.g., recent PayPal phishing scams)
Contrived situation (e.g., Nigerian scams)
32
Exploiting Human Nature and Personality Traits
Social engineers prey on qualities of human nature and personality traits:
the desire to be helpful, cooperative, or a team player
the tendency to trust people
the fear of getting into trouble, moral obligation or duty, guilt
The most skilled social engineer is able to obtain information without raising any suspicion as to what they are doing.
33
Personality Traits
In the following discussion we will examine how various personality traits enhance the possibility of successful social engineering. When present, these traits increase the likelihood of compliance.
34
Personality Traits
Diffusion of responsibility - The target is made to believe that they are not solely responsible for their actions. The social engineer creates situations with many factors that dilute personal responsibility for decision making.
The social engineer may drop names.
May claim someone higher up has made the decision.
Chance for ingratiation - The target is led to believe that compliance with the request will enhance their chances of receiving some sort of benefit.
Gaining advantage over a competitor.
Getting in good with the boss.
35
Personality Traits
Trust Relationships - The social engineer expends time developing a trust relationship with the intended victim.
Usually following a series of small interactions.
Moral duty - Encouraging the target to act out of a sense of moral duty or moral outrage.
Requires the social engineer to gather information on the target and the organization.
Tries to get the target to believe that compliance will mitigate some sort of wrong that has been done.
36
Personality Traits
Guilt - Most individuals attempt to avoid guilt feelings if possible. Social engineers create situations designed to:
tug at the heartstrings
manipulate empathy
create sympathy
If granting a request will lead to avoidance of guilt, the target is more likely to comply. Believing that not granting the request will lead to significant problems for the requestor is often enough to tip the balance in favor of compliance with the request.
37
Personality Traits
Identification - Trying to get the target to identify with the social engineer.
The social engineer tries to build a connection with the target based on information gathered.
Informality is another trait social engineers excel at.
Desire to help - Social engineers rely on people’s desire to be helpful.
Holding the door.
Logging on to an account.
Lack of assertiveness or refusal skills.
38
Personality Traits
Cooperation - The less conflict with the target the better.
Voice of reason
logic
patience
39
Social Engineering Example
Mr. Smith: Hello?
Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we’re going to be moving some users’ home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.
Mr. Smith: Uh, okay. I’ll be home by then, anyway.
Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?
Mr. Smith: Yes. It’s smith. None of my files will be lost in the move, will they?
Caller: No sir. But I’ll check your account just to make sure. What was the password on that account, so I can get in to check your files?
Mr. Smith: My password is Tuesday, in lower case letters.
Caller: Okay, Mr. Smith, thank you for your help. I’ll make sure to check your account and verify all the files are there.
Mr. Smith: Thank you. Bye.
40
Potential Security Breaches
Help Desks - They try too hard to be helpful.
Websites - As we discussed before, setting up a bogus website to trap information (e.g., clone any well-known web site and cause people to click on a bogus link to enter their logon credentials – phishing).
A social engineer may simply walk in and behave like one of the employees. We tend NOT to challenge unfamiliar personnel often enough.
41
Common Defenses
Everyone that enters the building (contractors, business partners, vendors, employees) must show identification.
Passwords should never be spoken over the phone.
Passwords are not to be left lying around – they must be stored in a secure location only accessible to the individual they were issued to.
Caller ID technology can be used to help verify who you are speaking to.
Properly destroy passwords and all sensitive but unclassified (SBU) information - invest in and properly use shredders and degaussers.
42
Recognize the Signs
Recognize key signs that indicate you may be the target of a social engineering attack:
Refusal to give contact information
“I cannot be contacted”
“I’m on my cell phone and the battery is about to die”
The number they give you is a “call out only” number
Rushing
Name-dropping
Intimidation
Small mistakes
Requesting sensitive information
43
Defense… the 2 step… (actually 4 step)
If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller’s identity by calling them back at their proper telephone number as listed in the organization’s telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.
44
Defense… the 2 step… (actually 4 step)
Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious, very suspicious.
45
Defense… the 2 step… (actually 4 step)
Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.
46
Defense… the 2 step… (actually 4 step)
If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your manager and to security personnel immediately!
47
Final Thoughts
A social engineer with enough time, patience and tenacity will eventually exploit some weakness in the security of an enterprise. The best defense against social engineering attacks combines raising the bar of awareness among employees, volunteers and contractors, a sense of personal responsibility to protect DOI’s mission and IT assets, an understanding of the signs of social engineering attacks, and reporting any suspected incidents.
48
Credits (or who I stole this presentation from…)
Plagiarism is the greatest form of flattery
With permission from:
Stan Lowe (DOI BLM)
Melissa Guenther
Wikipedia
Foundstone
49
Ready for a break? Questions?
50
United States Department of the Interior
Social Engineering & Internal/External Threats March 22, Lawrence K. Ruffin
51
Internal and External Threats
The greatest security risks to an agency frequently come from the action, inaction, or inadvertent mistakes of people.
Motivated internal threat agents pose the greatest risk due to their access to sensitive information and privileges.
External threats pose a risk to vulnerable systems and gaps in network security coverage.
It is estimated that 99% of all reported intrusions result from exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures were available.
52
Internal and External Threats
Insider Threat Greatest at Financial Institutions
By Allen, CIOUpdate.com
Internal attacks on information technology systems are surpassing external attacks at the world's largest financial institutions, according to the 2005 Global Security Survey by Deloitte Touche Tohmatsu (DTT). Thirty-five percent of respondents confirmed encountering attacks from inside their organization in 2005 (up from 14% in 2004) compared to 26% from external sources (up from 23% in 2004).
53
Internal and External Threats
Before We Do Anything…
Accept the FACT that vulnerabilities open doors to the unexpected.
Accept that there is NO separation between the cyber world and the physical world.
We’ve become distracted – insider threat is real & growing.
Terrorism is multifaceted. Traditional definitions must be adapted to the new realities.
Change the way you THINK about future threats…don’t be a security APPEASER.
54
Appeaser According to Webster’s Dictionary:
\Ap*peas"er\, n. One who appeases; a pacifier.
According to Verton’s Dictionary:
\Ap*peas"er\, n. “One who feeds a crocodile hoping it will eat him last.” Sir Winston Churchill
55
What Do I Really Mean By “Appeasement?”
Maybe we are growing dangerously complacent?
Maybe we do underestimate our enemies?
Maybe we really do think this is as bad as it can get?
Maybe the threat-independent model is not how we should be approaching these issues?
56
The Vulnerability Matrix
[Matrix graphic: threat categories plotted against critical infrastructure sectors; labels recovered below.]
Threat categories: Viruses, Worms; Home Users; Wireless; Broadband Connections; Insiders; Configuration Problems
Sectors: Emergency Services; Government; Transportation; Electric; Chemical; Banking; Rail; Oil; Natural Gas; Telecom; Water; Waste Water; E-commerce
Figures shown: 5,800 registered hospitals; 5,000 airports; 300 maritime ports; 3,000 govt. facilities; 2,800 power plants; 104 commercial nuclear plants; 26,000 FDIC institutions; 150,000 miles of transmission lines; 66,000 chemical plants; 130 overlapping grid controllers; 300,000 production sites; 120,000 miles of major rails; 2 billion miles of cable; 2 million miles of pipelines; 1,600 municipal wastewater facilities; 80,000 dams
57
IT Security - How Important Is It Really?
Not only about $… It’s about public safety too!
Railroads.
Water & Wastewater Treatment.
Uranium Mining.
Oil Wells, Water Flood Operations.
Airline Baggage Checking.
Aug. 14 Power Failure.
Online Information Control.
58
Risk = Threat * Probability * Impact
Risk Management
Risk = Threat * Probability * Impact
Threat = an entity likely to have intent and capability to exploit a vulnerability in a system
Disgruntled Insiders (e.g., employees or contractors)
Hackers for Hire (e.g., State- or non-State sponsored)
Organized Crime
Terrorists
Probability = Likelihood of someone having intent, motivation and capability to exploit a known weakness in a system
Impact = Potential magnitude of harm to information or an information system resulting from someone actually exploiting a known weakness
59
Cyber-Terrorism: Controversial Topic
“The problem is that when you make a recommendation before [an attack] happens, people tend to think you're nuts.”
“That's the kind of mind set that made it difficult for us…the institutional bureaucracy…couldn't see the threat because it hadn't happened.”
Richard Clarke, testifying at 9/11 Commission Hearing, 3/24/04
60
Cyber-Terrorism: Controversial Topic
Omar Bakri Muhammad – Bin Laden's man in London
Syrian-born, radical, founder of Al-Muhajirun
Spokesman for the International Islamic Front, the political wing of the International Islamic Front for Jihad Against Jews and Crusaders, led by Osama bin Laden
Has recruited for Hamas, Hezbollah and various groups in Afghanistan
FBI memo on July 10, 2001, noted a connection between Middle Eastern men in Phoenix-area flight schools and Bakri's London-based Al-Muhajirun.
61
Cyber-Terrorism: Controversial Topic
Bakri On Cyber Attacks
"In a matter of time, you will see attacks on the stock market."
"I would not be surprised if tomorrow I hear of a big economic collapse because of somebody attacking the main technical systems in big companies."
"The third letter from Osama bin Laden…was clearly addressing using the technology in order to destroy the economy of the capitalist states. This is a matter that is very clear."
62
Insider Threats Why spend R&D money when you can steal it?
Economic Espionage: hundreds of billions of dollars
Four forms of insider:
Internal (current/former employees, executives)
External (contractor, maintenance, business partner)
Collaborator (external working with internal)
Rogue Ideologue (seeks hire for the purpose of doing harm)
Technology Complicates Internal Defenses
The Perimeter is gone!
USB devices, cell phone cameras, common configuration errors, lack of access controls, contractors, outsourcing
63
Insider Stats (2004)
64
Types of Data Being Stolen
Computer source code
Business plans and design specifications
Customer and order information databases
Motorola 2-way radio specifications
Newest Intel chip specifications (twice)
Sales and pricing data
Oil and gas well logs and the software used to analyze that information
Engineering drawings for the next generation of Gillette razor systems
Engineering drawings for the next generation Space Shuttle (inside or outside??)
65
Robert Hanssen – The worst insider spy case in FBI history.
Case: Ramon
An intellectual of sorts, highly educated, conservative in his politics, painfully introverted, somewhat arrogant and kind of a geek.
Expert programmer who preferred communicating with associates through rather than in person.
Hacked his employer's computer system without permission to show management that there were serious security gaps that needed to be fixed.
66
Insider Psychological Profile
Introverted: A common characteristic of IT specialists, which can pose a significant management challenge.
Frustrated: Family or social problems may be compounded by negative attitudes toward authority.
Computer-dependent: Such individuals often prefer online activity to direct social interaction.
Ethical flexibility: Dangerous insiders view malicious actions as justified, given their circumstances.
Entitlement: Feelings of being “special” employees—for example, the only ones with the necessary training. Being overworked with no rewards can lead to a desire for revenge.
Reduced loyalty: Some insiders identify with the IT/programming profession and not with the organization that employs them.
Lack of empathy: The impersonal nature of cyberspace leads to a lack of regard for the impact of the perpetrators’ actions on others.
67
Final Thoughts Think differently… the Threats do every day!
New frontiers and attack vectors continue to emerge with advances in technology…
Instant Messaging (IM) – Year-on-year increases of over 800% in the exploitation of IM technology to introduce viruses, worms, and trojans into unsuspecting systems. A steady climb throughout 2005 showed a disturbing trend. IM threats are more popular than ever and this momentum is increasing. November 2005 was the most dangerous month to date, with a record number of unique threats discovered. IM worms are the dominant threat type hitting the public IM networks, and all of the popular networks have been attacked (AIM, ICQ, MSN, WM, Yahoo!).
68
Final Thoughts Think differently… the Threats do every day!
New frontiers and attack vectors continue to emerge with advances in technology…
Wireless technology and devices potentially open back-doors into networks and bridge agency trusted networks with untrusted networks and the public infrastructure (the Internet).
Highly portable media with enormous storage capacity on an extremely small footprint can be used to steal information.
69
Credits
Dan Verton, Vice President & Executive Editor, IT Security Magazine: FISSEA March 2005 presentation on Cyber-Terrorism and Security
70
Thank You Questions?