
Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.

Presentation transcript:

1 Social Engineering Jero-Jewo

2 Case study
"Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim." (www.wikipedia.org)
As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites. Integrity and availability are important considerations for Duo when processing requests for changes.

3 Case Study
- There is currently a communication process in place to receive and manage requests.
- 99% of requests come from known contacts.
- How should we handle requests from contacts that are not known?

4 Real World
- A new request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday.
- The contact explains that there is an immediate need to publish critical information about a recall on their site, and that they have hired a designer to make the updates to the site.
- This contact is not known to Duo.
- Need to question identity.
- Need to question the authenticity of the request.

5 What’s missing?
- We do not have a policy or process in place to confirm the identity of contacts making requests.
- We do not have a list of authorized contacts.
- There is a service level agreement in place for managed hosting, but nothing is defined about emergency requests from clients that do not have a services support contract in place.

6 Proposed Solution
- We need a policy to address unknown and unauthorized customer contacts.
- The delivery stages of this policy must include planning, design, implementation, rollout, and operation.

7 Proposed Solution (Continued)
The policy must be integrated into our business and it must address the following:
- People: a team must address the planning, design, implementation, rollout and operation.
- Technology: the proper technology must be in place to implement the policy (e.g. ticketing system, electronic approvals of users, escalation).
- Process: there must be a living process to address such incidents and ensure enforcement of the policy.
- Business value: establishing this policy will clearly protect the customer as well as Duo, both legally and in terms of availability.
- IT Strategy: the four pillars of security must be addressed: authenticity, confidentiality, integrity and availability.

8 People
Duo understands the need to assemble a team to address the development of the policy through the different stages:
- Planning: the team must establish the strategy, an initial approximation of the effort, a release plan for delivery, a preliminary risk assessment, the policy organization, and leadership.
- Design: the team ensures that the policy meets its goals and serves its intended purpose. Feasibility is addressed here, as well as estimates of implementation (time and effort).
- Implementation: the team must ensure the policy is tested and approved. The team secures management approval and re-assesses risk.
- Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc.
- Rollout: the team ensures prior to rollout that all training and legal aspects are covered.
- Operate: periodically review the policy to ensure its enforceability and effectiveness.

9 Technology
- The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts.
- Privileges will be honored accordingly:
  - Content contributor
  - Publisher
- Employee access will be via a portal.

10 Technology (Continued)
- Create a system of record for authorized contacts: SalesForce.com
  - Contains the customer database with privilege levels
  - Granular control of access
  - Change/version control and user logs

11 Process
A process ensures the policy is working for Duo; the process must be:
- Usable
- Enforceable
- Effective
- Legal

12 Business Value
What’s in it for Duo?
- Prevention of unauthorized work
- Policy provides legal protection from liability lawsuits, including those arising from:
  - Unauthorized changes
  - Inaccurate content
  - Site downtime
  - Leakage of information

13 Business Value (Continued)
What’s in it for Duo’s customers? The Four Pillars:
- Integrity
- Authenticity
- High availability
- Confidentiality

14 IT Strategy
- Integrity and availability were cited as the top concerns for our particular problem.
- However, Duo must address all four cornerstones of security:
  - Availability
  - Integrity
  - Confidentiality
  - Authenticity

15 Policy Contents
Authenticity:
- Who is authorized to make requests?
- How do we determine that the request is legitimate?
- Is the person making the request authorized to perform the operation requested?
- Develop and maintain a list of authorized contacts.
- Designate one or more authoritative contacts and require them to approve all requests.
- Maintain a secret pass phrase to authenticate users who make requests.

16 Policy Contents (Continued)
Integrity:
- Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts.
- Each contact will have specific operations defined.
Confidentiality:
- Establish the appropriate level of confidentiality for each request based upon client input.
Availability:
- Ensure that proper client contact communication information is available and up to date.
- Enforce policies in regard to authentication, integrity, confidentiality and availability.
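The controls listed in slides 9, 15 and 16 (an electronic list of authorized contacts, per-contact privileges, sign-off by an authoritative contact, and a shared pass phrase) fit together as one request-authorization check. The following is an added worked example written for this page in Python; it is not Duo's system or code from the presentation. The client record, contact names, operation names and pass phrase are constructed sample data, and storing the pass phrase as a salted PBKDF2 hash compared in constant time is an implementation choice the slides do not specify.

```python
"""Worked example (not from the presentation): authorizing a change request
against a client's system of record, following the slides' policy contents."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Operations each privilege level may request. The slides name the two levels
# "content contributor" and "publisher"; the operation names are constructed.
PRIVILEGES = {
    "content contributor": {"edit_content"},
    "publisher": {"edit_content", "publish_content", "ftp_access"},
}


@dataclass
class Contact:
    name: str
    privilege: str
    authoritative: bool = False  # may approve requests for this client


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the record never stores the pass phrase itself."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)


@dataclass
class ClientRecord:
    """System-of-record entry for one client: its authorized contacts plus
    the hash of the shared pass phrase used to authenticate requests."""
    client: str
    contacts: dict = field(default_factory=dict)
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    passphrase_hash: bytes = b""

    def add_contact(self, contact: Contact) -> None:
        self.contacts[contact.name.lower()] = contact

    def set_passphrase(self, passphrase: str) -> None:
        self.passphrase_hash = hash_passphrase(passphrase, self.salt)

    def verify_passphrase(self, passphrase: str) -> bool:
        # Constant-time comparison: the result must not depend on how much
        # of the stored hash happened to match.
        candidate = hash_passphrase(passphrase, self.salt)
        return hmac.compare_digest(self.passphrase_hash, candidate)


def authorize_request(record, requester, operation, passphrase, approver=None):
    """Run the policy checks in order and return (allowed, reason).

    1. Identity: the requester must be on the client's authorized-contact list.
    2. Authentication: the requester must know the client's pass phrase.
    3. Authorization: the operation must be within the requester's privilege.
    4. Approval: an authoritative contact for the client must sign off.
    An unknown contact fails at step 1 and is routed to manual identity
    verification instead of being served, whatever the urgency claimed.
    """
    contact = record.contacts.get(requester.lower())
    if contact is None:
        return False, f"unknown contact '{requester}': escalate for identity verification"
    if not record.verify_passphrase(passphrase):
        return False, "authentication failed: pass phrase does not match"
    if operation not in PRIVILEGES.get(contact.privilege, set()):
        return False, f"'{operation}' is outside the {contact.privilege} privilege"
    approving = record.contacts.get(approver.lower()) if approver else None
    if approving is None or not approving.authoritative:
        return False, "no approval from an authoritative contact on record"
    return True, f"approved by {approving.name}"


def demo_record() -> ClientRecord:
    """Constructed sample data: a fictitious contact list for the slides' client."""
    record = ClientRecord(client="Setton Farms")
    record.add_contact(Contact("Alice", "publisher", authoritative=True))
    record.add_contact(Contact("Bob", "content contributor"))
    record.set_passphrase("orchard-pistachio-2009")  # constructed sample pass phrase
    return record


if __name__ == "__main__":
    r = demo_record()
    # The slides' Saturday scenario: an unknown contact asking for FTP access.
    print(authorize_request(r, "J. Doe", "ftp_access", "guess"))
    # A known contributor with a valid pass phrase and an authoritative approver.
    print(authorize_request(r, "Bob", "edit_content", "orchard-pistachio-2009", approver="Alice"))
```

The checks are ordered so that each later step only runs for a requester who has already passed the earlier ones: the Saturday request fails at the identity step and is escalated, a known contributor who knows the pass phrase can still not obtain an operation above their privilege, and even a permitted operation waits for sign-off from a designated authoritative contact.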

17 Questions? Thank you!
