350 likes | 490 Views
Lesson 4-General Security Concepts. The Role of People in Security. This presentation discusses: The human element and the role that people play in security. User practices that help in securing an organization. Vulnerabilities that users can introduce. Background.
E N D
The Role of People in Security • This presentation discusses: • The human element and the role that people play in security. • User practices that help in securing an organization. • Vulnerabilities that users can introduce.
Background • The operational model of computer security acknowledges that absolute protection of computer systems and networks is not possible. • People need to be prepared to detect and respond to attacks that were able to circumvent the security mechanisms.
Background • Technology alone will not solve the security problem. • No matter how advanced the technology is, it will ultimately be deployed in an environment where humans exist. • The human element is the biggest problem to security.
Defense-In-Depth Information Assurance Triad TECHNOLOGY ALL People-Centric OPERATIONS PEOPLE Fundamentally, only THREE countermeasures are available to protect critical information infrastructures.
Background • It is difficult to compensate for all the ways humans can deliberately or accidentally cause security problems or circumvent security mechanisms. • Despite the technology, security procedures, and security training provided, some people will not do what they are supposed to, and will create vulnerability in an organization’s security posture.
Objectives • Upon completion of this lesson, the learner will be able to: • Define basic terminology associated with Social Engineering. • Describe the number of poor security practices that may put an organization’s information at risk. • Describe methods attackers may use to gain information about an organization. • List and describe ways in which users can aid instead of detract from security.
People • Prevention technologies are not sufficient since every network and computer system has at least one human user. • A significant portion of security problems that humans can cause result from poor security practices.
Password Selection • Computer intruders rely on poor passwords to gain unauthorized access to a system or network.
Passwords • Password Problems • Users choose passwords that are easy to remember and often choose the same sequence of characters as they have for their userIDs. • Users also frequently select names of family members, their pets, or their favorite sports team for their passwords.
Improving Passwords • To complicate the attacker’s job: • Mix uppercase and lowercase characters. • Include numbers and special characters in passwords.
Policy • Organizations have instituted additional policies and rules relating to password selection to complicate an attacker’s effort. • Organizations may require users to change their passwords frequently. • This means if an attacker is able to guess a password, it is valid only for a limited time before the attacker is locked out.
Notes on the Monitor • Another policy or rule for password selection adopted by an organization is that passwords should not be written. • To make the passwords more difficult for attackers to guess, users need to change the passwords frequently.
Increasing Problem • Users frequently use the same password for all accounts on many systems. • If one account is broken, all other accounts are subsequently also vulnerable to attack.
PINs • Most people have at least one Personal Identification Number (PIN). • They are associated with things such as their automated teller machine or a security code to gain physical access to a room. Users invariably select numbers that are easy to remember.
Human Attacks • Piggybacking and shoulder surfing • Dumpster diving • Installing unauthorized hardware and software • Access by non-employees • Social engineering • Reverse social engineering
Piggybacking and Shoulder Surfing • Piggybacking is the tactic of closely following a person who has just used an access card or PIN to gain physical access to a room or building. • Shoulder surfing is a procedure in which attackers position themselves in such a way as to be able to observe the authorized user entering the correct access code.
Dumpster Diving • Attackers need some information before launching an attack. • A common place to find this information is to go through the target’s trash. • This process, of going through a target’s trash, is known as dumpster diving.
Dumpster Diving • If the attackers are fortunate and the target’s security procedures are very poor, attackers may find userids and passwords. • Manuals of hardware or software purchased may also provide a clue as to what vulnerabilities might be present on the target’s computer systems and networks.
Unauthorized Hardware and Software • Organizations should have a policy to restrict normal users from installing software and hardware on their systems. • Communication software and a modem may allow individuals to connect to their machines at work using a modem from home. • This creates a backdoor into the network and can circumvent all the other security mechanisms. • There are numerous small programs that can be downloaded from the Internet. • Users cannot always be sure where the software originally came from and what may be hidden inside.
E-Mail • Tasks that can be performed using received e-mails can be controlled. • This helps prevent users from executing a hostile program that was sent as part of a worm or virus.
Access by Non-employees • If an attacker gains access to a facility, there are chances of obtaining enough information to penetrate computer systems and networks. • Many organizations require employees to wear identification badges at work. • This method is easy to implement and may be a deterrent to unauthorized individuals. • It also requires that employees challenge individuals not wearing identification badges.
Access by Non-employees • One should examine who has legitimate access to a facility. • Non-employees may not have the same regard for the intellectual property rights of the organization that employees have. • Contractors, consultants, and partners may frequently not only have physical access to the facility but also have network access. • Nighttime custodial crewmembers and security guards have unrestricted access to the facility when no one is around.
Social Engineering • Using social engineering, the attacker deceives to: • Obtain privileged information. • Convince the target to do something that they normally would not.
Social Engineering • Social engineering is successful because of two reasons. • The first is the basic human nature to be helpful. • The second reason is that individuals normally seek to avoid confrontation and trouble.
Variations • A variation on social engineering uses means other than direct contact between the target and the attacker. • Insiders may also attempt to gain unauthorized information. • The insider may be more successful. • They have a level of information regarding the organization. • They can better spin a story that may be believable to other employees.
Stanley Mark Rifkin (1978) • In 1978, when Stanley Mark Rifkin stole $10.2 million from the Security Pacific Bank in Los Angeles: • He was working as a computer consultant for the bank. • He learned details on how money could easily be transferred to accounts anywhere in the United States. • He transferred the money to another account in Switzerland under a different name. • The crime might have gone undetected if he had not boasted of his exploits to an individual.
Reverse Social Engineering • An alternate approach to social engineering is called reverse social engineering. • Here, the attacker hopes to convince the target to initiate the contact. • The attack may be successful because the target initiates the contact. • Attackers may not have to convince the target of their authenticity.
Reverse Social Engineering • Methods of convincing the target to make the initial contact include: • Sending out a spoofed e-mail claiming to be from a reputable source that provides another e-mail address or phone number to call for “tech support.” • Posting a notice or creating a bogus Web site for a legitimate company that also claims to provide “tech support.” • This may be successful in conjunction with the deployment of a new software or hardware platform or when there is a significant change in the organization itself.
People as a Security Tool • A paradox of social engineering attacks is that people are not only the biggest problem and security risk, but also the best tool to defend against these attacks. • Organizations must fight social engineering attacks by establishing policies and procedures that define roles and responsibilities for all users and not just security personnel.
Security Awareness • Organizations can counter potential social engineering attacks by conducting an active security awareness program for the organization’s security goals and policies. • The training will vary depending on the organization’s environment and the level of threat.
Security Awareness • An important element that should be stressed in the training on social engineering is the type of information that the organization considers sensitive and that may be the target of a social engineering attack.
Individual User Responsibilities • Certain responsibilities that should be adopted by all users include: • Locking the door to the office or workspace. • Not leaving sensitive information unprotected inside the car. • Securing storage media containing sensitive information. • Shredding paper containing organizational information before discarding it.
Individual User Responsibilities • Certain responsibilities that should be adopted by all users include (continued): • Not divulging sensitive information to unauthorized individuals. • Not discussing sensitive information with family members. • Protecting laptops that contain sensitive or important organization information. • Being aware of who is around when discussing sensitive corporate information. • Enforcing corporate access control procedures.
Individual User Responsibilities • Certain responsibilities that should be adopted by all users include (continued): • Being aware of the procedures to report suspected or actual violations of security policies. • Enforcing good password security practices, which all employees should follow. • Cultivating an environment of trust in the office and an understanding of the importance of security.