Social Engineering • Jero-Jewo
Case study • Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org • As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites. • Integrity and availability are important considerations for Duo when processing requests for changes
Case Study • There is currently a communication process in place to receive and manage requests • 99% of requests come from known contacts • How should we handle requests from contacts that are not known?
Real World • New request comes in from an unknown contact at Setton Farms for ftp access to their web server on a Saturday • Contact explains that there is an immediate need to publish critical information about a recall on their site and they have hired a designer to make the updates to their site. • This contact is not known to Duo • Need to question identity • Need to question authenticity of request
What’s missing? • We do not have a policy or process in place to confirm identity of contacts making requests • We do not have a list of authorized contacts • There is a service level agreement in place for managed hosting - but nothing defined about emergency requests from clients that do not have a services support contract in place
Proposed Solution • We need a policy to address unknown and unauthorized customer contacts • Delivery of this policy must cover its planning, design, implementation, rollout and operation
Proposed Solution (Continued) • The policy must be integrated into our business and it must address the following: • People: a team must own the planning, design, implementation, rollout and operation • Technology: the proper technology must be in place to implement the policy (e.g. ticketing system, electronic approvals of users, escalation, etc.) • Process: there must be a living process to handle such incidents and to ensure enforcement of the policy • Business value: establishing this policy protects the customer as well as Duo, both legally and in terms of availability • IT Strategy: the four pillars of security must be addressed: authenticity, confidentiality, integrity and availability
People • Duo understands the need to assemble a team to carry the policy through the different stages • Planning: the team must establish the strategy, produce an initial estimate of the effort, plan the releases for delivery, perform a preliminary risk assessment, organize the policy, and establish leadership • Design: the team ensures that the policy meets its intended goals. Feasibility is addressed here, as well as implementation estimates (time and effort) • Implementation: the team ensures the policy is tested, obtains management approval, and re-assesses risk • Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc. • Rollout: the team ensures prior to rollout that all training and legal aspects are covered • Operate: periodically review the policy to ensure its enforceability and effectiveness
Technology • The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts • Privileges will be honored accordingly: • Content contributor • Publisher • Employee access will be via a portal
Technology (Continued) • Create a system of records for authorized contacts • SalesForce.com • Contains customer database with privilege levels • Granular control of access • Change/version control and user logs
Process • A process ensures the policy is working for Duo: • Usable • Enforceable • Effective • Legal
Business Value • What’s in it for Duo? • Prevention of unauthorized work • Policy provides legal protection from liability lawsuits including: • Unauthorized changes • Inaccurate content • Site downtime • Leakage of information
Business Value (Continued) • What’s in it for Duo’s customers? The Four Pillars: • Integrity • Authenticity • High availability • Confidentiality
IT Strategy • Integrity and availability were cited as top most concerns for our particular problem • However, Duo must address all four cornerstones of security: • Availability • Integrity • Confidentiality • Authenticity
Policy Contents • Authenticity: • Who is authorized to make requests? • How do we determine that the request is legitimate? • Is the person making the request authorized to perform the operation requested? • Develop and maintain a list of authorized contacts • Designate 1 or more authoritative contacts and require them to approve all requests • Maintain a secret pass phrase, agreed with each client out of band, to authenticate contacts who make requests
Policy Contents (Continued) • Integrity • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts • Each contact will have specific operations defined • Confidentiality • Establish the appropriate level of confidentiality for each request based upon client input • Availability • Ensure that proper client contact communication information is available and up to date • Enforce the policies with regard to authentication, integrity, confidentiality and availability
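The decision logic implied by the Technology slides (authorized-contact list with Content contributor / Publisher privilege levels, user logs) and the Policy Contents slides (pass phrase authentication, operation-per-contact authorization, approval by an authoritative contact) can be written down as a single request check. The following is an added example and not code from the deck or from Duo; the contact names, pass phrases, the operation-to-privilege mapping and the recording of the approver's name in the ticket are all constructed assumptions for illustration. It runs the Setton Farms scenario (an unknown contact asking for ftp access) alongside three other request shapes a practitioner would want to see rejected or accepted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Privilege levels named on the Technology slide.
CONTRIBUTOR = "content contributor"
PUBLISHER = "publisher"

# Assumed mapping of privilege level to permitted operations (the deck only
# names the two levels; the operations are constructed for this example).
ALLOWED_OPERATIONS = {
    CONTRIBUTOR: {"edit content"},
    PUBLISHER: {"edit content", "publish", "grant ftp access"},
}


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 hash of the shared pass phrase, never the phrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


@dataclass
class Contact:
    client: str
    name: str
    privilege: str
    authoritative: bool          # may approve requests for this client
    salt: bytes
    passphrase_hash: bytes


@dataclass
class Request:
    client: str
    requester: str
    passphrase: str
    operation: str
    approver: Optional[str] = None   # authoritative contact recorded on the ticket


class ContactRegistry:
    """Stand-in for the system of records (SalesForce.com in the deck)."""

    def __init__(self) -> None:
        self._contacts: Dict[Tuple[str, str], Contact] = {}
        self.log: List[str] = []      # user log of every decision taken

    def add(self, client: str, name: str, privilege: str,
            authoritative: bool, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        self._contacts[(client, name)] = Contact(
            client, name, privilege, authoritative, salt,
            hash_passphrase(passphrase, salt))

    def lookup(self, client: str, name: str) -> Optional[Contact]:
        return self._contacts.get((client, name))


def evaluate_request(registry: ContactRegistry, req: Request) -> Tuple[bool, str]:
    """Apply the policy: known contact, pass phrase, operation, approval."""
    contact = registry.lookup(req.client, req.requester)
    if contact is None:
        decision = (False, "unknown contact: escalate to an authoritative contact")
    elif not hmac.compare_digest(hash_passphrase(req.passphrase, contact.salt),
                                 contact.passphrase_hash):
        # Constant-time compare; a wrong phrase is treated like an unknown contact.
        decision = (False, "pass phrase mismatch: escalate to an authoritative contact")
    elif req.operation not in ALLOWED_OPERATIONS.get(contact.privilege, set()):
        decision = (False, f"{contact.privilege} is not authorized to {req.operation}")
    else:
        approver = registry.lookup(req.client, req.approver) if req.approver else None
        if approver is None or not approver.authoritative:
            decision = (False, "no approval from an authoritative contact")
        else:
            decision = (True, "authorized")
    registry.log.append(f"{req.client}/{req.requester} {req.operation}: {decision[1]}")
    return decision


def demo_decisions() -> List[Tuple[bool, str]]:
    """Constructed contacts and requests for the Setton Farms scenario."""
    registry = ContactRegistry()
    registry.add("Setton Farms", "Jane Doe", PUBLISHER, True, "maple-orchard-2019")
    registry.add("Setton Farms", "Bob Roe", CONTRIBUTOR, False, "harvest-moon")
    requests = [
        # The Saturday call: a designer nobody at Duo has heard of wants ftp access.
        Request("Setton Farms", "Hired Designer", "please", "grant ftp access"),
        # Known contributor tries to publish: authenticated but not authorized.
        Request("Setton Farms", "Bob Roe", "harvest-moon", "publish", "Jane Doe"),
        # Publisher with the right phrase but nobody authoritative approved.
        Request("Setton Farms", "Jane Doe", "maple-orchard-2019", "grant ftp access"),
        # Publisher, right phrase, approved by an authoritative contact.
        Request("Setton Farms", "Jane Doe", "maple-orchard-2019", "grant ftp access",
                approver="Jane Doe"),
    ]
    return [evaluate_request(registry, r) for r in requests]


if __name__ == "__main__":
    for ok, reason in demo_decisions():
        print("ALLOW" if ok else "DENY ", reason)
```

The recall request from the unknown designer is denied and escalated rather than refused outright, which is the path the policy leaves open: an authoritative Setton Farms contact can be reached through the contact information the Availability section requires Duo to keep current, and can either make the request or approve it.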
Questions? • Thank you!