The Human Side of Security
“To err is human…” Alexander Pope

Agenda
• The threat exposed
• Phishing
• Social Engineering
• Digital leakage
• Know your enemy
• Bring a gun to the sword fight
• Get a clue, get a policy in place
• Education makes the difference
• Human firewalls
The threat is real!
• Over the course of the last year at least two CU*Answers credit unions were the targets of phishing attacks.
• Our alerts page has been updated multiple times with information regarding Social Engineering attacks.
• Credit Unions are no longer off the radar screen.
• The threat is global.
What is Phishing?
• In computing, phishing is the act of attempting to fraudulently acquire sensitive information.
• The attacker literally fishes for a weak user who may be gullible enough to perform an action the attacker desires, from clicking on an e-mail link to giving out a credit card number over instant messenger.
• Puddle phishing
  • Target the small and the less secure. (Big companies have strong defenses.)
• Spear phishing
  • Sophisticated, targeted phishing attack.
  • Go after the CEO, CIO, CFO.
  • Customize the attack to the individual level.
More stats than a baseball card.
• 5,259 phishing sites in August 2005
• 642 mortgage fraud cases reported to the FBI in the first half of 2005
• 45% of banking customers would like a complete guarantee against identity theft
• New account fraud on average takes 59 hours to rectify
• 10% of consumers still click on suspicious links in e-mails
• 80% of phishing is targeted at financial institutions
• 57 million Americans received a phishing e-mail
• 2.4 million Americans lost money to phishing; 33% are buying less online
Phishing example and why it’s done.
• NCUA - '*** WARNING: Security Issues ***'
• Classic e-mail redirection: the link text shows one address, the link itself goes somewhere else.
• Very professionally written and designed.
• Site was really hosted in Paris, France.
• Why phishing?
  • Sending mass amounts of e-mail is cheap.
  • 10% of users still click the link.
  • It can be very difficult to trace the spoofed site back to its real owner.
  • The spoofed site may be hosted in a country that does not recognize US commercial law, such as Iran. The site creator can have the data e-mailed anywhere, including free and virtually untraceable e-mail accounts or IRC chatrooms.
Where the heck is Tokelau?
• The member number, PIN, and card information were sent via e-mail to Gmail and Yahoo accounts.
• A number of skilled individuals and two hours later, we had stopped the attack.
• The domain was .TK, the top-level domain for the island of Tokelau.
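As an added example (not from the presentation or CU*Answers), here is a defender-side check for the pattern the two slides above describe: it pulls every link out of an HTML e-mail body and flags anchors whose visible text names the institution's real domain while the href actually points at a different host, plus any link that leaves the trusted domain at all. The sample e-mail body, the `.tk` host and the trusted domain `ncua.gov` are constructed/assumed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"ncua.gov"}  # assumption: the institution's legitimate domain(s)

# Constructed sample in the "classic redirection" style from the slides: the
# visible link text shows the real domain while the href goes to a .tk host.
SAMPLE_EMAIL_HTML = """
<p>*** WARNING: Security Issues ***</p>
<p>Please verify your account at
<a href="http://account-verify.tk/ncua/login.php">https://www.ncua.gov/login</a></p>
<p>Questions? See <a href="https://www.ncua.gov/contact">our contact page</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) for links that redirect away from the trusted domain."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real = registered_domain(urlparse(href).hostname or "")
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)  # a domain named in the link text
        shown_dom = registered_domain(shown.group(0)) if shown else None
        if shown_dom and shown_dom != real:  # text claims one domain, link goes to another
            flagged.append((href, f"text shows {shown_dom} but link goes to {real}"))
        elif real not in trusted:  # nothing claimed, but the link still leaves the domain
            flagged.append((href, f"link leaves trusted domains: {real}"))
    return flagged
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags only the first anchor; the genuine contact link passes.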
What does CU*Answers do? (phishing)
• Continual education of staff.
• Policies on how to handle suspicious e-mail.
• Enforcement of those policies.
• Notify clients of the phishing attack (initial notice, then more detailed follow-up as information warrants).
• Determine the scope of the attack.
• Determine where the phishing site is being hosted.
• Shut down the site or otherwise stop the attack.
Solutions (phishing)
• Do you have a policy?
• Create a policy that focuses on education. Use the resources you already have.
  • http://www.cusecure.org/
  • Statement inserts (contact Melinda Haehnel x138)
• Use commonly accepted tools, or add them to your policy.
  • Netcraft toolbar.
  • IE 7
  • Others.
Social Engineering
• Social Engineering is the act of manipulating a person to obtain confidential information.
• Phishing is a subset of Social Engineering.
• Social Engineering relies on the user being the weakest link and easily manipulated.
Social Engineering
• Industrial espionage is a common Social Engineering crime.
  • Does not require massive or specialized resources like a technology threat.
  • Can be done within the law of some foreign countries.
• Blackmail.
• Similar-domain hijacking.
• Phishing.
Social Engineering
• Don’t get so involved in the technology that you forget the obvious.
• Information security is not computer security. While computer security is an integral part of a good security program, it is only one part.
• Firewalls and other Internet security mechanisms are the hottest-selling products. While firewalls go a long way in preventing traditional computer hackers from intruding into a corporate computer network, they do nothing to stop the most significant source of computer crime: insiders.
What does CU*Answers do? (social engineering)
• Our staff report suspicious behavior such as shoulder surfing, or unauthorized people using a PC they shouldn't have access to.
• If staff are contacted by anyone seeking unauthorized access to information, they report it to a security manager or other authorized personnel.
• Our staff approach a security manager or other designated person with their security concerns rather than discussing them with their co-workers.
• Our security team is always on the lookout for employees who are not acting in a security-conscious manner; we give them a gentle reminder if we find:
  • a computer left unlocked
  • passwords written on sticky notes
  • sensitive company information left out in the open
• We build awareness!
• We audit and test! Then audit and test again!
Solutions (social engineering)
• Do you have a policy?
• Create a policy that focuses on education. Use the resources you already have.
• Test your policy.
  • Social engineering testing can be cheap and easy.
  • Make a call and ask for a password or a password reset.
  • Walk into unauthorized space and see if you are challenged.
Digital leakage
• Unauthorized access to and redistribution of confidential digital information, either accidentally or intentionally.
  • A backup tape sent to a vendor by mistake.
  • An employee downloading corporate information to a thumb drive.
  • A cleaning person stealing a programmer’s laptop with a valuable database.
  • Misplaced documents.
Digital Leakage
• There must be a thorough investigation of all people with potential access to sensitive information.
• The term “employees” should be used broadly to include anyone with physical access to facilities or information.
• Any device that has access to corporate information is capable of being a digital leak.
What does CU*Answers do? (digital leakage)
• Network staff should also establish a strategic relationship with the Human Resources department.
  • It is critical to be aware of any pending employee departures that could be under less than amicable circumstances.
  • Systems administrators must lock the accounts of departed employees on the day that they leave the company.
• Create and enforce strong policies for critical data.
  • Backup tape rotation and location.
  • Encryption.
  • Storage of confidential documents.
• Employee education and ongoing training.
• Third-party auditing.
Know your enemy.
• Hacker
  • They discover holes within systems and the reasons for such holes.
• Cracker
  • One who breaks into or otherwise violates the system integrity of remote machines with malicious intent.
• Script Kiddies
  • Mostly young, unskilled crackers who find and use scripts and utilities that other, skilled crackers have written.
• Insider
  • An insider is a member of any group of people of limited number and generally restricted access.
What motivates them?
• Notoriety
  • Elite factor, bragging
• Malicious or destructive
  • Pranks or a disgruntled employee
  • Making a political statement
• Financial gain and theft
  • Theft or unauthorized transfer of funds
  • Theft of intellectual property and corporate espionage
  • Credit card theft
  • Money
    • Zombie PCs
    • Spam relay
Internal Risks
• Most networks are “crunchy” on the outside but “chewy” on the inside. The network perimeter is far more secure than the inside of your network.
• Internal risks include disgruntled employees; temporary, planted or baited employees; trusted vendors; the public (lobby PC); etc.
• Intent may be opportunistic.
• A recent report from CSI (Computer Security Institute) on its CCSC survey stated:
  • 90% of the respondents surveyed reported security breaches.
  • Of them, only 25% were from the outside.
  • 71% detected unauthorized access by insiders.
  • The report summarized this by stating that “insiders cause 80% of the security problems on networks”.
The Incident Response Plan to the rescue!
• A good response plan will include:
  • Incident Severity and Declaration
  • Response Procedures
    • General guidelines and the beginning of the paper trail.
• This is one of our paper trails…
  • Alert Phase
  • Triage Phase
    • Examining the information available about the incident to determine, first, if it is a “real” incident and, second, if it is, its severity.
  • Response & Recovery Phase
Security Awareness Training
• Your ultimate defense may be your “Human Firewalls”.
• Successful awareness programs not only educate employees about why security is important; they should also get the workers involved in making the organization secure.
• Every employee should:
  • sign an acknowledgement of their information security responsibilities
  • know where to find security policies and procedures online and in print
  • complete a basic security awareness course
  • visit the organization’s security awareness intranet site
  • understand a specific list of information security issues and risks
  • be able to recognize an actual or potential incident
  • know how to report an incident
  • be willing to report an incident
Never Forget: First Immutable Law of Security
• In security, there are no “silver bullets”.
• Security is built in layers.
• No one piece of software, no single firewall, no single policy can totally protect you.
Additional Resources
• CU*Answers has two CISSPs (Certified Information Systems Security Professionals) on staff.
  • Randy Brinks (rbrinks@wesconet.com)
  • Joe Couture (jcouture@wesconet.com)
• CERT (www.cert.org)
  • Home computer security document
  • Home computer security checklist handout
• SANS (www.sans.org)
• Microsoft Product Security Notification
  • http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp
Additional Resources
• Other SECURE-U courses
  • 9.15 – “Security Essentials”
    • Essential security and privacy issues
  • 9.35 – “The Armored Network”
    • Network security at CU*Answers
  • 9.55 – “The Human Side of Security”
    • Social Engineering and other exploits
  • 9.65 – “Disaster Recovery and Business Continuity”
    • The CU*Answers plan
Questions and Answers
• ???