Lesson 4 - General Security Concepts: The Role of People in Security
The Role of People in Security • This presentation discusses: • The human element and the role that people play in security. • User practices that help in securing an organization. • Vulnerabilities that users can introduce.
Background • The operational model of computer security acknowledges that absolute protection of computer systems and networks is not possible. • People need to be prepared to detect and respond to attacks that circumvent the security mechanisms.
Background • Technology alone will not solve the security problem. • No matter how advanced the technology is, it will ultimately be deployed in an environment where humans exist. • The human element is the biggest problem in security.
Defense-In-Depth: Information Assurance Triad • (Figure: Technology, Operations and People, with all three shown as people-centric.) • Fundamentally, only three countermeasures are available to protect critical information infrastructures: technology, operations and people.
Background • It is difficult to compensate for all the ways humans can deliberately or accidentally cause security problems or circumvent security mechanisms. • Despite the technology, security procedures, and security training provided, some people will not do what they are supposed to, and will create vulnerabilities in an organization’s security posture.
Objectives • Upon completion of this lesson, the learner will be able to: • Define basic terminology associated with social engineering. • Describe a number of poor security practices that may put an organization’s information at risk. • Describe methods attackers may use to gain information about an organization. • List and describe ways in which users can aid rather than detract from security.
People • Prevention technologies are not sufficient since every network and computer system has at least one human user. • A significant portion of security problems that humans can cause result from poor security practices.
Password Selection • Computer intruders rely on poor passwords to gain unauthorized access to a system or network.
Passwords • Password Problems • Users choose passwords that are easy to remember and often choose the same sequence of characters as their user IDs. • Users also frequently select names of family members, their pets, or their favorite sports team for their passwords.
Improving Passwords • To complicate the attacker’s job: • Mix uppercase and lowercase characters. • Include numbers and special characters in passwords.
Policy • Organizations have instituted additional policies and rules relating to password selection to complicate an attacker’s effort. • Organizations may require users to change their passwords frequently. • This means if an attacker is able to guess a password, it is valid only for a limited time before the attacker is locked out.
Notes on the Monitor • Another password-selection policy or rule adopted by organizations is that passwords should not be written down. • To make the passwords more difficult for attackers to guess, users need to change the passwords frequently.
Increasing Problem • Users frequently use the same password for all accounts on many systems. • If one account is broken, all other accounts are subsequently also vulnerable to attack.
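The password problems listed on the preceding slides (passwords built from the user ID or from family, pet or team names, no mix of case, no digits or special characters, and the same password reused across accounts) can be checked mechanically. The following is an added example, not part of the original presentation; the personal-name list and the account data are constructed for illustration.

```python
import string

# Constructed sample of the names an attacker tries first: a family member,
# a pet and a favourite sports team, as the slides describe.
PERSONAL_TERMS = ["alice", "rex", "lakers"]


def password_weaknesses(password, user_id, personal_terms=PERSONAL_TERMS):
    """Return the slide-listed weaknesses that `password` exhibits.

    An empty list means none of the listed problems was found; it does not
    certify the password as strong.
    """
    problems = []
    lowered = password.lower()
    uid = user_id.lower()
    # Same character sequence as the user ID (or a password built around it).
    if uid and uid in lowered:
        problems.append("contains user ID")
    # Names of family members, pets or a favourite sports team.
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    # Mixed case, digits and special characters complicate the attacker's job.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no mix of upper- and lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def reused_passwords(accounts):
    """Given {account_name: password}, return the accounts that share a password.

    One broken account then exposes every other account in its group.
    """
    by_password = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return sorted(a for group in by_password.values() if len(group) > 1 for a in group)


if __name__ == "__main__":
    print(password_weaknesses("jsmith", "jsmith"))
    print(password_weaknesses("Rex2024!x", "jsmith"))
    print(reused_passwords({"mail": "Winter!9", "bank": "Winter!9", "vpn": "Other#3"}))
```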
PINs • Most people have at least one Personal Identification Number (PIN). • PINs are associated with things such as automated teller machine (ATM) cards or a security code to gain physical access to a room. • Users invariably select numbers that are easy to remember.
Human Attacks • Piggybacking and shoulder surfing • Dumpster diving • Installing unauthorized hardware and software • Access by non-employees • Social engineering • Reverse social engineering
Piggybacking and Shoulder Surfing • Piggybacking is the tactic of closely following a person who has just used an access card or PIN to gain physical access to a room or building. • Shoulder surfing is a procedure in which attackers position themselves in such a way as to be able to observe the authorized user entering the correct access code.
Dumpster Diving • Attackers need some information before launching an attack. • A common way to find this information is to go through the target’s trash. • This process of going through a target’s trash is known as dumpster diving.
Dumpster Diving • If the attackers are fortunate and the target’s security procedures are very poor, attackers may find user IDs and passwords. • Manuals for purchased hardware or software may also provide a clue as to what vulnerabilities might be present on the target’s computer systems and networks.
Unauthorized Hardware and Software • Organizations should have a policy to restrict normal users from installing software and hardware on their systems. • Communication software and a modem may allow individuals to connect to their machines at work using a modem from home. • This creates a backdoor into the network and can circumvent all the other security mechanisms. • There are numerous small programs that can be downloaded from the Internet. • Users cannot always be sure where the software originally came from and what may be hidden inside.
E-Mail • The actions that a received e-mail is allowed to trigger can be restricted. • This helps prevent users from executing a hostile program that was sent as part of a worm or virus.
Access by Non-employees • If attackers gain access to a facility, they may be able to obtain enough information to penetrate computer systems and networks. • Many organizations require employees to wear identification badges at work. • This method is easy to implement and may be a deterrent to unauthorized individuals. • It also requires that employees challenge individuals not wearing identification badges.
Access by Non-employees • One should examine who has legitimate access to a facility. • Non-employees may not have the same regard for the intellectual property rights of the organization that employees have. • Contractors, consultants, and partners may frequently not only have physical access to the facility but also have network access. • Nighttime custodial crewmembers and security guards have unrestricted access to the facility when no one is around.
Social Engineering • Using social engineering, the attacker uses deception to: • Obtain privileged information. • Convince the target to do something that they normally would not.
Social Engineering • Social engineering is successful for two reasons. • The first is the basic human tendency to be helpful. • The second is that individuals normally seek to avoid confrontation and trouble.
Variations • A variation on social engineering uses means other than direct contact between the target and the attacker. • Insiders may also attempt to gain unauthorized information. • The insider may be more successful: • They already have a level of information regarding the organization. • They can better spin a story that is believable to other employees.
Stanley Mark Rifkin (1978) • In 1978, when Stanley Mark Rifkin stole $10.2 million from the Security Pacific Bank in Los Angeles: • He was working as a computer consultant for the bank. • He learned details on how money could easily be transferred to accounts anywhere in the United States. • He transferred the money to another account in Switzerland under a different name. • The crime might have gone undetected if he had not boasted of his exploits to an individual.
Reverse Social Engineering • An alternate approach to social engineering is called reverse social engineering. • Here, the attacker hopes to convince the target to initiate the contact. • The attack may be successful because the target initiates the contact. • Attackers may not have to convince the target of their authenticity.
Reverse Social Engineering • Methods of convincing the target to make the initial contact include: • Sending out a spoofed e-mail claiming to be from a reputable source that provides another e-mail address or phone number to call for “tech support.” • Posting a notice or creating a bogus Web site for a legitimate company that also claims to provide “tech support.” • This may be successful in conjunction with the deployment of a new software or hardware platform or when there is a significant change in the organization itself.
People as a Security Tool • A paradox of social engineering attacks is that people are not only the biggest problem and security risk, but also the best tool to defend against these attacks. • Organizations must fight social engineering attacks by establishing policies and procedures that define roles and responsibilities for all users and not just security personnel.
Security Awareness • Organizations can counter potential social engineering attacks by conducting an active security awareness program for the organization’s security goals and policies. • The training will vary depending on the organization’s environment and the level of threat.
Security Awareness • An important element that should be stressed in the training on social engineering is the type of information that the organization considers sensitive and that may be the target of a social engineering attack.
Individual User Responsibilities • Certain responsibilities that should be adopted by all users include: • Locking the door to the office or workspace. • Not leaving sensitive information unprotected inside the car. • Securing storage media containing sensitive information. • Shredding paper containing organizational information before discarding it.
Individual User Responsibilities • Certain responsibilities that should be adopted by all users include (continued): • Not divulging sensitive information to unauthorized individuals. • Not discussing sensitive information with family members. • Protecting laptops that contain sensitive or important organization information. • Being aware of who is around when discussing sensitive corporate information. • Enforcing corporate access control procedures.
Individual User Responsibilities • Certain responsibilities that should be adopted by all users include (continued): • Being aware of the procedures to report suspected or actual violations of security policies. • Enforcing good password security practices, which all employees should follow. • Cultivating an environment of trust in the office and an understanding of the importance of security.