Social Engineering and Physical Security BAI514 – Security I
Social Engineering • Social engineering involves obtaining protected information from individuals by establishing relationships with them and manipulating them • Two types of social engineering • Human-based • Computer-based
Social Engineering • Human-Based Social Engineering (Person-to-Person) • Impersonation (masquerading) • Attacker pretends to be someone else • e.g. repairman, employee, student, etc. • In Person • Attacker gathers information in person on the premises of the organization • Dumpster diving • Shoulder surfing
Social Engineering • Human-Based Social Engineering (cont.) • Important user posing • Attacker pretends to be an individual in a position of authority to intimidate users • Technical support (help desk) • Attacker poses as a technical support person • Authorization by a third party • Attacker convinces an unsuspecting individual that he or she is authorized by a third party in a position of authority
Social Engineering • Computer-Based Social Engineering • Mail / IM attachments • When opened, install a Trojan • Pop-up windows • Simulate an urgent condition on the user's system and instruct the user to perform an action • Spam mail • Initiates fraud by a variety of means • Websites • Fake website appears legitimate but collects user credentials
Social Engineering • Reverse Social Engineering • Attacker convinces a target individual that he or she is having a problem or may have one soon and the attacker is ready and willing to help • Uses three steps • Sabotaging the target’s equipment • Ensuring the target is aware that the attacker is a person of authority and has the skills needed to repair the equipment • Providing assistance in solving the problem and, in doing so, gaining the trust of the target and obtaining access or information
Social Engineering • Phishing • The process of obtaining sensitive personal data, usually financially related, under false pretenses from unsuspecting individuals for fraudulent purposes • Bank account numbers • PINs • SINs (Social Insurance Numbers) • etc.
Social Engineering • Phishing (cont.) • Phishing messages and Web hosting can be based on • servers whose organizations tolerate phishing activity • computers that have been compromised • reputable Web hosting providers that are unaware of the content
Social Engineering • Phishing (cont.) • A typical phishing attack • Attacker sends a fraudulent email with forged headers so that it appears to come from a bank • Message asks for confirmation of the victim's account information and password • Message contains a link to a web server that generates a window that looks like the bank's site • User is prompted to enter user ID and password, which go to the attacker
Social Engineering • Hidden Frames • Legitimately used to maintain the state of a web site without using cookies to store session variables • Store data until required • Attacker can define two frames • Primary visible frame showing the expected content • Hidden frame (a zero-width slot in a frameset, or a zero-size or display:none iframe) containing the running attack, loaded without the user ever seeing it
Social Engineering • URL Obfuscation • Used to obscure a fake web site's URL • Representing characters in the URL in hex (percent-encoded) format • Expressing the domain name as an IP address in different formats • hex • octal • decimal • dword • Adding misleading text after "http://" and before the @ symbol; the browser treats everything before the @ as a user name and connects to the host after it • e.g. http://login.citibank.com@attacker.com • Caveat: a "/" before the @ ends the host part, so for http://login.citibank.com/secure_login/login@attacker.com the browser connects to login.citibank.com, not attacker.com; modern browsers also warn about or strip a user name in a navigated URL
Social Engineering • HTML image mapping • Links different regions of a single image to different hyperlinks (i.e. other websites) • Entire text of the email might be a single image with one hot spot covering all of it • no matter where you click, you're going to the attacker's website, and there is no link text for a filter to inspect
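The three tricks on the preceding slides (hidden frames, URL obfuscation and image-map bodies) can all be checked mechanically. The Python below is an added example, not code from the slides: real_host resolves an obfuscated URL to the host a browser will actually contact (dropping the fake "host" before @, percent-decoding, and normalising hex/octal/decimal/dword IP forms the way browsers do), and scan_email_html looks for zero-size frames and an image-map body in an HTML mail. The host names, the 192.0.2.1 address and SAMPLE_MAIL are constructed; the 20-character visible-text threshold is an assumption.

```python
"""Checks for the phishing tricks above: URL obfuscation, hidden frames and
image-map mail bodies. Added example; hosts, the 192.0.2.1 address and
SAMPLE_MAIL are constructed, the 20-character text threshold is an assumption."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


def decode_ipv4_literal(host):
    """Hex/octal/decimal/dword IPv4 forms -> dotted decimal, or None if not an IP.
    Browsers accept 1-4 dot-separated numbers: each leading number is one byte,
    the last fills the remaining bytes (one number = 32-bit dword); 0x is hex,
    a leading 0 is octal."""
    if not re.fullmatch(r"[0-9a-fA-Fx.]+", host):
        return None
    nums = []
    for part in host.split("."):
        try:
            if part.lower().startswith("0x"):
                nums.append(int(part, 16))
            elif len(part) > 1 and part.startswith("0"):
                nums.append(int(part, 8))
            else:
                nums.append(int(part, 10))
        except ValueError:
            return None                     # a non-numeric label: not an IP literal
    if not 1 <= len(nums) <= 4 or any(n > 0xFF for n in nums[:-1]):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    remaining = 4 - (len(nums) - 1)         # bytes covered by the last number
    if nums[-1] >= 1 << (8 * remaining):
        return None
    return str(ipaddress.IPv4Address((value << (8 * remaining)) | nums[-1]))


def real_host(url):
    """Host a browser connects to: text before '@' is userinfo and is dropped,
    the real host is percent-decoded, numeric IP forms are normalised."""
    host = unquote(urlsplit(url.strip()).hostname or "")   # hostname is lowercased
    return decode_ipv4_literal(host) or host


class _MailScanner(HTMLParser):
    """Collects hidden frames, image-map hot spots and the visible text size."""

    def __init__(self):
        super().__init__()
        self.hidden_frames, self.area_targets = [], []
        self.images, self.usemap, self.visible_text, self._ignore = 0, False, 0, 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        if tag in ("script", "style"):
            self._ignore += 1
        elif tag in ("frame", "iframe") and (
                a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                or "display:none" in style or "visibility:hidden" in style):
            self.hidden_frames.append(a.get("src", ""))
        elif tag == "frameset" and re.search(r"(^|,)\s*0(px|%)?\s*(,|$)",
                                             a.get("cols", "") + "," + a.get("rows", "")):
            self.hidden_frames.append("<frameset with a zero-sized slot>")
        elif tag == "img":
            self.images += 1
            self.usemap = self.usemap or "usemap" in a
        elif tag == "area" and a.get("href"):
            self.area_targets.append(real_host(a["href"]))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._ignore:
            self._ignore -= 1

    def handle_data(self, data):
        if not self._ignore:
            self.visible_text += len("".join(data.split()))


def scan_email_html(html):
    """Indicators found in an HTML mail body, plus a human-readable reason list."""
    s = _MailScanner()
    s.feed(html)
    s.close()
    targets = sorted(set(s.area_targets))
    reasons = []
    if s.hidden_frames:
        reasons.append("hidden frame(s) loading: " + ", ".join(s.hidden_frames))
    if s.images and s.usemap and s.visible_text < 20:     # assumed threshold
        reasons.append("image-map body with almost no text; clicks go to " + ", ".join(targets))
    return {"hidden_frames": s.hidden_frames, "image_map_targets": targets, "reasons": reasons}


# Constructed phishing mail: image-map body, userinfo trick + dword IP, hidden iframe
SAMPLE_MAIL = """<html><body>
<img src="cid:statement.png" usemap="#m" width="600" height="400">
<map name="m">
  <area shape="rect" coords="0,0,600,400"
        href="http://login.citibank.com@0xC0000201/secure_login/">
</map>
<iframe src="http://%61ttacker.com/collect" width="0" height="0"></iframe>
</body></html>"""
```

real_host also shows the caveat from the URL obfuscation slide: with a "/" before the @, the browser connects to the host before the slash, so the example with /secure_login/login@attacker.com resolves to login.citibank.com.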
Social Engineering • Identity Theft • Stealing another person’s personal information and using that information to assume that person’s identity • Once obtained, attacker can start making purchases or signing up for services • Credit card fraud • Mail fraud • Other financial transactions
Social Engineering • Identity Theft (cont.) • Attack vectors • Phishing • Stealing information from financial institutions • Dumpster diving • Stealing email • Stealing credit card numbers • Stealing wallet or purse
Social Engineering • Identity Theft (cont.) • Warning signs • Unauthorized or unknown long distance calls on victim’s phone • Phone calls from collection agencies regarding unknown accounts • Denial of credit when applying for new accounts • You wake up one morning and realize you’re not who you think you are
Social Engineering • Defending Against Social Engineering Attacks • Best defenses are personnel related • Policies and Procedures • Must have comprehensive, up-to-date information security policies • Personnel must read the policies and be able to recognize potential social engineering attacks
Physical Security • Physical security is a necessary countermeasure to hacking • Concerned with • Physical access • Environmental issues • Power source(s) • Biometrics • Fire protection • Inventory control • Media erasure/destruction • etc.
Physical Security • Threats to physical security • Human actions • War • Labor strikes • Sabotage • Theft • Vandalism • Natural events • Storms • Earthquakes • etc. • Disasters • Release of toxic gases • Fire • Power outage • Water damage • Equipment failure
Physical Security • Physical Security Implementation • Includes various controls • Facility • Personnel • Environment • HVAC • Fire safety • Access • Fax machines • Physical
Physical Security • Physical Security Implementation (cont.) • Facility controls • Must be an integral part of planning and design of data facilities • Issues • Heights • Fire ratings of walls and ceilings • Weight ratings • Electrical conductivity of floors (to reduce static electricity) • Window security • Door security • Emergency exits • Fire suppression • Shut-off switches • Air conditioning • positive air pressure (to protect against airborne particles entering the building) • UPS
Physical Security • Physical Security Implementation (cont.) • Facility controls (cont.) • Site selection considerations • Local environment • Security situation, types of other facilities in area • Joint tenancy • Restrictions/complications/vulnerabilities caused by other tenants • Visibility • Prominence of building • Transportation • Accessibility, congestion, etc • Emergency services • availability of police, fire, medical
Physical Security • Physical Security Implementation (cont.) • Facility controls (cont.) • Access logs for facility entry • Violations • Modification of access privileges and by whom • Time and date of access attempt • Successful/Unsuccessful attempts • Point of entry • Name of individual attempting access
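The log fields listed above are only useful if someone reviews them. The Python below is an added example, not from the slides; it runs three checks over badge-access log lines of that shape: repeated denials at one door, a badge granted entry at a perimeter door while already inside (anti-passback), and granted entry outside business hours. The log format, door names, badge numbers and names in SAMPLE_LOG are constructed; the 07:00-19:00 business hours and the PERIMETER door set are assumptions.

```python
"""Anomaly checks over a facility access log with the fields listed above.
Added example; the log format and every entry in SAMPLE_LOG are constructed,
the business hours and the PERIMETER door set are assumptions."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time door badge name result direction")
PERIMETER = {"lobby-north", "loading-dock"}   # assumed doors between outside and inside

# Constructed: time, point of entry, badge id, holder, result, direction
SAMPLE_LOG = """\
2024-03-11T07:58:02,lobby-north,1042,A. Lee,granted,in
2024-03-11T08:01:17,server-room,1042,A. Lee,denied,in
2024-03-11T08:01:40,server-room,1042,A. Lee,denied,in
2024-03-11T08:02:05,server-room,1042,A. Lee,denied,in
2024-03-11T08:03:30,server-room,1042,A. Lee,granted,in
2024-03-11T08:10:00,lobby-north,2077,B. Singh,granted,in
2024-03-11T08:40:12,lobby-north,2077,B. Singh,granted,in
2024-03-11T22:15:44,loading-dock,3110,C. Ortiz,granted,in
2024-03-11T23:05:10,lobby-north,1042,A. Lee,granted,out
"""


def parse_log(text):
    """Parse the comma-separated lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, name, result, direction = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), door, badge, name, result, direction))
    return sorted(events, key=lambda e: e.time)


def failed_streaks(events, threshold=3, window=timedelta(minutes=5)):
    """A badge denied `threshold` times at one door inside `window`: a guessed
    PIN or a revoked card being retried. Fires when the count is first reached."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e.result != "denied":
            continue
        times = recent[(e.badge, e.door)]
        times.append(e.time)
        while e.time - times[0] > window:       # drop denials outside the window
            times.pop(0)
        if len(times) == threshold:
            alerts.append(f"{e.badge} ({e.name}) denied {threshold}x at {e.door} by {e.time:%H:%M}")
    return alerts


def anti_passback(events):
    """A badge granted entry at a perimeter door with no exit since its last
    entry: a copied or lent badge, or the holder tailgated out earlier."""
    alerts, inside = [], set()
    for e in events:
        if e.result != "granted" or e.door not in PERIMETER:
            continue
        if e.direction == "in":
            if e.badge in inside:
                alerts.append(f"{e.badge} ({e.name}) re-entered at {e.door} at {e.time:%H:%M} without leaving")
            inside.add(e.badge)
        else:
            inside.discard(e.badge)
    return alerts


def after_hours(events, start=7, end=19):
    """Granted entries outside the assumed start-end business hours."""
    return [f"{e.badge} ({e.name}) entered {e.door} at {e.time:%Y-%m-%d %H:%M}"
            for e in events
            if e.result == "granted" and e.direction == "in" and not start <= e.time.hour < end]


def review(text):
    """Run all three checks and return the alerts grouped by check."""
    events = parse_log(text)
    return {"failed_streaks": failed_streaks(events),
            "anti_passback": anti_passback(events),
            "after_hours": after_hours(events)}


if __name__ == "__main__":
    for kind, alerts in review(SAMPLE_LOG).items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```

Run as a script it prints one alert per check for the sample: badge 1042 denied three times at the server room, badge 2077 entering the lobby twice without an exit, and badge 3110 entering the loading dock at 22:15. Anti-passback is only meaningful for doors that separate outside from inside, which is why interior doors such as the server room are excluded.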
Physical Security • Physical Security Implementation (cont.) • Company Personnel Controls • Procedures related to HR such as hiring, termination, background checks, performance reviews, etc. • Employment background, reference, and education reviews • Security clearances • Personnel performance reviews • Non-disclosure agreements • Exit interviews • Return of company property • Change of passwords and encryption keys
Physical Security • Physical Security Implementation (cont.) • Environmental Controls • Electrical power • Heating • Ventilation • Air conditioning (HVAC) • Humidity
Physical Security • Physical Security Implementation (cont.) • Fire Safety Controls • Principal life safety control • Impacts • Personnel safety • Economic impact from losses • Loss of critical documents/data
Physical Security • Physical Security Implementation (cont.) • Fire Safety Controls (cont.) • Combustible Material Classes
Physical Security • Physical Security Implementation (cont.) • Fire Safety Controls (cont.) • Fire Suppression Classes
Physical Security • Physical Security Implementation (cont.) • Fire Safety Controls (cont.) • Fire Detection • Critical to life safety • Heat Detectors • Respond to either the rate of temperature change or an actual temperature threshold • Flame Detectors • Respond to flame pulsation or infrared emissions • Smoke Detectors • Respond to smoke interfering with a light beam (photoelectric) or with an ionization current
Physical Security • Physical Security Implementation (cont.) • Fire Safety Controls (cont.) • Fixed fire extinguishing • Water sprinkler system • Wet pipe • Dry pipe • Deluge • Preaction • Combines wet and dry pipe: pipes hold air until a detector fires, then fill with water, which is released only when a sprinkler head opens
Physical Security • Physical Security Implementation (cont.) • Access Controls • Applies to both physical and data entities • Access cards • Dumb – simple id card with picture • Smart – embedded intelligence
Physical Security • Physical Security Implementation (cont.) • Access Controls (cont.) • Biometric • Provides an automated means of identifying and authenticating a living person based on physiological or behavioral characteristics • Finger prints • Face recognition • Retina scan • Gait • Hand geometry • Voice • Signature dynamics
Physical Security • Physical Security Implementation (cont.) • Access Controls (cont.) • Intrusion Detection Systems
Physical Security • Physical Security Implementation (cont.) • FAX machines • Place in secure, restricted access area • Protect FAX servers with security hardware and software
Physical Security • Physical Security Implementation (cont.) • Physical Facility Controls • Guards • Guard dogs • Fences • Mantrap • Bollards • Lights • Video cameras • PC/laptop controls • Tethers, etc.
Physical Security • Physical Security Implementation (cont.) • Physical Facility Controls (cont.) • Locks • Warded locks • common padlock opened with a key; easily defeated with a skeleton key • Tumbler locks • more secure locks that use pin tumblers, lever tumblers, or wafer tumblers • Combination locks • dials or a series of wheels that require the correct combination • Programmable locks • electronic or mechanical keypad or card-key • Device locks • used to secure equipment (cables, port blockers, etc.)
Physical Security • Physical Security Implementation (cont.) • Storage Media Controls • Data encryption • Cable locks (for laptops) • Secure storage of paper and magnetic media • Backing up data • Storing critical data offsite • Destroying paper documents and magnetic media • Auditing media use and storage
Physical Security • Physical Security Implementation (cont.) • Storage Media Controls (cont.) • Data Remanence and Object Reuse • Data remanence is the data that remains on magnetic media following erasure • Object reuse is the reusing of data storage media • Data remanence safeguards • Clearing – overwriting the magnetic medium, usually done when media remain in the original environment • Purging – degaussing or overwriting media that will leave a monitored environment • Destroying – physical destruction of the media • Caveat: overwriting is a magnetic-media technique; on flash/SSD media, wear-levelling means an overwrite need not reach the cells holding the old data, so use the device's secure-erase function, encryption with key destruction, or physical destruction