Lesson 4-General Security Concepts
The Role of People in Security
This presentation discusses:
– The human element and the role that people play in security.
– User practices that help in securing an organization.
– Vulnerabilities that users can introduce.
Background
The operational model of computer security acknowledges
that absolute protection of computer systems and networks
is not possible.
People need to be prepared to detect and respond to
attacks that were able to circumvent the security
mechanisms.
Background
Technology alone will not solve the security problem.
– No matter how advanced the technology is, it will ultimately be
deployed in an environment where humans exist.
– The human element is the biggest problem in security.
Fundamentally, only THREE countermeasures are available to protect critical information infrastructures:
– Technology
– Operations
– People
(Slide graphic: the Information Assurance Triad, shown as a Defense-In-Depth diagram.)
Background
It is difficult to compensate for all the ways humans can
deliberately or accidentally cause security problems or
circumvent security mechanisms.
Despite the technology, security procedures, and security
training provided, some people will not do what they are
supposed to, and will create vulnerability in an
organization’s security posture.
Objectives
Upon completion of this lesson, the learner will be able to:
– Define basic terminology associated with Social Engineering.
– Describe a number of poor security practices that may put an
organization’s information at risk.
– Describe methods attackers may use to gain information about
an organization.
– List and describe ways in which users can aid instead of detract
from security.
People
Prevention technologies are not sufficient since every
network and computer system has at least one human user.
A significant portion of security problems that humans can
cause result from poor security practices.
Password Selection
Computer intruders rely on poor passwords to gain
unauthorized access to a system or network.
Passwords
Password Problems
– Users choose passwords that are easy to remember and often
choose the same sequence of characters as they have for their
userIDs.
– Users also frequently select names of family members, their
pets, or their favorite sports team for their passwords.
Improving Passwords
To complicate the attacker’s job:
– Mix uppercase and lowercase characters.
– Include numbers and special characters in passwords.
Policy
Organizations have instituted additional policies and rules
relating to password selection to complicate an attacker’s
effort.
Organizations may require users to change their passwords
frequently.
– This means if an attacker is able to guess a password, it is valid
only for a limited time before the attacker is locked out.
Notes on the Monitor
Another password-selection rule adopted by organizations is that
passwords should not be written down (for example, on a note stuck to the monitor).
To make passwords more difficult for attackers to guess,
users also need to change them frequently.
Increasing Problem
Users frequently use the same password for all accounts on
many systems.
If one account is broken, all other accounts are
subsequently also vulnerable to attack.
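The password rules described above (mixing case, including digits and special characters, not deriving the password from the user ID or from easily guessed names, and forcing periodic changes without cycling back to an old password) can be enforced at the point where a user sets a password. The following is an added illustration written for this lesson, not code from the original slides. The minimum length, the denylist contents, the number of remembered passwords and the PBKDF2 settings are all assumptions made for the example; a real deployment would use a much larger denylist and a dedicated password-hashing library.

```python
import hashlib
import os
import string

# Assumptions for this example (the lesson states no specific values).
MIN_LENGTH = 12
# Constructed denylist of the kinds of easily guessed words the lesson names
# (family and pet names, sports teams, and the word "password" itself).
COMMON_WORDS = ("fluffy", "rover", "lakers", "dodgers",
                "jennifer", "michael", "password")


def check_password(password: str, user_id: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Mix uppercase and lowercase characters."
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("does not mix uppercase and lowercase letters")
    # "Include numbers and special characters in passwords."
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special character")
    lowered = password.lower()
    # Users often reuse their user ID as (part of) the password.
    if user_id and user_id.lower() in lowered:
        problems.append("derived from the user ID")
    # Names of pets, family members, sports teams, etc.
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains easily guessed word '{word}'")
    return problems


def _hash(password: str, salt: bytes) -> str:
    # Salted PBKDF2 so the history never stores passwords in the clear
    # (a production system would use a dedicated library such as bcrypt/argon2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class PasswordHistory:
    """Enforces periodic change without letting users cycle back to recent passwords."""

    def __init__(self, remembered: int = 5):
        self.remembered = remembered
        self._history: dict[str, tuple[bytes, list[str]]] = {}  # user_id -> (salt, hashes)

    def was_used_before(self, user_id: str, password: str) -> bool:
        salt, hashes = self._history.get(user_id, (None, []))
        return salt is not None and _hash(password, salt) in hashes

    def _record(self, user_id: str, password: str) -> None:
        salt, hashes = self._history.setdefault(user_id, (os.urandom(16), []))
        hashes.append(_hash(password, salt))
        del hashes[:-self.remembered]  # keep only the most recent N

    def change_password(self, user_id: str, new_password: str) -> list[str]:
        """Apply the complexity rules plus the reuse rule; record the password only if it passes."""
        problems = check_password(new_password, user_id)
        if self.was_used_before(user_id, new_password):
            problems.append(f"matches one of the last {self.remembered} passwords")
        if not problems:
            self._record(user_id, new_password)
        return problems


if __name__ == "__main__":
    history = PasswordHistory(remembered=2)
    for candidate in ("fluffy123", "jsmith2024!", "Tr0ub4dor&Lantern9"):
        print(candidate, "->", history.change_password("jsmith", candidate) or "accepted")
```

The checks are deliberately reported as a list rather than a single pass/fail so the user is told exactly which rule was broken; the history is keyed per user so that a password rejected for one account is not leaked into another account's decision.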
PINs
Most people have at least one Personal Identification
Number (PIN).
They are associated with things such as their automated
teller machine or a security code to gain physical access to
a room. Users invariably select numbers that are easy to
remember.
Human Attacks
Piggybacking and shoulder surfing
Dumpster diving
Installing unauthorized hardware and software
Access by non-employees
Social engineering
Reverse social engineering
Piggybacking and Shoulder Surfing
Piggybacking is the tactic of closely following a person who
has just used an access card or PIN to gain physical access
to a room or building.
Shoulder surfing is a procedure in which attackers position
themselves in such a way as to be able to observe the
authorized user entering the correct access code.
Dumpster Diving
Attackers need some information before launching an
attack.
A common way to find this information is to go through the
target’s trash.
This process, of going through a target’s trash, is known as
dumpster diving.
Dumpster Diving
If the attackers are fortunate and the target’s security
procedures are very poor, attackers may find userids and
passwords.
Manuals of hardware or software purchased may also
provide a clue as to what vulnerabilities might be present on
the target’s computer systems and networks.
Unauthorized Hardware and Software
Organizations should have a policy to restrict normal users
from installing software and hardware on their systems.
– Communication software and a modem may allow individuals to
connect to their machines at work using a modem from home.
• This creates a backdoor into the network and can circumvent all the
other security mechanisms.
There are numerous small programs that can be
downloaded from the Internet.
• Users cannot always be sure where the software originally came from
and what may be hidden inside.
The actions that received e-mails and their attachments are
allowed to perform can be restricted.
This helps prevent users from executing a hostile program
that was sent as part of a worm or virus.
Access by Non-employees
If an attacker gains access to a facility, there is a good chance of
obtaining enough information to penetrate computer
systems and networks.
– Many organizations require employees to wear identification
badges at work.
– This method is easy to implement and may be a deterrent to
unauthorized individuals.
– It also requires that employees challenge individuals not
wearing identification badges.
Access by Non-employees
One should examine who has legitimate access to a facility.
Non-employees may not have the same regard for the
intellectual property rights of the organization that
employees have.
– Contractors, consultants, and partners may frequently not only
have physical access to the facility but also have network
access.
Nighttime custodial crewmembers and security guards have
unrestricted access to the facility when no one is around.
Social Engineering
Using social engineering, the attacker deceives to:
– Obtain privileged information.
– Convince the target to do something that they normally would
not.
Social Engineering
Social engineering is successful for two reasons.
– The first is the basic human nature to be helpful.
– The second reason is that individuals normally seek to avoid
confrontation and trouble.
Variations
A variation on social engineering uses means other than
direct contact between the target and the attacker.
Insiders may also attempt to gain unauthorized information.
The insider may be more successful.
– They have a level of information regarding the organization.
– They can better spin a story that may be believable to other
employees.
Stanley Mark Rifkin (1978)
In 1978, when Stanley Mark Rifkin stole $10.2 million from
the Security Pacific Bank in Los Angeles:
– He was working as a computer consultant for the bank.
– He learned details on how money could easily be transferred to
accounts anywhere in the United States.
– He transferred the money to another account in Switzerland
under a different name.
The crime might have gone undetected if he had not
boasted of his exploits to an individual.
Reverse Social Engineering
An alternate approach to social engineering is called reverse
social engineering.
Here, the attacker hopes to convince the target to initiate
the contact.
– The attack may be successful because the target initiates the
contact.
– Attackers may not have to convince the target of their
authenticity.
Reverse Social Engineering
Methods of convincing the target to make the initial contact
include:
– Sending out a spoofed e-mail claiming to be from a reputable
source that provides another e-mail address or phone number
to call for “tech support.”
– Posting a notice or creating a bogus Web site for a legitimate
company that also claims to provide “tech support.”
This may be successful in conjunction with the deployment
of new software or a new hardware platform, or when there is a
significant change in the organization itself.
People as a Security Tool
A paradox of social engineering attacks is that people are
not only the biggest problem and security risk, but also the
best tool to defend against these attacks.
Organizations must fight social engineering attacks by
establishing policies and procedures that define roles and
responsibilities for all users and not just security personnel.
Security Awareness
Organizations can counter potential social engineering
attacks by conducting an active security awareness program
for the organization’s security goals and policies.
– The training will vary depending on the organization’s
environment and the level of threat.
Security Awareness
An important element that should be stressed in the training
on social engineering is the type of information that the
organization considers sensitive and that may be the target
of a social engineering attack.
Individual User Responsibilities
Certain responsibilities that should be adopted by all users
include:
– Locking the door to the office or workspace.
– Not leaving sensitive information unprotected inside the car.
– Securing storage media containing sensitive information.
– Shredding paper containing organizational information before
discarding it.
Individual User Responsibilities
Certain responsibilities that should be adopted by all users
include (continued):
– Not divulging sensitive information to unauthorized individuals.
– Not discussing sensitive information with family members.
– Protecting laptops that contain sensitive or important
organization information.
– Being aware of who is around when discussing sensitive
corporate information.
– Enforcing corporate access control procedures.
Individual User Responsibilities
Certain responsibilities that should be adopted by all users
include (continued):
– Being aware of the procedures to report suspected or actual
violations of security policies.
– Enforcing good password security practices, which all
employees should follow.
– Cultivating an environment of trust in the office and an
understanding of the importance of security.