Copyright © 2011 IsecT Ltd.
Securing people
Security awareness seminar for IT professionals
Information Security Awareness
September 2011
Introduction
• Do you use Facebook, MySpace, Flickr, Linked In, Blogger or Twitter?
• Do your colleagues, friends or family use them?
• Do you tend to trust the people you know?
• Are you human?
The risks
Human factors risk-control spectrum (diagram; the risk axis runs from Negligible to Extreme)
Risks shown on the spectrum:
• Minor misunderstandings
• Trivial mistakes
• Serious mistakes
• Casually exploiting vulnerabilities
• Deliberately exploiting vulnerabilities
• Proactively creating & exploiting vulnerabilities
• Social engineering
• Fraud, identity theft
• Blackmail
• Coercion
• Sabotage, criminal damage
• Criminal gangs
• Terrorism
• Cyber warfare
Low-end risk
High-end risk?
“Personal information on as many as 35 million users of a South Korean social network site may have been exposed as the result of what has been described as the country's biggest ever hack attack … Names, phone numbers, email addresses, and other details may have been exposed through the Cyworld hack, which follows previous attacks against South Korean government sites and financial service firms. North Korea has been implicated in some of these hacks. …”
The Register 28th July 2011
Leveraging information
Gather personal information about the victim:
• Search online e.g. Myspace &
• Ask the victim’s friends & colleagues
• Hack the victim’s PC
• Use a virus
Exploit the information, e.g. to commit identity theft
Social engineering
Attack methods & tools:
• Target people
• Lie, persuade, connive, bribe
• Push/threaten or flirt
• Collate and re-use info
• Email, online, phone or visit
• Blend in with locals
• Build rapport, persist
• Malware, APTs
• Dumpster diving
Social engineering
Attack methods & tools:
• Target people
• Lie, persuade, connive, bribe
• Push/threaten or flirt
• Collate and re-use info
• Email, online, phone or visit
• Blend in with locals
• Build rapport, persist
• Malware, APTs
• Dumpster diving
Prevention, detection and correction controls:
• Policies, standards & guidelines
• Physical access controls
• Technical security controls
• Information classification
• Vigilant employees
• Incident reporting & response procedures
• Logging & alerting
• Be “guarded”
• Contingency plans
• Disciplinary & legal action
• Hotline
Social engineering
Security awareness: DART
Dealing with social engineers: DART
• Delay
• Authenticate
• Resist
• Transfer
For general employees and front-line employees
Other controls
Human factors risk-control spectrum (diagram; the axis runs from Negligible to Extreme)
Risks shown on the spectrum:
• Minor misunderstandings
• Trivial mistakes
• Serious mistakes
• Casually exploiting vulnerabilities
• Deliberately exploiting vulnerabilities
• Proactively creating & exploiting vulnerabilities
• Social engineering
• Fraud, identity theft
• Blackmail
• Coercion
• Sabotage, criminal damage
• Criminal gangs
• Terrorism
• Cyber warfare
Controls shown on the spectrum:
• Self-correction
• Ethics, peer pressure, norms
• Codes of conduct
• Security awareness, training & education
• Information security & privacy policies, procedures & guidelines
• Defined security rôles & responsibilities
• Compliance clauses in employment contracts
• Informal compliance activities
• Formal compliance assessments
• Dual control
• Divisions of responsibility
• Human factors engineering
• Information security & privacy laws & regulations
• Surveillance, entrapment
• Red teams
• Black ops
Conclusion
You may believe you are immune to the kinds of attacks we have discussed … but are your colleagues, friends, bosses, family members, suppliers …?
Please help us raise awareness: knowing that we might be attacked, what forms attacks may take, and how to respond (remember DART) are important controls.
Further information
• Speak to colleagues
• Visit the intranet Security Zone
• Contact the Information Security Manager
• Read these books …
Recommended