Keeping Personal Information Personal – Defeating Social Networking Attacks Presented By: Ian Trump

DEFINITIONS

“Social engineering” is a new term for a very old profession (the second oldest in the world):

• Governments call social engineers spies, or intelligence operatives
• Spies and intelligence operatives conduct espionage
• Counter-intelligence prevents espionage

ASSUMPTIONS

Our personal information in today's world is frequently linked to our business information:

• Passwords used at home are frequently reused at work
• Social networking is a valuable business tool
• Personal information can be leveraged
• Work and home computers are interchangeable

SOCIAL ENGINEERS

The con artists of the electronic age, social engineers will play any game to get their hands on:

• Passwords that provide access to networks
• Identities that get them into restricted facilities
• Hard copies of sensitive data

OBJECTIVES

At the end of this session, you will know:

• Why social engineers target employees
• How to recognize when you are being ‘conned’
• How to deflect a social engineer

OBJECTIVES

At the end of this session you will also know how a security program can help you safeguard your personnel and business IT resources through:

• Policies, standards, guidelines and best practices
• Threat risk assessments
• A security awareness program
• Other information security professionals

A NEW BREED OF COMPUTER CRIMINAL

Social engineers are known to use non-technical tactics to gather information about:

• The organization
• Its projects and products
• Its people
• You and your position in the organization

YOU ARE THE WEAKEST LINK!

Social engineers prey upon the human desire to be helpful and to trust those around us.

• Follow your instincts and err on the side of caution
• Educate yourself and use common sense
• Don’t be paranoid
• Threat intelligence and risk assessments are extremely effective in defeating social engineering attacks

WHAT MAKES US SO VULNERABLE?

• Desires

• Beliefs

• Perceptions

• Behaviors


RECOGNIZE THE SIGNS

Social engineers study the human psyche to develop effective manipulation tactics:

• Diffusing responsibility
• Ingratiation
• Building false trust
• Appealing to strong morals

IT’S A FAKE

WHAT ARE THEY AFTER?

Anything that might be valuable to cyber criminals or other organizations, or that could be used for blackmail:

• Research secrets
• Project schedules
• Collaborator lists
• Financial, legal, and licensing information
• Personal and system information

HOW DO THEY GET IT?

Collecting corporate knowledge is usually the first step:

• Ply employees for information
• Pose as a consultant or technician
• Apply for work inside the organization
• Apply for work with a third-party collaborator
• Social networking and Internet research

HOW DO THEY GET IT?

Once inside, social engineers will hand-pick information…literally:

• Searching file cabinets and grabbing paper files from desks
• Staking out printers, fax machines, and photocopiers
• Collecting the garbage, especially the contents of shredding bins

HOW DO THEY GET IT?

• Smart phones, USB sticks, keys, car GPS
• Tapping telephones and video conference rooms
• Taking advantage of open workstations
• Hacking systems, installing malware, installing rogue wireless devices and USB stick modems
• Stealing laptops and backup tapes/hard drives

BEHAVIOUR MODIFICATION

Keeping private information where it belongs is everyone’s responsibility:

• Buy time
• Verify identity and authority
• Respect restrictions
• Handle hard copies with care

BEHAVIOUR MODIFICATION

Commit yourself to using the tools already in place:

• Follow your organization’s security program
• Identify the computer support people
• Create a security alert system
• Subscribe to IT security newsletters/RSS feeds

BE CONSISTENT—EVEN WITH COLLEAGUES

Up to 80% of attacks are carried out by insiders:*

• Exercise caution
• Cross-check staff lists
• Verify ‘need to know’
• Be aware of unauthorized activity

*The Computer Security Institute, San Francisco

FINDING THE WEAK SPOT

Identify possible leaks before the dam breaks:

• Physical security
• IT security
• Personal safety
• Control access to secure areas
• Meet your co-workers
• Pick up the phone

JOIN THE SECURITY TEAM

Every employee is part of the IT security team.

• No technical knowledge required
• Must have an eye for detail
• Must be willing to play an active role
• Will keep your personal life secure as well

IT SECURITY IS HERE TO HELP

Being the target of an attack, personally or professionally, is daunting to say the least:

• Seek expert advice
• Tell your story
• Talk to the police
• Reduce your online presence
• Be mindful of your physical security, especially if an electronic attack is thwarted
• Keep your home and work computers up to date

WHAT IT SECURITY DOES

IT security professionals should be the central point of contact for all IT security matters and usually hold responsibility for:

• Certification, accreditation and risk management
• Security policy and procedures
• Verification and review
• Problem management
• IT security awareness, education, and training

FOOD FOR THOUGHT

• What is already known about you on the Internet?
• What information is useful for identity theft?
• What is your personal risk or professional liability?
• Is the nature of your work, your partner’s work or your children’s activities sensitive?
• What information needs to be on the Internet?

WHERE DOES INFORMATION LIVE?

• Everywhere; how easy it is to find depends on several factors.
• Social networking sites give context to the information, making it easier to identify you.
• Social networking sites make it easy for an attacker to gain your trust (LinkedIn and Facebook spam).
• Social networking sites are a “one-stop shop” for a complete collection of information about you.

BE INFORMED

• Facebook is the number one social networking site. Facebook is an all-purpose, come-as-you-are social medium.
• LinkedIn is a social networking platform specifically targeting the business community.
• Search engines like Google, Pipl, archive.org and many others can point to data about you.
• Social networking sites make it easy to find data about you.

BE AWARE OF THE TOOLS

• Identity thieves and intelligence operators have sophisticated data mining and analytical software tools (i2, Facebook Visualizer).
• Your relationships can be identified and used to confirm your activities and associations.
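The slide above describes what link-analysis tools do without showing it. The following is an added example, not part of Ian Trump's deck and not the output of i2 or Facebook Visualizer: it runs the same basic technique (identity resolution on shared identifiers, then relationship mapping) over a small set of constructed, fictional profile fragments. Every record, handle, e-mail address and phone number in it is made up for the demonstration. The point it makes is the one the later safety slides rely on: fragments that are individually harmless (a birthday without a year, a year buried in a handle, a phone listing, an "away for the week" post) merge into a full birth date, a street address that is known to be empty, and a map of who you know.

```python
"""Added example (not from the deck): link analysis over constructed profile data."""
import re
from collections import defaultdict

# Constructed, fictional profile fragments. 'site' is where the fragment was
# found; everything else is an attribute an attacker could read off the page.
PROFILES = [
    {"site": "work-directory", "name": "A. Example", "email": "a.example@corp.example",
     "role": "Payroll analyst"},
    {"site": "social-1", "handle": "aex_1984", "email": "a.example@corp.example",
     "birthday": "12 March", "friends": ["bex_mom", "cex_dev"]},
    {"site": "social-2", "handle": "aex_1984", "phone": "+1-555-0100",
     "post": "Off to the lake all week, house to ourselves!"},
    {"site": "forum", "handle": "cex_dev", "email": "c@personal.example",
     "employer": "Corp Example"},
    {"site": "social-1", "handle": "bex_mom", "post": "Happy 8th birthday Sam!"},
    {"site": "phone-listing", "phone": "+1-555-0100", "name": "A. Example",
     "address": "14 Elm St"},
]

# Attributes that are specific enough to tie two fragments to one person.
LINK_KEYS = ("email", "handle", "phone")

# Phrases that signal the author is away from home (hypothetical word list).
AWAY_PATTERNS = re.compile(r"\b(off to|away|on holiday|vacation|all week|out of town)\b", re.I)
# A four-digit year embedded in a handle such as "aex_1984" ('_' is a word
# character, so lookarounds are used instead of \b).
YEAR_IN_HANDLE = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")
CHILD_BIRTHDAY = re.compile(r"\b\d+(st|nd|rd|th) birthday\b", re.I)


class DisjointSet:
    """Union-find: fragments sharing an identifier end up in one set."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_profiles(profiles, keys=LINK_KEYS):
    """Group fragment indices into clusters, one per presumed person."""
    ds = DisjointSet(len(profiles))
    first_seen = {}  # (key, value) -> first fragment index carrying it
    for i, p in enumerate(profiles):
        for k in keys:
            if k in p:
                tag = (k, p[k].lower())
                if tag in first_seen:
                    ds.union(first_seen[tag], i)
                else:
                    first_seen[tag] = i
    groups = defaultdict(list)
    for i in range(len(profiles)):
        groups[ds.find(i)].append(i)
    return sorted(groups.values())


def merge_cluster(profiles, cluster):
    """Collect every attribute value seen across one person's fragments."""
    merged = defaultdict(set)
    for i in cluster:
        for k, v in profiles[i].items():
            merged[k].update(v if k == "friends" else [v])
    return merged


def inferred_birth_date(merged):
    """Day/month from one profile + year leaked by a handle = full birth date."""
    years = {y for h in merged.get("handle", ()) for y in YEAR_IN_HANDLE.findall(h)}
    days = merged.get("birthday", set())
    if len(years) == 1 and len(days) == 1:
        return f"{next(iter(days))} {next(iter(years))}"
    return None


def exposure_report(profiles):
    """Per person: which sites contributed, what was inferred, who they know."""
    clusters = link_profiles(profiles)
    handle_to_cluster = {}
    for c, idxs in enumerate(clusters):
        for h in merge_cluster(profiles, idxs).get("handle", ()):
            handle_to_cluster[h.lower()] = c
    report = []
    for c, idxs in enumerate(clusters):
        m = merge_cluster(profiles, idxs)
        posts = m.get("post", ())
        warnings = []
        bd = inferred_birth_date(m)
        if bd:
            warnings.append(f"full birth date inferable: {bd}")
        if m.get("address") and any(AWAY_PATTERNS.search(p) for p in posts):
            warnings.append("away-from-home post linked to a street address")
        if any(CHILD_BIRTHDAY.search(p) for p in posts):
            warnings.append("child's age and birthday posted")
        associates = sorted({handle_to_cluster[f.lower()] for f in m.get("friends", ())
                             if f.lower() in handle_to_cluster})
        report.append({"cluster": c, "fragments": len(idxs), "sites": sorted(m["site"]),
                       "warnings": warnings, "associates": associates})
    return report


if __name__ == "__main__":
    for row in exposure_report(PROFILES):
        print(row)
```

Run as-is, the report links four of the six fragments (work directory, two social profiles and a phone listing) into one person, reconstructs a full birth date the person never posted in one place, pairs an "away all week" post with a street address, and names two other clusters as associates, one of whom works for the same employer. Swapping the constructed records for an export of your own public profiles is the cheapest answer to the deck's question "what is already known about you on the Internet?".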

PERSONAL RISK

• Your personal circumstances should inform your decisions about what to put on a social networking site (divorce, separation, litigation, etc.).
• Anything posted by you or anyone else can be obtained by a court.
• However, it is also necessary to be able to communicate and form personal or business relationships.

SAFETY FIRST

• Do not display your full birth date.
• Do not post a child's name.
• Do not mention being away from home.
• Restrict searches for your information.
• Do not permit youngsters to use social networks unsupervised.
• Think about whom you are allowing to become your online friend.

MORE SAFETY

• Make sure you have an up-to-date web browser and comprehensive security software on your computer.
• Adjust your privacy settings to help protect your identity.
• Set and review your privacy settings regularly.
• Make only a cut-down version of your profile visible to everyone.

STILL MORE SAFETY

• Disable options first, then re-enable them one at a time.
• Join groups and networks cautiously.
• Understand what happens to your data when you quit the site.

But I am LinkedIn!

LINKEDIN CAUTIONS

• Remove phone numbers and specific address information.
• Understand the business-oriented audience of LinkedIn.
• Recommendations can haunt you.
• Be honest on your professional profile.
• Beware of the reference check tool.

FINAL THOUGHTS

• Protection of your personal information is your responsibility.
• All bets are off if you are subject to a criminal or civil court investigation.
• If you are unsure, talk to a professional or review the FAQs on the social networking sites.
• Keep in mind that the act of posting information makes you potentially liable for its accuracy.

LEARN MORE ABOUT IT!

Additional information about dealing with social engineers is available from a variety of sources:

• ‘Social Engineering Simulation’ www.nwfusion.com/newsletters/sec/2000/00292157.html?nf
• The Human Firewall www.humanfirewall.org/
• SecurityFocus Online www.securityfocus.com/infocus/1527

LEARN MORE ABOUT IT!

Additional tutorials on topics such as the following will also benefit organizational and personal security:

• Copyright and computer piracy
• E-mail security and spam
• Laptop security
• Peer-to-peer security
• Web surfing and privacy

QUESTIONS?

Thank You
