
Social Engineering Jero-Jewo

Case study

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.

As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites. Integrity and availability are important considerations for Duo when processing requests for changes.

Case Study
- There is currently a communication process in place to receive and manage requests
- 99% of requests come from known contacts
- How should we handle requests from contacts that are not known?

Real World
- A new request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday
- The contact explains that there is an immediate need to publish critical information about a recall on their site and that they have hired a designer to make the updates
- This contact is not known to Duo
- Need to question the identity of the requester
- Need to question the authenticity of the request

Urgency (a recall), weekend timing, and a request for broad access (FTP to the server rather than a specific content change) are the hallmarks of a pretexting attempt, whether or not this particular request is genuine.

What's missing?
- We do not have a policy or process in place to confirm the identity of contacts making requests
- We do not have a list of authorized contacts
- There is a service level agreement in place for managed hosting, but nothing is defined about emergency requests from clients that do not have a services support contract in place

Proposed Solution
- We need a policy to address unknown and unauthorized customer contacts
- The delivery stages of this policy must include planning, design, implementation, rollout, and operation

Proposed Solution (Continued)
The policy must be integrated into our business and it must address the following:
- People: a team must address the planning, design, implementation, rollout and operation
- Technology: the proper technology must be in place to implement the policy (e.g. a ticketing system, electronic approval of users, escalation)
- Process: there must be a living process that handles such incidents and ensures enforcement of the policy
- Business value: establishing this policy protects both the customer and Duo, legally and in terms of availability
- IT Strategy: the four pillars of security must be addressed: authenticity, confidentiality, integrity and availability

People
Duo understands the need to assemble a team to develop the policy through the following stages:
- Planning: the team establishes the strategy, an initial estimate of the effort, a release plan for delivery, a preliminary risk assessment, the policy's organization, and leadership
- Design: the team ensures that the policy meets its intended goals. Feasibility is addressed here, as well as estimates of implementation time and effort
- Implementation: the team ensures the policy is tested and approved, obtains management approval, and re-assesses risk
- Test: all aspects of the policy are tested, including process, sign-offs and technology
- Rollout: before rollout the team ensures that all training and legal aspects are covered
- Operate: the policy is reviewed periodically to ensure it remains enforceable and effective

Technology
- The policy has a technology aspect which ensures that there is an electronic list of authorized contacts
- Privileges will be honored according to each contact's level: content contributor or publisher
- Employee access will be via a portal

Technology (Continued)
Create a system of record for authorized contacts (SalesForce.com):
- Contains the customer database with privilege levels
- Granular control of access
- Change/version control and user logs

Process
A process ensures the policy is working for Duo, i.e. that it is:
- Usable
- Enforceable
- Effective
- Legal

Business Value
What's in it for Duo?
- Prevention of unauthorized work
- The policy provides legal protection from liability lawsuits arising from:
  - Unauthorized changes
  - Inaccurate content
  - Site downtime
  - Leakage of information

Business Value (Continued)
What's in it for Duo's customers? The four pillars:
- Integrity
- Authenticity
- High availability
- Confidentiality

IT Strategy
- Integrity and availability were cited as the top concerns for this particular problem
- However, Duo must address all four cornerstones of security: availability, integrity, confidentiality and authenticity

Policy Contents
Authenticity: Who is authorized to make requests? How do we determine that the request is legitimate? Is the person making the request authorized to perform the operation requested?
- Develop and maintain a list of authorized contacts
- Designate one or more authoritative contacts and require them to approve all requests
- Maintain a secret pass phrase to authenticate users who make requests

A pass phrase only authenticates a requester if it was issued to that contact in advance over a channel separate from the request itself; a phrase that Duo staff would read back, or accept in a reply to an unsolicited e-mail, proves nothing.

Policy Contents (Continued)
Integrity
- Integrity is maintained by only performing operations that are assigned to authorized, authenticated contacts
- Each contact will have specific operations defined
Confidentiality
- Establish the appropriate level of confidentiality for each request based upon client input
Availability
- Ensure that client contact communication information is available and up to date
- Enforce the policies regarding authentication, integrity, confidentiality and availability
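The authenticity controls (authorized-contact list, authoritative approver, pass phrase) and the integrity control (each contact limited to defined operations) from the two Policy Contents slides, put together as one request-validation check. This is an added example, not Duo's system or code: the client, contacts, roles, operations and pass phrases are constructed, and the role-to-operation mapping and the approved_by field (the authoritative contact's sign-off recorded in the ticket) are assumptions. Pass phrases are stored only as salted hashes and compared in constant time. The Setton Farms weekend request from an unknown designer lands in the escalate branch rather than being acted on, which is what the policy asks for: an unknown contact is routed to an authoritative contact, not served.

```python
"""Request validation for the authorized-contacts policy (added example).

Constructed data throughout: contacts, client, pass phrases and the
role -> operations mapping are assumptions for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACCEPT, ESCALATE, REJECT = "accept", "escalate", "reject"

# Assumed privilege levels: which operations each role may request.
ROLE_OPERATIONS = {
    "contributor": frozenset({"edit_content"}),
    "publisher": frozenset({"edit_content", "publish_content"}),
    "approver": frozenset({"edit_content", "publish_content", "grant_ftp_access"}),
}


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # The system of record keeps only a salted PBKDF2 hash, never the phrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


@dataclass(frozen=True)
class Contact:
    email: str
    client: str
    role: str
    salt: bytes
    passphrase_hash: bytes

    def may(self, operation: str) -> bool:
        return operation in ROLE_OPERATIONS[self.role]


def register(email: str, client: str, role: str, passphrase: str) -> Contact:
    salt = os.urandom(16)
    return Contact(email.lower(), client, role, salt, _hash_passphrase(passphrase, salt))


# Constructed system of record (in practice the CRM / ticketing system).
CONTACTS: Dict[str, Contact] = {c.email: c for c in [
    register("jane@settonfarms.example", "Setton Farms", "contributor", "orchard-gate-41"),
    register("tom@settonfarms.example", "Setton Farms", "publisher", "harvest-moon-88"),
    register("ops@settonfarms.example", "Setton Farms", "approver", "silo-seven-12"),
]}


@dataclass(frozen=True)
class ChangeRequest:
    requester: str
    client: str
    operation: str
    passphrase: str
    approved_by: Optional[str] = None  # authoritative contact who signed off in the ticket


def evaluate(req: ChangeRequest) -> Tuple[str, str]:
    """Apply the policy in order: authenticity, then authorization, then approval."""
    contact = CONTACTS.get(req.requester.lower())
    if contact is None or contact.client != req.client:
        # Unknown contact for this client: open a ticket and escalate, do not act.
        return ESCALATE, "requester is not an authorized contact for this client"
    # Constant-time compare so a wrong phrase is not distinguishable by timing.
    presented = _hash_passphrase(req.passphrase, contact.salt)
    if not hmac.compare_digest(presented, contact.passphrase_hash):
        return REJECT, "pass phrase does not match the contact on record"
    if not contact.may(req.operation):
        return REJECT, f"{contact.role} is not assigned the operation {req.operation!r}"
    approver = CONTACTS.get((req.approved_by or "").lower())
    if approver is None or approver.client != req.client or approver.role != "approver":
        return ESCALATE, "no sign-off from an authoritative contact for this client"
    return ACCEPT, "authenticated, authorized for the operation, and approved"


if __name__ == "__main__":
    # The case-study request: unknown designer, Saturday, FTP access for a recall.
    weekend = ChangeRequest("designer@example.net", "Setton Farms", "grant_ftp_access", "recall-now")
    print(evaluate(weekend))
```

The order of checks matters: identity is established before the pass phrase is even compared, so an unknown caller never learns whether a guessed phrase was right, and the approver check is separate from the requester's own privilege so that a publisher cannot self-approve.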

Questions? Thank you!