Chapter 4
Can technology alone provide the best security for your organization?
Your organization can have the best and the latest technology to provide security. But if that technology is not used properly, or is ignored, then your organization is at risk. The biggest threat to your organization comes from internal sources. People (employees, custodians, consultants, etc.) are the biggest threat to an organization’s security.
Users often pick something easy for them to remember, which means that the more you know about a user, the better your chances of discovering their password.
Password Dilemma – The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember, and the more likely they are to write them down.
Piggybacking – is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or a building.
Shoulder Surfing – is a similar procedure in which attackers position themselves in such a way as to be able to observe the authorized user entering the correct access code.
Dumpster Diving – is the process of going through (searching) the target’s trash cans/bins in order to find little bits of information that could be useful for a potential attack.
System administrators should restrict normal users from installing unnecessary hardware and software. Software such as communication tools (messengers and VoIP clients) and games should not be installed on your computer without the knowledge of the system administrator.
When a normal user installs unauthorized software or hardware, they are effectively setting up a backdoor. Backdoor – an avenue that can be used to access a system while circumventing normal security mechanisms.
If an unauthorized person can gain physical access to a facility, chances are very good that enough information has been collected to plan a potential attack or carry out some unlawful activity. A common method used to prevent unauthorized access is the identification badge/card (ID card). Problems with identification badges:
◦ Easy to forge
◦ Often neglected or ignored
How do you prevent genuine employees from planning an attack or collecting sensitive information? Examples:
◦ Consultants
◦ Business partners
◦ Janitorial and security staff
Social Engineering – is a technique in which the attacker uses various deceptive practices to obtain information they would normally not be privy to, or to convince the target of the attack to do something they normally wouldn't.
(Diagram: Attacker → Target. The attacker contacts the target.)
Reverse Social Engineering – in this technique, the attacker hopes to convince the target to initiate the contact.
(Diagram: Target → Attacker. The target contacts the attacker.)
Social engineering and reverse social engineering are very common when the organization is going through significant changes, for example:
◦ Deployment of new software and hardware
◦ When two companies merge
Employees can be the biggest threat to an organization’s security, but they can also be the best tool in defending against social engineering, reverse social engineering, and other security breaches and break-ins. An organization can implement stringent policies and procedures that establish the roles and responsibilities of all employees within the organization.
Providing periodic security awareness and training programs to all employees is the single most important step an organization can take to protect against attacks, especially social engineering and reverse social engineering. Employees should understand the value of information and should know what kind of information is sensitive to their organization.