People. By Jamie Sims, February 13, 2003.


1 People By Jamie Sims February 13, 2003

2 Outline
– Trusting other computers
– Firewall vulnerabilities
– Employees
– Consultants
– Outsiders

3 Trusting Other Computers
– The question is how much each system should trust the other systems it communicates with.
  o Always insist on too much security
  o Even though it might make employees angry, you will be protecting their work

4 Trusting Other Computers
– Some computers contain data so confidential that they should have no connection to the Internet or to the company network

5 Examples of Databases Not to Put on the Network
– Ones that contain:
  o Employee data
  o Patient medical data
  o Financial databases (banking, stock, etc.)
  o Legal cases
  o Customer information (credit cards, passwords)
  o Security information

6 Firewall Vulnerabilities
1. Attacks from within
   a) Someone with access to internal systems initiates an attack
2. End runs and tunneling
   a) An intruder gets past the firewall and “has his way with your systems”
   b) All it takes is someone connecting a modem to his/her desktop system to defeat the firewall

7 Firewall Vulnerabilities
3. Content-based attacks
   a) Malicious attachments
   b) MS Word macros
   c) Evil Web pages
4. Address spoofing attacks
   a) Any decent firewall will detect a packet originating from outside the agency that spoofs the address of an inside machine, and drop it
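The anti-spoofing check in item 4 is easy to state as a rule: a packet that arrives on the outside interface but carries an inside source address cannot be genuine, so it is dropped. The following is an added illustration, not code from the slides or their sources; the interface names, the inside address ranges and the sample packets are all constructed, and the mirror-image egress check (an inside host sending with a non-inside source) goes one step beyond what the slide lists.

```python
# Added example (not from the slides): ingress anti-spoofing check of the kind
# item 4 describes. A packet arriving on the outside interface whose source
# address belongs to an inside network is spoofed and is dropped; the egress
# check is the mirror image. Networks, interface names and packets are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed inside address space for a hypothetical agency network.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    iface: str  # interface the packet arrived on: "outside" or "inside"
    src: str    # source IP address as written in the IP header
    dst: str


def is_inside_address(ip):
    """True if the (parsed) address falls inside one of the inside networks."""
    return any(ip in net for net in INSIDE_NETS)


def filter_packet(pkt):
    """Return ("DROP" or "PASS", reason) for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        # A source that does not even parse is never forwarded.
        return "DROP", "malformed source address"
    if pkt.iface == "outside" and is_inside_address(src):
        return "DROP", "inside source address arriving from outside (spoofed)"
    if pkt.iface == "inside" and not is_inside_address(src):
        return "DROP", "non-inside source leaving via inside interface (egress filter)"
    return "PASS", "source address consistent with arrival interface"


# Constructed traffic sample: two legitimate packets, two spoofed, one malformed.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.7", "10.0.0.25"),    # legitimate inbound
    Packet("outside", "10.0.0.9", "10.0.0.25"),       # spoofed: claims to be inside
    Packet("inside", "192.168.1.40", "203.0.113.7"),  # legitimate outbound
    Packet("inside", "198.51.100.3", "203.0.113.7"),  # spoofed outbound source
    Packet("outside", "not-an-ip", "10.0.0.25"),      # malformed header value
]


def run_filter(packets=SAMPLE_PACKETS):
    """Return (src, iface, verdict) per packet, the shape a firewall log would record."""
    return [(p.src, p.iface, filter_packet(p)[0]) for p in packets]


if __name__ == "__main__":
    for src, iface, verdict in run_filter():
        print(f"{verdict:4} {iface:7} src={src}")
```

The check depends only on which interface the packet arrived on and on the address ranges the firewall knows to be inside; it never trusts anything the packet says about itself, which is the point the slide makes.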

8 Firewall Vulnerabilities
5. DoS attacks
   a) The attacker can flood your firewall with more traffic than it can handle, burying legitimate packets
6. Misplaced server attacks
   a) Vulnerable services should be provided by systems in the DMZ (Web server configs, externally accessible DNS, sendmail)
7. Configuration error attacks
   a) Analyze any changes to the firewall configuration carefully

9 “...the human factor is truly security’s weakest link.” (Kevin D. Mitnick)
The FBI claims that more than 80% of all computer intrusions are from within.

10 Employees
– Hacking tools used by employees within organizations may be the biggest security threat to emerge this year, leading to increased vulnerabilities, lost data, and wasted time and resources
– Websense, the worldwide leader of employee Internet management (EIM) solutions, reports that the number of hacking Web sites has increased 45 percent in the last 12 months, now totaling approximately 6,000 Web sites, encompassing more than 1 million pages of content
– Nearly 90 percent of U.S. businesses and government agencies suffered hacker attacks in the last year, according to Newsbytes, while 80 percent of network security managers claim their biggest security threat comes from their own employees, according to a survey conducted at this year's Gartner Information Security Conference

11 The Social Engineer
– Social engineering is the hacker term for a con game: persuade the other person to do what you want
– Bypasses:
  o Cryptography
  o Computer security
  o Network security
  o Everything else technological

12 Employees
– Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind.
– Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect.
– The only reasonable safeguard in these cases is to enforce and audit procedures verifying identity, including the person’s employment status, prior to disclosing any information to anyone not personally known to be with the company.

13 Employees
– New employees
– Current employees
– Former employees
– Disgruntled employees

14 New Employees
– New employees are ripe targets for attackers
  o Do not know company procedures
  o Eager to show how cooperative and quick to respond they can be, so they will give out any information anyone asks them for!
  o Unaware of the value of specific company information or of the possible results of certain actions
  o Tend to be easily influenced by some of the more common social engineering approaches:
    - a caller who invokes authority
    - a person who seems friendly and likeable
    - a person who appears to know people in the company who are known to the victim
    - a request that the attacker claims is urgent
    - the inference that the victim will gain some kind of favor or recognition

15 New Employees
– Andrea in HR

16 Former Employees
– Need to have ironclad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, etc.
  o Your security procedures need to provide a way to keep track of who has authorization to various systems
– Change passwords for accessing systems (administrator passwords if applicable)
– For companies that need very high security, all employees in the same workgroup as the person leaving must be required to change their passwords

17 Disgruntled/Fired Employees
– Story about an employee who was transferred to a different department within the city offices

18 Policies for All Employees
1. Reporting suspicious calls
   – Employees who suspect that they may be the subject of a security violation must immediately report the event to the company’s incident reporting group
   – When a social engineer fails to convince his or her target, they will try someone else
2. Documenting suspicious calls
   – The employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes
   – Such details can help the incident reporting group spot the object or pattern of an attack

19 Policies for All Employees
3. Disclosure of dial-up numbers
   – Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk
   – Treat dial-up numbers as internal information, only to be given to employees who need to know such information
4. Corporate ID badges
   – Except in their immediate office area, all company personnel, including management and executive staff, must wear badges at all times
   – All employees who arrive at work without their badge should be required to stop at the lobby desk or security office to obtain a temporary badge

20 Policies for All Employees
5. Challenging ID badge violations
   – All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor’s badge
6. Piggybacking
   – Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means to gain entrance into an area
   – A common ploy is carrying boxes so that the worker, to be nice, holds the door open for the intruder

21 Policies for All Employees
7. Shredding sensitive documents
   – Cross-shred sensitive documents and destroy hard drives and disks that contained sensitive information
8. Personal identifiers
   – Never use employee numbers, social security numbers, driver’s license numbers, date and place of birth, or mother’s maiden name for verifying identity
   – These are not secret and can be obtained in numerous ways

22 Policies for All Employees
9. Organizational charts
   – A company’s organization chart details should never be released to anyone outside the company
   – This includes positions, contact numbers, extensions, e-mails
10. Audit access to sensitive files, like payroll files, unless the employee is allowed to have access to these files for job reasons
   – Employees have been known to write a program that gives them a raise every few months
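Item 10 is a detection task: keep a record of who touches payroll files and review it against who is allowed to. The script below is an added illustration, not code from the slides or their sources. It reads constructed access-log lines, raises an alert for any access to a sensitive path by a user outside the authorized set, marks writes by authorized users for periodic review (the “program that gives me a raise” story is a write to payroll data), and treats lines it cannot parse as alerts too. The log format, paths, user names and authorization table are all constructed.

```python
# Added example (not from the slides): audit-log review of the kind item 10 calls
# for. Log format, file paths, user names and the authorization table are constructed.
import re
from collections import Counter

# Constructed log format: "<timestamp> user=<name> action=<read|write|delete> file=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>read|write|delete) file=(?P<file>\S+)$"
)

# Sensitive path prefix -> users allowed to touch files under it (constructed).
AUTHORIZED = {
    "/finance/payroll/": {"alice", "payroll-svc"},
    "/hr/records/": {"andrea"},
}


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Return a list of alerts as (severity, user, action, file) tuples."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A line the parser cannot read is itself worth a look: log tampering
            # and a silent format change both show up here first.
            alerts.append(("UNPARSED", None, None, line.strip()))
            continue
        for prefix, allowed in AUTHORIZED.items():
            if not rec["file"].startswith(prefix):
                continue
            if rec["user"] not in allowed:
                alerts.append(("UNAUTHORIZED_ACCESS", rec["user"], rec["action"], rec["file"]))
            elif rec["action"] in ("write", "delete"):
                # Authorized, but a change to payroll data still gets a human review.
                alerts.append(("REVIEW_WRITE", rec["user"], rec["action"], rec["file"]))
    return alerts


def unauthorized_by_user(alerts):
    """Count unauthorized accesses per user, so the repeat offender stands out."""
    return Counter(a[1] for a in alerts if a[0] == "UNAUTHORIZED_ACCESS")


# Constructed sample log: one clean read, two unauthorized touches by "bob",
# an unrelated engineering file, a service-account write, and a corrupted entry.
SAMPLE_LOG = [
    "2003-02-13T09:12:01 user=alice action=read file=/finance/payroll/2003q1.csv",
    "2003-02-13T09:15:42 user=bob action=read file=/finance/payroll/2003q1.csv",
    "2003-02-13T09:20:10 user=bob action=write file=/finance/payroll/2003q1.csv",
    "2003-02-13T09:21:00 user=carol action=read file=/eng/designs/widget.dwg",
    "2003-02-13T09:30:00 user=payroll-svc action=write file=/finance/payroll/2003q1.csv",
    "corrupted entry ###",
]

if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("unauthorized per user:", dict(unauthorized_by_user(found)))
```

Run as written, the sample produces two unauthorized alerts for bob, one review item for the service account's write, and one unparsed-line alert; alice's read, which her job allows, produces nothing.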

23 Malicious Insiders
– A dangerous and insidious adversary
– Can be impossible to stop because they’re the same people we’re forced to trust
– Know how the system works and where the weak points are

24 Consultants
– Insiders are not always employees; they can be consultants
– Consultants have access to sensitive information and are trusted by the company’s employees, so they could easily attack a system
– Stanley Mark Rifkin story

25 Outsiders
– Someone who does not have security clearance to access information
– The “unverified” person

26 What to Do When Confronted by an Outsider
1. Verify that the person is who he or she claims to be
2. Callback
3. Vouching
4. Shared secret
5. Employee’s supervisor
6. Secure e-mail
7. Personal voice recognition
8. Dynamic password verification
9. In person with ID
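Three of the checks listed above (callback, shared secret, dynamic password) can be mechanized so that the person taking the call never has to improvise. The code below is an added illustration, not code from the slides or from Mitnick's book. The callback number and the employment status come from a directory of record, never from the caller; the shared secret is compared in constant time against a stored hash; and the dynamic password is an RFC 4226 HOTP code, which is one well-known way to realize the slide's “dynamic password verification” (the slide does not name a particular scheme). The directory, the secrets and the caller's claims are all constructed.

```python
# Added example (not from the slides): identity checks for a caller who asks for
# information -- callback to a number of record, shared secret, and a one-time
# (dynamic) password. Directory entries, secrets and caller claims are constructed;
# HOTP (RFC 4226) is used here as one concrete form of dynamic password.
import hashlib
import hmac
import struct

# Constructed employee directory. The extension and status come from here, never
# from whatever the caller says on the phone.
DIRECTORY = {
    "jsims": {"name": "Jamie Sims", "extension": "4471", "status": "active",
              "secret_hash": hashlib.sha256(b"blue-falcon-2003").hexdigest(),
              "otp_key": b"12345678901234567890"},
    "rmoore": {"name": "Rita Moore", "extension": "4482", "status": "former",
               "secret_hash": hashlib.sha256(b"old-secret").hexdigest(),
               "otp_key": b"constructed-key-for-former-employee"},
}


def callback_number(user_id):
    """Extension of record to call back, or None if the person is not an active employee."""
    entry = DIRECTORY.get(user_id)
    if entry is None or entry["status"] != "active":
        return None
    return entry["extension"]


def verify_shared_secret(user_id, offered):
    """Constant-time comparison of the offered secret against the stored hash."""
    entry = DIRECTORY.get(user_id)
    if entry is None:
        return False
    offered_hash = hashlib.sha256(offered.encode()).hexdigest()
    return hmac.compare_digest(offered_hash, entry["secret_hash"])


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_dynamic_password(user_id, offered_code, counter):
    """Check a one-time code for an active employee at the given counter value."""
    entry = DIRECTORY.get(user_id)
    if entry is None or entry["status"] != "active":
        return False
    return hmac.compare_digest(hotp(entry["otp_key"], counter), offered_code)


def verify_caller(claim, counter):
    """Combine the three checks for one call.

    claim holds user_id, shared_secret, otp_code and the number the caller *offers*;
    the offered number is deliberately ignored in favour of the directory entry.
    """
    user_id = claim["user_id"]
    result = {
        "callback_to": callback_number(user_id),
        "shared_secret_ok": verify_shared_secret(user_id, claim.get("shared_secret", "")),
        "otp_ok": verify_dynamic_password(user_id, claim.get("otp_code", ""), counter),
        "caller_supplied_number_used": False,
    }
    result["verified"] = (result["callback_to"] is not None
                          and result["shared_secret_ok"] and result["otp_ok"])
    return result


if __name__ == "__main__":
    # Constructed call: the caller claims to be jsims and offers a number to be reached on.
    claim = {"user_id": "jsims", "shared_secret": "blue-falcon-2003",
             "otp_code": hotp(DIRECTORY["jsims"]["otp_key"], 5),
             "offered_number": "555-0100"}
    print(verify_caller(claim, 5))
```

A former employee fails every branch even with a correct secret, which is the “including the person's employment status” requirement from slide 12; and because the callback always goes to the extension of record, a caller who offers a convenient number to be reached on gains nothing from it.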

27 Outsiders
– Michael Parker figured out that people with college degrees got better paying jobs….

28 References
– Mitnick, K. D. & Simon, W. L. The Art of Deception: Controlling the Human Element of Security. Wiley Publishing, Inc., Indianapolis, IN.
– Schneier, B. Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Inc., New York, NY.
– Toxen, B. Real World Linux Security, 2nd Ed. Pearson Education, Upper Saddle River, New Jersey.