1 IT Architecture and Security: Social Engineering, Architecture Patterns

2 Last week Last week we covered – Risk Analysis

3 Agenda This week we cover – Part 1 Social Engineering (mini) – Part 2 Architecture Patterns (mini)

4 Definition “Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.” (SANS) Social engineering preys on qualities of human nature: – The desire to be helpful – The tendency to trust people – The fear of getting into trouble

5 Why Social Engineering? Easier than technical hacking Hard to detect and track

6 The Mind of a Social Engineer More like actors than hackers Learn to know how people feel by observing their actions – Can alter these feelings by changing what they say and do – Make the victim want to give them the information they need

7 Physical Cycle of Social Engineering Research (dumpster diving, et al.) Developing rapport and trust Exploiting trust Using the information (Mitnick, 2002)

8 Social Engineering Aspects Appeal to vanity Appeal to authority Eavesdropping Prey on natural helpfulness Manipulate lack of awareness of value of info

9 Approaches Carelessness Comfort Zone Helpfulness Fear

10 Careless Approach Victim is careless – Does not implement, use, or enforce proper countermeasures Used for reconnaissance – Looking for what is lying around

11 Careless Examples Dumpster Diving/Trashing – Huge amount of information in the trash – Most of it does not seem to be a threat – The who, what and where of an organization – Knowledge of internal systems – Materials for greater authenticity – Intelligence agencies have done this for years

12 Careless Examples (cont.) Building/Password Theft – Requires physical access – Looking for passwords or other information left out in the open – Yields little more information than dumpster diving

13 Careless Examples (cont.) Password Harvesting – Internet or mail-in sweepstakes – Based on the belief that people reuse the same password across different accounts

14 Comfort Zone Approach Victim organization members are in a comfortable environment – Lower threat perception Usually requires the use of another approach

15 Comfort Zone Examples Impersonation – Could be anyone: tech support, co-worker, boss, CEO, user, maintenance staff – Generally two goals: asking for a password; building access (see the Careless Approach)

16 Comfort Examples (cont.) Shoulder Surfing Direct Theft – Outside the workplace – Wallet, ID badge, or purse stolen Smoking Zone – Attacker will sit out in the smoking area – Piggybacks into the office when users go back to work

17 Comfort Examples (cont.) Insider Threats – Legitimate employee – Could sell or use data found by “accident” – Result of poor access control – Asking IT staff for favors to obtain information – Usually spread out over a long period of time

18 Helpful Approach People generally try to help even if they do not know who they are helping Usually involves being in a position of obvious need The attacker generally does not even ask for the help they receive

19 Helpful Examples Piggybacking – Attacker trails an employee entering the building – More effective: carrying something large so that employees hold the door open; entering when a large group of employees is going in – Pretending to be unable to find the door key

20 Helpful Examples (cont.) Troubled user – Calling organization numbers asking for help – Getting a username and asking to have a password reset

21 Fear Approach Usually draws from the other approaches Puts the user in a state of fear and anxiety Very aggressive

22 Fear Examples Conformity – The user is told they are the only one who has not helped the attacker with this request in the past – Personal responsibility is diffused – The user gets a justification for granting the attacker’s request

23 Fear Examples (cont.) Time Frame – Fictitious deadline – Impersonates a payroll bookkeeper or proposal coordinator – Asks for a password change

24 Fear Examples (cont.) Importance – Classic: a boss or director needs a routine password reset – Showing up from a utility company after a natural event (thunderstorm, tornado, etc.)

25 Advanced Attacks Offering a Service – Attacker contacts the user – Uses viruses, worms, or trojans – User could be approached at home or at work – Once the system is infected, the attacker collects the needed information

26 Advanced Attacks (cont.) Reverse Social Engineering – The attacker puts themselves in a position of authority – Users ask the attacker for help and information – The attacker takes that information and asks for what they need while fixing the problem for the user

27 Factors Making Companies Vulnerable Large number of employees Multiple facilities Information on employee whereabouts left in voice mail messages Phone extension information made available Lack of security training Lack of a data classification system No incident reporting/response plan

28 Common Targets of Attacks in a Company Unaware of information value: receptionist Special privileges: helpdesk, tech support Specific departments: accounting, HR

29 TheBroken Episode

30 Architecture Patterns EA patterns: proven architecture blueprints for a well-defined type of enterprise. Should reference: – Name of the pattern – Definition of a typical enterprise that matches the pattern – Forces that could influence the match between the pattern and the enterprise – Blueprints of architectures – Relations to other patterns – Known uses of the pattern

31 Architecture Patterns Business Process Blueprints Information and Data Blueprints Application Design Blueprints IT infrastructure Blueprints

32 Business Process Blueprints Adapt to best-practice business processes – Industry-specific best practices – Example: SAP; SAP Best Practices cover well-proven industry-specific business processes

33 Example: SAP Building Block Principle (Figure: Layer 0 Building Blocks, Layer 1 Building Blocks, Layer 1 Scenarios) Building Blocks… – are the technical methodology for SAP Best Practices development and delivery – provide SAP Best Practices users with small, flexible, and transparent pieces of functionality, for example a specific scenario that can be implemented like an add-on to an existing solution – foster interoperability and reusability by providing the necessary guidelines and tools to enable content developers to create Building Blocks that follow a common structure

34 Example: SAP Building Block Principle To set up an SAP Best Practices scenario, you have to install a number of Building Blocks in a predefined sequence This sequence is documented in the SAP Best Practices “Installation Quick Guide”

35 Building Blocks SAP BP Baseline Package (1)

36 Building Blocks SAP BP Baseline Package (2)

37 Information and Data Blueprints Adapt to common semantics and metadata – Industry-specific common metadata – Example: ACORD Standards allow different companies to transact business electronically with agents, brokers and other data partners in the insurance, reinsurance and related financial services industries. They serve as a common communication method for use by multiple parties, thereby increasing the efficiency of the entire industry. – Example: ACORD develops and maintains data standards for the following segments of the insurance industry: Life & Annuity; Property & Casualty/Surety; Reinsurance – Other examples: OIOXML

38 Application Architecture Blueprints Service-Oriented Architecture, as discussed earlier

39 Infrastructure Blueprints Adapt to common infrastructure blueprints – Common reference infrastructure blueprints – Example: Microsoft Windows Server System Reference Architecture, including network architecture, storage architecture, application infrastructure architecture, management architecture, and security architecture

40 Architecture Anti-Patterns
– 30,000 feet and climbing: The enterprise architecture is so high-level that it is of limited or no practical use to application teams.
– Bleeding Edge: The architects are constantly trying out new technologies and techniques before they are mature or stable enough to deploy effectively.
– Brain Trust Parking Lot: Your enterprise architect group is composed of a lot of very smart people who don't fit in well anywhere else within IT, but you don't want to lose their knowledge.
– Buzzword-Driven Architecture: Your enterprise architecture depicts an amalgam of technologies, many of which were added into the model when someone read about a "really cool" new technology.
– Detailed Enterprise Model: The enterprise architecture model(s) are overly detailed, often in an attempt to comprehensively define what the enterprise does (or should do).
– Goldplating: The architects overbuild the architecture to implement really cool features that you might need at some point, but these features don't add value today (and may never do so).
– Ivory Tower Architecture: Your enterprise architecture model(s) reflect a wishful, perfect-world scenario instead of the realities of your actual environment.
– Technology Above All: The architects make technology a business driver instead of a business enabler.

41 Important areas of legislation Intellectual Property Copyright Privacy

42 Intellectual Property Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (See the DMCA, USA)

43 Copyright Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society

44 Privacy Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
