Published by Primrose Cain, modified over 9 years ago
1 People
By Jamie Sims, February 13, 2003
2 Outline
– Trusting other computers
– Firewall vulnerabilities
– Employees
– Consultants
– Outsiders
3 Trusting Other Computers
The question is how much each system should trust the other systems it communicates with.
– Err on the side of too much security rather than too little.
– Even though it might make employees angry, you will be protecting their work.
4 Trusting Other Computers
Some computers contain data so confidential that they should have no connection to the Internet or to the company network.
5 Examples of Databases Not to Put on the Network
Ones that contain:
– Employee data
– Patient medical data
– Financial databases (banking, stock, etc.)
– Legal cases
– Customer information (credit cards, passwords)
– Security information
6 Firewall Vulnerabilities
1. Attacks from within
a) Someone with access to internal systems initiates an attack
2. End runs and tunneling
a) The intruder gets past the firewall and "has his way" with your systems
b) All it takes is someone connecting a modem to his or her desktop system to defeat the firewall
7 Firewall Vulnerabilities
3. Content-based attacks
a) Malicious email attachments
b) MS Word macros
c) Evil web pages
4. Address spoofing attacks
a) Any decent firewall will detect a packet arriving from outside the agency that carries the source address of an inside machine, and drop it
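The anti-spoofing check in item 4, written out as an added example (this is not code from the presentation). It keys the decision on the interface a packet arrived on: an inside or DMZ source address showing up on the outside interface is spoofed and dropped, as is any unroutable "bogon" source. It also applies the mirror-image rule the slide does not mention: a packet arriving on the inside interface must carry an inside source address, so internal hosts cannot spoof outside addresses. The address plan and the sample packets are constructed for illustration.

```python
"""Interface-aware anti-spoofing filter (added example, not from the slides)."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: private inside ranges plus a documentation range for the DMZ.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Sources that should never arrive from the Internet regardless of our own plan.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def anti_spoof_verdict(pkt):
    """Return ("drop", reason) or ("pass", "") for one arriving packet."""
    if pkt.iface == "outside":
        # Slide 7, item 4: an inside address cannot legitimately come from outside.
        if _in_any(pkt.src, INSIDE_NETS) or _in_any(pkt.src, DMZ_NETS):
            return "drop", "inside/DMZ source address arriving on the outside interface"
        if _in_any(pkt.src, BOGON_NETS):
            return "drop", "unroutable (bogon) source address"
    elif pkt.iface == "inside":
        # Mirror rule: internal hosts may only send with internal source addresses.
        if not _in_any(pkt.src, INSIDE_NETS):
            return "drop", "non-inside source address arriving on the inside interface"
    return "pass", ""


def filter_packets(packets):
    """Apply the verdict to a list of packets; returns the list of verdict strings."""
    return [anti_spoof_verdict(p)[0] for p in packets]


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    Packet("outside", "192.168.1.5", "203.0.113.10"),   # spoofed inside source -> drop
    Packet("outside", "198.51.100.7", "203.0.113.10"),  # ordinary external client -> pass
    Packet("outside", "127.0.0.1", "10.0.0.1"),         # bogon source -> drop
    Packet("inside", "10.1.2.3", "198.51.100.7"),       # normal outbound -> pass
    Packet("inside", "198.51.100.9", "198.51.100.7"),   # internal host spoofing outside -> drop
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{p.iface:8} {p.src:>15} -> {p.dst:<15} {verdict}")
```

A real firewall expresses the same thing as per-interface rules (e.g. "drop on the external interface when the source is in 10/8 or 192.168/16"); the point of the code is that the decision depends on where the packet came from, not just on the addresses it carries.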
8 Firewall Vulnerabilities
5. DoS attacks
a) The attacker can flood your firewall with more traffic than it can handle, burying legitimate packets
6. Misplaced server attacks
a) Vulnerable services should be provided by systems in the DMZ (web servers, externally accessible DNS, sendmail)
7. Configuration error attacks
a) Analyze any change to the firewall configuration carefully
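Item 7 says to analyze configuration changes carefully; the following added example (not code from the presentation) shows one mechanical check such a review should include: compare the old and new rule sets and flag every new allow rule, every removed deny rule, and every new rule that is strictly broader than an allow rule that already existed. The one-line rule syntax (ACTION PROTO SRC DST PORT), the inside range and the two rule sets are constructed for illustration and do not correspond to any real product; first-match ordering, which real firewalls also depend on, is deliberately left out.

```python
"""Flag widened exposure between two firewall rule sets (added example, not from the slides)."""
import ipaddress
from dataclasses import dataclass

INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: tuple                 # inclusive (low, high)


def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)


def _ports(s):
    if s == "any":
        return (1, 65535)
    lo, _, hi = s.partition("-")
    return (int(lo), int(hi or lo))


def parse_rules(text):
    """Parse 'ACTION PROTO SRC DST PORT' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action.lower(), proto.lower(), _net(src), _net(dst), _ports(port)))
    return rules


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst)
            and a.port[0] <= b.port[0] and a.port[1] >= b.port[1])


def fmt(r):
    return f"{r.action} {r.proto} {r.src} {r.dst} {r.port[0]}-{r.port[1]}"


def review_change(old_text, new_text):
    """Return (severity, message) findings for allow rules added or widened and deny rules removed."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    findings = []
    for r in new:
        if r in old or r.action != "allow":
            continue
        widened = [o for o in old if o.action == "allow" and o != r and covers(r, o)]
        to_inside = any(n.overlaps(r.dst) for n in INSIDE_NETS)
        if to_inside:
            findings.append(("high", f"{fmt(r)} is a new allow into the inside network"))
        elif widened:
            findings.append(("medium", f"{fmt(r)} widens {len(widened)} existing allow rule(s)"))
        else:
            findings.append(("low", f"{fmt(r)} is a new allow rule"))
    for r in old:
        if r.action == "deny" and r not in new:
            findings.append(("high", f"{fmt(r)} deny rule was removed"))
    return findings


# Constructed before/after rule sets for a small DMZ.
OLD_RULES = """
allow tcp any 203.0.113.10/32 80    # public web server in the DMZ
allow tcp any 203.0.113.10/32 443
deny  any any 10.0.0.0/8 any        # nothing from outside reaches the inside
"""
NEW_RULES = """
allow tcp any 203.0.113.10/32 80
allow tcp any 203.0.113.10/32 443
allow tcp any 203.0.113.0/24 any          # "temporary" rule: whole DMZ, every port
allow tcp 198.51.100.7/32 10.1.2.3/32 22  # vendor SSH straight into the inside
"""

if __name__ == "__main__":
    for severity, message in review_change(OLD_RULES, NEW_RULES):
        print(f"[{severity}] {message}")
```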
9 "...the human factor is truly security's weakest link." Kevin D. Mitnick
The FBI claims that more than 80% of all computer intrusions are from within.
10 Employees
Hacking tools used by employees within organizations may be the biggest security threat to emerge this year, leading to increased vulnerabilities, lost data, and wasted time and resources.
Websense, the worldwide leader of employee Internet management (EIM) solutions, reports that the number of hacking web sites has increased 45 percent in the last 12 months, now totaling approximately 6,000 web sites, encompassing more than 1 million pages of content.
Nearly 90 percent of U.S. businesses and government agencies suffered hacker attacks in the last year, according to Newsbytes, while 80 percent of network security managers claim their biggest security threat comes from their own employees, according to a survey conducted at this year's Gartner Information Security Conference.
http://www.websense.com/company/news/pr/02/121702.cfm
11 The Social Engineer
Social engineering is the hacker term for a con game: persuade the other person to do what you want.
Bypasses:
– Cryptography
– Computer security
– Network security
– Everything else technological
12 Employees
Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind.
Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect.
The only reasonable safeguard in these cases is to enforce and audit procedures verifying identity, including the person's employment status, prior to disclosing any information to anyone not personally known to be with the company.
13 Employees
– New employees
– Current employees
– Former employees
– Disgruntled employees
14 New Employees
New employees are ripe targets for attackers:
o Do not know company procedures
o Eager to show how cooperative and quick to respond they can be, so they will give out any information anyone asks them for
o Unaware of the value of specific company information or of the possible results of certain actions
o Tend to be easily influenced by some of the more common social engineering approaches:
  o a caller who invokes authority
  o a person who seems friendly and likeable
  o a person who appears to know people in the company who are known to the victim
  o a request that the attacker claims is urgent
  o the inference that the victim will gain some kind of favor or recognition
15 New Employees
Andrea in HR
16 Former Employees
Need to have ironclad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, etc.
– Your security procedures need to provide a way to keep track of who has authorization to various systems.
– Change passwords for accessing systems (administrator passwords if applicable).
– For companies that need very high security, all employees in the same workgroup as the person leaving must be required to change their passwords.
17 Disgruntled/Fired Employees
Story about an employee who was transferred to a different department within the city offices.
18 Policies for All Employees
1. Reporting suspicious calls
Employees who suspect that they may be the subject of a security violation must immediately report the event to the company's incident reporting group.
When a social engineer fails to convince his or her target, he or she will try someone else.
2. Documenting suspicious calls
The employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes.
Such details can help the incident reporting group spot the object or pattern of an attack.
19 Policies for All Employees
3. Disclosure of dial-up numbers
Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk.
Treat dial-up numbers as internal information, only to be given to employees who need to know them.
4. Corporate ID badges
Except in their immediate office area, all company personnel, including management and executive staff, must wear badges at all times.
All employees who arrive at work without their badge should be required to stop at the lobby desk or security office to obtain a temporary badge.
20 Policies for All Employees
5. Challenging ID badge violations
All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor's badge.
6. Piggybacking
Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means to gain entrance into an area.
A common trick is to carry boxes so that the worker will hold the door open out of politeness.
21 Policies for All Employees
7. Shredding sensitive documents
Cross-shred sensitive documents and destroy hard drives and disks that contained sensitive information.
8. Personal identifiers
Never use employee numbers, social security numbers, driver's license numbers, date and place of birth, or mother's maiden name for verifying identity.
These are not secret and can be obtained numerous ways.
22 Policies for All Employees
9. Organizational charts
A company's organization chart details should never be released to anyone outside the company.
This includes positions, contact numbers, extensions, and emails.
10. Auditing access to sensitive files
Audit access to sensitive files, such as payroll files, by anyone not allowed to have access to them for job reasons.
Employees have been known to write a program that gives them a raise every few months.
23 Malicious Insiders
– A dangerous and insidious adversary
– Can be impossible to stop because they're the same people we're forced to trust
– Know how the system works and where the weak points are
24 Consultants
Insiders are not always employees; they can be consultants.
Consultants have access to sensitive information and are trusted by the company's employees, so they could easily attack a system.
Stanley Mark Rifkin story
25 Outsiders
Someone who does not have security clearance to access information
The "unverified" person
26 What to Do When Confronted by an Outsider
1. Verify that the person is who he or she claims to be
2. Callback
3. Vouching
4. Shared secret
5. Employee's supervisor
6. Secure email
7. Personal voice recognition
8. Dynamic password verification
9. In person with ID
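Two of the methods above, callback (2) and dynamic password verification (8), carry enough mechanism to be worth writing down; the following is an added example and not code from the presentation. The callback rule is that the number dialed comes from the company directory, never from the caller, and that a former (inactive) employee gets no callback at all, which ties in with slide 16. The dynamic password is modeled as a time-based one-time code derived with HMAC-SHA256 from a per-employee secret and compared in constant time; the directory, the secrets, the 60-second step and the one-step clock tolerance are all assumptions made for illustration, not a description of any particular product.

```python
"""Callback and dynamic-password checks for an unverified caller (added example, not from the slides)."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # assumed lifetime of one dynamic password
DRIFT_STEPS = 1     # accept one step either side to tolerate clock skew

# Constructed employee directory: the authoritative source for callback numbers.
DIRECTORY = {
    "e1001": {"name": "A. Rivera", "phone": "+1-555-0100", "secret": b"rivera-seed", "active": True},
    "e1002": {"name": "B. Chen",   "phone": "+1-555-0101", "secret": b"chen-seed",   "active": False},
}


def callback_number(employee_id):
    """Directory phone number for an active employee, else None.
    Whatever number the caller offers is deliberately never used."""
    rec = DIRECTORY.get(employee_id)
    if rec is None or not rec["active"]:
        return None
    return rec["phone"]


def dynamic_password(secret, at=None, step=STEP_SECONDS):
    """Six-digit code for the time step containing `at` (HMAC-SHA256 over the step counter)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_dynamic_password(employee_id, code, at=None):
    """True if `code` matches the employee's current step or an adjacent one."""
    rec = DIRECTORY.get(employee_id)
    if rec is None or not rec["active"]:
        return False
    now = time.time() if at is None else at
    for k in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = dynamic_password(rec["secret"], now + k * STEP_SECONDS)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


def handle_caller(employee_id, code, at=None):
    """Decide how to treat someone claiming to be `employee_id`.
    Returns ("refuse", reason), ("proceed", reason) or ("callback", directory_number)."""
    number = callback_number(employee_id)
    if number is None:
        return "refuse", "unknown or inactive employee; disclose nothing"
    if verify_dynamic_password(employee_id, code, at):
        return "proceed", "dynamic password verified"
    # No valid one-time code: hang up and call the directory number back.
    return "callback", number


if __name__ == "__main__":
    now = time.time()
    good = dynamic_password(DIRECTORY["e1001"]["secret"], now)
    print(handle_caller("e1001", good, now))      # proceed
    print(handle_caller("e1001", "abcdef", now))  # callback to the directory number
    print(handle_caller("e1002", good, now))      # refuse: former employee
```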
27 Outsiders
Michael Parker figured out that people with college degrees got better-paying jobs…
28 References
Mitnick, K.D. & Simon, W.L. The Art of Deception: Controlling the Human Element of Security. 2002. Wiley Publishing, Inc., Indianapolis, IN.
Schneier, B. Secrets & Lies: Digital Security in a Networked World. 2000. John Wiley & Sons, Inc., New York, NY.
Toxen, B. Real World Linux Security. 2nd ed. 2002. Pearson Education, Upper Saddle River, NJ.