Published by Denis Richard. Modified over 9 years ago.
1
When John arrives, do you allow him to use your computer under your account? “I’m John Newbie - the latest hire in the company’s Tech Support. Director Sue suggested that a good way for me to introduce myself is to install the company’s new anti-spam software on all computers. When would it be convenient for me to stop by and update your office machine?”
2
FROM: reliable@FriendliWare.com
TO: you@FriendliWare.com
DATE: September 7, 2005

Message to all FriendliWare employees,

In response to employee requests, President Pauline has created a new electronic way for you to view your personnel information online. This new system provides access to all salary records, performance evaluations and productivity information. Of course, you can be assured that your personal information is confidential - protected by secure login. To activate this new system every employee needs to follow the following link...

http: info.YourCompany.com

In the interest of your convenience you can log in using your existing user name and password. Please follow the directions. This should take no more than a couple of minutes of your valuable time.

Thanks.
Sam Reliable
Assistant to President Pauline
FriendliWare Corp.
3
Friday, 4:45 p.m. --

“Hi, this is Sam in Accounting. Is Bob around?”

“No? Is this Bob’s assistant, Chris?”

“Chris, I don’t know why we haven’t met before. I guess I just haven’t stopped by old Bob’s office in the past few months. You see, Bob and I go way back to college days. Our families spend a week every spring in Aruba. In any event, the reason for my call is that Bob and I have been developing this new security system that could save the company thousands. Bob and I plan to pitch our idea to the Board next Tuesday, and I need to polish the PowerPoint slides this weekend. Bob was working on some major revisions and said they would be ready today. He told me that if I missed him you would be able to log into his corporate account and send me a copy of the files. I know it’s late, but would you mind emailing the files to me?”

“You don’t know the presentation file names? Well, I know Bob developed a new spreadsheet and added some nice graphics, but I don’t know the names of these new files. Perhaps it would be easier for you if you just let me log in and access them directly from my office. This would also be more secure, since the company doesn’t use email encryption. The odds are slim, but we could lose our jobs if these files were somehow intercepted by a competitor.”
4
FROM: David Riley
TO: David Riley
DATE: February 17, 2004
SUBJECT: I love you, David.

Someone loves you! Click on the web link below to find out who.
www.iloveyou.com

A Classic
5
Def’n: ______________ is a category of attack in which the perpetrator manipulates humans into divulging sensitive information.

Social engineering preys on human qualities such as...
  your desire to be _________.
  your tendency to ________ others.
  your ________ of getting into trouble.

Social engineering is still viewed as the most effective (and often the most convenient) means of breaching security. Social engineering is not based on hardware or software vulnerabilities, but rather on human vulnerabilities.
6
Methods of the Social Engineer
  befriend your victim
  trigger rapid response from excitement or fright
  gather bits of information from various sources
  impersonate (president, tech support staff)
  shoulder surfing
  dumpster diving
  software mimic
  phishing
7
Anatomy of an Attack (diagram: public and internal information sources an attacker pieces together, ending at login info)
  telephone book, local office, company web pages, reception, annual report, toll free number, staff directory, help desk, executive assistant, lunch restaurant, human resources, org chart, new hire list, employee contacts, login info
8
Why is social engineering successful?
  diffusion of responsibility
  opportunity for benefit - help desks are particularly vulnerable
  trust
  moral responsibility
  guilt
9
MITIGATION - policy
  How should sensitive materials be handled?
  What information is considered sensitive/confidential?
  Who should have access to sensitive documents?
  How are people authenticated?
  How are electronic documents authenticated?
  Who is responsible for what?
10
MITIGATION - infrastructure
  Sound physical security is essential.
  Practice good electronic security (firewalls, encryption, etc.).
  Phone calls can be traced and/or recorded.
  Selected computer transactions should be logged and audited.
  An internal website can assist authentication.
  Conduct simulated attacks.
11
MITIGATION - awareness
  be aware of the signs
    name dropping
    intimidation
    request for sensitive info
    rushed need
    uniformed personnel
  be aware of your environment
    what is your keyboard’s viewing exposure?
    is your computer logged in?
    what is your screen’s viewing exposure?
    are sensitive documents visible?
    who sent your email? (be header-aware)
    what web server are you viewing? (be URL-aware)
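The "be header-aware" and "be URL-aware" points above can be turned into a simple check. The script below is an added example, not part of the original presentation; the message it scans is constructed to mirror the slide-2 phishing email, and the heuristics (Return-Path vs From domain, link hosts outside the sender's domain, credential wording) are this example's own assumptions, not a vetted filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the slide-2 message (not a real email).
SAMPLE = """\
From: Sam Reliable <reliable@FriendliWare.com>
Return-Path: <bounce@mailer-example.net>
To: you@FriendliWare.com
Subject: New personnel information system

To activate this new system every employee needs to follow the following link
http://info.YourCompany.com/login
In the interest of your convenience you can log in using your existing
user name and password.
"""

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
CRED_RE = re.compile(r"(user ?name|password|log ?in)", re.IGNORECASE)


def domain_of(addr):
    """Lowercase domain part of a header address, or '' if there is none."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def registrable(host):
    """Crude comparison key: keep the last two labels (info.YourCompany.com -> yourcompany.com)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_signs(raw):
    """Return a list of warning strings for a raw RFC 822 message; empty means no sign found."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_dom = domain_of(msg.get("From", ""))
    path_dom = domain_of(msg.get("Return-Path", ""))
    signs = []
    # Header awareness: the envelope sender should belong to the same organisation as From.
    if path_dom and registrable(path_dom) != registrable(from_dom):
        signs.append(f"Return-Path domain {path_dom} differs from From domain {from_dom}")
    # URL awareness: every link host should sit under the sender's domain.
    for host in URL_RE.findall(body):
        if registrable(host) != registrable(from_dom):
            signs.append(f"link host {host} is not under sender domain {from_dom}")
    # Rushed request for credentials is the classic social engineering tell.
    if CRED_RE.search(body):
        signs.append("message asks the reader to log in / supply credentials")
    return signs


if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE):
        print("WARNING:", sign)
```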
12
Some specific ideas (for social engineering mitigation)
  use callback authentication protocols
  never share passwords (tech support should have their own accounts)
  “lockdown” confidential material
  shred all confidential paper
  use ctrl-alt-del login (for Windows)
  mark sensitive/confidential documents
  require escort of offsite personnel
  enact introduction procedures for new employees
  establish procedures to verify identities
  password lock a computer when you leave the room