Security Awareness
December 10, 2002
Bob Cowles, Computer Security Officer
bob.cowles@stanford.edu
Tarsier
- Native of East Indies jungles, eating insects, active only at night, 6 in. tall, loners
- Used at SLAC
  – Very curious and attracted by any movement in the beamline tunnel or klystron gallery
  – The radiation when the accelerator is running has allowed them to grow a little larger, which explains why the one pictured on the slide is carrying a section of spare beampipe, particularly useful in dealing with those unbadged creepy, crawly things. ;-)
Social Engineering
The Art of Deception by Kevin Mitnick:
“Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.”
Is Technology the Answer?
“When trusted employees are deceived, influenced, or manipulated into revealing sensitive information or creating a hole for an attacker to slip through, no technology in the world can protect a business.” (TAD, The Art of Deception, p. 7)
Humans – we, each of us – are the most severe threat to each other’s security. (p. 8)
Ex. 1: Let Me Help
- Plant the expectation of a problem and offer help
- Create the problem
- Help solve the problem – the attacker now has
  – credibility
  – created an obligation
- Ask for a favor
(TAD p. 55)
Ex. 2: Target the Inexperienced
- New employees are prime targets
  – Trying to please and fit in
  – Not familiar with policies
  – Not familiar with lines of authority
(TAD p. 61)
Ex. 3: Needing Help
- Large or distributed companies are very susceptible
- “Help a co-worker in distress”
- Knowing the right lingo or a few names is usually sufficient to provide credibility
(TAD p. 77)
Ex. 4: High-Tech Security
- SecurID token (one-time code display) required for access
- Not a problem for the social engineer:
  – get someone to read you the display from theirs
  – and get his manager to authorize doing it
  – and have him set up a temporary account behind the firewall for the attacker to use
(TAD p. 85)
Kevin Mitnick’s Advice
Golden Questions
– How do I know this person is who he says he is?
– How do I know this person has the authority to make this request?
Golden Rules
– No implicit trust of anyone without verification
– Challenging requests is encouraged
Policies
- Information classification
- Identification
- Verification
  – Role
  – Authorization
- Incident reporting and handling
Policies – Classification
- Confidential – release would harm the organization
- Private – release would harm individuals
- Internal – release allows masquerade as an insider
- Public – specifically designated for release
The first three categories are termed “sensitive”.
Unverified – someone not known to have authorization and not vouched for by a trusted 3rd party.
(Not the government-accepted usage of these terms.)
Policies – Verification
- Identify: confirm that the person is who they claim to be
- Verify the role (employee, contractor with need-to-know, etc.)
- Determine that the role is authorized to receive the information or perform the requested action
Policies – Identity Checking
- CallerID (weakest of these: the displayed number can be spoofed)
- Callback (to a number looked up independently, not one the caller supplies)
- Vouching
- Shared secret
- Employee’s supervisor/manager
- Secure email
- Personal voice recognition
- Dynamic password
- In person with ID
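The “dynamic password” in the list above is the mechanism that Ex. 4 defeats. As an added example (not from the slides or from Mitnick’s book), the Python below implements the standard one-time-code algorithms behind such tokens (HOTP, RFC 4226, and its clock-driven form TOTP, RFC 6238) together with a server-side verifier that allows one step of clock drift and rejects replays, and then replays the Ex. 4 attack against it. The shared secret and the timestamps are the test vectors published in RFC 6238; the user name “alice”, the class names and the attack timeline are constructed for illustration.

```python
"""Dynamic-password (one-time code) verification: HOTP (RFC 4226) and
TOTP (RFC 6238) with a replay check. Added example, not code from the slides."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the token display changes every 30 s (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP: HOTP with the counter derived from the clock (unix_time // step)."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side of a dynamic-password check.

    Accepts the code for the current time step and for +/- `window` neighbouring
    steps (clock drift), and refuses to accept the same (user, step) twice.
    """

    def __init__(self, secrets: dict, step: int = STEP_SECONDS, window: int = 1):
        self.secrets = secrets          # user name -> shared token secret
        self.step = step
        self.window = window
        self.used = set()               # (user, counter) pairs already accepted

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                if (user, counter) in self.used:
                    return False        # replay: this code was already accepted once
                self.used.add((user, counter))
                return True
        return False


def ex4_scenario(secret: bytes = b"12345678901234567890") -> dict:
    """Replay Ex. 4 against the verifier.

    The secret is the RFC 6238 test secret; "alice" and the timeline are
    constructed for illustration.
    """
    verifier = TokenVerifier({"alice": secret})
    t0 = 1111111109                      # the moment Alice reads her display aloud
    read_aloud = totp(secret, t0)        # "081804" for the RFC 6238 test secret
    return {
        # the attacker types the overheard code 20 s later: still inside the window
        "attacker_within_window": verifier.verify("alice", read_aloud, t0 + 20),
        # the attacker tries the same code again: rejected by the replay check
        "attacker_replay": verifier.verify("alice", read_aloud, t0 + 25),
        # Alice's own token has moved on to the next step; her current code still works
        "alice_current_code": verifier.verify("alice", totp(secret, t0 + 25), t0 + 25),
        # two minutes later the overheard code is outside the window
        "attacker_late": verifier.verify("alice", read_aloud, t0 + 120),
    }


if __name__ == "__main__":
    for name, accepted in ex4_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The verifier accepts the overheard code because it has no way to tell who typed it; that is the whole lesson of Ex. 4, and no choice of algorithm changes it. What the verifier can do is refuse the second use of a code, so if the legitimate user later submits a code the attacker has already spent, that rejection is the signal to investigate. The `window` argument is a clock-drift allowance; every extra step widens the interval in which a code read over the phone remains usable.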
Information Security Summary
- Clear policies with compliance and enforcement
- Data classification
- Good, appropriate identification, authentication and authorization controls
- Your active involvement