Lecture 08 - Human Element Security PDF
Document Details
Uploaded by DeliciousStatistics
University of Technology and Applied Sciences - Ibri
Summary
This document is a lecture presentation on information security, specifically focusing on the human element, such as security awareness, protecting data, passwords, social engineering, malware, network usage. It also discusses various laws and regulations related to information security.
Full Transcript
CSSY1208 Introduction to Information Security
Lecture 08 - Human Element Security

Textbook: The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, Second Edition, Jason Andress, Elsevier Publication
Referenced Book: Cryptography and Network Security, 6th Edition, William Stallings, Pearson Publication

Outline: Chapter 8 - Human Element Security
– Introduction
– Humans: the weak link
– Security awareness
– Protecting data
– Passwords
– Social engineering
– Network usage
– Malware

Introduction
One of the more difficult aspects of information security is providing security for, and against, the people within and surrounding our information: our employees, contractors, partners, customers, service providers, and others. Almost without fail, we can expect these people to behave in unexpected or unusual ways, whether innocently, through ignorance, or maliciously. Whatever the case, providing security in this area can be a challenge.

Humans: The Weak Link
1. Security professionals spend a great deal of time assembling the layers of security that protect our organizations.
2. We put controls in place (administrative, technical, and physical) in order to keep the bad out and the good in.
3. We expend a great deal of time and resources ensuring that our intrusion detection systems, mail filtering, web proxies, firewalls, and a myriad of other technologies maintain optimal security for our environments.
4. Unfortunately, bad decisions on the part of our users can nullify all of these measures with a single click.

Security Awareness
Security awareness among our users is crucial to the ongoing security of the organization. A few core items will be standard in the majority of awareness efforts: protecting data, passwords, social engineering, network usage, malware, the use of personal equipment, clean desk, and policy knowledge.
Protecting Data
There are numerous laws and regulations that govern data, and compliance with them is one of the costs of doing business:
– Payment Card Industry Data Security Standard (PCI-DSS) for those that process credit card transactions.
– Health Insurance Portability and Accountability Act (HIPAA) for those that handle medical patient data.
– Family Educational Rights and Privacy Act (FERPA) for educational data processing.
– Numerous others.

Compliance on Protecting Data
1. In addition to compliance requirements, protecting data is also required for other reasons, such as reputation and customer retention.
2. Appearing in the news because of a data breach can be extremely damaging to a company and can drive customers to competitors very swiftly.
3. Additionally, not being in compliance with some regulations can result in penalties such as suspensions, fines, and in some cases jail.
4. In order to adequately communicate the need for data security to users, we should present them with recurring training that regularly covers the data with which we work.
5. Our users need to understand the criticality of carefully handling data from both a compliance and a customer retention and reputation perspective.
6. Companies that have annual training have found very low retention.

Passwords
Passwords are an area in which we can easily enforce a technical control, to a certain extent, to force users to handle passwords appropriately, but then fail entirely in another. Most operating systems and tools can enforce certain levels of password strength:
– at least eight characters;
– at least one upper case and at least one lower case letter;
– at least one symbol and at least one number.
This would produce a password something along the lines of P@ssw0rd. The key is to balance the complexity of the password with the importance of what is being protected. Eight characters is probably fine for a site that stores family photos, but is not recommended for a bank account.
Password Expiration
We can generally force password expiration and make the user reset their password at some interval, say 90 days. The new password cannot be a variation of the previous 10 passwords used, in order to prevent a user from doing something along the lines of incrementing a number or changing one letter. This should ensure that we don't have passwords trivially guessed by an attacker, although these will still not stand up against a determined and skilled attacker with sufficient access to resources.

Password Syncing
Potentially one of the more damaging user behaviors is manually syncing passwords between systems or applications. For example, we might force a strong password on a given system in the workplace. The user, attempting to make their life easier, might manually synchronize all other systems in the organization to the same password (including their VPN credentials) and then proceed to go home and do the same with their Internet forum credentials, e-mail, online gaming passwords, and so forth. At this point, the user has one strong password everywhere and life is much easier for them. Unfortunately, this is not so great for the organization at which the user is employed.

Password Misuse
1. To continue our example, the password database for an online forum is compromised and published to the Internet, containing the username (an e-mail address here) and the decrypted password.
2. At this point, the attacker compromises the webmail of our user and now has full access to a truly disturbing amount of information, including the instructions for connecting to the company VPN that the user e-mailed to their home address.
3. We can see very quickly where this is likely to go.
4. Users must be taught that they should not use the same password repeatedly across multiple systems or applications.
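The complexity rules, the 90-day expiration and the "not a variation of the previous 10" rule from the password slides, as an added Python example (not code from the lecture or the textbook). The is_variation function is my own approximation of "incrementing a number or changing one letter" using edit distance; the lecture does not define the check precisely.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 90     # expiration interval named in the lecture
HISTORY_SIZE = 10     # previous passwords a new one may not be a variation of

def complexity_failures(pw):
    """Lecture rules the password fails; an empty list means it passes."""
    checks = {
        "length": len(pw) >= MIN_LENGTH,
        "upper": re.search(r"[A-Z]", pw) is not None,
        "lower": re.search(r"[a-z]", pw) is not None,
        "digit": re.search(r"[0-9]", pw) is not None,
        "symbol": re.search(r"[^A-Za-z0-9]", pw) is not None,
    }
    return [name for name, ok in checks.items() if not ok]

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_variation(new, old):
    """Assumed definition of 'variation': same text ignoring case, one character
    edited, or identical once the trailing number is stripped (e.g. Summer9 -> Summer10)."""
    n, o = new.lower(), old.lower()
    if n == o or edit_distance(n, o) <= 1:
        return True
    strip = lambda s: re.sub(r"\d+$", "", s)
    return strip(n) != "" and strip(n) == strip(o)

def validate_new_password(new, history):
    """Complexity rules first, then the history rule. Returns (accepted, reason)."""
    failed = complexity_failures(new)
    if failed:
        return False, "fails complexity rules: " + ", ".join(failed)
    for old in history[-HISTORY_SIZE:]:       # only the most recent 10 matter
        if is_variation(new, old):
            return False, "too similar to a previous password"
    return True, "accepted"

def password_expired(last_changed_iso, today_iso):
    """True once 90 days have elapsed since the last change (ISO date strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age >= timedelta(days=MAX_AGE_DAYS)
```

Note that P@ssw0rd passes every complexity rule, which is exactly the lecture's point about balancing complexity with what is being protected.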
Social Engineering
Social engineering is a technique that relies on the willingness of people to help others, particularly when the target is faced with someone that appears to be in distress, someone that is intimidating, or someone that we would normally expect to see in a given situation. Common examples of social engineering:
– Pretexting.
– Phishing and spear phishing.
– Tailgating.
– Baiting.
– Others.
For example, if someone is attempting to gain unauthorized access to a building where a proximity badge is normally required to enter, this would pose a problem if such a badge were not available; not so for our social engineer.

Pretexting
In pretexting, we often assume the guise of a manager, customer, reporter, or even a co-worker's family member. Using a fake identity, we create a believable scenario that elicits the target to give us sensitive information or perform some action which they would not normally do for a stranger.

Pretexting Scenario
Walking up to a security guard without any detailed knowledge of the target organization and convincing the guard that they need to allow us access to their facility is quite a challenge, and one that probably won't succeed unless the guard is incompetent or the social engineer is very skilled. Pretexting gives us an edge when trying to social engineer a victim: if we can drop names, provide details on the organization, and give the victim sufficient cause to believe we deserve the information or access for which we are asking, or for that matter already have it, our chances of success increase substantially.

Phishing
1. Phishing is a particular social engineering technique and is largely employed through the use of electronic communications such as e-mail, texting, or phone calls.
2. Most phishing attacks are very broad in nature and involve convincing the potential victim to click on a link in the e-mail, in order to send the victim to a fake site designed to collect personal information or credentials, or to have the victim install malware on their system.

Phishing (cont.)
Phishing attacks do not count on careful inspection by the recipient; they count on a very small percentage of success over hundreds of thousands or millions of attempts. In order to work with better odds of success, attackers may turn to spear phishing. Spear phishing is a targeted attack against a specific company, organization, or person. A spear phishing attack requires advance reconnaissance so that the vehicle for the attack will be seen as legitimate and directs the potential victim to a fake site that the victim would expect and see as valid. In addition, the e-mail must be seen to come from a valid sender: someone the victim would trust, such as someone from human resources, a manager, the corporate IT support team, a peer, or a friend.

Phishing Example
(Slide image of an example phishing e-mail; not reproduced in this transcript.)

Tailgating
Physical tailgating, also known as "piggybacking," is what most people think of when they hear the term used. Quite simply, this is the act of following someone through an access control point, such as a secure door, without having the proper credentials, badge, or key normally needed to enter the door.

Tailgating (cont.)
Tailgating is a problem endemic to locations which use technical access controls. In almost any location, unless strong steps have been taken to prevent it, we can see people tailgating. This is partly an issue of laziness and partly an issue of the desire to avoid confrontation. A few tricks of equipment, such as knowing which props to use, and the use of psychology to allow the attacker to play on the sympathies of others, will aid them in their tailgating efforts.
Malware
Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network, or server. Types of malware include computer viruses, worms, Trojan horses, ransomware, and spyware. Some of the common malware sources:
– E-mail attachments from people that you do not know.
– E-mail attachments containing certain file types (exe, zip, pdf, etc.).
– Web links using shortened URLs such as http://bit.ly.
– Smartphone applications from non-official download sites.
– Pirated software.

Thank You
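The malware-sources list on the Malware slide, turned into a small triage check over a constructed e-mail. This is an added Python example, not code from the lecture or the textbook; the known-contacts set, the sample message and the addresses in it are constructed for the demonstration, and only the extensions and shortener the slide names are in the lists.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXTENSIONS = {"exe", "zip", "pdf"}   # file types named on the slide
URL_SHORTENERS = {"bit.ly"}                # shortener named on the slide; extend as needed
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage_message(msg, known_contacts):
    """Return the slide's malware-source warning signs found in one message."""
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_contacts:
        findings.append(f"sender not a known contact: {sender}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # The final extension decides how the file opens, so
        # 'payslip.pdf.exe' is treated as .exe, not .pdf.
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment of risky type .{ext}: {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host in URL_SHORTENERS:
            findings.append(f"shortened link hides its destination: {url}")
    return findings

def build_sample():
    """Constructed sample message for the demonstration; not a real e-mail."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@example.invalid>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Updated payslip"
    msg.set_content("Your payslip is attached. Confirm receipt at http://bit.ly/abc123 today.")
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="payslip.pdf.exe")
    return msg
```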