Copyright © 2011 IsecT Ltd. Securing people Security awareness seminar for IT professionals Information Security Awareness September 2011

Page 1

Copyright © 2011 IsecT Ltd.

Securing people

Security awareness seminar for IT professionals

Information Security Awareness

September 2011

Page 2

Introduction

• Do you use Facebook, MySpace, Flickr, LinkedIn, Blogger or Twitter?

• Do your colleagues, friends or family use them?

• Do you tend to trust the people you know?

• Are you human?

Page 3

The risks

[Figure: Human factors risk-control spectrum, running from Negligible to Extreme. Risks shown along the spectrum:]

• Minor misunderstandings

• Trivial mistakes

• Serious mistakes

• Casually exploiting vulnerabilities

• Deliberately exploiting vulnerabilities

• Proactively creating & exploiting vulnerabilities

• Social engineering

• Fraud, identity theft

• Blackmail

• Coercion

• Criminal gangs

• Sabotage, criminal damage

• Terrorism

• Cyber warfare

Page 4

Low-end risk

Page 5

High-end risk?

“Personal information on as many as 35 million users of a South Korean social network site may have been exposed as the result of what has been described as the country's biggest ever hack attack … Names, phone numbers, email addresses, and other details may have been exposed through the Cyworld hack, which follows previous attacks against South Korean government sites and financial service firms. North Korea has been implicated in some of these hacks. …”

The Register 28th July 2011

Page 6

Leveraging information

[Figure: flow of an attack that leverages personal information]

Gather personal information about the victim:

• Search online, e.g. MySpace & LinkedIn

• Ask the victim’s friends & colleagues

• Hack the victim’s PC

• Use a virus

Exploit the information, e.g. to commit identity theft

Page 7

Social engineering

Attack methods & tools:

• Target people

• Lie, persuade, connive, bribe

• Push/threaten or flirt

• Collate and re-use info

• Email, online, phone or visit

• Blend in with locals

• Build rapport, persist

• Malware, APTs

• Dumpster diving

Page 8

Social engineering

Attack methods & tools: as listed on page 7 (target people; lie, persuade, connive, bribe; push/threaten or flirt; collate and re-use info; email, online, phone or visit; blend in with locals; build rapport, persist; malware, APTs; dumpster diving)

Controls (prevention, detection & correction):

• Policies, standards & guidelines

• Physical access controls

• Technical security controls

• Information classification

• Vigilant employees

• Incident reporting & response procedures

• Logging & alerting

• Be “guarded”

• Contingency plans

• Disciplinary & legal action

• Hotline

Page 9

Social engineering


Security awareness

DART

Page 10

Dealing with social engineers

DART:

• Delay

• Authenticate

• Resist

• Transfer

General employees

Front-line employees

Page 11

Other controls

[Figure: Human factors risk-control spectrum, running from Negligible to Extreme, with the same risks as on page 3 (minor misunderstandings, trivial mistakes, serious mistakes, casually exploiting vulnerabilities, deliberately exploiting vulnerabilities, proactively creating & exploiting vulnerabilities, social engineering, fraud, identity theft, blackmail, coercion, criminal gangs, sabotage, criminal damage, terrorism, cyber warfare) and the controls that apply along it.]

Controls:

• Self-correction

• Red teams

• Information security & privacy laws & regulations

• Black ops

• Security awareness, training & education

• Information security & privacy policies, procedures & guidelines

• Dual control

• Formal compliance assessments

• Ethics, peer pressure, norms

• Defined security rôles & responsibilities

• Codes of conduct

• Informal compliance activities

• Compliance clauses in employment contracts

• Human factors engineering

• Surveillance, entrapment

• Divisions of responsibility

Page 12

Conclusion

You may believe you are immune to the kinds of attacks we have discussed … but are your colleagues, friends, bosses, family members, suppliers …?

Please help us raise awareness: knowing that we might be attacked, what forms attacks may take, and how to respond (remember DART) are important controls.

Page 13

Further information

• Speak to colleagues

• Visit the intranet Security Zone

• Contact the Information Security Manager

• Read these books …