20100224 presentation at rgit mumbai - information security awareness

Information Security … the profession; concepts, risks and more.. Presented by: Dinesh O Bareja CISA, CISM, ITIL Open Security Alliance (www.opensecurityalliance.org) Rajiv Gandhi Institute of Technology February 24, 2009

Upload: dinesh-o-bareja

Post on 22-Jan-2015





DESCRIPTION

Information Security concepts, standards. About the profession and career choices; some risks and case studies.

TRANSCRIPT

1. Rajiv Gandhi Institute of Technology, February 24, 2009. Information Security: the profession; concepts, risks and more.. Presented by: Dinesh O Bareja CISA, CISM, ITIL, Open Security Alliance (www.opensecurityalliance.org)

2. About Me (Warming Up)
Dinesh Bareja BA, CISA, CISM, ITIL, BS 7799 (LA, Imp). Engaged in continuous study and learning. Work in Information Security consulting, advisory and technical services; identifying emerging opportunities; strategic business planning; training, mentoring and awareness & more. Past life (pre-.com) was spent in mfg, trdg, exports.. Co-founder of Indian Honeynet Project, Open Security Alliance and actively involved with DSCI and other Information Security groups.
RGIT, Mumbai 02/24 www.opensecurityalliance.org

3. A Starting Thought (Warming Up)
"..... every human endeavour operates partly in light and partly in shadow; and, especially, in those fields that delve deeply into shadow, some succumb to temptation." - Richard Power (Computerworld)

4. Covering your mistakes (Warming Up)

5. Some more (simpler) thoughts (Warming Up)
- We have sidewalks but cannot walk on them!
- In parks they say keep off the grass!
- Cars at home but driving is a killer
- Using computers .. and there is the risk of everything going wrong ..
- Rules, rules and more rules!!

6. My Rules (Warmed Up)
- Don't be shy, ask questions (we have a lot of time)
- Feel free to interrupt me
- Nod intelligently even if you fall asleep
- Correct me if I make a mistake (remember I am in a continuous learning mode)
- Hijack this presentation and change it into a debate!
- Don't take notes, this slide deck will be available on our website (or on the college file server)
- There is no test at the end of this session
- You get marks for being a good and interactive audience
- Finally, please make sure your cellphones are in shivering mode! It is bad manners to make any odd sounds when people around you are trying to learn something

7.
- The What and Why of Information Security
- Information Security Domains and Concepts
- Standards, Guidelines and Frameworks
- Proposition
- Infosec Profession / Careers
- Risks and Awareness

8. What
Information Security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
- Availability: Ensuring timely and reliable access to and use of information.

9. CIA in more detail
Confidentiality: Sensitive information must be available only to a set of predefined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
Integrity: Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
Availability: Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.
Continuity: Information should be continuously available to the business user and this is ensured through appropriate business continuity and disaster preparedness.

10. The Need for IT Security, Governance
- Security
- Keeping IT Running
- Aligning IT with Business
- Managing Complexity
- Regulatory Compliance
- Value/Cost
Organizations require a structured approach for managing these and other challenges. (ISACA)

11. Why Information Security
- Ensure Availability of Business
- Take care of the risk of loss of Confidentiality, Integrity and Availability of Information Assets
- Protect Data and Information Systems
- Brand and Reputation Loss
- Increased Productivity through best practices
- Higher levels of assurance
- Competitive advantage
- Enable Business Continuity and Disaster Recovery
And for this we need Security Controls.

12. Security Controls
Computer security is often divided into three distinct master categories, commonly referred to as controls: Physical, Technical, Administrative.
Physical Controls - the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:
- Closed-circuit surveillance cameras
- Motion or thermal alarm systems
- Security guards
- Picture IDs
- Locked and dead-bolted steel doors
- Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)
Administrative Controls - define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
- Training and awareness
- Disaster preparedness and recovery plans
- Personnel recruitment and separation strategies
- Personnel registration and accounting
Technical Controls - use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
- Encryption
- Smart cards
- Network authentication
- Access control lists (ACLs)
- File integrity auditing software

13. Key Information Security Program Elements
Technology, Process, People

14. Key Information Security Program Elements
People:
- Training
- Awareness
- HR Policies
- Background Checks
- Roles / responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt
Technology:
- System Security
- UTM, Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assmt
- Penetration Testing
- Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services
Process:
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak Prevention
- Access Management
- Change Management
- Patch Management
- Configuration Mgmt
- Incident Response
- Incident Management

15. Essential Information Security Practices
- MANAGEMENT COMMITMENT
- RISK MANAGEMENT
- ASSET INVENTORY AND MANAGEMENT
- CHANGE MANAGEMENT
- INCIDENT RESPONSE AND MANAGEMENT
- CONFIGURATION MANAGEMENT
- TRAINING AND AWARENESS
- CONTINUOUS AUDIT
- METRICS AND MEASUREMENT

16. Essential Information Security Practices
- VULNERABILITY ASSESSMENT
- PENETRATION TESTING
- APPLICATION SECURITY TESTING
- DEVICE MANAGEMENT
- LOG MONITORING, ANALYSIS AND MANAGEMENT
- SECURE DEVELOPMENT

17. Defining Information Assets
Tangible or intangible corporate assets:
- Hardware
- Software
- Data
- Intellectual Property
- Patents
- Processes
- Device Configurations
- Plans
- Designs / Blueprints

18. Risk Management
Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative).
Risk management: the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary.
Strategies to manage risk:
- Avoidance (eliminate, withdraw from or not become involved)
- Reduction (optimise - mitigate)
- Sharing (transfer - outsource or insure)
- Retention (accept and budget)

19. Information Risks, Threats, Vulnerabilities
- Web Application Vulnerabilities
- Botnets
- Spam / Targeted mails
- Social Networks
- Malware / Virus
- Murder
- DDOS attacks (Denial of Service)
- Reputation Loss
- Scams
- Phishing, Vishing, Spear-Phishing
- Identity Theft
- Privacy Violation
- Social Engineering
- Insider Threat
- Software Vulnerabilities
- Wireless

20. The driver
Malicious Motivation: Criminal Intent, Coercion, Greed, Show Off, Revenge, Curiosity -> Attack

21. Hackers n Crackers
During the 1960s, the word "hacker" grew to prominence describing a person with strong computer skills, an extensive understanding of how computer programs worked, and a driving curiosity about computer systems. True hackers are computer programming enthusiasts who pushed computer systems to their limits without malicious intent and followed a hacker code of ethics. They believed technical information should be freely available to any person, and they abided by a code of ethics that looked down upon destroying, moving, or altering information in a way that could cause injury or expense. Hacking, however, soon became nearly synonymous with illegal activity. Negative publicity surrounding hackers continued to grow.

22. Hackers n Crackers
While the first incidents of hacking dealt with breaking into phone systems, hackers also began diving into computer systems as technology advanced. Hacking became increasingly problematic during the 1980s and as a result, in the US the Computer Fraud and Abuse Act was created, imposing more severe punishments for those caught abusing computer systems. In the early 1980s, the FBI made one of its first arrests related to hacking. As a result, several hacker groups coined the term 'cracker' in 1985 to define a person who broke into computer systems and ignored hacker ethics; however, the media continued to use the word hacker.

23. Profiling .. the color of your hat!
Black Hat: Also known as crackers, these are the ones to watch out for; they send and make viruses, destroy data, and deface websites along with other illegal activity, and break into people's machines. This type of hacker has a bad reputation.
White Hat: Also known as friendly hackers; they are always using their knowledge for good reasons.
Grey Hat: Are borderline white/black hats. They sometimes prank unsuspecting users and cause general mayhem. While they think this kind of activity is harmless, they may face long periods of jail time if they ever get found out.
Not to forget the hatless..
- Script Kiddies
- The Hobbyist
- Insider
- Countries

24. Information Security is implemented in organizations based on Standards, Guidelines, Frameworks. Other factors are Laws and Regulations, Customer requirements, Standards etc. All require the adoption of best practices.

25. Common Standards / Frameworks / Guidelines / Regulatory
- ISO 27001:2005
- PCI-DSS
- CobiT
- BS 25999
- ISO 20000
- ITIL
- Clause 49 (SEBI Guideline, Government of India)
- SAS 70
- Privacy Laws (e.g. PIPEDA)
- NERC-CIP
- many more..
- IT Act and applicable Criminal / Civil legislation
- HIPAA
- GLBA
- Sarbanes Oxley
- Basel II
- PCAOB
- CTCL
- Data Protection Act

26. ISO 27001, BS 25999, CobiT, ITIL or ISO 20000
These are the most widely used and recognized standards for Information Security globally. ISO 27001, CobiT etc form the foundation of security for various other framework and regulatory requirements.

27. ISO 27001:2005
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

28. ISO 27001 Fundamental Principles
Development, Improvement and Maintenance Cycle:
- Plan: Establish ISMS Context and Risk Assessment
- Do: Design and Implement the ISMS
- Check: Monitor and Review the ISMS
- Act: Maintain and Improve the ISMS

29. ISO 27001 Fundamental Principle
Plan, Do, Check, Act

30. ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing Information Technology (IT) services (ITSM), IT development and IT operations. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL is published in a series of books, each of which covers an IT management topic:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement

31. CobiT: Control Objectives for Information and related Technology
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.
Business-focused; Process-oriented; Controls-based; Measurement-driven. (IT Governance Institute)

32. CobiT Framework
Business Objectives and Governance Objectives drive the COBIT Framework.
Information criteria: Efficiency, Effectiveness, Compliance, Integrity, Availability, Confidentiality, Reliability.
IT Resources: Applications, Information, Infrastructure, People.
Plan and Organise:
- PO1 Define a strategic IT plan.
- PO2 Define the information architecture.
- PO3 Determine technological direction.
- PO4 Define the IT processes, organisation and relationships.
- PO5 Manage the IT investment.
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.
Acquire and Implement:
- AI1 Identify automated solutions.
- AI2 Acquire and maintain application software.
- AI3 Acquire and maintain technology infrastructure.
- AI4 Enable operation and use.
- AI5 Procure IT resources.
- AI6 Manage changes.
- AI7 Install and accredit solutions and changes.
Deliver and Support:
- DS1 Define and manage service levels.
- DS2 Manage third-party services.
- DS3 Manage performance and capacity.
- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS6 Identify and allocate costs.
- DS7 Educate and train users.
- DS8 Manage service desk and incidents.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.
- DS12 Manage the physical environment.
- DS13 Manage operations.
Monitor and Evaluate:
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure compliance with external requirements.
- ME4 Provide IT governance.
(IT Governance Institute)

33. BS 25999
The standard for Business Continuity Management.
Part 1: Code of Practice
- Section 1 - Scope and Applicability.
- Section 2 - Terms and Definitions.
- Section 3 - Overview of Business Continuity Management.
- Section 4 - The Business Continuity Management Policy.
- Section 5 - BCM Programme Management.
- Section 6 - Understanding the organization.
- Section 7 - Determining BCM Strategies.
- Section 8 - Developing and implementing a BCM response.
- Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture.
- Section 10 - Embedding BCM into the organization's culture.
Part 2: Specification
- Section 1 - Scope.
- Section 2 - Terms and Definitions.
- Section 3 - Planning the Business Continuity Management System (PLAN).
- Section 4 - Implementing and Operating the BCMS (DO).
- Section 5 - Monitoring and Reviewing the BCMS (CHECK).
- Section 6 - Maintaining and Improving the BCMS (ACT).

34. Essential Information Security Practices (repeat of slide 15)

35. General information about data loss and breaches
Data Loss Statistics. Snapshot of CERT reported incidences:
- 2003 - 137,529
- 2002 - 82,094
- 2001 - 52,658

36. Internet Users (chart: Internet User Growth)

37. http://www.bankinfosecurity.com/articles.php?art_id=1766

38. Data Breach Timeline

39. Size / Business Does Not Matter
Charts: Data Breach by industry type; Number of Employees by Percent of Breaches. 13 percent of organizations had recently been merged or acquired. Source: Verizon Data Breach Incident Report 2009

41.
- Statistics for online habits
- Some common risks
- What can you do for yourself, the college and the community
- Profession and Career

42. Information Security Certifications
ISACA - Information Systems Audit and Control Association
- CISA - Certified Information Systems Auditor
- CISM - Certified Information Security Manager
- CGEIT - Certified in the Governance of Enterprise IT
- CRISC - Certified in Risk and Information Systems Control
(ISC)²
- CISSP - Certified Information Systems Security Professional
- SSCP - Systems Security Certified Practitioner
Institute of Internal Auditors
- CIA - Certified Internal Auditor
- CGAP - The Certified Government Auditing Professional
- CFSA - Certified Financial Services Auditor
- CCSA - Certification in Control Self-Assessment
PMI
- PMP
The Security Industry Association (SIA)
- CSPM - Certified Security Project Manager

43. Information Security Certifications
ITIL
- ITIL Service Management Foundations Certificate
- ITIL Service Manager
- ITIL Practitioner
DRI - Institute for Continuity Management
- ABCP - Associate Business Continuity Professional
- CBCP - Certified Business Continuity Professional
- CFCP - Certified Functional Continuity
- MBCP - Master Business Continuity
Association of Certified Fraud Examiners (ACFE)
- CFE - Certified Fraud Examiner
Forensics - EnCase
- EnCE - EnCase Certified Examiner
CISCO
- CCSP - Cisco Certified Security Professional

44. Career Specializations
1. Computer forensics - Learn forensic investigation tools and techniques to investigate cyber crimes and financial crimes.
2. IT security auditor - Focus on auditing capabilities. As part of this, you must explore platforms like mainframes, SAP, and core banking platforms as your areas of expertise.
3. Application security specialist - Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modelling.
4. Compliance specialist - Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley.
5. Security solutions architect - Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure.
6. Security trainer - Focus on spreading knowledge about information security, and create awareness at all levels.
7. Cyber law expert - Combine knowledge of the Indian IT Act 2008 with IT knowledge and forensics know-how.

45. Some Required Skills or Traits
1. High level of passion - Security changes on an almost daily basis; there are new tools, attack vectors, and vulnerabilities being discovered almost hourly. A security professional can remain ahead of the game only by constantly updating himself, and this requires a high amount of passion for the field.
2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional.
3. A never-say-die attitude - Security issues are typically complex, and often there are no easy solutions. Quite often, the situations are also very high-pressure: the client's been hacked, or someone inside leaked out critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem, and he is willing to do what it takes to be as resourceful in finding the right solution.
4. Grasp of a wide range of subjects - Security is not just about policies and procedures or buffer overflows or SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed with a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance, and physical security.

46. Technology Skills
- Application Development
- Secure SDLC
- Networking
- Vulnerability Assessment
- Penetration Testing
- System Hardening
- Device Support
- Wireless Security
On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.

47. Risks and Awareness
- Common and uncommon Risks
- Statistics about online habits
- What can you do for yourself, the college and the community

48. What Can You Do
- Cyber Security (virus, online habits, filesharing etc)
- Cyberethics (copying and use of IP)
- Cybersafety (identity protection, cyber bullying etc)
- Educate your friends and family (trojans, keyloggers, phishing, scams)
- Secure home computers and for family/friends (wireless, backup etc)
- Take care of your Social Networking risks

49. Securing Yourself
- Common Sense
- Awareness
- Regularly Update Patches
- Anti Virus, anti spyware
- Be careful on P2P filesharing .. what you download
- Read the computer message(s)
- Don't blindly click next > next > next
- Be careful when you read email, especially if it belongs to someone else
- Don't try to open every attachment
- Keep your password to yourself
Cybersecurity, Cyberethics, Cybersafety

50. In Simple Words (Noticebored)

51. Refer TOI today (Noticebored)

52. How many friends are online and in real life

53. So what have you done online lately
- I have connected with old friends online
- Rekindled a relationship online
- Share a secret or two or some personal stuff online

54. Some online habits

55. Noticebored

57. What Can You Do (repeat of slide 48)

58. What Can You Do (2)
Think out of the box:
- Evaluate tools and technologies as part of your projects
- Develop tools and scripts
- Share findings with industry, government and law enforcement
- Research and study malware trends, defense methods
- Create a virtual library of your work so your peers and followers will also benefit
- Institutional security policies and procedures
- Conduct network assessments in the college from time to time and share the findings with all

59. Future trends / opportunities
- Social networking compliance assurance
- Unified communication
- Microblogging
- Intelligent search
- Mobile apps

60. Case Study: Factual
- Facebook Hack Case Study: http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html
- Twitter Hack
- Hotmail Outage leads to malware offering sites
- Clicking Blindly

61. About Us: Some information about Open Security Alliance

62. Open Security Alliance
A small group of professionals working in Information Security got together to discuss life beyond technical stuff which non-techies find difficult to understand. So these guys got together to work under the OSA banner to present risks, threats and vulnerabilities in an easy and understandable language. Just to make sure the non-geek understands the problems as well and gets as scared as the IS guy.
OSA - an open community of individuals who are committed to providing the benefit of their knowledge and expertise to the community.
OSA - individual initiatives to undertake research and studies in Information Security (India centric), then provide learning to the community.
The underlying thought is to Be The Change.

63. Contact Information
Dinesh O Bareja. M: +91.9769890505. E: [email protected]. E: [email protected]. Twitter: @bizsprite. Linked In (India Information Security Community)

64. Conclusion
Questions and Discussion. Thank You!

65. Disclaimer
All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them. Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly. We have taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials kindly communicate the same to us at issues AT opensecurityalliance DOT org. Any omissions, in terms of attribution, may be due to an error on our part and not intentional.
This document is a creation of securians.com and is released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India) http://creativecommons.org/licenses/by-nc-sa/2.5/in/.
Disclaimer: The practices listed in the document are provided as is and as guidance and the authors do not claim that these comprise the only practices to be followed. The readers are urged to make informed decisions in their usage. Feedback is solicited and you can access other topics at our website www.securians.com
Contributors: Dinesh O Bareja. Reviewers: Vicky Shah. Title: Information Security the profession; concepts, risks and more.. Version: 1.0 / February 2010

66. References
- Educause Video Contest http://www.educause.edu/SecurityVideoContest
- CERT India
- CERT
- NIST
- OWASP
- SANS

67. Social Networking Case Study: Facebook Hack
The threat from social networks comes from social engineering: employees post company information, the attacker collects it during reconnaissance, then infiltrates the social network that exists between the employees, then uses that trust to phish for VPN passwords or any other information. The Facebook hack case study is for an assignment carried out by SnoSoft and presents a unique insight into the threats and risks exposed on such sites.

68. Facebook Hack Step 1: Reconnaissance
Conduct Social and Technical Reconnaissance.
Social: 1400 employees identified through the internet, of which 900 used social networking sites like Facebook, Orkut, LinkedIn, MySpace etc. Studied about 200 profiles and created a false identity.
Technical: Probed the corporate website and identified Cross Site Scripting vulnerabilities (which the researchers expected and hoped to find).
Cross-site scripting ("XSS") vulnerability is most frequently discovered in websites that do not have sufficient input validation or data validation capabilities. XSS vulnerabilities allow an attacker to inject code into a website that is viewed by other users. This injection can be done server side by saving the injected code on the server (in a forum, blog, etc) or it can be done client side by injecting the code into a specially crafted URL that can be delivered to a victim.

69. Facebook Hack Step 2: Setup
Used a client side attack as opposed to a server side attack because it enabled the selection of only those users that we are interested in attacking. Server side attacks are not as surgical and usually affect any user who views the compromised server page. A payload was created and designed to render a legitimate looking https-secured web page that appeared to be a component of the customer's web site. When a victim clicks on the specially crafted link the payload is executed and the fake web page is rendered. In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided. When the user's credentials were entered, the form submitted them to http://www.netragard.com and they were extracted by an automated tool that had been created.

70. Facebook Hack Step 3: Create Profile
After the payload was created and tested we started the process of building an easy to trust facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female. A fitting photograph was found by searching google images and used for the fake Facebook profile. The profile was populated with information about our experiences at work by using combined stories that were collected from real employee facebook profiles.

71. Facebook Hack Step 3: Create Profile (repeat of slide 70)

72. Facebook Hack Step 4: Attack Launch
Upon completion we joined the company facebook group. The joining request was approved in a matter of hours and within twenty minutes of being accepted as group members, legitimate customer employees began sending friendship requests. In addition we made hundreds of outbound requests. The friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors. Having collected a few hundred friends, we began chatting.

73. Facebook Hack Step 5: Attack On
Conversations were based on work related issues that we were able to collect from legitimate employee profiles. After a period of three days of conversing and sharing links, we posted our specially crafted link to our facebook profile. The title of the link was "Omigawd have you seen this I think we got hacked!" .. and people started clicking on the link and verifying their credentials. Ironically, the first set of credentials that we got belonged to the hiring manager.

74. Facebook Hack Step 6: Success
Using those credentials one had access to the web-vpn which in turn gave access to the network. Those credentials also allowed access to a majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc. The Facebook hack has worked.

75. Hotmail Outage
Tuesday, February 16, 2010. Hotmail Users Look for Answers in Dangerous Places.
An outage of the Windows Live ID service affected a large number of MSN users today including users of the popular Hotmail email service. Hotmail is one of the largest web based email outlets and not surprisingly news of the outage spread quickly as users were not able to access their email. Those hoping to find more information on Google may have ended up with more than they bargained for. Blackhats have once again worked their magic to infect users looking for news related to the outage. In fact, 8 out of the top 10 results for "hotmail service unavailable" returned dangerous URLs.

78. Le Twitter hack

79. Le Twitter Hack (From lalawaq.com)

80. Clicking Blindly
Case Study: Clicking blindly! Settled in for a nice bit of surfing in the library! Study! Ah hah! Just don't click the link blindly! Whoops! That's a big load of malware you just got, with sound effects! (From EDUCAUSE)

81. You don't want to look like this! Case Study: Clicking blindly!

82. Case Study: Clicking blindly!
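The cross-site scripting mechanism described in the Facebook case study (slide 68, the client-side variant where markup rides in a crafted URL) can be shown from the defender's side: a page that reflects a URL parameter straight into its HTML beside one that encodes it first, plus a check that tells the two results apart. This is an added example, not material from the slides or from SnoSoft/Netragard; the URL, parameter name and page template are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed URL (not from the case study): the "msg" query parameter carries
# markup, which is what a crafted link delivers to the victim's browser.
CRAFTED_URL = "https://status.example.test/notice?msg=%3Cscript%3Edemo()%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, URL-decoded
    (empty string if absent), the way a web framework would hand it to a view."""
    params = parse_qs(urlparse(url).query)
    return params.get(name, [""])[0]


def render_unsafe(msg: str) -> str:
    """Vulnerable form: the parameter is placed into the page verbatim, so any
    '<' and '>' it contains become live markup when the browser parses the page."""
    return f"<p>Status: {msg}</p>"


def render_safe(msg: str) -> str:
    """Hardened form: HTML-encode the untrusted value before it reaches the page.
    '<', '>', '&' and quotes become entities, so the browser displays them as text."""
    return f"<p>Status: {html.escape(msg, quote=True)}</p>"


def contains_live_tag(page: str, tag: str = "script") -> bool:
    """Review check for rendered output: does the injected element survive as
    real markup (a literal '<tag' sequence) rather than as encoded text?"""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    injected = query_param(CRAFTED_URL, "msg")
    print("unsafe page :", render_unsafe(injected))
    print("safe page   :", render_safe(injected))
    print("unsafe page carries live tag:", contains_live_tag(render_unsafe(injected)))
    print("safe page carries live tag  :", contains_live_tag(render_safe(injected)))
```

Encoding at the output point is the fix the slide's "sufficient input validation" remark is pointing at; a whitelist on the input side is a complement, not a substitute, because the same value may be rendered in several places.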