Cyber-Security: An Eye Cyber-Security: An Eye Opener to the SocietyOpener to the Society

Presented by Ms. Edith Turuka

Telecommunications Engineer – Ministry of Communications Science and Technology

11th June, 2012

AgendaAgenda

Introduction;Reconnaissance and

Countermeasures;Corporate IT Security policy;Conclusion and

Recommendations.

Introduction – Cyber-Introduction – Cyber-SecuritySecurityBefore discussing about cyber-security lets take a quick glance at the following:

Do we need to know about cyber crimeWhat exactly cybercrime isWho can do cyber crimeWhy conduct cyber crimeTypes of cyber crimeImpacts of cyber crime

Introduction – Cyber-Introduction – Cyber-SecuritySecurity

• Protecting information from unauthorized access or destruction / abuse.

3 aspects under consideration (CIA triad)ConfidentialityIntegrity Availability

How careless are How careless are weweHow vulnerable are How vulnerable are wewe

Reconnaissance Reconnaissance techniques - Low tech techniques - Low tech methodsmethodsSocial Engineering

Reconnaissance Reconnaissance techniques – techniques – Low tech methods Low tech methods cont…cont…Physical Break-In

Reconnaissance techniques Reconnaissance techniques – – Low tech methods Low tech methods cont…cont…

Dumpster Diving

Reconnaissance Reconnaissance techniques - Low tech techniques - Low tech methods countermeasuresmethods countermeasures

User awarenessSecurity badges / biometrics e.g Iris scan, hand geometry, motion detectors, voice, blood vessels / Tailgate detection system

Monitor devises taken in / out Use locks on cabinets containing sensitive information, servers

Use automatic password-protected screen servers

Encrypt stored files, HDD, DBPaper shredder, destroy devises e.g HDD before discarding

Other Reconnaissance Other Reconnaissance techniques techniques General web searchesThe use of databases e.g Whois, DNSDifferent Reconnaissance tools are

available!Wireshack, keylogger, Nmap, Samspade e.t.c

CountermeasuresSecurity policyInformation on public database - keep to

minimum

Notable quotes….Notable quotes….Notorious hacker Kevin Mitnick said,

"The weakest link in the security chain is the human element," 6

According to a March 2000 article in the Washington Post. He went on to say that in more than half of his successful network exploits he gained information about the network, sometimes including access to the network, through social engineering. 6

“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” 6

Case study….Case study….

Social EngineeringSocial EngineeringMonday morning, 6am; the electric

rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off.  On the way to work you're thinking of all you need to accomplished this week. 

Then, on top of that there's the recent merger between your company and a competitor. One of your associates told you, you better be on your toes because rumors of layoff's are floating around.

Social EngineeringSocial Engineering

You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie, and turn to head to your cube when you notice, sitting on the back of the sink, is a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it.  The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk.  It looks like your associate has good reasons for concern, and you're about to find out for your self.

And soAnd soThe Game Is In Play: People Are The

Easiest Target

You make it to your desk and insert the CD-ROM.  You find several files on the CD, including a spreadsheet which you quickly open.  The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain".  You quickly search for your name but cannot find it.  In fact, many of the names don't seem familiar.  Why would they, this is pretty large company, you don't know everyone.

Since your name is not on the list you feel a bit of relief.  It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.

Let's Take A Step Back In Let's Take A Step Back In TimeTime

The CD you found in the restroom, it was not left there by accident.  It was strategically placed there by me, or one of Security Consulting employees. 

You see, a firm has been hired to perform a Network Security Assessment on your company. 

In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.

Bingo - GotchaBingo - GotchaThe spreadsheet you opened was not

the only thing executing on your computer.

The moment you open that file you caused a script to execute which installed a few files on your computer. 

Those files were designed to call home and make a connection to one of our servers on the Internet.  Once the connection was made the software on the Security firms servers responded by pushing (or downloading) several software tools to your computer. 

Tools designed to give the team complete control of your computer.  Now they have a platform, inside your company's network, where they can continue to hack the network.  And, they can do it from inside without even being there.

This is what we call a 180 degree This is what we call a 180 degree attack.attack.

Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet. 

You took care of that for us.  Many organizations give their employees

unfettered access (or impose limited control) to the Internet. 

Given this fact, the security firm devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network.

All we had to do is get someone inside to do it for us.

Welcome to Social Welcome to Social EngineeringEngineering

What would you have done if you found a CD with this type of information on it?

Yes it is people who are the weakest link in any security system and Social Engineering Exploits that ---

Corporate IT Security PolicyCorporate IT Security Policy

IT Security PolicyIT Security Policy

Identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources

A good IT Security PolicyA good IT Security PolicyAmongst other things,Provides sufficient guidance for development of specific procedures;Balances protection with productivity;Identifies how incidents will be handled; andShould not impede an organization from meeting its mission and goals. A good policy will provide the organization with the assurance and the “acceptable” level of asset protection from external and internal threats.Is enacted by a senior official (e.g., CEO).

Components of a good Components of a good security policysecurity policy

Security Definition Enforcement Physical Security of ICT Components Access Control to the System Security of specific components such as Servers Internet Use and Security Virus Protection Wide Area Network Issues Voice related Services Back Ups and Recovery

A working IT Security Policy is one of the A working IT Security Policy is one of the MUST HAVE pillar in any organization !!!MUST HAVE pillar in any organization !!!

EPOCA – Sections on ICT EPOCA – Sections on ICT SecuritySecurityThe Electronic and Postal

Communications Act, CAP 306 of the laws of Tanzania

Section 124 of EPOCA prohibits Unauthorized access or use of computer systems.

Section 98 of EPOCA creates a duty of confidentiality to the information received by virtue of the Communications laws.

Section 99 of EPOCA states that disclosure of such information should be authorized by the person for official duties such as operational of the laws.

Conclusion and Conclusion and RecommendationsRecommendationsWorthy noting initiatives towards a safe

cyberspace in Tanzania e.g Laws, National CERT & simcard registration

While the ICT infrastructure is protected by built in state-of-the-art security technology and solutions, it is extremely important that national capacity to safeguard its ICT assets is built, as built in protection is not sufficient and sustainable.

Security mindset / being cautious / suspicious / not taking everything for granted /awareness need be created

Important for every Organization to have an IT Security Policy and all employees comply to the terms in it.

ASANTENI SANA KWA

KUSIKILIZA