NETE4630 People Layer Security, Lecture 9, Supakorn Kungpisdan, [email protected]
Outline
• Attacking People Layer
• Defending People Layer
• Risk Management
NETE46302
Introduction
• OSI 7-layer reference model is a framework for data communications
• Security can be breached by exploiting the flaws and weaknesses of protocols and their implementation, at each layer of the OSI model
• Hardware and software behaviors are repeatable
• But people are not as consistent as machines; some refuse to follow basic security rules, e.g. they do not read the necessary manuals, they take shortcuts, and so on
• The people layer (layer 8) has been added to address the impact of human error
Attacking the People Layer
• Hacking needs to attack where the information is stored
– Computers or people?
– Which one is easier to get the information from?
• 80% of a corporation’s knowledge resides with its employees
• This helps attackers in two ways:
– Employees have a treasure trove of information
– Humans are easier targets than computers
Attacking the People Layer (cont.)
• “Whatever the potential of the Internet, most observers recognize that information collection today is more widespread offline and online”
US Federal Trade Commission chairman, Timothy J. Muris
• “The greatest risk of misuse of your personal information is from lost or stolen wallets and purses, not online information, as many think”
Jan Dulney, president of Better Business Bureau of Western Ontario
Social Engineering
• Social engineering is the process of using psychology to encourage people to give you the information or access that you want
• Involves deceit and manipulation, and can be done face-to-face, remotely but still interactively (e.g. by phone), or indirectly through technology
Social Engineering (cont.)
• Authority: pretend to be in a position of authority
• Liking: a social engineer appears likeable; most people will react to him or her in a positive way
• Reciprocation: when someone gives us a gift or does us a favor, we want to give something in return
• Consistency: once people have committed to a position, they want to act consistently with it
• Social validation: people want to be accepted, and the best way to belong is to be like everyone else
• Scarcity: people want things that are in short supply or only available for a short time; if offered such a thing, he or she is motivated to accept it
In Person
• It is safer to use social engineering from afar (e.g. over the phone), but sometimes an in-person attack is needed
• In person is suitable if the goal is to gain physical access to a computer system or to obtain materials that are not in electronic form
• People are often more suspicious of unusual requests made over the phone than of someone presenting the same request in person
• Examples: unauthorized entry, theft
Unauthorized Entry
• Piggybacking (aka tailgating): follow an authorized person through an entrance or door
• Fake ID templates are available online, e.g. at www.myoids.com
• If a door requires a personal identification number (PIN) for entry, try shoulder surfing
• Once unauthorized entry is achieved, the attacker can do many things, including installing a hardware keystroke logger
• Two types of keystroke loggers: hardware and software
Hardware Keyloggers
• Not detectable by software running on the host, can record all keystrokes, and can record keystrokes before the OS is loaded (e.g. a BIOS password)
• But the attacker has to return to retrieve the hardware keylogger and its recorded data
Software Keyloggers
• Can be installed through social engineering
• Can tell which program the user is executing
• Can categorize the keystrokes for the attacker
• Can send the captured keystrokes to the attacker via email, IRC, or another communication channel
Spector360
http://www.spector360.com/overview/record.htm
[Slides 12 to 24: screenshots of the Spector360 monitoring product; no text content]
Detecting Hardware Keyloggers
• Can only be done by inspecting the keyboard connection
• They don't run inside the computer as a program; there is no trace of them in memory
• KeyGhost Ltd. makes a keyboard with a built-in keystroke logger, so that even visual inspection is insufficient
Detecting Software Keyloggers
• Use scanning software to inspect files, memory, and the registry for signatures of known keyloggers and other spyware
• Some programs that detect keyloggers are:
– FaceTime Enterprise Edition
– Windows Defender
– Ad-Aware
– Spybot Search & Destroy
– Webroot Spy Sweeper Enterprise
– Spyware Doctor
Theft
• A 2005 survey conducted by the Computer Security Institute and the FBI found that laptop theft was the second greatest security threat (after viruses), tied with insider abuse of network access.
• Irwin Jacobs, the founder and CEO of Qualcomm, lost his laptop, which contained sensitive information, after giving a presentation.
MOM
• There are three components of theft: means, opportunity, and motive (MOM).
• The means for this theft was having a scheme
• The motive was the value of the computer and its data
• The opportunity came from poor protection of the computer.
Defending Against Theft
• STOP Security Plate
http://www.computersecurity.com/stop/index_b.html
Motion Sensor Alarm Lock
• Sounds a 110 dB alarm if the cable is cut
• When motion sensor is on it also sounds alarm if moved
• Heavy duty construction suitable for computers and A/V equipment in laboratories and public areas
www.securitykit.com/drive_locks.htm#alarms
Defending Against Theft (cont.)
• To recover a stolen laptop, you can use a program that will phone home when your laptop is connected to the Internet, such as:
– www.securitykit.com/pc_phonehome.htm
– www.absolute.com/public/computraceplus/laptop-security.asp
– www.xtool.com/p_computertracker.asp
– www.ztrace.com/zTraceGold.asp
Dumpster Diving
• Searching trash for useful information
• Dumpster diving depends on a human weakness: the lack of security knowledge
• Many things can be found dumpster diving (e.g., CDs, DVDs, hard drives, company directories, and so forth)
Example
• The most famous example of dumpster diving was performed by Jerry Schneider in southern California.
• While in high school in 1968, Jerry found documentation on Pacific Telephone's automated equipment ordering and delivery system. He used the system to order equipment, which he collected and sold as "refurbished".
• He accumulated hundreds of thousands of dollars worth of telephone equipment and established Creative Systems Enterprises to sell it; some of it was sold back to Pacific Telephone.
Example (cont.)
• In January 1972 he was arrested
• Police raided CSE's offices and warehouse; the District Attorney estimated the equipment found there was worth $8,000
• At this time they learned that Schneider had made off with $125,000 worth of gear; Schneider later admitted to nearly $900,000
• At the age of 21, he started a security company in 1973, which he left in 1977
Password Management
• Users are given a lot of advice about setting passwords: make them long, complex, unique, and change them frequently.
• Ironically, users who try to heed this advice sometimes fall into another pitfall: they write their passwords down and protect them poorly.
• Post-it notes are left on monitors or under keyboards
• Forms of password attacks:
– finding passwords
– guessing passwords
Password Management (cont.)
• With physical access to a computer, additional opportunities become available.
• If an attacker doesn’t mind being detected, he or she can change the administrator’s password instead of cracking it.
• This type of attack involves booting the system from an alternate operating system (e.g., Linux) via CD, equipped with a New Technology File System (NTFS) driver for Windows, and overwriting the stored password hash on disk. Full-disk encryption (e.g., BitLocker) defeats this offline edit, because the disk cannot be read without the key.
Password Management (cont.)
• Some programs that reset the password this way are:
– Windows Password Recovery
– Petter Nordahl-Hagen's Offline NT Password & Registry Editor
– Emergency Boot CD
– Austrumi
Password Management (cont.)
• People have multiple passwords for various things (e.g., bank accounts, investment sites, e-mail accounts, instant messaging accounts, and so forth).
• How can a person remember so many unique passwords without writing them down?
Phone
• Social engineering by phone has one advantage over in-person attacks: an easy getaway.
– As long as the call isn't traceable, all an attacker has to do is hang up.
• Another advantage is that people only have to sound, not look, authentic on the phone.
• Having the caller’s spoofed ID on the target’s phone display an internal extension or the name and number of another company location, gives the attacker credibility as an insider.
Fax
• Generally, a fax is a poor communication medium for social engineering, because there is no personal interaction.
• However, a fax does show the telephone number of the sending fax machine; that number comes from the configuration of the sending machine itself, so the sender can set it to anything.
• Combine this with authentic-looking stationery, and it is easy to fool people.
• Fax machines located out in the open are vulnerable, because passersby can take documents that are left on top of the machine.
Fax (cont.)
• There aren’t many fax machines being used anymore that use an ink ribbon or Mylar ink sheet; however, if you do find one, you might be able to read what was printed on the ribbon.
• The waste basket nearest to the fax machine is also a good place to look for interesting discarded faxes.
• Fax servers also deliver faxes to e-mail inboxes.
• E-mail accounts often use protocols such as SMTP and POP that, unless wrapped in TLS, transfer passwords in clear text; such accounts are therefore quite vulnerable.
Internet
• Social engineering can also be conducted over the Internet.
• E-mail messages and fraudulent Web sites might carry an air of legitimacy and authority that is lacking on the telephone.
• It is easy to spoof the e-mail address of a sender to make it look legitimate.
• E-mail messages can contain Hypertext Markup Language (HTML) to make them look professional. Armed with false legitimacy, several popular scams can occur.
Internet (cont.)
• One such scam involves a person claiming to be a Nigerian government official who asks the reader for help transferring money out of his or her country.
• If the reader agrees to allow monetary transfers into his or her bank account, he or she is supposed to receive a substantial fee.
• Once the reader agrees to participate, the scammer asks him or her to pay various bribes and fees, which actually goes to the scammer.
• Of course, the big transfer never occurs and the reader never gets paid.
Internet (cont.)
• The “You have already won one of these three great prizes!” scam works by the user sending the scammer a “handling fee” who in turn is supposed to forward the prize.
• The amount of the handling fee is unspecified and is usually greater than the value of the prize.
Phreaking
• Before cellular phones (also known as cell phones), there were pay phones and calling cards.
• Calling-card numbers could be obtained surreptitiously by shoulder-surfing the card owner while he or she entered the digits on the pay phone.
• Another way to get free telephone service is to use electronic devices known as phreak boxes (the best known being the blue box).
• Phreak boxes work by sending special signaling tones over a channel that was established for a voice conversation.
Phreak Boxes [figure slide]
Phreak Boxes (cont.)
• Joe Engressia (a.k.a. joybubbles) discovered that the telephone network reacted to whistling into the phone at exactly 2600 Hertz (Hz).
• He learned that this was the tone the network used to mark a long-distance trunk as idle; sending it let the caller seize the trunk (i.e., free long distance).
• Joe passed this information on to John Draper, who combined it with his knowledge of electronics and built a phreak box that played the 2600 Hz tone onto the phone line.
Caller ID Spoofing and Cell Phones
• Using TeleSpoof or another caller ID-spoofing Web service, an attacker accessed Paris Hilton's T-Mobile Sidekick account and downloaded all of her data.
• Her account authenticated her on the basis of caller ID instead of a password.
• Even though her Sidekick account was password-protected, an attack on T-Mobile's Web site reset Hilton's password.
• A social engineering attack was also used, by an adversary claiming to be with T-Mobile customer service; the spoofed caller ID on her phone's display appeared to confirm this.
Short Message Service
• The Short Message Service (SMS) permits a cell phone or Web user to send a short text message to another person’s cell phone.
• If the recipient’s cell phone is Web-enabled, clicking on a hyperlink appearing in a SMS message will cause the cell phone to surf to the Web site addressed by that hyperlink.
• The Web site could download malicious content to the cell phone, which could cause a number of problems (e.g., revealing the phone’s contact list).
Disguising Programs
• The default setting in Windows XP is to hide file extensions for known file types.
• The attacker can create a malicious program and name it syngress.jpg.exe or something similar.
• Windows hides only the final .exe, so the name is displayed as syngress.jpg: the user sees what looks like a .jpg extension, while Windows treats .exe as the real extension and runs the file as a program.
• Because the visible extension does not indicate an executable file, the recipient feels safe opening it.
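An added example (Python, not from the lecture) of the double-extension trick above: it reproduces what Explorer displays when known extensions are hidden and flags names whose visible extension looks harmless while the real extension is executable. The list of executable extensions is an assumed subset of Windows' PATHEXT; the file names are constructed.

```python
import os

# Assumed subset of the Windows PATHEXT extensions that run as programs.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi"}


def displayed_name(filename, hide_known_extensions=True):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is hidden, every earlier dot stays visible."""
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def real_extension(filename):
    """The extension Windows actually uses to decide how to open the file."""
    return os.path.splitext(filename)[1].lower()


def is_deceptive(filename):
    """True when the name the user sees ends in a non-executable extension
    (e.g. .jpg) but the file really runs as a program (e.g. .exe)."""
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return (real_extension(filename) in EXECUTABLE_EXTS
            and shown_ext != ""
            and shown_ext not in EXECUTABLE_EXTS)


if __name__ == "__main__":
    # Constructed sample names, including the lecture's syngress.jpg.exe.
    for name in ["syngress.jpg.exe", "invoice.pdf.scr", "setup.exe", "photo.jpg", "a.exe.exe"]:
        print(f"{name:18} shown as {displayed_name(name):14} deceptive={is_deceptive(name)}")
```

A mail gateway or endpoint agent can apply `is_deceptive` to attachment names; the check is cheap and catches the trick regardless of which harmless-looking extension the attacker picks.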
Phishing
• Another attack that combines social engineering and technology is called phishing.
• An e-mail message is sent that appears to be from a company that the recipient has an account with
• The message contains some pretext for needing the recipient’s account identification and authentication credentials (usually a password).
• To verify the recipient’s account, the target is asked to click on a hyperlink in the e-mail message.
• The displayed link text looks like a legitimate address, but the actual link target is the attacker's Web site
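An added example (Python standard library only, not part of the lecture) of the displayed-address-versus-real-address mismatch just described: it parses the anchors in an HTML message and reports links whose visible text names one domain while the href points somewhere else, links whose host is a bare IP address, and links shown as https but actually plain http. The message body and all domain names in it are constructed for the example; the registrable-domain helper is a deliberate approximation (last two labels) rather than a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing body; every domain and address is invented.
SAMPLE_MAIL = """
<p>Dear customer, your account will be suspended unless you verify it:</p>
<a href="http://198.51.100.7/examplebank/verify">https://www.examplebank.com/verify</a>
<p>Or use our secure portal:</p>
<a href="https://www.examplebank.com.account-check.net/login">www.examplebank.com</a>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

# Visible anchor text that itself looks like a URL or a host name.
URL_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Approximation: the last two labels. A real filter would consult the
    Public Suffix List (assumed unnecessary for this illustration)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means the
    visible text and the real target are consistent."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if IPV4_RE.match(host):
        reasons.append("link host is a raw IP address")
    m = URL_RE.match(text)
    if m:
        shown = m.group(1).lower()
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"displayed domain {shown} but link goes to {host}")
        if text.lower().startswith("https://") and parts.scheme == "http":
            reasons.append("displayed as https but link is plain http")
    return reasons


def suspicious_links(html):
    """All links in the message that trigger at least one reason."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The third link (plain descriptive text, same-domain href) is not flagged, which is the point: the check targets the specific deception of showing one address and linking to another, not links in general.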
Phishing (cont.) [figure slide]
SSL MITM Attacks
• Because the communications are secured with SSL, intercepted traffic would not be readable; simply sniffing the connection gains the attacker nothing.
• An attacker could replace the website certificate with his or her own certificate and send it to a user, but the certificate would have problems
• The attacker’s certificate could be for the wrong domain name, or it could have the correct domain name but not be issued by a known or trusted CA
• Most users would not know what to do with such a warning. They are unlikely to heed it and likely to click OK.
SSL MITM Attacks (cont.)
• Attacker creates his or her own certificate
• On any other document, the signature would be detected as a forgery
• However, if the attacker makes up a convincing name for a CA that he or she controls, the digital signature on the certificate will verify correctly against that CA's key
• The only problem is that the attacker's CA is unknown to the browser, so the browser warns the user that there is no trusted root certificate for the signer of this certificate
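An added example (Python, not from the lecture) that models the two checks the browser is making when it raises the warnings described in these two slides: does a name in the certificate match the site the user asked for (including the leftmost-label wildcard rule), and is the issuer a trusted root? The certificates and the trust store are constructed dictionaries; signature verification and full chain building are deliberately left out, so this models the name and trust-anchor decisions only.

```python
from datetime import date

# Constructed trust store: the only CA this "browser" trusts.
TRUSTED_ROOTS = {"Example Root CA"}

# Constructed certificates. The legitimate one and both attacker variants the
# slides describe: wrong name signed by a real CA, right name signed by a made-up CA.
GOOD_CERT = {
    "san": ["www.examplebank.com", "examplebank.com"],
    "issuer": "Example Root CA",
    "not_before": date(2020, 1, 1), "not_after": date(2099, 12, 31),
}
ATTACKER_SELF_CA_CERT = {
    "san": ["www.examplebank.com"],
    "issuer": "Totally Legit Certificate Authority",   # attacker-controlled CA
    "not_before": date(2020, 1, 1), "not_after": date(2099, 12, 31),
}
ATTACKER_WRONG_NAME_CERT = {
    "san": ["secure-login.attacker.example"],
    "issuer": "Example Root CA",
    "not_before": date(2020, 1, 1), "not_after": date(2099, 12, 31),
}


def match_hostname(pattern, hostname):
    """RFC 6125 style matching: case-insensitive; '*' is allowed only as the
    entire leftmost label, must leave at least two labels after it, and
    matches exactly one label (so *.example.com never matches example.com
    or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    return plabels[1:] == hlabels[1:]


def check_certificate(cert, hostname, trusted_roots=TRUSTED_ROOTS, today=None):
    """Return the browser-style warnings for a certificate presented for
    hostname; an empty list means the connection would proceed silently."""
    today = today or date.today()
    warnings = []
    if not any(match_hostname(name, hostname) for name in cert["san"]):
        warnings.append("hostname mismatch")
    if cert["issuer"] not in trusted_roots:
        warnings.append("issuer not trusted")
    if not (cert["not_before"] <= today <= cert["not_after"]):
        warnings.append("certificate expired or not yet valid")
    return warnings


if __name__ == "__main__":
    site = "www.examplebank.com"
    for label, cert in [("legitimate", GOOD_CERT),
                        ("attacker, own CA", ATTACKER_SELF_CA_CERT),
                        ("attacker, wrong name", ATTACKER_WRONG_NAME_CERT)]:
        print(f"{label:22}: {check_certificate(cert, site) or 'no warnings'}")
```

Either warning is the browser's only signal that a MITM is in progress, which is why the slides stress that users clicking through it is the real weakness, not the cryptography.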
Outline
• Attacking People Layer
• Defending People Layer
• Risk Management
Defending the People Layer
• People appear to be the weakest link in the security chain.
• Once a computer is programmed to behave a certain way, it behaves that way consistently.
• However, the same can’t be said about people, who can be a major source of risk.
• However, there are things that can be done to ameliorate that risk.
• The first line of defense is security policies.
Policies, Procedures, and Guidelines
• All security flows from policies, which express the general way that a company operates and are the basis for all decision making.
• A policy tells employees what is expected of them in the corporate environment.
• Most companies have a mission statement that defines the organization's purpose.
• Policies should be written consistent with the organization’s mission statement.
• The mission statement and policies must also comply with all applicable laws.
Policies, Procedures, and Guidelines (cont.)
• General policies are broad.
• A procedure gives detailed instructions on how to accomplish a task in a way that complies with policy.
• A practice is similar to a procedure, but not as detailed.
• A standard specifies which technologies and products to use in order to comply with policy.
• Guidelines explain the spirit of policies, so that in the absence of appropriate practices and procedures an employee can infer what management would like him or her to do in certain situations.
Types of Policies
• General policies cover broad topics (e.g., the secure use of company property and computing facilities).
• Information security policy is restricted to protecting information.
• Issue-specific security policies cover narrower topics such as the appropriate use of the e-mail system.
• System-specific security policies cover, for example, the differences between how Macs and PCs should be used and secured
Policies, Guidelines, and Procedures [figure slide]
Who Creates Security Policy?
• Effective policies must come from the highest levels of management.
• A Chief Information Security Officer (CISO) should be appointed to write policies that make information security an integral part of business practices.
• Business managers must be included in developing the policies so that they understand the security measures
• You will get the benefit of their knowledge in their respective business areas, while also instilling in them some ownership of the policies, which will motivate them to enforce the policies.
Data Classification
• Public: Anyone inside or outside the company can obtain this information.
• Internal: This information is not made available outside the company.
• Limited Distribution: This information is only given to the individuals named on the distribution list. Each copy is uniquely identified; additional copies are never made.
• Personal: This information pertains to an employee’s individual status (e.g. employment terms, appraisals, benefit claim, and so forth).
US Military Classification
• Unclassified: Information that can be copied and distributed without limitation.
• Sensitive But Unclassified (SBU): “Any information of which the loss, misuse, or unauthorized access to, or modification of might adversely affect U.S. National interests, the conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.”
• Confidential: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.”
US Military Classification (cont.)
• Secret: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.”
• Top Secret: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.”
Education, Training, and Awareness Program
• Security is not intuitive; most people do not think in those terms (e.g., a help desk analyst is trained to be helpful, not suspicious).
• Therefore, if everyone is a potential vulnerability and employees do not have the necessary outlook and knowledge, there is a clear need for education, training, and awareness programs
Education
• The main countermeasure to social engineering is education.
• Employees should know what social engineering attacks look like.
• Short educational demonstrations depicting an employee and a social engineer can provide a good introduction to the principles behind social engineering attacks, which include authority, liking, reciprocation, consistency, social validation, and scarcity.
Education (cont.)
• All employees should:
– Know to challenge people trying to enter the building without a badge
– Understand data classification labels and data handling procedures
– Know what to do with attachments to received e-mail messages
– Know not to bring in software from home
• Some employees need specialized security training:
– Programmers need to learn how to develop secure applications
– Information security personnel need to know the procedures for selecting and applying safeguards to assets
– Network infrastructure specialists need to know how to deploy network components securely
Education (cont.)
• Upper management plays an important role in information security
– Management funds the security projects
– Management is responsible for due care and due diligence
– Data owners are officers of the company and must classify data
– Data custodians implement and maintain management's data classification decisions
– Management ensures that everyone in the company (including themselves) does their part to secure the enterprise
– Management sets an example and adheres to security policies
Due Care and Due Diligence
• Due care Steps taken to show that a company has taken responsibility for the activities that occur within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.
• Due diligence The process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.
Training
• Education is about principles; it's more general.
• Training is about procedures; it's more specific.
• There should be separate training programs for general employees, programmers, security professionals, and management.
• Training is necessary because people benefit from repetition, it shows the ongoing commitment to security, and the security situation of the company changes as the company and the world around it change.
Security Awareness Programs
• Once an employee has been trained, we must continue to reinforce the messages to make them stick, and to increase the employee’s understanding
Security Awareness Tools
• A column in the weekly or monthly company periodical
• A security newsletter—on paper or in e-mail
• A sticker on the employee’s keyboard
• Posters in the common area
• Contests that reward employees for positive behavior with respect to security
• Banner messages that appear when a user logs onto their computer, or when they start a specific program such as e-mail
• A note in their paycheck envelope
• An announcement on the public address system
• A special mailing to the employees’ homes
• A measured goal on the employee’s performance plan, to be evaluated in the employee’s appraisal
• Employees should sign an agreement to follow the policies when hired, and then annually
Evaluation
• Attendance in the classes alone is not sufficient.
• Evaluation can tell us whether the knowledge is present in the employee.
• Evaluation can be broken down into levels.
• This allows an employee to have some success even before he or she is able to master all the things we want him or her to know.
Testing
• Written evaluations measure knowledge, but what we want most is to measure performance.
• How well will individuals, and the enterprise as a whole, perform when faced with a threat?
• Companies should perform periodic penetration tests.
• If several individuals are involved, the group is called a tiger team or a red team.
• A pen test is only conducted with the written permission of management.
Penetration Testing
• A full pen test attacks the following areas:
– Technical controls: firewalls, servers, applications
– Physical controls: guards, visitor log, surveillance cameras
– Administrative controls: policies and procedures
– Personnel: compliance with policies and procedures, awareness of social engineering
White-box VS Black-box Pen Test
• A white-box test could be performed by company insiders and takes advantage of all the documentation for the network architecture, the policies and procedures, the company directory, etc.
• A black-box penetration test is normally done by outsiders, since it requires that the testers have no advance knowledge of the company's internal workings.
Outline
• Attacking People Layer
• Defending People Layer
• Risk Management
Risk Management
• Risk management is the process of identifying risks to an organization’s assets and then implementing controls to mitigate the effects of those risks
• An asset is a person or object that adds value to an organization.
• We also need to identify the threats each asset must be protected from (e.g., theft, hurricane, and sabotage).
• This determination measures our vulnerability to each threat.
• Then we begin thinking about specific protection mechanisms, called controls
Risk Management (cont.)
• Once the controls are in place, we evaluate them using vulnerability assessments to see how vulnerable our systems and processes remain.
• We conduct penetration tests to emulate the identified threats; if the results fall short of our expectations, we get better or additional controls
General Risk Management Model [figure slide]
Asset Identification
• Personnel
• Buildings
• Equipment
• Furniture
• Software (purchased and home-grown)
• Intellectual property
• Inventory
• Cash
• Processes
• Reputation
Asset Valuation
• The cost to design and develop or acquire, install, maintain, and protect the asset
• The cost of collecting and processing data for information assets
• The value of providing information to customers
• The cost to replace or repair the asset
• Depreciation; most assets lose value over time
• Acquired value; information assets may increase in value over time
• The value to a competitor
• The value of lost business opportunity if the asset is compromised
• A reduction in productivity while the asset is unavailable
Threat Assessment
• Quantitative assessment: try to assign accurate numbers to such things as the seriousness of threats and the frequency of occurrence of those threats.
• Qualitative assessment: utilize the experience and wisdom of our personnel to rank and prioritize threats.
Quantitative Assessment
• Single Loss Expectancy (SLE)
SLE = asset value x exposure factor
• The exposure factor (EF) is the percentage of the asset value that would be lost in a single incident
• EF, and hence SLE, can exceed 100% of the asset value when an incident causes losses beyond the asset itself (e.g., fines or lost business)
• The expected frequency of the threat per year is the Annualized Rate of Occurrence (ARO)
• If we expect a threat to occur three times per year on average, then the ARO equals 3
Annual Loss Expectancy
• The ALE represents the yearly average loss over many years for a given threat to a particular asset
ALE = SLE x ARO
Annual Loss Expectancy (cont.)
• Some risk assessment professionals add another factor: uncertainty
ALE = SLE x ARO x uncertainty
where uncertainty is 1 for complete certainty and greater than 1 for increasing uncertainty
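An added worked example (Python, not part of the lecture) that carries the SLE, ALE and uncertainty formulas above through a laptop-theft scenario and adds the cost/benefit comparison a practitioner applies before buying a control: the control is worth it only if the ALE it removes exceeds what it costs per year. Every dollar figure, exposure factor, ARO and control cost is an assumption chosen for illustration.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF. EF is a fraction (1.0 = 100%) and may exceed
    1.0 when consequential losses are larger than the asset's own value."""
    if asset_value < 0 or exposure_factor < 0:
        raise ValueError("asset value and exposure factor must be non-negative")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro, uncertainty=1.0):
    """ALE = SLE x ARO x uncertainty. ARO is incidents per year and may be
    fractional (0.1 = once per decade); uncertainty is 1.0 when certain."""
    if aro < 0 or uncertainty < 1.0:
        raise ValueError("ARO must be non-negative and uncertainty >= 1.0")
    return sle * aro * uncertainty


def control_value(ale_before, ale_after, annual_control_cost):
    """Net annual benefit of a control: (ALE before - ALE after) - its cost.
    Negative means the control costs more per year than the risk it removes."""
    return (ale_before - ale_after) - annual_control_cost


def laptop_theft_scenario():
    """Assumed scenario: a $5,000 laptop (hardware plus the data on it) is
    stolen on average twice a year, and with no encryption all of its value
    is lost each time (EF = 1.0)."""
    asset_value = 5_000.0
    sle_before = single_loss_expectancy(asset_value, exposure_factor=1.0)   # 5,000
    ale_before = annual_loss_expectancy(sle_before, aro=2.0)               # 10,000
    # Assumed control: cable locks plus full-disk encryption. Thefts drop to
    # one every two years (ARO 0.5) and only the hardware is lost (EF 0.6).
    sle_after = single_loss_expectancy(asset_value, exposure_factor=0.6)   # 3,000
    ale_after = annual_loss_expectancy(sle_after, aro=0.5)                 # 1,500
    net = control_value(ale_before, ale_after, annual_control_cost=800.0)  # 7,700
    return {"sle_before": sle_before, "ale_before": ale_before,
            "sle_after": sle_after, "ale_after": ale_after, "net_benefit": net}


if __name__ == "__main__":
    for name, value in laptop_theft_scenario().items():
        print(f"{name:>11}: ${value:,.0f}")
    # Same threat with the optional uncertainty factor applied.
    print("ALE before, 1.5x uncertainty:",
          annual_loss_expectancy(5_000.0, 2.0, uncertainty=1.5))
```

The uncertainty factor inflates only the ALE, so it makes the case for a control stronger, not weaker; a team that is unsure of its ARO estimates should therefore use it on the before side and justify any after-side reduction explicitly.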
Quantitative Assessment (cont.) [figure slide]
Qualitative Assessment
• A qualitative assessment is based on the experience, judgment, and wisdom of the members of the assessment team.
• Delphi Method A procedure for a panel of experts to reach consensus without meeting face-to-face.
• Modified Delphi Method May include extra steps such as validating the expertise of panel members, or allowing some personal contact.
• Brainstorming Somewhat less structured. A group leader establishes ground rules and guides the experts through the process
Qualitative Assessment (cont.)
• Storyboarding Processes are turned into panels of images depicting the process, so that it can be understood and discussed.
• Focus Groups Employ panels of users who can evaluate the user impact and state their likes and dislikes about the safeguard being evaluated.
• Surveys Used as an initial information-gathering tool. The results of the survey can influence the content of the other evaluation methods.
• Questionnaires Limit the responses of participants more than surveys, so they should be used later in the process when you know what the questions will be
Qualitative Assessment (cont.)
• Checklists Used to make sure that the safeguards being evaluated cover all aspects of the threats.
• Interviews: useful in the early stages of evaluation. They usually follow the surveys to get greater detail from participants, and to allow a free range of responses.
• These techniques are used to rank the risks in order to determine which should be handled first, and which should get the largest budget for countermeasures.
Control Design and Evaluation
• Deterrent: make it not worth it to the attacker to intrude
• Preventive: prevent incidents from occurring
• Detective: detect incidents when they occur
• Recovery: mitigate the impact of incidents when they occur
• Corrective: restore safeguards and prevent future incidents
Residual Risk Management
• Avoidance: reduce the probability of an incident
• Transference: give someone else (e.g., an insurance company) the risk
• Mitigation: reduce the impact (exposure factor) of an incident
• Acceptance: determine that the risk is acceptable without additional controls
Residual Risk Management (cont.)
• Risk cannot be eliminated; it can only be reduced and handled.
• After reducing risk through avoidance, transference, or mitigation, whatever risk remains is known as residual risk.
• If the residual risk is at a level which the company can live with, then the company should accept the risk, and move on to the next threat.
• If the residual risk is too large to accept, then additional controls should be implemented to avoid, transfer, and mitigate more risk.
Questions?