Social Engineering: Protecting Yourself on the Campus Network
TRANSCRIPT
IT Services Open Forum
Social Engineering Forum: Protecting Yourself on the Campus Network
April 16, 2009
Agenda
1. What is Social Engineering
2. Examples & Risks
   – Virus and other malware scams
   – Telephone calls
   – Unauthorized personnel visits
3. What technology is in place to help reduce risks
4. How you can avoid being a victim
5. What you should do if you are a victim
6. Questions and Answers
What is Social Engineering
Social engineering is the act of manipulating people into
performing actions or divulging confidential
information. The term typically applies to trickery or
deception for the purpose of information gathering,
fraud or computer system access. In some cases,
the hacker never comes face-to-face with the victim.
What is Social Engineering
The basic goals of social engineering are the same as
hacking in general: to gain unauthorized access to
systems or information in order to commit fraud,
network intrusion, industrial espionage, identity theft,
or simply to disrupt the system or network.
What is Social Engineering
Another aspect of social engineering relies on people's inability to keep up
with a culture that relies heavily on information technology. Social
engineers rely on the fact that people are not aware of the value of the
information they possess and are careless about protecting it. Frequently,
social engineers will search dumpsters for valuable information, memorize
access codes by looking over someone's shoulder (shoulder surfing), or
take advantage of people's natural inclination to choose passwords that
are meaningful to them but can be easily guessed. Security experts
propose that as our culture becomes more dependent on information,
social engineering will remain the greatest threat to any security system.
Prevention includes educating people about the value of information,
training them to protect it, and increasing people's awareness of how
social engineers operate.
Examples
You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice a CD-ROM sitting on the back of the sink. Someone must have left it behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoffs". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.
What would you do?
Examples
• Email from the help desk asking you for your password
• Email from your bank asking you for your account number
• Email from your email provider (such as Hotmail) asking you to verify your account information
• Phone call from your telephone company asking for your account information
• Floppy disk tossed in the trash that once contained confidential data (deleted data can be recovered with specialized software)
Virus & Malware Attacks
Various past and current examples given in presentation. For examples, contact CIU IT Help Desk.
Risks
• Violation of data security policies (FERPA, PCI, Federal, etc.), which may incur fines, embarrassment, or consequences for future business growth.
• Loss of financial resources.
• Compromise of donor information.
• Loss of personal information (anything done personally from your work computer, such as online banking).
What IT has in place to help reduce risks
• The Help Desk is the first line of defense for all IT related issues.
• Poweruser accounts do not allow viruses to be installed on your local machine. However, they do not prevent your email account from being compromised, especially if you give out your password in response to an email.
• Password criteria as well as periodic password reset requirements.
• Data breach response plan.
How do you avoid being a victim
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. Also be suspicious of emails requesting an action (such as clicking on an attachment).
   – Do not give or send passwords via email
   – Do not give passwords to co-workers or anyone else (especially those you do not know)
   – Do not allow anyone from IT to work on your computer or phone unless they are wearing an IT name badge
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don't send sensitive information over the Internet before checking a web site's security.
• Shred disks as well as other paper documents that once contained sensitive information.
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
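The slides note that a floppy tossed in the trash still yields its "deleted" data, and later tell you to shred disks. As an added illustration that is not part of the forum material, this toy block-device model shows why an ordinary delete leaves the bytes in place and what an overwrite before release changes; ToyDisk, its block size and the sample file contents are all constructed for the demonstration.

```python
"""Toy block device: ordinary delete vs. overwrite-then-delete.

Constructed illustration; not a model of any real file system.
"""

BLOCK_SIZE = 16  # constructed: small so a short file spans a few blocks


class ToyDisk:
    def __init__(self, nblocks: int) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(nblocks)]
        self.allocated: dict[str, list[int]] = {}  # file name -> block indices

    def _free_blocks(self) -> list[int]:
        used = {b for blocks in self.allocated.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(free) < len(chunks):
            raise OSError("disk full")
        idx = free[:len(chunks)]
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.allocated[name] = idx

    def delete_file(self, name: str) -> None:
        # Ordinary delete: only the directory entry disappears; block contents stay.
        del self.allocated[name]

    def shred_file(self, name: str) -> None:
        # Overwrite every block the file owns, then release the entry.
        for i in self.allocated[name]:
            self.blocks[i] = bytes(BLOCK_SIZE)
        del self.allocated[name]

    def recover_unallocated(self) -> bytes:
        # What recovery software does: read every block no file currently claims.
        return b"".join(self.blocks[i] for i in self._free_blocks())


def demo() -> tuple[bool, bool]:
    """Return (recoverable after plain delete, recoverable after shred)."""
    record = b"Jane Doe,5000,gift"  # constructed sample donor record
    plain, shredded = ToyDisk(8), ToyDisk(8)
    plain.write_file("donors.csv", record)
    plain.delete_file("donors.csv")
    shredded.write_file("donors.csv", record)
    shredded.shred_file("donors.csv")
    return record in plain.recover_unallocated(), record in shredded.recover_unallocated()


if __name__ == "__main__":
    print("after delete: %s, after shred: %s" % demo())
```

Real media complicate the picture: journaling file systems, wear-levelling SSDs and backups can keep copies that an in-place overwrite never touches, so physical destruction or full-disk encryption is the dependable choice for retired media.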
What do you do if you think you are a victim
• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including the IT Help Desk (5199). Alert us immediately of any suspicious activity or email.
• If the breach involves a visitor, contact IT as well as Security immediately.
• Reset your password immediately (just the password suspected of being compromised)
Questions and Answers
Q: How do you know if your site is secure?
A: Look for a small padlock in the lower right corner of your browser window (illustration below) or in the website address box (not on the actual site itself). Also look for HTTPS:// in the website address on secure sites instead of just HTTP://.
Q: Do I need to be concerned with a website that does not have a "log out" button?
A: Yes, a little. Sites that do not have a "log out" button may cache (or keep) your account open so that others can view your account by simply opening the web browser. A safe practice is to lock your computer when leaving, or to restart your computer to clear the session if a "log out" button is not available.