Chapter 4 Outline

I. People – A Security Problem

  A. Poor security practices

    1. Password selection
      a) For many years, intruders have relied on users selecting poor passwords to help them gain unauthorized access to a system or network.
        (1) Users choose passwords that are easy to remember, often built from the same characters as their userids.
        (2) The passwords are frequently the names of family members, pets, or a favorite sports team.
        (3) The more an attacker knows about an individual, the better the chances of guessing that individual's password.
      b) To complicate the attacker's job, organizations encourage users to mix uppercase and lowercase characters and to include numbers and special characters. Users still choose something that is easy for them to remember.
        (1) Organizations have added further rules, such as requiring users to change their passwords frequently. Most often the "new" password is the old one with a number added, or incremented, at the end.
        (2) Forcing frequent changes shortens the time during which a guessed or stolen password stays useful, but the harder a password is for the authorized user to remember, the greater the tendency to write it down.
        (3) The average Internet user has multiple accounts and tends to use the same or a similar password for all of them. If any one account is compromised, every account sharing that password is exposed.
      c) Most people also have at least one Personal Identification Number (PIN), such as an automated teller machine PIN or a code for physical access to a room. Even for these, users invariably select numbers that are easy to remember, and therefore easy to guess.

    2. Piggybacking and shoulder surfing
      a) People are often in a hurry and do not consistently follow good physical security practices and procedures. Attackers know this and try to exploit it.
      b) Piggybacking (also called tailgating) is closely following a person who has just used an access card or PIN to gain physical access to a room or building, so that the attacker passes through before the door closes.
      c) Shoulder surfing is positioning oneself so as to observe an authorized user entering the correct access code or password.

    3. Dumpster diving
      a) Going through a target's trash to obtain information.
      b) If the attackers are fortunate and the target's security procedures very poor, they may find user IDs and passwords outright. More commonly they gather pieces of information that are useful in a social engineering attack.
      c) Discarded hardware or software user manuals reveal what the target runs, and therefore which vulnerabilities may apply to its computer systems and networks.

    4. Installing unauthorized hardware and software
      a) Organizations should have a policy that restricts the ability of normal users to install software and new hardware on their systems.
      b) For example, an individual may install communication software and a modem so as to reach the work machine from home. This creates a backdoor into the network that an attacker can use to circumvent every other security mechanism in place.
      c) Users can download numerous small programs from the Internet without knowing the source of the software or its effect on their systems.
      d) Many organizations also restrict file attachments received through e-mail, because a user may unwittingly execute a hostile program such as a virus or worm.

    5. Access by non-employees
      a) An attacker who gains physical access to a facility can obtain information useful for penetrating computer systems and networks.
      b) Identification badges are an easy and effective way to distinguish employees from non-employees, but only if employees actively challenge individuals who are not wearing the required badge.
      c) Some personnel have legitimate access to the facility but may not share the employees' loyalty or regard for the organization's intellectual property.
        (1) Contractors, consultants, and partners may have frequent physical access to the facility and network access as well.
        (2) Nighttime custodial crews and security guards have unrestricted access at times when nobody else is around to monitor their activities. Because these services are usually contracted, attackers have used them to get into an organization's facility.

  B. Social engineering is the use of deceptive practices to obtain unauthorized information, or to convince the target to do something they would not normally do. It succeeds for the following reasons:
    1. Many people have a basic desire to be helpful; the attacker exploits this trait to extract information.
    2. Individuals normally try to avoid confrontation and trouble.
    3. Insiders may also attempt to gain unauthorized information, and are often more successful because they already know something about the organization. If caught, they can offer a believable excuse.
    4. Example: in 1978 Stanley Mark Rifkin, a computer consultant working at Security Pacific National Bank in Los Angeles, learned how money was transferred between accounts. Using the bank's electronic funds transfer (EFT) code and impersonating a fellow bank officer, he had $10.2 million transferred to an account in Switzerland under a different name.
    5. Reverse social engineering
      a) The attacker convinces the target to initiate the contact.
      b) This works because the target, having initiated the contact, does not question the attacker's authenticity.
      c) Methods include sending a spoofed e-mail that claims to come from a reputable source and gives bogus e-mail addresses, telephone numbers, or Web sites that appear authentic, so that the target reaches the attacker when seeking help.
      d) This is especially effective while the organization is installing a new software or hardware platform or undergoing a significant change such as a merger.

II. People as a Security Tool

  A. To counter social engineering attacks, companies should formulate policies and procedures that establish the roles and responsibilities of security administrators and of all other users.

  B. Security awareness
    1. Once security policies and goals are established, the organization must develop an active security awareness program to counter social engineering attacks effectively.
    2. The extent of the training varies with the organization's environment and the level of threat, but it is good practice to train on social engineering at the time of hiring and to follow up with periodic refreshers.
    3. Training should stress which information the organization considers sensitive and how that information can be targeted.

  C. Individual user responsibilities
    1. Specific duties vary between organizations and with the type of business conducted, but certain basic responsibilities apply to all users:
      a) Locking the door to the office or workspace.
      b) Not leaving sensitive information unprotected.
      c) Storing sensitive information in secure storage.
      d) Shredding paper containing sensitive information before discarding it.
      e) Not divulging sensitive information to unauthorized individuals.
      f) Not discussing sensitive information with family members.
      g) Protecting laptops that contain sensitive or important organizational information.
      h) Being aware of who is nearby when discussing sensitive corporate information.
      i) Enforcing corporate access control procedures.
      j) Knowing the correct procedure for reporting suspected or actual violations of security policy.
      k) Establishing procedures that enforce good password security practices and ensuring that employees follow them.

  D. Corporate security officers must cultivate an environment of trust and an understanding of the importance of security.
    1. Security personnel need the help of all users and should cultivate an environment in which users who face a security situation will not hesitate to call them.
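The weak-selection patterns listed in I.A.1 (a password built from the userid, a family, pet or team name with a number tacked on, "rotation" that only increments the trailing number, and the same password reused across accounts) can be screened for mechanically, which is what the password procedures of II.C.1.k amount to in practice. The Python below is an added example and not code from the textbook. The PERSONAL_WORDS list, the leet-substitution table, the 75% similarity threshold and the 12-character minimum are assumptions chosen for illustration; the sample submissions are constructed, not real credentials.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of words an attacker who knows the user would try first:
# family names, a pet, favourite teams (outline I.A.1.a).  Assumed list; a real
# deployment builds it per user and adds a breached-password list.
PERSONAL_WORDS = {"jennifer", "michael", "rover", "fluffy", "yankees", "lakers"}

# Undo the letter-for-symbol swaps users make to satisfy "mix in numbers and
# special characters" rules (outline I.A.1.b) without changing the word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

# 'Rover2024!' -> ('Rover', '2024!'): the trailing digits/punctuation are the
# part users change when forced to rotate (outline I.A.1.b(1)).
SUFFIX = re.compile(r"^(.*?)([0-9!?.#*]*)$")

MIN_LENGTH = 12  # assumed floor, not a figure from the outline


def split_suffix(password):
    """Return (base, suffix) where suffix is the trailing digits/punctuation."""
    m = SUFFIX.match(password)
    return m.group(1), m.group(2)


def core_word(password):
    """Lower-cased base with leet substitutions undone: 'R0ver!' -> 'rover'."""
    base, _ = split_suffix(password)
    return base.lower().translate(LEET)


def check_password(userid, password, previous=None, other_accounts=None):
    """Return the reasons a proposed password is weak (empty list = accepted).

    previous:       the user's current password, to catch suffix-only changes.
    other_accounts: {account_name: password} for the user's other accounts,
                    to catch reuse of the same word with a different suffix.
    """
    reasons = []
    core = core_word(password)
    uid = userid.lower()

    # I.A.1.a(1): password built from the userid, or nearly so.
    if (uid in core or (len(core) >= 4 and core in uid)
            or SequenceMatcher(None, core, uid).ratio() >= 0.75):
        reasons.append("resembles userid")

    # I.A.1.a(2): family member, pet or team name, with or without a suffix.
    if any(w == core or (len(w) >= 4 and w in core) for w in PERSONAL_WORDS):
        reasons.append("personal name/pet/team")

    # I.A.1.b(1): "rotation" that only changes the trailing number.
    if previous is not None and core and core_word(previous) == core:
        reasons.append("previous password with a new suffix")

    # I.A.1.b(3): same password, or same base word, used on another account.
    for account, other in (other_accounts or {}).items():
        if other == password or (core and core_word(other) == core):
            reasons.append(f"reused on {account}")

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample submissions (userid, proposed password, context).
    samples = [
        ("jsmith", "JSmith2024!", {}),
        ("aroberts", "R0ver!", {}),
        ("dlee", "Summertime2024!", {"previous": "Summertime2023!"}),
        ("tpark", "Lakers#2", {"other_accounts": {"bank": "Lakers#1",
                                                   "webmail": "lakers1"}}),
        ("jsmith", "correct-horse-battery-staple", {}),
    ]
    for uid, pw, ctx in samples:
        print(f"{uid:10} {pw:30} {check_password(uid, pw, **ctx) or 'accepted'}")
```

The similarity check deliberately works on the base word rather than the whole string, because the outline's point is that the symbols and digits users add rarely change the guessable part; the 12-character floor is there only so that a password that dodges every pattern check is not trivially short.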