Chapter 4 Outline

I. People – A Security Problem
A. Poor security practices
1. Password selection
a) For many years, computer intruders have relied on users selecting poor
passwords to help them gain unauthorized access to a system or network.
(1) Users choose passwords that are easy to remember and are often
derived from, or identical to, their userids.
(2) The passwords are usually the names of family members, pets, or
their favorite sports team.
(3) The more an attacker knows about an individual, the better the chances
of guessing that individual's password.
b) In an attempt to complicate the attacker's job, organizations encourage
users to mix uppercase and lowercase characters and include numbers
and special characters in their passwords. However, users still choose
something that is easy for them to remember, so a "compliant" password is
often just a familiar word with its first letter capitalized and a digit or
punctuation mark appended.
(1) Organizations have also instituted additional rules relating to password
selection, such as requiring users to change their passwords frequently.
Most often the result is a new password that is the old one with a number
added, or incremented, at the end, which an attacker who knew the old
password can guess in a handful of tries.
(2) Frequent changes shorten the window in which a guessed or leaked
password remains useful. However, the more difficult passwords are for
the authorized users to remember, the greater the tendency to write them
down.
(3) An average Internet user has multiple accounts and usually uses the
same or similar passwords for all of them. If any one of the accounts is
compromised, all other accounts become vulnerable to attack.
c) Most people have at least one Personal Identification Number (PIN),
such as the one for their automated teller machine card or a security code
to gain physical access to a room. Even for such purposes, users will
invariably select numbers that are easy to remember.
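The following script is an added example (it is not part of the chapter or the textbook) that makes the password-selection points concrete. Starting from a constructed profile of a hypothetical user (userid, family and pet names, team, significant years; all assumed), it generates the guesses an attacker would try: the familiar word, capitalized, upper-cased or "leet"-substituted, with the usual digit or punctuation suffix. It then shows that such guesses satisfy a typical complexity rule, that a policy-compliant password like "Lakers1!" falls within a few hundred guesses, and that the "old password plus a number" rotation pattern can be recognized mechanically. Function and variable names are the example's own.

```python
"""Added example: why policy-compliant passwords built from personal
information are still guessable. Profile data below is constructed."""
import itertools
import re

# Constructed profile of a hypothetical user (assumed, not from the chapter):
# userid, own name, spouse, pet, favorite team, and two significant years.
PROFILE = {
    "userid": "jsmith",
    "names": ["john", "smith", "emma", "rex", "lakers"],
    "years": ["1984", "2008"],
}

# Suffixes users typically append to satisfy "must contain a digit/special".
SUFFIXES = ["", "1", "12", "123", "!", "1!", "#1", "2024"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Typical complexity rule: length, upper, lower, digit, special."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def mutations(word: str):
    """Case and leet variants a user applies to a familiar word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word.capitalize().translate(LEET)


def guesses(profile: dict):
    """Yield candidate passwords in the order an attacker would try them."""
    seen = set()
    seeds = [profile["userid"]] + profile["names"]
    for word in seeds:
        for base in mutations(word):
            for suffix in SUFFIXES + profile["years"]:
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand
    # Two names joined, e.g. spouse + pet, with and without capitals.
    for a, b in itertools.permutations(profile["names"], 2):
        for cand in (a + b, a.capitalize() + b.capitalize()):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(target: str, profile: dict):
    """Return the 1-based guess number at which target is found, or None."""
    for i, cand in enumerate(guesses(profile), 1):
        if cand == target:
            return i
    return None


def rotated_by_counter(old: str, new: str) -> bool:
    """True if `new` is `old` with a trailing number appended or incremented,
    the pattern forced password changes most often produce."""
    base_old, n_old = re.fullmatch(r"(.*?)(\d*)", old).groups()
    base_new, n_new = re.fullmatch(r"(.*?)(\d*)", new).groups()
    if base_old != base_new or not n_new:
        return False
    if not n_old:                      # first rotation: just append a digit
        return len(n_new) == 1
    return int(n_new) == int(n_old) + 1


if __name__ == "__main__":
    for pw in ["Lakers1!", "J0hn2008", "Emm@Rex", "x7#Qp9!vLm2"]:
        print(f"{pw:14} policy={meets_policy(pw)!s:5} found_at={crack(pw, PROFILE)}")
    print(rotated_by_counter("Lakers1!", "Lakers2!"), rotated_by_counter("Lakers1", "Lakers2"))
```

Note that "Lakers1!" passes the complexity rule yet is found in well under a thousand guesses, whereas the random string is not found at all; the policy constrains the form of the password, not the amount of personal knowledge an attacker needs.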
2. Piggybacking and shoulder surfing
a) People are often in a hurry and frequently do not follow good physical
security practices and procedures. Attackers know this and try to exploit
this trait.
b) Piggybacking is the tactic of closely following a person who has just
used an access card or PIN to gain physical access to a room or building,
so that the door is opened for the follower without a credential of their own.
c) Shoulder surfing is the procedure in which attackers position themselves
so as to observe an authorized user entering the correct access code or
password.
3. Dumpster diving
a) Dumpster diving is the process of going through a target's trash to
obtain information.
b) If the attackers are fortunate, and the target's security procedures very
poor, they may find user IDs and passwords written down. More commonly
the attacker gathers pieces of information (names, titles, telephone lists,
internal memos) that can be useful in a social engineering attack.
c) Discarded hardware or software user manuals also reveal which products
and versions the target runs, which lets an attacker look up the known
vulnerabilities of those computer systems and networks.
4. Installing unauthorized hardware and software
a) Organizations should have a policy that restricts the ability of normal
users to install software and new hardware on their systems. For example,
individuals may install communication software and a modem so they can
connect to their machine at work from home. By doing this, they create a
backdoor into the network, which an attacker can use to circumvent all of
the other security mechanisms in place.
b) Users can download numerous small programs from the Internet without
being sure of the source of the software or its effects on their systems.
c) Many organizations also restrict downloading file attachments received
through e-mail, because users may unwittingly execute a hostile program
such as a virus or worm.
5. Access by non-employees
a) If an attacker gains physical access to a facility, it is possible to obtain
information that helps penetrate computer systems and networks.
b) An easy control to implement is identification badges. Badges are an
effective way to distinguish between employees and non-employees.
However, they only work if employees actively challenge individuals who
are not wearing the required identification badge.
c) Another aspect that must be considered is that some personnel may have
legitimate access to a facility but may not have the same loyalty or regard
for the intellectual property rights of the organization as other employees.
(1) Contractors, consultants, and partners may not only have frequent
physical access to the facility but also have network access.
(2) Nighttime custodial crews and security guards are given unrestricted
access to the facility at times when nobody else is around to monitor their
activities. As these services are mostly contracted, attackers are known to
use such positions to gain access to the organization's facility.
B. Social engineering is the technique in which an attacker uses various deceptive
practices to obtain unauthorized information. It is also a technique to convince
the target of the attack to do something that they normally would not do. Social
engineering is successful because of the following reasons:
1. Many people have a basic desire to be helpful. The attacker can use this
trait to extract information.
2. Individuals normally try to avoid confrontation and trouble.
3. Sometimes insiders may also attempt to gain unauthorized information.
Insiders are often more successful because they already have a certain
level of information regarding the organization. If caught, they can offer a
believable excuse.
4. In 1978 Stanley Mark Rifkin, a computer consultant working at Security
Pacific Bank in Los Angeles, learned details of how money could easily be
transferred to accounts anywhere in the United States. He used the
electronic funds transfer (EFT) code to impersonate a fellow bank officer
and transfer $10.2 million to an account in Switzerland under a different
name.
5. Reverse social engineering
a) In this technique, the attacker tries to convince the target to initiate the
contact.
b) This attack is successful because the target is the one initiating the
contact, so the attacker does not have to convince the target of their
authenticity.
c) Possible methods to convince the target to make that initial contact
include sending out a spoofed e-mail claiming to be from a reputable
source and giving bogus e-mail addresses, telephone numbers, or Web
sites that seem authentic.
d) This may be especially successful if accomplished while the organization
is in the process of installing a new software or hardware platform, or when
there is a significant change in the organization, such as a merger.
II. People as a Security Tool
A. To fight potential social engineering attacks, companies should formulate the
policies and procedures that establish the roles and responsibilities for the
security administrators and all other users.
B. Security awareness
1. Once the security policies and goals are established, organizations must
develop an active security awareness program to counter potential social
engineering attacks effectively.
2. The extent of the training will vary depending on the organization's
environment and the level of threat. However, it is good practice to conduct
training on social engineering attacks at the time of hiring and to follow up
with periodic refresher training.
3. An important element to stress in training on social engineering is the
type of information the organization considers sensitive and how that
information can be used in an attack.
C. Individual user responsibilities
1. While the specific duties of users may vary between organizations and
the type of business the organization conducts, there are certain basic
responsibilities that all users should adopt. These include:
a) Locking the door to the office or workspace.
b) Not leaving sensitive information unprotected.
c) Storing sensitive information in a secure storage device.
d) Shredding paper containing sensitive information before discarding it.
e) Not divulging sensitive information to unauthorized individuals.
f) Not discussing sensitive information with family members.
g) Protecting laptops that contain sensitive or important organizational
information.
h) Being aware of the people in the vicinity while discussing sensitive
corporate information.
i) Enforcing corporate access control procedures.
j) Being aware of the correct procedures to report suspected or actual
violations of security policies.
k) Establishing procedures to enforce good password security practices
and ensuring that employees follow these procedures.
D. Corporate security officers must cultivate an environment of trust in their
office and an understanding of the importance of security.
1. Security personnel actually need the help of all users and should strive to
cultivate an environment where users, when faced with a security situation,
will not hesitate to call them.