
Security Awareness

Why this course


Trends in hacking are changing: Attacks on the individual, not just
the system
Significant risk to company security, operations and reputation
Improved awareness = improved defense
Why this course

[Wall Street Journal article image]


Desired Outcomes
Things you need to know
Social Engineering
Phishing & Spear phishing
Behaviors you need to adopt
Safe Internet Use
Privacy
Locking Workstations & Mobile Devices
Password management

Connection between personal and corporate security


Social Engineering
Social engineering is the art of manipulating people so that
they perform actions that lead to them giving up
confidential information.
Criminals use social engineering tactics because it is
usually easier to exploit your natural inclination to trust
than it is to discover ways to hack into your software.
In most cases the attacker never comes face-to-face with
the victims.
The Social Engineering Cycle
(Cycle diagram: Research -> Developing Rapport and Trust -> Exploiting Trust -> Utilize Information, then back to Research)
Research: May include readily available information such as
SEC filings and annual reports, marketing brochures, press
clippings, industry magazines, Web site content as well as
dumpster diving.
Developing Rapport and Trust: Use of insider information,
misrepresenting identity, using those that are known to the victim,
showing need for help, or authority.
Exploiting Trust: Asking for information or an
action on the part of the victim, or manipulating the victim to ask
the attacker for help.
Utilize Information: If the information obtained is only a step
to a final goal, the attacker returns to earlier steps in the cycle until the goal
is reached.
Warning Signs of an attack
Refusal to give callback number
Out-of-ordinary request
Claim of authority
Stresses urgency
Threatens negative consequences of noncompliance
Shows discomfort when questioned
Name dropping
Compliments or flattery
Flirting
Common Targets of attack
Unaware of Value of Information: Receptionists, telephone
operators, administrative assistants, security guards.
Special Privileges: Help desk or technical support system
administrators, computer operators, telephone system
administrators.
Manufacturer/vendor: Computer hardware, software
manufacturers, voice mail systems vendors.
Specific Departments: Accounting, Finance, human resources
Vulnerability Factors
Large number of employees
Multiple facilities
Information on employee whereabouts left in voice mail
greetings
Phone extension information made available
Lack of security training
Self-advertisement
Online Privacy
How Your Information Gets On The Internet
Businesses, governments, and other organizations gather data when:
You set up an online account or make a purchase in an online store
Others publish information about you
You add your own information on social sites
Records of government agencies are searched
You register for a contest, take part in a survey, etc.
You surf the web or download free software
Businesses use this information to help complete a transaction, remember your preferences,
deliver personalized content or special offers, or save you time.
Online Privacy
So Why Should I Care If There Is Information About Me Online?
The information that is available about you online is important for two reasons:
Companies and recruiters may use this information, your online reputation, to gauge your suitability for a job
Criminals may use data about you online to target
you to steal your identity, gain access to confidential
data or commit other crimes
Online information is searchable.
Once data is published online, it is effectively there forever
and, depending on the privacy policy of the company
holding the data, may ultimately be seen by anyone on the
Internet.
5 Simple Steps to Help Prevent Identity Theft
1. Don't just throw away important documents,
at work or at home.

Shredders are cheap and easy to use at home.


Most office workplaces will offer a document disposal
box or shredder, which you should use for documents
you throw away at work. Dumpster diving is a popular
mechanism for garnering personal information.
2. Don't use public or unsecured computers when
accessing sensitive information.
If a computer is not secured then it is possible to have a
keylogger or other spying software installed in the
background. This way, even if you use secure
connections, someone can get access to what you write
and impersonate you.
3. Never click on links that are sent to you in emails, and never go
to websites that you are not sure about.
This includes clicking on banner ads that you are not sure about.
The Internet is like a city, if you stay in the safe parts
of town, you can be reasonably sure of your safety
and the safety of your identity. But if you go to the
more out-of-the-way places, you run a higher risk
of encountering those who are out to steal from you.
Just the act of going to a bad site and then visiting a
good site may enable the bad guys to steal your
information or login for the good site.
4. Consider using credit cards over debit cards,
especially online.
Debit cards provide less protection than credit cards
A debit card can be the gateway to your finances.
A thief who uses your debit card instantly withdraws
money from your bank account.
5. Use multiple passwords.
If you lose one or it gets exposed, it doesn't allow access
to all of the rest of your accounts.
Overuse of single passwords can get even security
companies in trouble: one recently had its entire email
database stolen when hackers found that one password
opened multiple administrator accounts.
Email Phishing
A type of social engineering attack in which fraudulent
communications are used to trick the user into giving out
sensitive information, such as passwords, account information
and other details. Phishing is a criminal activity in many
jurisdictions.
'Phishing' is pronounced the same as "fishing".
How Phishing Attacks Are Done
Phishing usually uses an alarming pretext, such as "restoring access to a
bank account", to pressure the user into providing their sensitive details.
Phishing attempts are most commonly done via e-mail, but
attempts made by instant messages and SMSes are also known.
New Phishing Scams Prey on Fear of Phishing Scams
Online crooks and scam artists are convincing victims that they
need to watch out for people trying to steal their account details.
The victims are essentially welcoming in the enemy, believing
that he is there to get rid of the problem, when in fact he is the
problem.
In these scams, the recipient is told his bank account has been
"locked," or that he's made an "unauthorized transaction" and
must now submit all his personal information in order to
"unlock" the account or "verify" his identity.
Cybercrooks favor these social engineering attacks because
they play directly into the victim's fear, especially the scams
that promote themselves as security from the recipient's bank.
Spear Phishing
Spear phishing is a targeted version of phishing that usually
focuses on a specific company and combines tactics such as
sender impersonation, personalization of the intended victim,
enticement and access-control bypass techniques such as email
filter, antivirus, and IDS/IPS evasion. The goal of a
spear phishing attack is ultimately the same as a phishing
attack: to coerce a target into opening an attachment or
clicking an embedded link. But it is much more sophisticated
and elaborate.
Spearphishing focuses on specific individuals within specific
organizations. Attackers will mine social media sites such as
LinkedIn or Facebook and personalize or impersonate users so
that the spearphishing email is extremely accurate and
compelling. Once a link is clicked or an attachment is opened,
the door to the network is established, allowing the attacker to
move forward with the advanced targeted attack.
Spear Phishing
Spearphishing attacks can also be viewed within the context of
an Advanced Persistent Threat (APT). Cybercriminals conduct
APT attacks via spearphishing through the introduction of
malware, Trojans, key loggers, port listeners and multi-vector
attacks. The goal of an APT is to establish sustainable, long-term
access to an organization's information assets, and a successful
spearphishing attack can readily achieve that goal.
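The warning signs listed for social engineering and phishing (claim of authority, urgency, threats, links that do not go where they appear to) can be checked mechanically before a message reaches a user. The following is an added example, not part of the original deck: a small Python scorer that reads a raw e-mail, compares the display name against the sender domain, checks for a mismatched Reply-To, looks for urgency and threat phrases, and compares the visible text of each HTML link with its real target. The two sample messages, the domains in them and the phrase list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed list of pretext phrases typical of "your account is locked" scams.
URGENCY_PHRASES = (
    "account has been locked",
    "unauthorized transaction",
    "verify your identity",
    "unlock your account",
    "within 24 hours",
    "immediately",
)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lower-cased host part of an http(s) URL, or '' if not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def score_message(raw):
    """Return {'score': n, 'findings': [...]} for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Claim of authority: display name names an organisation that does not
    # appear anywhere in the actual sender domain.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if display and from_domain:
        words = [w.lower() for w in re.findall(r"[A-Za-z]+", display) if len(w) > 3]
        if words and not any(w in from_domain for w in words):
            findings.append(f"display name '{display}' does not match sender domain '{from_domain}'")

    # Replies silently redirected to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # Urgency / threat of negative consequences in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency/threat language: " + ", ".join(hits))

    # Visible link text that looks like a URL but points somewhere else.
    parser = _LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        shown, real = _host(visible), _host(href)
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")

    return {"score": len(findings), "findings": findings}


# Constructed sample: a lookalike "bank" message with every warning sign.
PHISHING_SAMPLE = """From: Example Bank Security <alerts@mail-verify-center.net>
Reply-To: support@secure-login-help.org
Subject: Your account has been locked
Content-Type: text/html

<html><body>
<p>Your account has been locked after an unauthorized transaction.
You must verify your identity within 24 hours or the account will be closed.</p>
<p><a href="http://secure-login-help.org/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample: a routine notice with consistent sender and links.
BENIGN_SAMPLE = """From: Example Bank <notices@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement for last month is ready. Sign in from the address bar as usual.</p>
<p><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(name, result["score"], *result["findings"], sep="\n  ")
```

The checks are deliberately simple string and header comparisons so the logic is easy to audit; in a mail gateway they would sit alongside SPF/DKIM results rather than replace them, and the phrase list would be tuned to the organisation's own language.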
Public Breaches
Honda Canada has a security breach that affects approximately 280,000 Canadian customers.
TJX, parent company of discount stores T.J. Maxx and Marshalls, discloses that thieves have stolen information on tens of millions of credit and debit cards.
Heartland, a credit card payment processor for more than 250,000 businesses, reveals that tens of millions of transactions might have been compromised.
MasterCard announces that up to 40 million credit card holders were at risk of having their data stolen -- and 200,000 definitely had -- because of a Trojan on the computers of a credit card processing company.
Backup tape lost containing social security numbers and bank account information on 4.5 million customers.
Computer discs holding personal information on 25 million British citizens -- all UK families with children under 16 -- had been lost in the mail.
8.5 million customers affected by employee thefts of records, including credit card, bank account, and other personal information.
AT&T and Apple have suffered a major privacy breach, exposing the email addresses and ICC-IDs of over 114,000 iPad 3G customers, possibly many more.
Nasdaq's Directors Desk service, a web-based application where some 5,000 companies store documents for board members, is breached.
Regular Joe
Targets of Social Tactics by % of Breaches Within Social
Regular employee/end-user        80%
Finance/accounting staff         33%
Human resources staff            30%
Customer (B2C)                    8%
Executive/upper management        5%
Helpdesk staff                    3%
System/network administrator      1%
Unknown                           1%
Protecting Against Data Breaches
How to Protect Yourself from Data Breaches
Use disposable email addresses
Use disposable credit-card numbers if possible
Use a new password for every account
Don't provide any nonessential personal information
Never give out your SIN/Social Security number
Security Social Media Story
(Comic-strip slide; the attacker's thought bubbles, in order, with the victim's public post at the end)
Attacker: "I need access to a bank. The bank security is too strong? What should I try?"
Attacker: "Let's look for a Senior IT Administrator at a bank."
Attacker: "Found one. Minimal security and pictures."
Attacker: "Well, I know he has an alarm system. Let's find more info."
Attacker: "Pictures have GPS tags. I now know where he lives."
Attacker: "From Street View I see that he has a lot of trees. Easy to get in."
Attacker: "He is also selling watches. Great alibi."
Victim's post: "Can't wait to feel the heat of Jamaica next week!"
Online Shopping
Online criminals make their money from unprotected or careless shoppers who don't follow basic security
measures.
Buy from reputable sources
Make sure that your computer, Internet connection
and web browser are all as secure as possible
Remember that it's always risky to send personal
information over the unsecured wireless networks
found in cafés, libraries, airports or other local hotspots
Pay by credit card
Internet Use - Social Media Adoption
Social Media has overtaken adult content as the #1 activity on
the Web
The average American Internet user watches 30 minutes of
video online per day
2.1B social media users
18-25 year olds send 95% of electronic communications via
text messaging, averaging 3,982 per user per month
57% of people talk to people more online than they do in real
life
48% of young Americans said they find out about news
through Facebook
Internet Use - Social Media Adoption
Facebook
By 2015 40% of large enterprises will have a
corporate "Facebook," for circulating both business
and personal data
People spend over 700 billion minutes per month
on Facebook
650 million accounts or 1 in every 13 people on earth
There are more than 200 million active users currently
accessing Facebook through their mobile devices
About 70% of Facebook users are outside the United States
Facebook tops Google for weekly traffic in the U.S.
Internet Use - Social Media Adoption
Twitter
75M users in 2010; 175M users in 2011
95M tweets per day

LinkedIn
100 million users
Adding a new member every second
80% of companies use social media for recruitment;
95% of these use LinkedIn
Internet Use - Social Media Adoption
YouTube
70% of YouTube traffic comes from outside the U.S.
700 billion playbacks in 2010
More video is uploaded in 60 days than the
major US networks have created in 60 years
Social Media Risks
Would you tell a complete stranger all about your family, work, love life, hobbies
and interests?
And give them some personal photos to look at too?
Danger Of Revealing Too Much
At the heart of the social networking phenomenon are the personal profile pages
that users create about themselves. These can be linked to their friends' pages, the
friends of their friends, and so on.
Of course, it's up to you what to reveal about your personal life.
The reality is that the more information you give online, the more vulnerable you
also become with possibly far-reaching consequences on your life outside the
Internet.
Social Media Risks
Identity theft
Information extracted from social networking sites used by criminals
Predators and pedophiles searching for possible victims
Fake or hijacked profiles
Social Media Safety Measures
Maintain a Good Reputation
It's worth remembering that whatever you post on your profile
page, or other community forum, remains in the public sphere.
Protect your reputation. Think twice before posting statements or photos that may one day show you in
a bad light.
Resist the temptation to impress your friends with a profile that gives away too much. It may end up
being abused by people who really should know nothing about you.
A momentary lack of judgment can still come back to haunt you in years to come. Employers do a web search on
everyone they are thinking of hiring. So do potential life partners!