Keeping Personal Information Personal – Defeating Social Networking Attacks Presented By: Ian...
DEFINITIONS
"Social Engineering" is a new name for a very old profession (the second oldest in the world):
• Governments call social engineers spies, or intelligence operatives
• Spies and intelligence operatives are trying to conduct espionage
• Counter-intelligence prevents espionage
ASSUMPTIONS
Our personal information in today's world is frequently linked to our
business information:
• Passwords used at home are frequently used at work
• Social networking is a valuable business tool
• Personal information can be leveraged
• Work and home computers are interchangeable
SOCIAL ENGINEERS
The con artists of the electronic age, social engineers will play any game to
get their hands on:
• Passwords that provide access to networks
• Identities that get them into restricted facilities
• Hard copies of sensitive data
OBJECTIVES
At the end of this session, you will know:
• Why social engineers target employees
• How to recognize when you are being ‘conned’
• How to deflect a social engineer
OBJECTIVES
At the end of this session you will also know how a security program can help
you safeguard your personnel and business IT resources through:
• Policies, standards, guidelines and best practices
• Threat risk assessments
• A security awareness program
• Other information security professionals
A NEW BREED OF COMPUTER CRIMINAL
Social engineers are known to use non-technical tactics to gather information
about:
• The organization
• Its projects and products
• Its people
• You and your position in the organization
YOU ARE THE WEAKEST LINK!
Social engineers prey upon the human desire to be helpful and to trust those around us.
• Follow your instincts and err on the side of caution
• Educate yourself and use common sense
• Don’t be paranoid
• Threat intelligence and risk assessments are extremely effective in defeating social engineering attacks
RECOGNIZE THE SIGNS
Social engineers study the human psyche to develop effective
manipulation tactics:
• Diffusing responsibility
• Ingratiation
• Building false trust
• Appealing to strong morals
WHAT ARE THEY AFTER?
Anything that might be valuable to cyber criminals or other organizations, or that
could be used for blackmail:
• Research secrets
• Project schedules
• Collaborator lists
• Financial, legal, and licensing information
• Personal and system information
HOW DO THEY GET IT?
Collecting corporate knowledge is usually the first step:
• Ply employees for information
• Pose as a consultant or technician
• Apply for work inside the organization
• Apply for work with a third-party collaborator
• Social networking and Internet research
HOW DO THEY GET IT?
Once inside, social engineers will hand-pick information…literally:
• Searching file cabinets, grabbing paper files from desks
• Staking out printers, fax machines, and photocopiers
• Collecting the garbage, especially from shredding bins
HOW DO THEY GET IT?
• Smart phones, USB sticks, keys, car GPS
• Tapping telephones and video conference rooms
• Taking advantage of open workstations
• Hacking systems, installing malware, installing rogue wireless devices, USB stick modems
• Stealing laptops and backup tapes/hard drives
BEHAVIOUR MODIFICATION
Keeping private information where it belongs is everyone’s responsibility:
• Buy time
• Verify identity and authority
• Respect restrictions
• Handle hard copies with care
BEHAVIOUR MODIFICATION
Commit yourself to using the tools already in place:
• Follow your organization’s security program
• Identify computer support people
• Create a security alert system
• Subscribe to IT security newsletters/RSS feeds
BE CONSISTENT—EVEN WITH COLLEAGUES
Up to 80% of attacks are carried out by insiders:*
• Exercise caution
• Cross-check staff lists
• Verify ‘need to know’
• Be aware of unauthorized activity
*The Computer Security Institute, San Francisco
FINDING THE WEAK SPOT
Identify possible leaks before the dam breaks:
• Physical security
• IT security
• Personal safety
• Control access to secure areas
• Meet your co-workers
• Pick up the phone
JOIN THE SECURITY TEAM
Every employee is part of the IT security team.
• No technical knowledge required
• Must have an eye for detail
• Must be willing to play an active role
• Will keep your personal life secure as well
IT Security is Here to Help
Being the target of an attack, personally or professionally, is daunting to say the least:
• Seek expert advice
• Tell your story
• Talk to the police
• Reduce your online presence
• Be mindful of your physical security, especially if an electronic attack is thwarted
• Keep your home and work computers up to date
What IT Security Does
IT security professionals should be a central point of contact for all IT security matters and
usually hold responsibility for:
• Certification, accreditation and risk management
• Security policy and procedures
• Verification and review
• Problem management
• IT security awareness, education, and training
Food For Thought
• What is already known about you on the Internet?
• What information is useful for identity theft?
• What is your personal risk or professional liability?
• Is the nature of your work, your partner’s work or your children’s activities sensitive?
• What information needs to be on the Internet?
Where Does Information Live?
• Everywhere, but it can be hard or easy to find depending on several factors.
• Social networking sites give context to the information, making it easier to identify you.
• Social networking sites make it easy to gain your trust (LinkedIn and Facebook spam).
• Social networking sites are a “one-stop shop” for the complete collection of information about you.
Be Informed
• Facebook is the number one social networking site. Facebook is an all-purpose, come-as-you-are social medium.
• LinkedIn is a social networking platform specifically targeting the business community.
• Search engines like Google, Pipl, archive.org and many others can point to data about you.
• Social networking sites make it easy to find data about you.
Be Aware of the Tools
• Identity thieves and intelligence operators have sophisticated data mining and analytical software tools (I2, Facebook Visualizer).
• Your relationships can be identified and can be used to confirm your activities and associations.
Personal Risk
• Your personal circumstances (divorce, separation, litigation, etc.) should inform your decisions about what to post on a social networking site.
• Anything posted by you or anyone else is available to the court.
• However, it is also necessary to be able to communicate and form personal or business relationships.
Safety First
• Do not display your full birth date.
• Do not post a child's name.
• Do not mention being away from home.
• Restrict searches for your information.
• Do not permit youngsters to use social networks unsupervised.
• Think about whom you are allowing to become your online friend.
More Safety
• Make sure you have an up-to-date web browser and comprehensive security software on your computer.
• Adjust your privacy settings to help protect your identity.
• Set and review your privacy settings regularly.
• Make only a cut-down version of your profile visible to everyone.
Still More Safety
• Disable options, and then add them in one by one.
• Join groups and networks cautiously.
• Understand what happens when you quit the site.
But, I am LinkedIn!
LinkedIn Cautions
• Remove phone numbers and specific address information.
• Understand the business-oriented audience of LinkedIn.
• Recommendations can haunt you.
• Be honest on your professional profile.
• Beware of the reference check tool.
Final Thoughts
• Protection of your personal information is your responsibility.
• All bets are off if you’re subject to a criminal or civil court investigation.
• If you are unsure, talk to a professional or review the FAQs on social networking sites.
• Keep in mind that the act of posting information makes you potentially liable for the accuracy of that information.
LEARN MORE ABOUT IT!
Additional information about dealing with social engineers is available from a variety
of sources:
• ‘Social Engineering Simulation’ www.nwfusion.com/newsletters/sec/2000/00292157.html?nf
• The Human Firewall www.humanfirewall.org/
• SecurityFocus Online www.securityfocus.com/infocus/1527
LEARN MORE ABOUT IT!
Additional tutorials on topics such as the following will be beneficial and will contribute to organizational
and personal security as well:
• Copyright and computer piracy
• E-mail security and SPAM
• Laptop security
• Peer-to-peer security
• Web surfing and privacy