*RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62...

16
, 1 ) , Q I R U P D W L R Q 6 H F X U L W \ / H F W X U H , Q I R U P D W L R Q 6 H F X U L W \ 0 D Q D J H P H Q W + X P D Q )D F W R U V I R U, Q I R U P D W L R Q 6 H F X U L W \ $ X G X Q -¡VD Q J 8 Q L Y H U VL W \ R I 2 VO R $ X W X P Q 6 H FX U L W \ 0 D Q D J H P H Q W / H YH O V 8 L 2 $ X W X P Q / , 1 , 7 6 H FX U L W \ 2 S H U D W L R Q V U L I WD G P L Q D Y L QI R U P D V M RQ V V L N N H U K H W , Q I R U P D W L R Q 6 H FX U L W \ 0 D Q D J H P H Q W /H GH O V H D Y L QI RU P D V M RQV V L N N H U KH W , Q W H U Q N RQW U RO O , Q I R U P D W L R Q 6 H FX U L W \ * R YH U Q D Q FH 6 W \ U L QJ D Y L QI RU P D V M R Q V V L N N H U KH W 6 H W H Q W H U S U L VH R E M H FW L Y H V % D O D Q FH VW D NH K R O G H U YD O X H S U R S R V L W L R Q V $ FK L H YH H Q W H U S U L VH R E M H FW L Y H V , Q I R U P D W L R Q 6 H FX U L W \ * R YH U Q D Q FH 6 W \U L Q J D Y L Q I R U P D VM R Q VVL NNH U K H W , 6 J R YH U Q D Q F H S U R YL G H V VW U D W H J L F G L U H F W L R QH Q V X U H V R E M H FW L YH V D U H D F K L H YH G P D Q D J H V U L V N D S S U R S U L D W H O \ X V H V R U J D Q L ] D W L R Q D O U H VR X U F H V U H V S R Q VL E O \ D Q G P R Q L W R U V W K H VX F F H VV R UI D L O X U H R I W K H H Q W H U S U L V H V H F X U L W \ S U R J U D P P H , 7 * R YH U Q D Q FH , Q VW L W X W H 0 H U N % H J U H S H W R YH U V H W W H V R I I L V L H O W VR P O H G H O VH D Y L Q I R U P D VM R Q VVL NNH U K H W H U P H G ND Q , 6 0 6 R YH U V H W W H V VR P / 6 , 6 / H G H O V H VV\VW H P I R UL Q I R U P D VM R Q VVL NNH U K H W 1 R H Q R U J D Q L VD VM R Q H U I H NV 1 6 0 L J Q R U H U H U 6 1 VL Q R YH U V H W W H O VH R J R YH U V H W W H U VR P VW \U L Q J D Y L Q I R U P D VM R Q VVL NNH U K H W R J R YH U V H W W H U G H U P H G R J V n , 6 0 6 VR P 6 W \U L Q J VV\ VW H P I R U L Q I R U P D VM R Q VVL NNH U K H W Q R H VR P VND S H U I R U YL U U L Q J 7L O VD P P H Q O L J Q L Q J R YH U V H W W H V R I I L V L H O W VR P U L VL NR VW \U L Q J K YR U D O O H E U X NH U G H Q R YH U V H W W H O VH Q 8 L 2 $ X W X P Q / , 1 6 H F X U L W \ * R Y H U Q D Q F H % H Q H I L W V R I , 7 6 H FX U L W \ * R YH U Q D Q FH P r ot e c t i n g a s s e t s c r e a t i ng v a l ue 7U X VW I U R P F X V W R P H U V S D U W Q H U V L Q YH V W R U V R Z Q VW D I I 5 H S X W D W L R QE U D Q G L P D J H & R P S H W L W L Y H D G Y D Q W D J H 3 U H Y H Q W L R Q D Q G U H G X F W L R Q R I O R V V H V % X VL Q H VV F R Q W L Q X L W \U H VL O L H Q FH , Q F D VH R I G L VD VW H U V D Q G P D M R U L Q FL G H Q W V , Q F U H D VH VK D U H K R O G H U Y D O X H 8 L 2 $ X W X P Q / , 1 6 H F X U L W \ * R Y H U Q D Q F H

Transcript of *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62...

Page 1: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

INF2120 Information Security

Lecture 05: - Information Security Management- Human Factors for Information Security

Audun Jøsang

University of Oslo, Autumn 2019

Security Management Levels

UiO Autumn 2019 L05 - IN2120 2

IT Security OperationsDrift/admin av informasjonssikkerhet

Information Security ManagementLedelse av informasjonssikkerhet

(Internkontroll)

InformationSecurity

GovernanceStyring

av informasjonssikkerhet

Set enterprise objectives.

Balance stakeholder

value propositions.

Achieve enterprise objectives

Information Security GovernanceStyring av informasjonssikkerhet

IS governance provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme.

- IT Governance InstituteMerk:

Begrepet: oversettes offisielt somledelse av informasjonssikkerhet Dermed kan

ISMS oversettes som LSIS (Ledelsessystem for informasjonssikkerhet

Noen organisasjoner (f.eks. NSM) ignorerer SN sin oversettelse ogoversetter som styring av informasjonssikkerhet og oversetter dermed også ISMS somStyringssystem for informasjonssikkerhet noe som skaper forvirring.

Til sammenligning oversettes offisielt somrisikostyring hvor alle bruker den oversettelsen.

UiO Autumn 2019 L05 - IN2120 3SecurityGovernance

Benefits of IT Security Governance

Protecting assets = creating valueTrust from customers, partners, investors, own staffReputation, brand, imageCompetitive advantagePrevention and reduction of lossesBusiness continuity & resilience

In case of disasters and major incidents

Increase shareholder value

UiO Autumn 2019 L05 - IN2120 4SecurityGovernance

Page 2: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

Goals of information security governanceas defined by COBIT and ISACA

1. Strategic alignment of the security program2. Risk management3. Value delivery4. Resource management5. Performance measurement

www.isaca.org/knowledge-center/research/documents/information-security-govenance-for-board-of-directors-and-executive-management_res_eng_0510.pdf

UiO Autumn 2019 L05 - IN2120 5SecurityGovernance

ISACA - Mål for styring av IT-sikkerhet1. Strategisk tilpasning av sikkerhetsprogrammet

IS-aktiviteter skal støtte organisasjonens helhetlige strategi.

2. RisikohåndteringAvdekke trusler, sårbarheter og risiko. Deretter bruke adekvate virkemidler for å redusere risiko til et akseptabelt nivå.

3. VerdiskapningSøk optimal balanse mellom reduksjon av risiko og tap, og kostnader forbundet med sikkerhetsvirkemidler.

4. RessursbrukArbeidet med informasjonssikkerhet skal gjøres effektivt

5. MålbarhetEffekten av sikkerhetsarbeidet skal måles

UiO Autumn 2019 L05 - IN2120 6Styring avIT-sikkerhet

Characteristics of good IS GovernanceManaged as a business-wide issue

Alignment of frameworks, policies and activities

Viewed as business requirementSeen as essential for sustainable business operations

Leaders are informedLeaders understand security risks and get regular reviews

Leaders take responsibilityVisible leaders who set clear goals and priorities

Risk-based prioritiesTolerances to risk understood and established

Roles & responsibilities definedClear segregation of duties

UiO Autumn 2019 L05 - IN2120 7SecurityGovernance

Information security managementIncludes:

Development and maintenance of security policiesGoals, rules and practice for IS

Planning and organisation of the security activities Information Security Management System (ISMS)

Inventory and classification of resources and Information

Threat and risk assessment

Reporting and coordination with top level management

Deployment and maintenance of security controls

Security education and training

Incident response and business continuity planning

Begrepet: oversettes offisielt somledelse av informasjonssikkerhet noen somstyring av informasjonssikkerhet noe som kan skape forvirring.

Det særnorske begrepet internkontroll er omtrent ekvivalent med ledelseav informasjonsikkerhet

UiO Autumn 2019 L05 - IN2120 8

Security Management

Page 3: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 L05 - IN2120 9

IS Management StandardsISO/IEC 27K security standards:

ISO: International Standards OrganizationISO 27001: Information Security Management System (ISMS)ISO 27002: Code of practice for information security controls+ many moreISO/IEC standards cost money

USA NIST (National Institute for Standards and Technology) Special Publications 800 , Cover similar topics as ISO27KNIST standards are free

Norge NSMVeileder i sikkerhetsstyringRisikovurdering for sikring

https://www.nsm.stat.no/globalassets/dokumenter/veiledninger/veileder-i-sikkerhetsstyring--endelig.pdf

L05 - IN2120 10UiO Autumn 2019

Evolution of ISO 27001 & 27002 Standards

UiO Autumn 2019 L05 - IN2120 11

1995BS 7799: Code of Practice for Information Security Management

1999BS 7799-2: Information Security Management System (ISMS)

2001BS 7799 ISO/IEC 17799BS 7799-2 ISO/IEC 17799-2

2005ISO/IEC 17799 ISO/IEC 27001

ISO/IEC 17799-2 ISO/IEC 27002

2013ISO Management Standards Alignment- ISO/IEC 27001: ISMS- ISO/IEC 27002: Code of Practice for

Information Security Controls

2019 Major changes to ISO/IEC 27001: ISMS planned

UiO Autumn 2019 L05 - IN2120 12

ISO/IEC 27001:2013- What is it?

ISO 27001 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization.ISMS is a holistic approach to IS management

While the ISO 27002 (code of practice) defines a set of security goals and controls, ISO 27001 (ISMS) defines how to manage the implementation of security controls.Organizations can be certified against ISO 27001

ISO 27001 is to be used in conjunction with ISO 27002

Page 4: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

ISMS Cycle

IS Management System CycleThe ISMS cycle is an interpretation of ISMS (ISO 27001).Source: NSM (Nasjonal Sikkerhets-myndighet).

The steps in the cycle are done in parallel.

Good IS management requires that all steps are implemented

UiO Autumn 2019 L05 - IN2120 13

Planning

Security Controls

Evaluation

ReportingRisk

Assessment

CISSP 8th Ed. IS Program Phases

UiO Autumn 2019 L05 - IN2120 14

CISSP 7th Ed. (p.41) IS program phases

Description

1. Plan and organise Establish mgmt commitment and high level IS policyDefine roles and committees,Assess threats, vulnerabilities and riskIdentify and plan security solutions and controls

2. Implement Assign roles and responsibilitiesDevelop specific IS policies and proceduresImplement security solutions and controls

3. Operate and maintain

Execute security operations tasksCarry out internal and external auditDevelop monitoring and metrics for security controls

4. Monitor and evaluate

Review audits, monitoring and metricsAssess goal accomplishmentIdentify areas for improvement, and integrate in phase 1.

UiO Autumn 2019 L05 - IN2120 15

ISO/IEC 27002 What is it?Code of practice for information security controls

ISO 27002 provides a checklist of general security controls to be considered implemented/used in organizations

Contains 14 categories (control objectives) of security controlsEach category contains a set of security controlsIn total, the standard describes 113 generic security controls

Not all controls are relevant to every organisationObjective of ISO 27002:

management practices including the selection, implementation and management of controls taking into

environment(s)

L05 - IN2120Operations

security

Cryptography

UiO Autumn 2019 16

The 14 Control Objectives of ISO/IEC 27002:2013

Accesscontrol

Asset management

Security Organization

Human resourcessecurity

Physical and environmental

security

Communications security

Compliance

Business continuity

Incident management

Supplier relationships

System acq., develop. & maint.

Information security policy

Security Controls

Page 5: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

20 CSC: Critical Security ControlsAlternative to ISO/IEC 27002https://www.cisecurity.org/controls/Description of each control:

Why control is criticalHow to implement controls

Specific tasksProcedures and tools

Advice on implementationEffectiveness metricsAutomation metrics

How to automate effectiveness metricsEffectiveness testsSystem entity relationship diagram

Relevant architecture integration

UiO Autumn 2019 L05 - IN2120 17

Data Recovery Capabilities

Email and Browser Protections

UiO Autumn 2019 L05 - IN2120 18

Secure Configuration

Control of Admin. Privileges

Inventory of Software

Continuous Vulnerability Management

Control of Ports, Protocols and

Services

Wireless Access Control

Data Protection

Boundary Defense

Inventory of Hardware

20 Critical Security Controls

Need-to-know Access Control

Account Control

Analysis of Audit Logs

Configuration of Firewalls, Routers,

and Switches

Security Awareness

Malware Defences

Application Security

Pentesting

Incident Response

Grunnprinsipper for IKT-sikkerhetOversettelse og sammendrag av ISO/IEC 27002

https://www.nsm.stat.no/publikasjoner/rad-og-anbefalinger/grunnprinsipper-for-ikt-sikkerhet/

UiO Autumn 2019 L05 - IN2120 19

Evaluation of the ISMS throughSecurity Measurements

What is the effectiveness of a security control ?You have to measure it to know it.

Security measurements provideinfo about how well security controls workbasis for comparing effect of controls on risksbenchmark for assessing security investments

UiO Autumn 2019 L05 - IN2120 20

Page 6: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

Why do we care: Example

The CEO asks,

Without metrics:

With metrics:

intrusion statistics before and after we completed that

UiO Autumn 2019 L05 - IN2120 21

IS Measurement Model (ISO 27004)

UiO Autumn 2019 L05 - IN2120 22

1) Information needs about:Security ControlsSecurity ProcessesPolicy and awarenessCompliance

2) Select data sources and collect relevant data*:

Logs from systemsQuestions to peopleObservationsData mining

3) Analyse data:Manage raw dataSanitize dataCategorize dataApply analytical model:

4) Measurement results:Discover new knowledgeIdentify new info needsMake decisionsPresent results

*) Called Objects of measurement in ISO 27004

Measurement ISMS integration

UiO Autumn 2019 L05 - IN2120 23

Information needs

Data collection

Data analysis

Measurementresults

Planning

Risk Assessmt

Security ControlsEvaluation

Reporting

ISMS Cycle

CMMI Capability Maturity Model Integrationfor Information Security Management

UiO Autumn 2019 L05 - IN2120 24

0: No security processes

Considerable time and effort needed to reach each next level in the maturity model for IS management.

Managed

2: Repeatable but intuitive processes

3: Defined processes

4: Managed and measurable

5: Optimized / Cultural

1: Initial / Ad Hoc processesChaotic

Page 7: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

CMM levels 1 - 3

1. Initial / Ad Hoc+ Processes are ad-hoc and disorganised.+ Risks are considered on an ad hoc basis, but no formal processes

exist.

2. Repeatable but intuitive+ Processes follow a regular pattern.+ Emerging understanding of risk and the need for security

3. Defined process+ Processes are documented and communicated.+ Company-+ Awareness of security and security policy

UiO Autumn 2019 L05 - IN2120 25

CMM levels 4 - 5

4. Managed and measurable+ Processes are monitored and measured.+ Risks assessment standard procedures+ Roles and responsibilities are assigned+ Policies and standards are in place

5. Optimized+ Security culture permeates organisation+ Organisation-wide security processes are implemented, monitored

and followed

UiO Autumn 2019 L05 - IN2120 26

UiO Autumn 2019 L05 - IN2120 27

The human factor in information security

Personnel integrityMaking sure personnel do not become insider attackers

Personnel as defenceMaking sure personnel do not fall victim to social engineering attacks

Cybersecurity Culture in OrganisationsStimulate behaviour which strengthens security

Security usabilityMaking sure users operate security correctly

UiO Autumn 2019 28

Personnel IntegrityPreventing employees from becoming attackers

Consider:EmployeesExecutivesCustomersVisitorsContractors & Consultants

All these groups obtain some form of access privilegesHow to make sure privileges are not abused?

L05 - IN2120

Page 8: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 29

Personnel crime statistics

Organisations report that a large proportion of computer crimes originate from inside

US Statistics (PWC) 2014, 2015, 2016http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf

https://insights.sei.cmu.edu/insider-threat/2017/01/2016-us-state-of-cybercrime-highlights.html

28% had insider attacks, 32% very concerned about insider threats

Australian Statistics (CERT Australia) 2015 http://apo.org.au/research/cyber-crime-and-security-survey-report-2013

14% had insider attacks, 60% very concerned about insider threats

Kriminalitets- og sikkerhetsundersøkelsen i Norge (KRISINO 2015)

https://www.nsr-org.no/krisino/

28% of enterprises had experienced insider attacks.

L05 - IN2120 UiO Autumn 2019 30

Strengthening employee integrity

Difficult to determine long term integrity of staff at hiringIntegrity can change, influenced by events

All personnel should follow security awareness trainingReminders about security policy and warnings about consequences of intentional breach of policy

Will strengthen power of judgment

Personnel in highly trusted positions must be supported, trained and monitoredSupport and monitor employees in difficult situations:

conflict, loss of job, personal problemsAlways try to stay on good terms with staff.

L05 - IN2120

UiO Autumn 2019 31

Personnel DepartureDifferent reasons for departure

VoluntaryRedundancyTermination

Different types of actionsFormer employee may keep some privilegesRevoke all privilegesEscort to the exit.

Staff who lose their job due to redundancy are at greater risk to become insider attackers. To mitigate this risk:

The redundancy process must be seen as fairTry to keep a good dialogue

During exit interview, review the original employment agreement (i.e. non-compete, wrongful disclosure, etc.

L05 - IN2120

Social engineering attacks

Where people are the defence

UiO Autumn 2019 L05 - IN2120 32

Page 9: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 33

Social Engineering Attacks

According to Kevin Mitnick:

a computer virus, an unpatched hole in a program, or a badly installed firewall. In fact the biggest threat could

to manipulate people rather than technology. Most of

L05 - IN2120

Types of Social Engineering Attacks

Technical Social-Engineering AttacksElectronic contact with victimsEmail, telephone, messaging, social networks, websitesMulti-channel attacks

In-Person Social-Engineering AttacksManipulate people face-to-face in personConvince victims to perform actions which compromise securityOpen doors, give physical access, provide IT resources

UiO Autumn 2019 L05 - IN2120 34

Phishing Attacks

A kind of social-engineering attack in which criminals use spoofed emails to trick people into sharing sensitive information or installing malware on their computerPhases1. Sending phishing email, getting through spam-filters, and landing in

Increasingly difficult to get through email filtering (SPF, DKIM, DMARC)Content must be sufficiently credible to trick the user

2. The victim taking the suggested action in the messageGot to a fake websiteReplying with sensitive informationInstalling malware

3. The criminals exploiting and monetizing the stolen information

UiO Autumn 2019 L05 - IN2120 35

Types of Phishing

Mass Phishing Mass, large-volume attack intended to reach as many people as possibleSpear Phishing Targeted attack directed at specific individuals or companies using gathered information to personalize the message and make the scam more difficult to detectWhalingincluding high-profile individuals or those with a great deal of authority or accessClone Phishing Spoofed copy of a legitimate and previously delivered email, with original attachments or hyperlinks replaced with malicious versions, which is sent from a forged email address so it appears to come from the original sender or another legitimate source

UiO Autumn 2019 L05 - IN2120 36

Page 10: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

Detect a Phishing Scam

poor grammarHyperlinked URL differs from the one displayed, or it is hiddenThreatening language that calls for immediate actionRequests for personal informationAnnouncement indicating you won a prize or lotteryRequests for donations

Be skeptical, use common sense

UiO Autumn 2019 L05 - IN2120 37

Protect Yourself Refuse the Bait

STOP. THINK. CONNECT.Before you click, look for common baiting tactics, ask colleagues

Be extremely careful about clicking on links in an emailUser your computer mouse to hover over each link to verify its actual destination, even if the message appears to be from a trusted sourcePay attention to the URL and look for a variation in spelling or different domain (e.g., ndsu.edu vs. ndsu.com)Consider navigating to familiar sites on your own instead of using links within messages

Examine websites closelyMalicious websites may look identical to legitimate sites

any sensitive information on a website

UiO Autumn 2019 L05 - IN2120 38

In case you took the bait:Protect Yourself Take Action Now

If you suspect that You should

You interacted with, or replied to a phishing scam

Immediately contact your help desk, or other relevant entity.

You might have revealed or shared personal or financial information

Immediately change the password(s) for your account(s). If you use the same password for multiple accounts and sites, change it for each account. Do not reuse that password in the future.

Watch for signs of identity theft by reviewing your bank and credit card statements for unauthorized charges and activity. If you notice anything unusual,immediately contact your credit card or bank.

Consider reporting the attack to the police.

UiO Autumn 2019 L05 - IN2120 39

Neuro-Linguistic Programming (NLP)Develop TrustInduce strong affectInformation overloadReciprocationDiffusion of responsibility and moral dutyAuthorityCommitment creep

UiO Autumn 2019 L05 - IN2120 40

Page 11: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 41

SE Tactics: Neuro-Linguistic Programming (NLP)

Match the voice, tone and body language of their victim.Match the breathing rate, voice and vocabularyUse common industry or company jargon

Produces an affective connection with the target on a subconscious levelFrequently used by salespeople to get clients to like them

L05 - IN2120 UiO Autumn 2019 42

SE Tactics: Develop Trust

People are naturally helpful and trustingAsk during seemingly innocent conversationsSlowly ask for increasingly important informationLearn company lingo, names of key personnel, names of servers and applicationsCause a problem and subsequently offer your help to fix it (aka. reverse social engineering)Talk negatively about common enemyTalk positively about common hero

L05 - IN2120

UiO Autumn 2019 43

SE Tactics: Induce strong affect

Heightened emotional state makes victimLess alertLess likely to analyse deceptive arguments

Triggered by attacker by creating

Confusion (contradictory statements)

L05 - IN2120 UiO Autumn 2019 44

SE Tactics: Information overload

proposed by the attackerTriggered by

Providing large amounts of information to produce sensory overloadProviding arguments from an unexpected angle, which forces the victim to analyse the situation from new perspective, which requires additional mental processing

L05 - IN2120

Page 12: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 45

SE Tactics: Reciprocation

Exploits our tendency to return a favourEven if the first favour was not requestedEven if the return favour is more valuable

Double disagreementIf the attacker creates a double disagreement, and gives in on one, the victim will have a tendency to give in on the other

ExpectationIf the victim is requested to give the first favour, he will believe that the attacker becomes a future ally

L05 - IN2120 UiO Autumn 2019 46

SE Tactics:Diffusion of responsibility and moral duty

Make the target feel the he or she will not be held responsible for actions

moral duty

L05 - IN2120

UiO Autumn 2019 47

SE Tactics: Authority

People are conditioned to obey authorityMilgram and other experimentsConsidered rude to even challenge the veracity of authority claim

Triggered byFaking credentialsFaking to be a director or superiorSkilful acting (con artist)

L05 - IN2120 UiO Autumn 2019 48

SE Tactics: Commitment creep

People have a tendency to follow commitments, even when recognising that it might be unwise.

integrityTriggered e.g. by creating a situation where one commitment naturally or logically follows another.

First request is harmlessSecond request causes the damage

L05 - IN2120

Page 13: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 49

Multi-Level Defence againstSocial Engineering Attacks

6: Offensive Level

3: Fortress Level

2: Awareness Level

Incident Response

Social Engineering Detectors

Ongoing Reminders

Resistance Training for Key Personnel

Security Awareness Training for all Staff

1: Foundation Level Security Policy to Address SE Attacks

4: Persistence Level

5: Gotcha Level

Source: David Gragg: http://www.sans.org/rr/whitepapers/engineering/

L05 - IN2120 UiO Autumn 2019 50

SE Defence: Foundation

The security policy must address SE attacksPolicy is always the foundation of information security

Address e.g.: Shredding, Escorting, Authority obedience

Ban practice that is similar to social attack patternsAsking for passwords over phone is a typical SE attack method

Calling a user and pretending to represent IT department is a typical SE attack

to authenticate the IT DepartmentCalling IT dep. and pretending to be user is a typical SE attack

authenticate the user

L05 - IN2120

UiO Autumn 2019 51

SE Defence: AwarenessSecurity awareness training for all staff

Understanding SE tacticsLearn to recognise SE attacks

Know what is sensitiveUnderstand their responsibilityUnderstand the danger of casual conversationFriends are not always friendsPasswords are personalUniforms are cheap

Awareness of policy shall make personnel feel that the only choice is to resist SE attempts

L05 - IN2120 UiO Autumn 2019 52

SE Defence: Fortress

Resistance training for key personnel Consider: Reception, Help desk, Sys.Admin., Customer service,

Fortress training techniquesInoculation

Expose to SE arguments, and learn counterarguments

Forewarmingof content and intent

Reality check: Realising own vulnerability,

L05 - IN2120

Page 14: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

UiO Autumn 2019 53

SE Defence: Persistence

Ongoing reminders SE resistance will quickly diminish after a training sessionRepeated trainingReminding staff of SE dangers

PostersMessagesTests

L05 - IN2120 UiO Autumn 2019 54

SE Defence: GotchaSocial Engineering Detectors

Filters and traps designed to expose SE attackers

Consider:The justified Know-it-all

Person who knows everybody

Centralised log of suspicious eventsCan help discover SE patterns

Call backs mandatory by policyKey questions, e.g. personal details

Time to think and log event

DeceptionBogus question

L05 - IN2120

UiO Autumn 2019 55

SE Defence: Offensive

Incident responseWell defined process for reporting and reacting to

Possible SE attack events,Cases of successful SE attacks

Reaction should be vigilant and aggressiveGo after SE attackerProactively warn other potential victims

L05 - IN2120

Cybersecurity Culture in Organisations

UiO Autumn 2019 L05 - IN2120 56

Page 15: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

Cybersecurity CultureDigital sikkerhetskultur

Definition: (ISACA) The knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in

The objective of developing a cybersecurity culture is to behaviour to support cybersecurity

in the organisation.

57UiO Autumn 2019 L05 - IN2120

Behaviour for Cybersecurity

Types of human behavior which affects securityYour understanding of cyber threatsYour perception of the value and sensitivity of informationYour perception of riskYour awareness of security policiesYour ability and willingness to follow security policiesYour attitude to policy breaches by colleaguesHow you report / deal with security incidentsHow you manage passwordsHow you handle devices (exclusive use or sharing with family/friends)Your motivations and fearsYour integrity

58UiO Autumn 2019 L05 - IN2120

Behaviour Model

UiO Autumn 2019 L05 - IN2120 59

Ability = (Capability+

Opportunity)

Motivation

Behaviour

Stimulation of Security Culture

UiO Autumn 2019 L05 - IN2120 60

Factor General Action Example Action

Capability Redesign policies & toolsEducation Skill-building Restrict

Review & change policies & toolsBuild employee security skillsPractical training Remove admin rights

Motivation Awareness campaigns Incentives

Nudge/PromptOrganisational response

Security culture programme.

Security performance as KeyPerformance Indicator.Alerts & remindersVisible organisational reaction to all policy breaches & errors

Opportunity Engage employees in security review/designSecurity champion

Identify policies & tools that cause friction Identify & support employees who want to build security skills

Audit of results(Revisjon)

ISO/IEC 27001 / 27002 Audit Audits are the most common metrics, but do not cover the full spectrum of social and psychological items that influence human behavior.

Page 16: *RYHUQDQFH,606 &\FOH,6 0DQDJHPHQW 6\VWHP &\FOH 7KH ,606 F\FOH LV DQ LQWHUSUHWDWLRQ RI ,606 ,62 6RXUFH 160 1DVMRQDO 6LNNHUKHWV P\QGLJKHW 7KH VWHSV LQ WKH F\FOH DUH GRQH LQ SDUDOOHO

Security Usability

UiO Autumn 2019 L05 - IN2120 61

Security LearningGood and intuitive security metaphors facilitate learning

Bad metaphors can be misleading

E.g.: ?, better to say

Security usability is different from traditional usability

securelyoperate it.

Security can not be made totally transparent to the userThe user must understand certain security concepts and be able to make informed security decisions.

Security learning can be difficultIt takes time to thoroughly understand security

62UiO Autumn 2019 L05 - IN2120

Stages of security learning(Security is often more complex than you think)

Expert and disillusioned

3. first thought. I realise that it can

Unaware and disinterested

1.

Educated and optimistic

2. and I know how to make it

63UiO Autumn 2019 L05 - IN2120

End of Lecture

UiO Autumn 2019 L05 - IN2120 64