
Post on 25-Dec-2015


Social Engineering and Physical Security

BAI514 – Security I

Social Engineering
  Social engineering involves obtaining protected information from individuals by establishing relationships with them and manipulating them.
  Two types of social engineering:
    Human-based
    Computer-based

Social Engineering – Human-Based Social Engineering (Person-to-Person)
  Impersonation (masquerading): attacker pretends to be someone else, e.g. repairman, employee, student, etc.
  In person: attacker gathers information in person on the premises of the organization
    Dumpster diving
    Shoulder surfing

Social Engineering – Human-Based Social Engineering (cont.)
  Important user posing: attacker pretends to be an individual in a position of authority to intimidate users
  Technical support (help desk): attacker poses as a technical support person
  Authorization by a third party: attacker convinces an unsuspecting individual that he or she is authorized by a third party in a position of authority

Social Engineering – Computer-Based Social Engineering
  Mail / IM attachments: when opened, install a Trojan
  Pop-up windows: simulate an urgent condition on the user's system and instruct the user to perform an action
  Spam mail: initiate fraud by a variety of means
  Websites: fake website appears legitimate but collects user credentials

Social Engineering – Reverse Social Engineering
  Attacker convinces a target individual that he or she is having a problem or may have one soon, and that the attacker is ready and willing to help
  Uses three steps:
    Sabotaging the target's equipment
    Ensuring the target is aware that the attacker is a person of authority and has the skills needed to repair the equipment
    Providing assistance in solving the problem and, in doing so, gaining the trust of the target and obtaining access or information

Social Engineering – Phishing
  The process of obtaining sensitive personal data, usually financially related, under false pretenses from unsuspecting individuals for fraudulent purposes
    Bank account numbers
    PINs
    SINs
    etc.

Social Engineering – Phishing (cont.)
  Phishing messages and Web hosting can be based on:
    servers whose organizations tolerate phishing activity
    computers that have been compromised
    reputable Web hosting providers that are unaware of the content

Social Engineering – Phishing (cont.)
  A typical phishing attack:
    Hacker will send a fraudulent email with false headers to indicate the email is from a bank
    Message will ask for confirmation of the victim's account information and password
    Message will contain a link to a web server that generates a window that looks like the bank's site
    User will be prompted to enter userid and password

Social Engineering – Hidden Frames
  Used to maintain the state of a web site without using cookies to store session variables
  Store data until required
  Attacker can define two frames:
    Primary visible frame
    Hidden frame containing the running attack

Social Engineering – URL Obfuscation
  Used to obscure a fake web site's URL:
    Representing characters in the URL in hex format
    Expressing the domain name as an IP address in different formats: hex, octal, decimal, dword
    Adding irrelevant text after "http://" and before the @ symbol, e.g.
      http://login.citibank.com/secure_login/login@attacker.com
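The checks below are an added example (not part of the course slides) that flags the three obfuscation tricks listed above in a link before a user follows it: an "@" masking the real host, a host spelled as a hex, octal, decimal or dword IP, and percent-encoded letters. The sample links and the private address 192.168.1.1 used for the numeric hosts are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed sample links: the first is the slide's example; the numeric hosts all spell 192.168.1.1.
SAMPLE_LINKS = [
    "http://login.citibank.com/secure_login/login@attacker.com",
    "http://login.citibank.com@attacker.com/",  # true userinfo: host is attacker.com
    "http://3232235777/login",                  # dword
    "http://0xC0A80101/",                       # hex
    "http://0300.0250.01.01/",                  # octal
    "http://example.com/%6c%6f%67%69%6e",       # "login" hex-encoded in the path
    "https://www.example.com/account",          # plain link, should be clean
]

def decode_numeric_host(host):
    """Dotted-quad IPv4 a numeric host spells (inet_aton rules), or None for a name."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    nums = []
    for p in parts:                      # hex (0x..), octal (leading 0) or decimal
        m = re.fullmatch(r"(0x[0-9a-f]+)|(0[0-7]+)|([0-9]+)", p)
        if not m:
            return None
        nums.append(int(p, 16 if m.group(1) else 8 if m.group(2) else 10))
    value = 0
    for n in nums[:-1]:                  # leading components are single bytes
        if n > 255:
            return None
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(nums))      # last component fills the remaining bytes
    if nums[-1] >= 1 << tail_bits:
        return None
    return str(ipaddress.IPv4Address((value << tail_bits) | nums[-1]))

def obfuscation_flags(url):
    """Flags for the slide's tricks: '@' masking the host, encoded IP hosts, needless percent-encoding."""
    flags = []
    host = urlsplit(url).hostname or ""
    if "@" in url.split("://", 1)[-1]:
        flags.append("at-sign-in-url")
    decoded = decode_numeric_host(host)
    if decoded and decoded != host:
        flags.append("encoded-ip-host:" + decoded)
    elif decoded:
        flags.append("ip-literal-host")
    encoded = (int(h, 16) for h in re.findall(r"%([0-9a-fA-F]{2})", url))
    if any(b < 128 and chr(b).isalnum() for b in encoded):  # letters/digits never need encoding
        flags.append("percent-encoded-alnum")
    return flags
```

Running `obfuscation_flags` over `SAMPLE_LINKS` reports the real host behind each numeric form, which is what a mail gateway or user-awareness tool would surface next to the displayed link text.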

Social Engineering – HTML Image Mapping
  Allows different parts of a single image to be linked to different hyperlinks (i.e. other websites)
  The entire text of an email might be represented as an image: no matter where you click, you're going to the attacker's website!

Social Engineering – Identity Theft
  Stealing another person's personal information and using that information to assume that person's identity
  Once obtained, the attacker can start making purchases or signing up for services
    Credit card fraud
    Mail fraud
    Other financial transactions

Social Engineering – Identity Theft (cont.)
  Attack vectors:
    Phishing
    Stealing information from financial institutions
    Dumpster diving
    Stealing email
    Stealing credit card numbers
    Stealing wallet or purse

Social Engineering – Identity Theft (cont.)
  Warning signs:
    Unauthorized or unknown long distance calls on the victim's phone
    Phone calls from collection agencies regarding unknown accounts
    Denial of credit when applying for new accounts
    You wake up one morning and realize you're not who you think you are

Social Engineering – Defending Against Social Engineering Attacks
  Best defenses are personnel related
  Policies and Procedures
    Must have comprehensive, up-to-date information security policies
    Personnel must read the policies and be able to recognize potential social engineering attacks

Physical Security
  Physical security is a necessary countermeasure to hacking
  Concerned with:
    Physical access
    Environmental issues
    Power source(s)
    Biometrics
    Fire protection
    Inventory control
    Media erasure/destruction
    etc.

Physical Security – Threats to physical security
  Human actions: war, labor strikes, sabotage, theft, vandalism
  Natural events: storms, earthquakes, etc.
  Disasters: release of toxic gases, fire, power outage, water damage, equipment failure

Physical Security – Physical Security Implementation (cont.)
  Facility controls: must be an integral part of planning and design of data facilities
  Issues:
    Heights
    Fire ratings of walls and ceilings
    Weight ratings
    Electrical conductivity of floors (to reduce static electricity)
    Window security
    Door security
    Emergency exits
    Fire suppression
    Shut-off switches
    Air conditioning: positive air pressure (to protect against airborne particles entering the building)
    UPS

Physical Security – Physical Security Implementation (cont.)
  Facility controls (cont.): site selection considerations
    Local environment: security situation, types of other facilities in area
    Joint tenancy: restrictions/complications/vulnerabilities caused by other tenants
    Visibility: prominence of building
    Transportation: accessibility, congestion, etc.
    Emergency services: availability of police, fire, medical

Physical Security – Physical Security Implementation (cont.)
  Facility controls (cont.): access logs for facility entry should record
    Violations
    Modification of access privileges, and by whom
    Time and date of access attempt
    Successful/unsuccessful attempts
    Point of entry
    Name of individual attempting access

Physical Security – Physical Security Implementation (cont.)
  Company Personnel Controls: procedures related to HR such as hiring, termination, background checks, performance reviews, etc.
    Employment background, reference, and education reviews
    Security clearances
    Personnel performance reviews
    Non-disclosure agreements
    Exit interviews
    Return of company property
    Change of passwords and encryption keys

Physical Security – Physical Security Implementation (cont.)
  Environmental Controls
    Electrical power
    Heating, ventilation, air conditioning (HVAC)
    Humidity

Physical Security – Physical Security Implementation (cont.)
  Fire Safety Controls: principal life safety control
  Impacts:
    Personnel safety
    Economic impact from losses
    Loss of critical documents/data

Physical Security – Physical Security Implementation (cont.)
  Fire Safety Controls (cont.): Combustible Material Classes

    FIRE CLASS   MATERIALS
    A            Wood, cloth, paper, rubber, most plastics, etc.
    B            Flammable liquids and gases, oils, grease fires, tars, oil-based paints, lacquers, etc.
    C            Energized electrical equipment
    D            Flammable chemicals such as magnesium and sodium

Physical Security – Physical Security Implementation (cont.)
  Fire Safety Controls (cont.): Fire Suppression Classes

    CLASS   DESCRIPTION           EXTINGUISHING AGENTS
    A       Common combustibles   Water or soda acid
    B       Liquid                CO2, soda acid, Halon, FM-200
    C       Electrical            CO2, Halon, FM-200

Physical Security – Physical Security Implementation (cont.)
  Fire Safety Controls (cont.): Fire Detection
    Critical to life safety
    Heat detectors: respond to either rate of temperature change or actual temperature
    Flame detectors: respond to flame pulsation or infrared emissions
    Smoke detectors: respond to smoke interference (interference with the ionization current)

Physical Security – Physical Security Implementation (cont.)
  Fire Safety Controls (cont.): Fixed fire extinguishing
    Water sprinkler system
      Wet pipe
      Dry pipe
      Deluge
      Preaction: combines wet and dry pipe

Physical Security – Physical Security Implementation (cont.)
  Access Controls: applies to both physical and data entities
    Access cards
      Dumb – simple ID card with picture
      Smart – embedded intelligence

    CARD TYPE            DESCRIPTION
    Photo ID             Picture
    Magnetic stripe      Data encoded on magnetic material on card
    Passive electronic   Card responds to magnetic field of reader
    Active electronic    Card responds under its own power

Physical Security – Physical Security Implementation (cont.)
  Access Controls (cont.): Biometric
    Provides an automated means of identifying and authenticating a living person based on physiological or behavioral characteristics
      Fingerprints
      Face recognition
      Retina scan
      Gait
      Hand geometry
      Voice
      Signature dynamics

Physical Security – Physical Security Implementation (cont.)
  Access Controls (cont.): Intrusion Detection Systems

    DEVICES                 DESCRIPTION
    Photoelectric sensors   Beams of light, broken by an intruder
    Dry contact mechanism   Switches or metal foil tape that open a circuit
    Motion sensors          Sonic, ultrasonic, or microwave radiation disturbed by intruder
    Capacitance detectors   Detecting changes in an electric field
    Sound detectors         Detect sound anomalies
    Voice                   Voice patterns captured
    Facial recognition      Facial features and geometry acquired

Physical Security – Physical Security Implementation (cont.)
  FAX machines
    Place in a secure, restricted-access area
    Protect FAX servers with security hardware and software

Physical Security – Physical Security Implementation (cont.)
  Physical Facility Controls
    Guards
    Guard dogs
    Fences
    Mantrap
    Bollards
    Lights
    Video cameras
    PC/laptop controls: tethers, etc.

Physical Security – Physical Security Implementation (cont.)
  Physical Facility Controls (cont.): Locks
    Warded locks: common padlock opened with a key
    Tumbler locks: more secure locks that use pin tumblers, lever tumblers, or wafer tumblers
    Combination locks: dials or a series of wheels that require the correct combination
    Programmable locks: electronic or mechanical keypad or card-key
    Device locks: used to secure equipment (cables, port block, etc.)

Physical Security – Physical Security Implementation (cont.)
  Storage Media Controls
    Data encryption
    Cable locks (for laptops)
    Secure storage of paper and magnetic media
    Backing up data
    Storing critical data offsite
    Destroying paper documents and magnetic media
    Auditing media use and storage

Physical Security – Physical Security Implementation (cont.)
  Storage Media Controls (cont.): Data Remanence and Object Reuse
    Data remanence is the data that remains on magnetic media following erasure
    Object reuse is the reusing of data storage media
    Data remanence safeguards:
      Clearing – overwriting the magnetic medium, usually done when media remain in the original environment
      Purging – degaussing or overwriting media intended to be removed from a monitored environment
      Destroying – physical destruction of the media

FIN
