Social Engineering and Physical Security
BAI514 – Security I

Social Engineering
- Social engineering involves obtaining protected information from individuals by establishing relationships with them and manipulating them.
- Two types of social engineering:
  - Human-based
  - Computer-based

Social Engineering: Human-Based Social Engineering (Person-to-Person)
- Impersonation (masquerading): the attacker pretends to be someone else, e.g. a repairman, employee, student, etc.
- In person: the attacker gathers information in person on the premises of the organization
  - Dumpster diving
  - Shoulder surfing

Social Engineering: Human-Based Social Engineering (cont.)
- Important user posing: the attacker pretends to be an individual in a position of authority in order to intimidate users
- Technical support (help desk): the attacker poses as a technical support person
- Authorization by a third party: the attacker convinces an unsuspecting individual that he or she is authorized by a third party in a position of authority

Social Engineering: Computer-Based Social Engineering
- Mail / IM attachments: when opened, install a Trojan
- Pop-up windows: simulate an urgent condition on the user's system and instruct the user to perform an action
- Spam mail: initiates fraud by a variety of means
- Websites: a fake website appears legitimate but collects user credentials

Social Engineering: Reverse Social Engineering
- The attacker convinces a target individual that he or she is having a problem, or may have one soon, and that the attacker is ready and willing to help
- Uses three steps:
  1. Sabotaging the target's equipment
  2. Ensuring the target is aware that the attacker is a person of authority and has the skills needed to repair the equipment
  3. Providing assistance in solving the problem and, in doing so, gaining the trust of the target and obtaining access or information

Social Engineering: Phishing
- The process of obtaining sensitive personal data, usually financially related, under false pretenses from unsuspecting individuals for fraudulent purposes
  - Bank account numbers
  - PINs
  - SINs (Social Insurance Numbers)
  - etc.

Social Engineering: Phishing (cont.)
- Phishing messages and Web hosting can be based on:
  - servers whose organizations tolerate phishing activity
  - computers that have been compromised
  - reputable Web hosting providers that are unaware of the content

Social Engineering: Phishing (cont.)
- A typical phishing attack:
  1. The hacker sends a fraudulent email with forged headers indicating that the email is from a bank
  2. The message asks for confirmation of the victim's account information and password
  3. The message contains a link to a web server that generates a window that looks like the bank's site
  4. The user is prompted to enter a user id and password
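The four steps above leave traces a mail gateway or an analyst can check for. The following is an added example, not code from the course: it parses a constructed sample message (all domains use the reserved .example TLD; the hypothetical bank is bank.example) and reports the envelope sender and Reply-To not matching the From domain, a link whose host is not the bank's, and a request for credentials. The helper names (`analyze_message`, `registrable_domain`) are my own.

```python
"""Check a raw email for the hallmarks of the 'confirm your account' phishing
attack: a From header that claims the bank, an envelope sender and Reply-To
that do not match it, a link whose host is not the bank's, and a request for
a user id and password."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample phishing message (not a real mail).
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mail-relay.example>
From: "Bank Security" <security@bank.example>
Reply-To: verify@mail-relay.example
To: customer@customer.example
Subject: Please confirm your account information
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Unusual activity was detected. Confirm your user id and password within
24 hours <a href="http://bank.example.mail-relay.example/login">here</a>
or your account will be suspended.</p>
</body></html>
"""

# Constructed legitimate message from the same hypothetical bank, for contrast.
SAMPLE_LEGIT = b"""\
Return-Path: <noreply@bank.example>
From: "Bank" <noreply@bank.example>
To: customer@customer.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset=us-ascii

<html><body><p>Your statement is available at
<a href="https://www.bank.example/statements">www.bank.example</a>.</p></body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(password|pin|user ?id|account number)\b", re.IGNORECASE)


def address_domain(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def registrable_domain(host):
    """Last two labels of a host name: a crude stand-in for the Public Suffix List,
    enough to tell bank.example from bank.example.mail-relay.example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_message(raw):
    """Return a dict of findings; 'score' counts how many indicators fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = address_domain(msg["From"])
    claimed = registrable_domain(from_domain)

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    # Every link host whose registrable domain is not the bank's is suspicious.
    link_hosts = [urlsplit(u).hostname or "" for u in HREF_RE.findall(body)]
    suspicious_links = [h for h in link_hosts if registrable_domain(h) != claimed]

    findings = {
        "from_domain": from_domain,
        "envelope_mismatch": address_domain(msg["Return-Path"]) != from_domain,
        "replyto_mismatch": bool(msg["Reply-To"]) and address_domain(msg["Reply-To"]) != from_domain,
        "suspicious_links": suspicious_links,
        "asks_for_credentials": CREDENTIAL_RE.search(body) is not None,
    }
    findings["score"] = (
        int(findings["envelope_mismatch"])
        + int(findings["replyto_mismatch"])
        + int(bool(suspicious_links))
        + int(findings["asks_for_credentials"])
    )
    return findings
```

The header checks are only heuristics: a Return-Path that differs from From is normal for mailing lists and bulk senders, so in practice this score is one input beside SPF/DKIM/DMARC results rather than a verdict on its own.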

Social Engineering: Hidden Frames
- Frames can be used to maintain the state of a web site without using cookies to store session variables; they store data until it is required
- An attacker can define two frames:
  - a primary, visible frame
  - a hidden frame containing the running attack

Social Engineering: URL Obfuscation
- Used to obscure a fake web site's URL:
  - Representing characters in the URL in hex (percent-encoded) format
  - Expressing the domain name as an IP address written in different formats: hex, octal, decimal, dword
  - Adding irrelevant text after "http://" and before the @ symbol, e.g.
    http://login.citibank.com/secure_login/[email protected]
    A browser treats everything before the @ as user information and connects to the host that follows it. Note that the authority part of a URL ends at the first "/", so a decoy that contains a slash before the @ is parsed as a path on the decoy host rather than as user information; the trick works only when the decoy text has no slash.
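The three tricks above can be undone mechanically before a link is shown to a user or compared against a blocklist. This is an added example, not course material: it strips the userinfo decoy, percent-decodes the host, and converts dword, hex, octal and decimal IPv4 forms to dotted notation. All hosts in the tests are constructed (.example names and loopback addresses), and the function names `effective_host` and `numeric_host_to_dotted` are my own.

```python
"""Undo URL obfuscation and report the host a browser will actually contact:
percent-encoded characters, IPv4 addresses written as a single dword or as
hex/octal/decimal octets, and decoy text placed before an '@' in the authority."""
from typing import Optional
from urllib.parse import unquote, urlsplit


def _parse_ip_part(part: str) -> int:
    """Permissive numeric parsing as browsers do for IPv4 hosts:
    0x.. is hex, a leading zero means octal, anything else is decimal."""
    if not part.isalnum():          # rejects '', signs, underscores, whitespace
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def numeric_host_to_dotted(host: str) -> Optional[str]:
    """Return 'a.b.c.d' if host is an IPv4 address in dword, hex, octal or
    decimal form, or None if it is not a numeric address."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        values = [_parse_ip_part(p) for p in parts]
    except ValueError:
        return None
    # All parts but the last are single octets; the last part fills whatever
    # bytes remain ('2130706433' is 4 bytes, '127.1' is 1 + 3 bytes).
    if any(v > 255 for v in values[:-1]):
        return None
    last_bytes = 5 - len(values)
    if values[-1] >= 256 ** last_bytes:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * last_bytes)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def effective_host(url: str) -> str:
    """Host a browser will contact for `url`, with the obfuscation removed.
    IPv6 literals are out of scope for this example."""
    netloc = urlsplit(url).netloc
    # Anything before the last '@' is userinfo, which the browser ignores when
    # choosing where to connect. urlsplit has already cut the authority at the
    # first '/', so a decoy containing a slash never reaches this point.
    if "@" in netloc:
        netloc = netloc.rsplit("@", 1)[1]
    host = netloc.split(":")[0]                # drop any port
    host = unquote(host).lower().strip(".")    # percent-decode, normalize case
    dotted = numeric_host_to_dotted(host)
    return dotted if dotted is not None else host
```

The octet rule (last part fills the remaining bytes) is the one browsers apply, which is why a host such as 127.1 resolves to 127.0.0.1; a blocklist that compares raw strings misses every one of these spellings, so compare against the normalized form.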

Social Engineering: HTML Image Mapping
- Allows different parts of a single image to be linked to different hyperlinks (i.e. other websites)
- The entire text of an email might be rendered as an image: no matter where you click, you're going to the attacker's website!

Social Engineering: Identity Theft
- Stealing another person's personal information and using that information to assume that person's identity
- Once obtained, the attacker can start making purchases or signing up for services:
  - Credit card fraud
  - Mail fraud
  - Other financial transactions

Social Engineering: Identity Theft (cont.)
- Attack vectors:
  - Phishing
  - Stealing information from financial institutions
  - Dumpster diving
  - Stealing email
  - Stealing credit card numbers
  - Stealing a wallet or purse

Social Engineering: Identity Theft (cont.)
- Warning signs:
  - Unauthorized or unknown long distance calls on the victim's phone
  - Phone calls from collection agencies regarding unknown accounts
  - Denial of credit when applying for new accounts
  - You wake up one morning and realize you're not who you think you are

Social Engineering: Defending Against Social Engineering Attacks
- The best defenses are personnel related
- Policies and procedures:
  - Must have comprehensive, up-to-date information security policies (including a procedure for verifying a requester's identity before releasing information or performing a change)
  - Personnel must read the policies and be able to recognize potential social engineering attacks

Physical Security
- Physical security is a necessary countermeasure to hacking
- Concerned with:
  - Physical access
  - Environmental issues
  - Power source(s)
  - Biometrics
  - Fire protection
  - Inventory control
  - Media erasure/destruction
  - etc.

Physical Security: Threats to Physical Security
- Human actions: war, labor strikes, sabotage, theft, vandalism
- Natural events: storms, earthquakes, etc.
- Disasters: release of toxic gases, fire, power outage, water damage, equipment failure

Physical Security: Physical Security Implementation (cont.)
- Facility controls must be an integral part of the planning and design of data facilities
- Issues:
  - Heights
  - Fire ratings of walls and ceilings
  - Weight ratings
  - Electrical conductivity of floors (to reduce static electricity)
  - Window security
  - Door security
  - Emergency exits
  - Fire suppression
  - Shut-off switches
  - Air conditioning: positive air pressure (to protect against airborne particles entering the building)
  - UPS

Physical Security: Physical Security Implementation (cont.)
- Facility controls (cont.): site selection considerations
  - Local environment: security situation, types of other facilities in the area
  - Joint tenancy: restrictions/complications/vulnerabilities caused by other tenants
  - Visibility: prominence of the building
  - Transportation: accessibility, congestion, etc.
  - Emergency services: availability of police, fire, medical

Physical Security: Physical Security Implementation (cont.)
- Facility controls (cont.): access logs for facility entry should record
  - Violations
  - Modification of access privileges, and by whom
  - Time and date of the access attempt
  - Successful/unsuccessful attempts
  - Point of entry
  - Name of the individual attempting access
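The fields above are only useful if someone reviews them. The following is an added example, not part of the course slides: it runs three review checks over a constructed badge-reader log that carries exactly those fields. The log rows, the entry-point names and the thresholds (three failures in five minutes, 07:00 to 19:00 business hours, a grant used within fifteen minutes) are assumptions chosen for the demonstration.

```python
"""Review a facility access log and flag three patterns a reviewer wants to see:
a burst of failed attempts by one person at one door, successful after-hours
entry to a sensitive area, and a privilege grant used within minutes of being made."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader log (not real data). A row with an empty name and
# result records a privilege change rather than an access attempt.
BADGE_LOG = """\
timestamp,name,entry_point,result,privilege_change,changed_by
2024-03-04T08:01:12,alice,front-door,success,,
2024-03-04T08:02:40,bob,front-door,success,,
2024-03-04T08:03:05,bob,server-room,fail,,
2024-03-04T22:14:03,carol,server-room,fail,,
2024-03-04T22:14:21,carol,server-room,fail,,
2024-03-04T22:14:49,carol,server-room,fail,,
2024-03-04T22:14:55,,server-room,,grant:carol,dave
2024-03-04T22:15:05,carol,server-room,success,,
2024-03-05T09:00:00,erin,loading-dock,success,,
"""

SENSITIVE_POINTS = ("server-room",)   # assumed list of restricted entry points


def parse_log(text):
    """Parse the CSV log into dicts, adding a datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_failure_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Same person, same entry point, `threshold` failures inside `window`."""
    attempts = defaultdict(list)
    for r in rows:
        if r["result"] == "fail" and r["name"]:
            attempts[(r["name"], r["entry_point"])].append(r["ts"])
    findings = []
    for (name, point), times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(f"failure burst: {name} at {point} ({threshold} failures within {window})")
                break
    return findings


def find_after_hours(rows, sensitive=SENSITIVE_POINTS, start_hour=7, end_hour=19):
    """Successful entry to a sensitive point outside business hours."""
    return [
        f"after-hours: {r['name']} at {r['entry_point']} {r['timestamp']}"
        for r in rows
        if r["entry_point"] in sensitive and r["result"] == "success"
        and not (start_hour <= r["ts"].hour < end_hour)
    ]


def find_grant_then_access(rows, window=timedelta(minutes=15)):
    """A privilege grant followed by the grantee's successful entry within `window`."""
    findings = []
    for g in (r for r in rows if r["privilege_change"].startswith("grant:")):
        grantee = g["privilege_change"].split(":", 1)[1]
        for r in rows:
            if (r["name"] == grantee and r["result"] == "success"
                    and g["ts"] <= r["ts"] <= g["ts"] + window):
                findings.append(
                    f"grant used quickly: {g['changed_by']} granted {grantee} at {g['timestamp']}, "
                    f"entry at {r['entry_point']} {r['timestamp']}")
                break
    return findings


def audit(text=BADGE_LOG):
    """Run all three checks and return the combined list of findings."""
    rows = parse_log(text)
    return find_failure_bursts(rows) + find_after_hours(rows) + find_grant_then_access(rows)
```

The third check is the one that ties the "modification of access privileges, and by whom" field to the attempts: a grant made at night, minutes after repeated failures and immediately used, is exactly the sequence a reviewer should ask dave about.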

Physical Security: Physical Security Implementation (cont.)
- Company personnel controls: procedures related to HR such as hiring, termination, background checks, performance reviews, etc.
  - Employment background, reference, and education reviews
  - Security clearances
  - Personnel performance reviews
  - Non-disclosure agreements
  - Exit interviews
  - Return of company property
  - Change of passwords and encryption keys

Physical Security: Physical Security Implementation (cont.)
- Environmental controls:
  - Electrical power
  - Heating, ventilation, air conditioning (HVAC)
  - Humidity

Physical Security: Physical Security Implementation (cont.)
- Fire safety controls: the principal life safety control
- Impacts:
  - Personnel safety
  - Economic impact from losses
  - Loss of critical documents/data

Physical Security: Physical Security Implementation (cont.)
- Fire safety controls (cont.): combustible material classes

  FIRE CLASS   MATERIALS
  A            Wood, cloth, paper, rubber, most plastics, etc.
  B            Flammable liquids and gases, oils, grease fires, tars, oil-based paints, lacquers, etc.
  C            Energized electrical equipment
  D            Combustible metals such as magnesium and sodium

Physical Security: Physical Security Implementation (cont.)
- Fire safety controls (cont.): fire suppression classes

  CLASS   DESCRIPTION           EXTINGUISHING AGENTS
  A       Common combustibles   Water or soda acid
  B       Liquid                CO2, soda acid, Halon, FM-200
  C       Electrical            CO2, Halon, FM-200

  Water-based agents are not listed for class C because water conducts electricity. Halon production has been phased out under the Montreal Protocol; FM-200 is one of its replacements.

Physical Security: Physical Security Implementation (cont.)
- Fire safety controls (cont.): fire detection is critical to life safety
  - Heat detectors: respond to either the rate of temperature change or the actual temperature
  - Flame detectors: respond to flame pulsation or infrared emissions
  - Smoke detectors: respond to smoke interfering with a light beam (photoelectric type) or with an ionization current (ionization type)

Physical Security: Physical Security Implementation (cont.)
- Fire safety controls (cont.): fixed fire extinguishing
  - Water sprinkler systems:
    - Wet pipe
    - Dry pipe
    - Deluge
    - Preaction (combines wet and dry pipe)

Physical Security: Physical Security Implementation (cont.)
- Access controls: apply to both physical and data entities
- Access cards:
  - Dumb: simple ID card with a picture
  - Smart: embedded intelligence

  CARD TYPE            DESCRIPTION
  Photo ID             Picture
  Magnetic stripe      Data encoded on magnetic material on the card
  Passive electronic   Card responds to the magnetic field of the reader
  Active electronic    Card responds under its own power

Physical Security: Physical Security Implementation (cont.)
- Access controls (cont.): biometrics
  - Provides an automated means of identifying and authenticating a living person based on physiological or behavioral characteristics
  - Fingerprints, face recognition, retina scan, gait, hand geometry, voice, signature dynamics

Physical Security: Physical Security Implementation (cont.)
- Access controls (cont.): intrusion detection systems

  DEVICE                  DESCRIPTION
  Photoelectric sensors   Beams of light, broken by an intruder
  Dry contact mechanism   Switches or metal foil tape that open a circuit
  Motion sensors          Sonic, ultrasonic, or microwave radiation disturbed by an intruder
  Capacitance detectors   Detect changes in an electric field
  Sound detectors         Detect sound anomalies
  Voice                   Voice patterns captured
  Facial recognition      Facial features and geometry acquired

Physical Security: Physical Security Implementation (cont.)
- FAX machines: place in a secure, restricted-access area; protect FAX servers with security hardware and software

Physical Security: Physical Security Implementation (cont.)
- Physical facility controls: guards, guard dogs, fences, mantraps, bollards, lights, video cameras, PC/laptop controls (tethers, etc.)

Physical Security: Physical Security Implementation (cont.)
- Physical facility controls (cont.): locks
  - Warded locks: the common padlock opened with a key
  - Tumbler locks: more secure locks that use pin tumblers, lever tumblers, or wafer tumblers
  - Combination locks: dials or a series of wheels that require the correct combination
  - Programmable locks: electronic or mechanical keypad or card-key
  - Device locks: used to secure equipment (cables, port blocks, etc.)

Physical Security: Physical Security Implementation (cont.)
- Storage media controls:
  - Data encryption
  - Cable locks (for laptops)
  - Secure storage of paper and magnetic media
  - Backing up data
  - Storing critical data offsite
  - Destroying paper documents and magnetic media
  - Auditing media use and storage

Physical Security: Physical Security Implementation (cont.)
- Storage media controls (cont.): data remanence and object reuse
  - Data remanence is the data that remains on magnetic media following erasure
  - Object reuse is the reusing of data storage media
  - Data remanence safeguards:
    - Clearing: overwriting the magnetic medium, usually done when the media remain in the original environment
    - Purging: degaussing or overwriting media intended to be removed from a monitored environment
    - Destroying: physical destruction of the media
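Clearing by overwrite, the first safeguard above, in working form. This is an added example and not course material: it writes a constructed secret to a temporary file, overwrites every byte in three passes (zeros, ones, random), forces each pass to the device with fsync, confirms the original bytes are no longer readable from the file, and unlinks it. The function names and the pass patterns are my own choices.

```python
"""Clearing by overwrite: overwrite a file's blocks in place several times,
force the data to the device, confirm the original bytes are gone, then unlink."""
import os
import secrets
import tempfile

# Pass patterns: all-zero, all-one, then random bytes. More passes cycle again.
PASS_PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=3, block_size=65536):
    """Overwrite every byte of the file at `path` `passes` times. Returns bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for n in range(passes):
            pattern = PASS_PATTERNS[n % len(PASS_PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk_len = min(block_size, remaining)
                chunk = secrets.token_bytes(chunk_len) if pattern is None else pattern * chunk_len
                f.write(chunk)
                written += chunk_len
                remaining -= chunk_len
            # Flush Python's buffer and ask the OS to commit this pass to the
            # device before the next one; otherwise passes can coalesce in cache.
            f.flush()
            os.fsync(f.fileno())
    return written


def clear_and_delete(path, original_sample, passes=3):
    """Overwrite, verify `original_sample` is no longer readable from the file, then unlink."""
    written = overwrite_file(path, passes)
    with open(path, "rb") as f:
        residue = f.read()
    os.unlink(path)
    return {
        "bytes_written": written,
        "sample_still_present": original_sample in residue,
        "file_exists": os.path.exists(path),
    }


def demo_clear(secret=b"ACCOUNT 1234 PIN 9876\n" * 100):
    """Write a constructed secret (2200 bytes) to a temporary file and clear it."""
    fd, path = tempfile.mkstemp(prefix="remanence-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return clear_and_delete(path, secret[:22], passes=3)
```

The read-back check only proves the file's current blocks were replaced. On an SSD (wear levelling and spare area), on a journaling or copy-on-write filesystem, or where snapshots or backups exist, the old blocks can survive elsewhere, so overwriting a file is clearing at best; purging a drive that leaves the environment calls for the device's built-in secure-erase command, or full-disk encryption followed by destruction of the key. Degaussing applies only to magnetic media and leaves a modern hard disk unusable.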
FIN