Mississippi State University Center for Cyber Innovation 1
J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation
Professor, Computer Science & Engineering
CCI Post Office Box 9627 Mississippi State, MS 39762
Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]
Section Objectives
• Define social engineering
• Describe different types of social engineering techniques and attacks
• Describe identity theft
• List social engineering countermeasures
• Describe physical security measures
Social Engineering and Physical Security
Dr. Drew Hamilton Reference: Dr. Marc Rogers Reference: Josef Onuoha
Social Engineering in the News
What is Social Engineering?
• “Hello. This is Dr. Burnett of the cardiology department at Balboa Naval Medical Center in San Diego. Your patient, General Simmons, has just been admitted here unconscious. He has an unusual ventricular arrhythmia. Can you tell me if there is anything relevant in his record?”
• “Hi, I lost my password, can you reset it and tell me what it is?”
• From: [email protected] Sent: Sunday, March 28, 2004 8:10 AM To: [email protected] Subject: Re: Flag Briefing Attached Please read the attached file.
On 7 October 2001: “Singer Britney Spears Killed in Car Accident.”
Due to a bug in CNN’s software, when people at the spoofed site clicked on the “E-mail This” link, the real CNN system distributed a real CNN e-mail to recipients with a link to the spoofed page.
With each click at the bogus site, the real site’s tally of most popular stories was incremented for the bogus story. Allegedly this hoax was started by a researcher who sent the spoofed story to three users of AOL’s Instant Messenger chat software. Within 12 hours more than 150,000 people had viewed the spoofed page.
Why is Social Engineering so Effective?
• 2 Primary Factors
– Basic Human Nature & Business Environment
• Human Nature:
– Helpful
– Trusting
– Naïve
• Business Environment
– Service Oriented
– Time Crunch/Multitasking
– Distributed Locations
– Virtual Offices
– Transient Workforce
ECC Social Engineering Steps
1. Research (dumpster dive, visit websites, tour the company, and so on).
2. Select the victim (identify frustrated employee or other promising targets).
3. Develop a relationship.
4. Exploit the relationship (collect sensitive information).
• Shoulder surfing
• Tailgating
• Piggybackers
• RFID Skimming
Social Engineering Attack Phases
• Very similar to how Intelligence Agencies infiltrate their targets
• 3 Phased Approach
– Phase 1 - Intelligence Gathering
– Phase 2 - “Victim” Selection
– Phase 3 - The Attack
• Phase 1 - Intelligence Gathering
• Primarily Open Source Information
– Dumpster Diving
– Web Pages
– Ex-employees
– Contractors
– Vendors
– Strategic Partners
• The foundation for the next phases
Social Engineering Attack Phases (2)
• Phase 2 - Victim Selection
• Looking for weaknesses in the organization’s personnel
– Help Desk
– Tech Support
– Reception
– Admin. Support
– Etc.
• Phase 3 - The Attack
• Commonly known as the “con”
• Primarily based on “peripheral” routes to persuasion
– Authority
– Liking & Similarity
– Reciprocation
– Commitment & Consistency
• Uses emotion/empathy as a form of distraction
Social Engineering Attack Categories
• Technical Attacks
– No direct interpersonal contact with victims
– Attacker forges e-mail messages, pop ups, web sites, or some other medium
– Pretends to be an authorized support or system admin. person; this legitimizes the request
– Tries to obtain sensitive account information from users (e.g., passwords, user-ids, CC #s, PINs etc.)
• “PHISHING”
– Has been very successful to date
• Ego Attacks
– Attacker appeals to the vanity, or ego of the victim
– Usually targets someone they sense is frustrated with their current job position
– The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
– Attacker may pretend to be law enforcement; the victim feels honored to be helping
– Victim usually never realizes
Social Engineering Attack Categories (2)
• Sympathy Attacks
– Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.
– There is some urgency to complete some task or obtain some information
– Needs assistance or they will be in trouble or lose their job etc.
– Plays on the empathy & sympathy of the victim
– Attackers “shop around” until they find someone who will help
– Very successful attack
• Intimidation Attacks
– Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
– Attempt to use their authority to coerce the victim into cooperation
– If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.)
– If they pretend to be Law Enforcement they will claim the investigation is hush-hush and not to be discussed etc.
Social Engineering Risk Conclusion
• The Impact of SE is usually high
• The ease of the Attack is high
• Technical controls alone will not prevent the attack
• Operational/Administrative controls alone will not prevent it
• Environmental controls alone will not prevent it
– A combination of Operational/Administrative, Technical (logical), & Environmental (Physical) Control Principles
• Technology
• Policies
• Education
• Awareness
• Training
• Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem
• The best defense is proper education and awareness training combined with technical approaches
Mobile-Based Social Engineering
• Publishing malicious apps
– An attacker creates an app that looks like, acts like, and is named similarly to a legitimate application.
• Repackaging legitimate apps
– An attacker takes a legitimate app from an app store and modifies it to contain malware, posting it on a third-party app store for download.
– For example, recently a version of Angry Birds was repackaged to contain all sorts of malware badness.
• Fake security applications
– This one actually starts with a victimized PC: the attacker infects a PC with malware and then uploads a malicious app to an app store. Once the user logs in, a malware pop-up advises them to download bank security software to their phone. The user complies, thus infecting their mobile device.
• SMS
– An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. Per EC-Council, this is known as “smishing.”
Social Engineering Odds and Ends
• RFID skimming
• Reverse engineering
– Victim calls the attacker and provides information
• Social media mining
– Computer-based attacks
• Defenses
– Verify phone numbers
– Verify actual links and email addresses
– Check grammar and spelling
Phishing
• “Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data”: account usernames and passwords, credit card numbers, social security numbers, ATM card PINs, etc.
• These e-mails look “official”; because recipients trust the brand, they often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.
• Social engineering via phone is known as “vishing.”
Phishing
• A Closer Look! Complete email headers:
– Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
– Whois on this domain:
• Registered to a company on the Island of Curacao
Real site: www.citizensbank.com
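The header check shown on the slide can be done mechanically. The following Python script is an added example and is not part of the original slides: it parses the Received: hops of a message, picks the hop at which the message entered the recipient's own mail servers (the only hop whose contents the recipient can trust, since earlier Received: lines are supplied by the sender and can be forged), and flags two indicators that the slide's header exhibits: the connecting host's name spells out its own IP address (customer-201-133-75-84), which is how ISPs label consumer address pools rather than mail servers, and the connecting host's domain does not match the domain the From: header claims. The sample message is constructed: only the Received: line is taken from the slide; the From: and To: addresses, the examplebank.example domain, the subject and the body are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample message: the Received: line is the one quoted on the slide;
# the remaining headers, addresses and body are placeholders added for this example.
SAMPLE_RAW = (
    "Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) "
    "by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); "
    "Mon, 6 Sep 2004 18:05:57 -0500\n"
    'From: "Example Bank" <alerts@examplebank.example>\n'
    "To: recipient@purdue.example\n"
    "Subject: Please verify your account\n"
    "\n"
    "Please verify your account.\n"
)

# "from <helo-name> ([ip]) by <receiving-server>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
GENERIC_SLD = {"com", "co", "net", "org", "gov", "edu", "ac"}


def parse_received(value: str) -> Optional[dict]:
    """Extract HELO name, connecting IP and receiving server from one Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m.group("helo").lower(), "ip": m.group("ip"), "by": m.group("by").lower()}


def ip_embedded_in_name(name: str, ip: str) -> bool:
    """True when the host name spells out its own IP, e.g. customer-201-133-75-84:
    ISPs name consumer address pools this way; mail servers normally are not."""
    octets = [re.escape(o) for o in ip.split(".")]
    return re.search(r"(?<!\d)" + r"[-.]".join(octets) + r"(?!\d)", name) is not None


def registrable_domain(host: str) -> str:
    """Rough registrable domain: last two labels, or three for forms like example.com.mx.
    A production check would consult the public suffix list instead."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in GENERIC_SLD and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def boundary_hop(hops: list, trusted_suffix: str) -> Optional[dict]:
    """The hop at which the message entered our own servers. Received: lines are
    prepended, so the list runs newest to oldest; walk the run of hops written by
    our servers and keep the last one. Earlier lines were supplied by the sender
    and can be forged, so the connecting host recorded here is the first to trust."""
    last = None
    for hop in hops:
        if not hop["by"].endswith(trusted_suffix):
            break
        last = hop
    return last


def analyse(raw: str, trusted_suffix: str) -> dict:
    """Claimed sender domain, parsed hops, boundary hop and indicator codes for one message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received") or []) if h]
    boundary = boundary_hop(hops, trusted_suffix)
    indicators = []
    if boundary:
        if ip_embedded_in_name(boundary["helo"], boundary["ip"]):
            indicators.append("ip_embedded_in_hostname")
        if sender_domain and registrable_domain(boundary["helo"]) != registrable_domain(sender_domain):
            indicators.append("connecting_host_domain_mismatch")
    return {"sender_domain": sender_domain, "hops": hops, "boundary": boundary, "indicators": indicators}


if __name__ == "__main__":
    result = analyse(SAMPLE_RAW, "purdue.edu")
    print(result["sender_domain"], "received from", result["boundary"]["helo"], result["indicators"])
```

Run against the sample, analyse reports that a message claiming to come from examplebank.example was handed to exchange.purdue.edu by a host in prod-infinitum.com.mx whose name embeds its IP, which is exactly the contradiction the slide's whois lookup confirmed. The domain heuristic is deliberately crude; a deployed filter would use the public suffix list and add SPF/DKIM results, but the structural point (trust only the hops your own servers wrote) is the same.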
Definitions of Physical Security (DoDI 5200.8-R)
• Physical Security - That part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft.
• Identity Protection and Management is a key element that enables the physical security specialist to execute the DoD physical security program.
Phishing: Source View
• Snippet of the source (quoted-printable encoded: =3D stands for = and a trailing = marks a soft line break; the near-white font color hides the filler text from the reader):
</A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on in 1822 Pokemon = Gold It's not for me Temptation Island Big Brother I can't answer it's = beautiful Just tonight no more Terra in 1861 going to Wrong number = </font></p></html>
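Two of the defenses listed under Social Engineering Odds and Ends (verify actual links and e-mail addresses, look closely at the message) and the source snippet above can both be checked in code. The following Python script is an added example, not part of the original slides: it decodes the quoted-printable layer seen in the snippet, parses the HTML body with the standard library's HTMLParser, reports anchors whose visible text is a URL or domain that does not match the host the href actually points to, and reports any text rendered in a near-white colour such as the color="#FFFFFA" in the slide, which keeps filler text in the message while hiding it from the reader. The sample body is constructed for this example: the filler words are taken from the slide's snippet, while examplebank.example and 203.0.113.7 are placeholder hosts.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (already decoded HTML). The filler words are taken from the
# slide's snippet; examplebank.example and 203.0.113.7 are placeholder hosts.
SAMPLE_HTML = """<html><body>
<p>Please confirm your account at
<a href="http://203.0.113.7/login">https://www.examplebank.example/</a></p>
<p>Visit <a href="https://www.examplebank.example/help">www.examplebank.example</a>
or contact <a href="mailto:help@examplebank.example">Help</a></p>
<p><font color="#FFFFFA">in 1847 Windows Me Napster Kid Rock Costumes in 2005</font></p>
</body></html>"""

# Visible anchor text that looks like a URL or a bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def decode_quoted_printable(text: str) -> str:
    """Undo the quoted-printable layer seen on the slide: =3D becomes '=' and '=' + newline is removed."""
    return quopri.decodestring(text.encode()).decode(errors="replace")


def is_near_white(color, threshold: int = 0xF0) -> bool:
    """A #RRGGBB value whose channels are all close to 0xFF is invisible on a white background."""
    if not color:
        return False
    c = color.strip().lower()
    if c == "white":
        return True
    m = re.fullmatch(r"#([0-9a-f]{6})", c)
    if not m:
        return False
    channels = [int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)]
    return min(channels) >= threshold


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """Treat bank.example and www.bank.example as the same site; anything else differs."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class PhishHtmlInspector(HTMLParser):
    """Collects (href, visible text) for each anchor and the text inside near-white <font> tags."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # visible text pieces of that anchor
        self._fonts = []       # colour stack for the <font> tags currently open
        self.anchors = []
        self.hidden_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "font":
            self._fonts.append(a.get("color"))

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None
        elif tag == "font" and self._fonts:
            self._fonts.pop()

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        if self._fonts and is_near_white(self._fonts[-1]) and data.strip():
            self.hidden_text.append(" ".join(data.split()))


def link_mismatches(anchors):
    """Anchors whose displayed URL or domain sends the reader somewhere other than the real href."""
    return [(text, href) for href, text in anchors
            if URL_LIKE.match(text) and not same_site(host_of(text), host_of(href))]


def inspect_html(html: str) -> dict:
    p = PhishHtmlInspector()
    p.feed(html)
    p.close()
    return {"link_mismatches": link_mismatches(p.anchors), "hidden_text": p.hidden_text}


if __name__ == "__main__":
    print(inspect_html(SAMPLE_HTML))
```

On the sample, the first link is flagged because its visible text names the bank while the href leads to a bare IP address, the second is accepted because text and href share a site, and the near-white paragraph is reported as hidden text. Only the legacy <font color> attribute is inspected here; a fuller version would also read inline CSS colours and compare the anchor host against the sender's domain from the headers.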
Physical Security Requirements
• Physical Security Requirements can be segmented into 11 different sections
1. Documentation
2. Safety
3. Physical Access
4. Facilities
5. Environmental
6. Human Threat
7. Mobile Computing Devices
8. Sensitive Data
9. Hard Copy Output
10. Marking
11. Incident Response
Physical Security Measures
• alarms
• building construction
• cabling
• communications centers
• environmental controls (humidity and air conditioning)
• filtered power
• fire safety controls
• information systems centers
• physical access control systems (key cards, locks and alarms)
• power controls (regulator, uninterrupted power service (UPS), and emergency power-off switch)
• protected distributed systems
• shielding
• stand-alone systems and peripherals
• storage area controls
Physical Security Initiatives (Proponent: USD (I))
• Physical Security Program Regulation (DOD 5200.8R - 9 April 2007, ch1 27 May 2009)
– Defense in Depth
– Vulnerability Assessment
– Chapter 6: Security of Communications Systems
• Ensure overall policy conformance
– HSPD 12 Policy for Common Federal ID Standard (ID assurance)
– Nothing in this reg abrogates the authority or responsibility of commanders to apply more stringent security standards required by other DoD Issuances during emergencies, increased threat level or high risk determinations, or as the commander/director deems necessary.
• Reinforce migration to CAC
Types of Physical Security
• Physical Measures
– Locks, Walls
• Technical Measures
– Smartcards
– Biometrics
• Operational Measures
– Policies and procedures
– Risk assessment
– Key management
Goals of Physical Security
• Prevent unauthorized access to equipment, installations, material, and documents
• Safeguard against espionage, sabotage, damage, and theft
• Safeguard personnel
Perimeter Protection
• Standoff distance
– The maintained distance between where a vehicle bomb is allowed and the target
• Exclusive Standoff Zone
– Vehicles are not allowed within the perimeter unless they have been searched and cleared
• Nonexclusive Standoff Zone
– Established when a facility or location permits a mixture of trucks and cars.
– Includes inner and outer perimeters
• Speed Control
– Controls the speed of vehicles used for bombs
• Vehicle barriers
• Perimeters should also protect against standoff weapons such as rifles, shotguns, pistols
• Primary defense is to obstruct Line Of Sight (LOS) from vantage points outside the site
– Use a Predetonation Screen
• Surveillance
– Aggressors remain outside of controlled areas and try to gather information from within those areas
– Designers must eliminate or control vantage points from which aggressors can surveil or eavesdrop on assets or operations.
• Trees, bushes, fences, other buildings etc
• Lighting
– Discourage or deter attempts at entry by intruders.
– Prevent glare that may temporarily blind the guards.
– Different types
• Continuous, standby, movable
– Different applications
• Entrances, Parking areas, Critical areas
• Staffing
– Security Guards
– Patrols
– Dogs
Physical Access Control
• Locks
– Preset Locks and Keys
• Typical door locks
– Programmable Locks
• Mechanical (Cipher Locks)
• Electronic (Keypad Systems): Digital Keyboard
– Number of Combinations
– Number of Digits in Code
– Frequency of Code Change
• Cards
– Photo-ID cards
– Wireless Proximity readers
– Magnetic Stripe cards
– Smart Cards
• Often Require Use of a PIN with the Card
• Readers: Card Insertion, Card Swipe & Proximity
• DOD Smart Cards (Common Access Cards)
• Biometric Devices
– Fingerprint/Thumbprint Scan
– Retina Scan
– Hand Geometry
– Facial Recognition
– Voice Verification
– Problems
• Cost
• Speed
• Accuracy
• Typical verification times for entry-control devices
• Visitor identification and control
– Visitors, Cleaning teams, Civilians in work areas after normal work hours, Government contractors
• Personnel
– Position Sensitivity Designation
– Management Review of Access Lists
– Background Screening/Re-Screening
– Termination/Transfer Controls
– Disgruntled Employees
• Movement Control
– Escorts
– Two-person rule
Distributed Computing
• Threats
– To Confidentiality
• Sharing Computers
• Sharing Diskettes
– To Availability
• User Errors
– To Data Integrity
• Malicious Code
• Version Control
Physical Security of Distributed Computing
• Office Area Controls
– Entry Controls
– Office Lay-Out
– Property controls
– Electronic Media Controls
– Clean-Desk Policy
– Space protection devices
• Heat/Humidity considerations
Stand-alone Systems and Peripherals
• PC Physical Control
– Cable locks
• Vinyl-covered steel cable anchoring the PC or peripheral to desk
– Port controls
• Devices that secure data ports (such as USB ports) and prevent their use
– Switch Controls
• A cover for the on/off switch, which prevents a user from switching off the file server’s power
– Peripheral switch controls
• Lockable switches that prevent a keyboard from being used
– Electronic Security Boards
• Boards inserted into an expansion slot in the PC that force a user to enter a password when the unit is booted
Environment and Life Safety Controls
• Environmental considerations for physical security include the following
• Electric Power
• RFI, EMI
– Implement TEMPEST
• Humidity
– Humidity below 40% increases the potential for static electricity damage
• Emergency power off controls
• Voltage monitoring/recording
• Surge protection
• Electric Power (cont)
– Backup power
• Backup feeders, UPS
– Emergency power generators
• Temperature
– Temperatures When Damage Occurs
• Paper Products: 350°
• Computer Equipment: 175°
• Disks: 150°
• Magnetic Media: 100°
• Fire detection
– Heat-sensing
– Flame-actuated
– Smoke-actuated
– Automatic dial-up fire alarm
• Fire Extinguishing Systems
– Wet pipe
– Dry pipe
– Deluge
• Suppression media
– Halon
• Excellent for vaults, equipment cabinets, etc
– Carbon dioxide (CO2)
• Great for unattended facilities. Potentially dangerous to people
Information System Centers
• Site selection
– Low visibility
– Low natural disaster threat
– Easy access to external services such as police, fire, hospitals, etc
• Infrastructure
– Servers, switches, routers should be placed in locked racks and locked rooms
– Wiring and cables should be routed through walls, floors, etc to avoid tampering
– Uninterruptible power supply should exist for the computing facility
Tamper Resistance
• A device is said to be tamper-resistant if it is difficult to modify or subvert, even for an assailant who has physical access to the system.
• Specialized materials used to make tampering difficult
– One-way screws, epoxy encapsulation, Torx screws
• Closely tied to tamper detection and response
Tamper Detection
• The ability of a device to sense that it is under physical attack; includes
– Switches to detect opening of device covers
– Sensors to detect changes in light or pressure within the device
– Barrier to detect drilling or penetration of physical boundary
– Paint
Tamper Response
• Tamper Response is the countermeasure taken upon the detection of tampering
• Ex.: Erase memory, shutdown/disable device, enable logging
• This is especially important in the case of cryptographic keys being stolen or lost
– Computational errors introduced into a smart card can be used to deduce the values of cryptographic keys hidden in the smart card
– Layers of a chip can be uncovered by etching, chip behavior discerned by advanced infrared probing, and chip logic reverse-engineered
OPSEC
• Operations security (OPSEC) is an analytic process used to deny an adversary information - generally unclassified
• Trains people on the handling of information
• We can apply OPSEC in our daily lives
– “What could an adversary glean from the knowledge of this activity?”
Resources
• Physical Security Requirements For NSA/CSS Sensitive Compartmented Information Facilities
• FM 3-19.30 Physical Security, Department of the Army
• AR 380-5 Appendix H Classified Document and Material Storage
• Smart Card/Common Access Card Program http://www.don-ebusiness.navsup.navy.mil/portal/page?_pageid=36,74750,48_72991&_dad=pebiz&_schema=PEBIZ
Biometrics
• “Something you are”
Mantraps
Authentication Using Biometrics
A device for measuring finger length.
Summary – Section Objectives
• Define social engineering
• Describe different types of social engineering techniques and attacks
• Describe identity theft
• List social engineering countermeasures
• Describe physical security measures