J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State...


Page 1: J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State … web.cse.msstate.edu/~hamilton/P3I/CEH/lessons/11_Social...

Mississippi State University Center for Cyber Innovation 1

J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation

Professor, Computer Science & Engineering

CCI Post Office Box 9627 Mississippi State, MS 39762

Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]


Section Objectives

•  Define social engineering
•  Describe different types of social engineering techniques and attacks
•  Describe identity theft
•  List social engineering countermeasures
•  Describe physical security measures


Social Engineering and Physical Security

Dr. Drew Hamilton
Reference: Dr. Marc Rogers
Reference: Josef Onuoha


Social Engineering in the News


What is Social Engineering?

•  “Hello. This is Dr. Burnett of the cardiology department at Balboa Naval Medical Center in San Diego. Your patient, General Simmons, has just been admitted here unconscious. He has an unusual ventricular arrhythmia. Can you tell me if there is anything relevant in his record?”
•  “Hi, I lost my password, can you reset it and tell me what it is?”
•  From: [email protected]
   Sent: Sunday, March 28, 2004 8:10 AM
   To: [email protected]
   Subject: Re: Flag Briefing Attached Please read the attached file.


On 7 October 2001: “Singer Britney Spears Killed in Car Accident.”

Due to a bug in CNN’s software, when people at the spoofed site clicked on the “E-mail This” link, the real CNN system distributed a real CNN e-mail to recipients with a link to the spoofed page.

With each click at the bogus site, the real site’s tally of most popular stories was incremented for the bogus story. Allegedly this hoax was started by a researcher who sent the spoofed story to three users of AOL’s Instant Messenger chat software. Within 12 hours more than 150,000 people had viewed the spoofed page.


Why is Social Engineering so Effective?

•  2 Primary Factors
   –  Basic Human Nature & Business Environment
•  Human Nature:
   –  Helpful
   –  Trusting
   –  Naïve
•  Business Environment
   –  Service Oriented
   –  Time Crunch/Multitasking
   –  Distributed Locations
   –  Virtual Offices
   –  Transient Workforce


ECC Social Engineering Steps

1.  Research (dumpster dive, visit websites, tour the company, and so on).
2.  Select the victim (identify frustrated employee or other promising targets).
3.  Develop a relationship.
4.  Exploit the relationship (collect sensitive information).

•  Shoulder surfing
•  Tailgating
•  Piggybackers
•  RFID Skimming


Social Engineering Attack Phases

•  Very similar to how Intelligence Agencies infiltrate their targets
•  3 Phased Approach
   –  Phase 1 - Intelligence Gathering
   –  Phase 2 - “Victim” Selection
   –  Phase 3 - The Attack
•  Phase 1 - Intelligence Gathering
•  Primarily Open Source Information
   –  Dumpster Diving
   –  Web Pages
   –  Ex-employees
   –  Contractors
   –  Vendors
   –  Strategic Partners
•  The foundation for the next phases


Social Engineering Attack Phases (2)

•  Phase 2 - Victim Selection
•  Looking for weaknesses in the organization’s personnel
   –  Help Desk
   –  Tech Support
   –  Reception
   –  Admin. Support
   –  Etc.
•  Phase 3 - The Attack
•  Commonly known as the “con”
•  Primarily based on “peripheral” routes to persuasion
   –  Authority
   –  Liking & Similarity
   –  Reciprocation
   –  Commitment & Consistency
•  Uses emotion/empathy as a form of distraction


Social Engineering Attack Categories

•  Technical Attacks
   –  No direct interpersonal contact with victims
   –  Attacker forges e-mail messages, pop ups, web sites, or some other medium
   –  Pretends to be an authorized support or system admin. person; legitimizes the request
   –  Tries to obtain sensitive account information from users (e.g., passwords, user-ids, CC #s, PINs etc.)
•  “PHISHING”
   –  Has been very successful to date
•  Ego Attacks
   –  Attacker appeals to the vanity, or ego of the victim
   –  Usually targets someone they sense is frustrated with their current job position
   –  The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
   –  Attacker may pretend to be law enforcement; the victim feels honored to be helping
   –  Victim usually never realizes


Social Engineering Attack Categories (2)

•  Sympathy Attacks
   –  Attacker pretends to be a fellow employee (new hire), contractor, or a vendor, etc.
   –  There is some urgency to complete some task or obtain some information
   –  Needs assistance or they will be in trouble or lose their job etc.
   –  Plays on the empathy & sympathy of the victim
   –  Attackers “shop around” until they find someone who will help
   –  Very successful attack
•  Intimidation Attacks
   –  Attacker pretends to be someone influential (e.g., authority figure, law enforcement)
   –  Attempt to use their authority to coerce the victim into cooperation
   –  If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.)
   –  If they pretend to be Law Enforcement they will claim the investigation is hush-hush and not to be discussed etc.


Social Engineering Risk Conclusion

•  The Impact of SE is usually high
•  The ease of the Attack is high
•  Technical controls alone will not prevent the attack
•  Operational/Administrative controls alone will not prevent it
•  Environmental controls alone will not prevent it
   –  A combination of Operational/Administrative, Technical (logical), & Environmental (Physical) Control Principles
      •  Technology
      •  Policies
      •  Education
      •  Awareness
      •  Training
•  Information Assurance/Security is a hardware, software, firmware, and “peopleware” problem
•  The best defense is proper education and awareness training combined with technical approaches


Mobile-Based Social Engineering

•  Publishing malicious apps
   –  An attacker creates an app that looks like, acts like, and is named similarly to a legitimate application.
•  Repackaging legitimate apps
   –  An attacker takes a legitimate app from an app store and modifies it to contain malware, posting it on a third-party app store for download.
   –  For example, recently a version of Angry Birds was repackaged to contain all sorts of malware badness.
•  Fake security applications
   –  This one actually starts with a victimized PC: the attacker infects a PC with malware and then uploads a malicious app to an app store. Once the user logs in, a malware pop-up advises them to download bank security software to their phone. The user complies, thus infecting their mobile device.
•  SMS
   –  An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. Per EC-Council, this is known as “smishing.”


Social Engineering Odds and Ends

•  RFID skimming
•  Reverse engineering
   –  Victim calls the attacker and provides information
•  Social media mining
   –  Computer-based attacks
•  Defenses
   –  Verify phone numbers
   –  Verify actual links and email addresses
   –  Check grammar and spelling


Phishing

•  “Fraudulent e-mail messages designed to fool the recipients into divulging personal authentication data.”
   –  Account usernames and passwords, credit card numbers, social security numbers, ATM card PINs
•  These e-mails look “official” and recipients trust the brand, so they often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.
•  Social engineering via phone can be known as “vishing.”


Phishing


Phishing

•  A Closer Look!
•  Complete email Headers:
   –  Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
   –  Whois on this domain:
      •  Registered to a company on the Island of Curacao
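What an analyst does with that Received line, as an added example that is not from the slides: parse each Received hop, take the bottom-most one as the origin, and report why a host such as customer-201-133-75-84.prod-infinitum.com.mx is a poor match for a bank's mail server. The slide's header is embedded in an otherwise constructed message; the outer hop, the address 192.0.2.10, the From and Subject lines and the body are made up.

```python
"""Triage of the Received header chain in a suspected phishing e-mail.

Added example, not from the slides. Only the second Received line below is
the one quoted on the slide; everything else in SAMPLE_MESSAGE is
constructed (192.0.2.10 is a documentation address).
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Received: from exchange.purdue.edu ([192.0.2.10]) by mailstore.example.edu; Mon, 6 Sep 2004 18:06:02 -0500
Received: from customer-201-133-75-84.prod-infinitum.com.mx ([201.133.75.84]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 6 Sep 2004 18:05:57 -0500
From: "Citizens Bank" <security@citizensbank.com>
Subject: Please verify your account

(constructed body)
"""

# from <helo-name> ([<ip>]) by <server> ... ; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)"
    r".*?;\s*(?P<date>.+)$",
    re.S,
)

# Label fragments ISPs commonly use for dynamically assigned customer hosts.
DYNAMIC_HINTS = ("customer", "dyn", "dhcp", "pool", "ppp", "dsl", "cable", "dial")


def parse_received(value):
    """Split one Received header into helo name, IP, receiving host and date."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold whitespace
    if not m:
        return None
    d = m.groupdict()
    d["date"] = d["date"].strip()
    return d


def embeds_ip(hostname, ip):
    """True if the host name spells out its own address (forward or reversed)."""
    octets = ip.split(".")
    forms = ("-".join(octets), ".".join(octets), "-".join(reversed(octets)))
    return any(f in hostname for f in forms)


def analyze_origin(raw_message):
    """Find the first hop the mail took and list why it looks suspicious."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        return {"error": "no Received headers"}
    origin = hops[-1]                 # bottom-most header = earliest hop
    host = origin["helo"].lower()
    claimed_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    indicators = []
    if origin["ip"] and embeds_ip(host, origin["ip"]):
        indicators.append("host name encodes its own IP (ISP customer-pool naming)")
    if any(hint in host for hint in DYNAMIC_HINTS):
        indicators.append("host name suggests a dynamic or residential connection")
    if claimed_domain and not (host == claimed_domain or host.endswith("." + claimed_domain)):
        indicators.append(f"first hop is outside the claimed sender domain {claimed_domain}")
    return {
        "origin_ip": origin["ip"],
        "origin_host": origin["helo"],
        "received_by": origin["by"],
        "hops": len(hops),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in analyze_origin(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The whois step the slide goes on to describe is the natural follow-up on `origin_ip`; it is a network lookup and is left out of this offline example.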


Phishing

Real site: www.citizensbank.com


Definitions of Physical Security (DoDI 5200.8-R)

•  Physical Security - That part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft.

•  Identity Protection and Management is a key element that enables the physical security specialist to execute the DoD physical security program.


Phishing: Source View

•  Snippet of the source:

   </A></a></font></p><p><font = color=3D"#FFFFFA">in 1847 Windows Me All the best you are stupid Napster = Kid Rock Costumes in 2005 ?????? smart in 1861 Hold on in 1822 Pokemon = Gold It's not for me Temptation Island Big Brother I can't answer it's = beautiful Just tonight no more Terra in 1861 going to Wrong number = </font></p></html>

   (The trailing “=” signs are quoted-printable soft line breaks and “=3D” is an encoded “=”. The near-white font color #FFFFFA hides this random word filler from the reader; such word salad is typically added to defeat content-based spam filters.)


Physical Security Requirements

•  Physical Security Requirements can be segmented into 11 different sections

1.  Documentation
2.  Safety
3.  Physical Access
4.  Facilities
5.  Environmental
6.  Human Threat
7.  Mobile Computing Devices
8.  Sensitive Data
9.  Hard Copy Output
10. Marking
11. Incident Response


Physical Security Measures

•  alarms
•  building construction
•  cabling
•  communications centers
•  environmental controls (humidity and air conditioning)
•  filtered power
•  fire safety controls
•  information systems centers
•  physical access control systems (key cards, locks and alarms)
•  power controls (regulator, uninterrupted power service (UPS), and emergency power-off switch)
•  protected distributed systems
•  shielding
•  stand-alone systems and peripherals
•  storage area controls


Physical Security Initiatives
Proponent: USD (I)

•  Physical Security Program Regulation (DOD 5200.8R - 9 April 2007, ch1 27 May 2009)
   –  Defense in Depth
   –  Vulnerability Assessment
   –  Chapter 6: Security of Communications Systems
•  Ensure overall policy conformance – HSPD 12
   –  HSPD 12 Policy for Common Federal ID Standard (ID assurance)
   –  Nothing in this reg abrogates the authority or responsibility of commanders to apply more stringent security standards required by other DoD Issuances during emergencies, increased threat level or high risk determinations, or as the commander/director deems necessary.
•  Reinforce migration to CAC


Types of Physical Security

•  Physical Measures
   –  Locks, Walls
•  Technical Measures
   –  Smartcards
   –  Biometrics
•  Operational Measures
   –  Policies and procedures
   –  Risk assessment
   –  Key management


Goals of Physical Security

•  Prevent unauthorized access to equipment, installations, material, and documents

•  Safeguard against espionage, sabotage, damage, and theft

•  Safeguard personnel


Perimeter Protection

•  Standoff distance
   –  The maintained distance between where a vehicle bomb is allowed and the target
•  Exclusive Standoff Zone
   –  Vehicles are not allowed within perimeter unless they have been searched and cleared
•  Nonexclusive Standoff Zone
   –  Established when a facility or location permits a mixture of trucks and cars.
   –  Includes inner and outer perimeters


Perimeter Protection


Perimeter Protection

•  Speed Control
   –  Controls the speed of vehicles used for bombs


Perimeter Protection

•  Vehicle barriers


Perimeter Protection

•  Perimeters should also protect against standoff weapons such as rifles, shotguns, pistols
•  Primary defense is to obstruct Line Of Sight (LOS) from vantage points outside the site
   –  Use a Predetonation Screen


Perimeter Protection


Perimeter Protection

•  Surveillance
   –  Aggressors remain outside of controlled areas and try to gather information from within those areas
   –  Designers must eliminate or control vantage points from which aggressors can surveil or eavesdrop on assets or operations.
      •  Trees, bushes, fences, other buildings etc


Perimeter Protection


Perimeter Protection

•  Lighting
   –  Discourage or deter attempts at entry by intruders.
   –  Prevent glare that may temporarily blind the guards.
   –  Different types
      •  Continuous, standby, movable
   –  Different applications
      •  Entrances, Parking areas, Critical areas
•  Staffing
   –  Security Guards
   –  Patrols
   –  Dogs


Physical Access Control

•  Locks
   –  Preset Locks and Keys
      •  Typical door locks
   –  Programmable Locks
      •  Mechanical (Cipher Locks)
      •  Electronic (Keypad Systems): Digital Keyboard
         –  Number of Combinations
         –  Number of Digits in Code
         –  Frequency of Code Change
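How the three keypad-lock parameters interact, as an added example that is not from the slides: it turns number of combinations, number of digits and change frequency into the probability that systematic guessing opens the lock before the code is rotated, and into the longest rotation interval that keeps that probability under a target. The 2-second try time and the 5-attempt / 5-minute lockout policy are assumptions, not vendor figures.

```python
"""Sizing a programmable keypad lock: combinations, code length, change
frequency.

Added example, not from the slides. Try rate and lockout policy in the
demo at the bottom are assumptions, not figures from any lock vendor.
"""
import math


def keyspace(digits, symbols=10, ordered=True):
    """Number of possible codes.

    ordered=True  : keypad that checks the digit sequence (symbols ** digits).
    ordered=False : push-button lock that only checks which buttons were
                    pressed, each at most once (C(symbols, digits)); a far
                    smaller space for the same number of digits.
    """
    return symbols ** digits if ordered else math.comb(symbols, digits)


def effective_rate(seconds_per_try, attempts_before_lockout=0, lockout_seconds=0.0):
    """Sustained guesses per second once a lockout policy is accounted for."""
    if attempts_before_lockout <= 0:
        return 1.0 / seconds_per_try
    cycle = attempts_before_lockout * seconds_per_try + lockout_seconds
    return attempts_before_lockout / cycle


def attempts_within(seconds, seconds_per_try, attempts_before_lockout=0, lockout_seconds=0.0):
    """How many distinct codes can be tried inside a given window."""
    return int(seconds * effective_rate(seconds_per_try, attempts_before_lockout, lockout_seconds))


def guess_probability(digits, window_seconds, seconds_per_try,
                      attempts_before_lockout=0, lockout_seconds=0.0, ordered=True):
    """Chance that systematic guessing opens the lock before the code is
    changed; window_seconds is the code-change interval."""
    tries = attempts_within(window_seconds, seconds_per_try,
                            attempts_before_lockout, lockout_seconds)
    return min(1.0, tries / keyspace(digits, ordered=ordered))


def max_change_interval(digits, target_probability, seconds_per_try,
                        attempts_before_lockout=0, lockout_seconds=0.0, ordered=True):
    """Longest code-change interval (seconds) that keeps the guess
    probability at or below target_probability."""
    rate = effective_rate(seconds_per_try, attempts_before_lockout, lockout_seconds)
    return target_probability * keyspace(digits, ordered=ordered) / rate


if __name__ == "__main__":
    DAY = 86400
    # Assumed: 2 s per try; lockout of 5 minutes after 5 wrong codes.
    for digits in (4, 6):
        p_plain = guess_probability(digits, DAY, 2)
        p_lock = guess_probability(digits, DAY, 2, 5, 300)
        days = max_change_interval(digits, 0.01, 2, 5, 300) / DAY
        print(f"{digits} digits: P(open within 1 day) no lockout={p_plain:.3f}, "
              f"with lockout={p_lock:.4f}; rotate code every {days:.2f} days for P<=1%")
```

Under these assumptions a 4-digit code with no lockout is exhausted well within a day, while the lockout alone cuts the daily guess budget to about 1400 codes; adding digits and a lockout together is what makes a realistic rotation interval possible.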


Physical Access Control

•  Cards
   –  Photo-ID cards
   –  Wireless Proximity readers
   –  Magnetic Stripe cards
   –  Smart Cards
•  Often Require Use of PIN Number with Card
•  Readers: Card Insertion, Card Swipe & Proximity


Physical Access Control

•  DOD Smart Cards (Common Access Cards)


Physical Access Control

•  Biometric Devices
   –  Fingerprint/Thumbprint Scan
   –  Retina Scan
   –  Hand Geometry
   –  Facial Recognition
   –  Voice Verification
   –  Problems
      •  Cost
      •  Speed
      •  Accuracy


Physical Access Control

•  Typical verification times for entry-control devices


Physical Access Control

•  Visitor identification and control
   –  Visitors, Cleaning teams, Civilians in work areas after normal work hours, Government contractors
•  Personnel
   –  Position Sensitivity Designation
   –  Management Review of Access Lists
   –  Background Screening/Re-Screening
   –  Termination/Transfer Controls
   –  Disgruntled Employees


Physical Access Control

•  Movement Control
   –  Escorts
   –  Two-person rule


Distributed Computing

•  Threats
   –  To Confidentiality
      •  Sharing Computers
      •  Sharing Diskettes
   –  To Availability
      •  User Errors
   –  To Data Integrity
      •  Malicious Code
      •  Version Control


Physical Security of Distributed Computing

•  Office Area Controls
   –  Entry Controls
   –  Office Lay-Out
   –  Property controls
   –  Electronic Media Controls
   –  Clean-Desk Policy
   –  Space protection devices
•  Heat/Humidity considerations


Stand-alone Systems and Peripherals

•  PC Physical Control
   –  Cable locks
      •  Vinyl-covered steel cable anchoring the PC or peripheral to desk
   –  Port controls
      •  Devices that secure data ports (such as USB ports) and prevent their use


Stand-alone Systems and Peripherals

•  PC Physical Control (cont)
   –  Switch Controls
      •  A cover for the on/off switch, which prevents a user from switching off the file server’s power
   –  Peripheral switch controls
      •  Lockable switches that prevent a keyboard from being used
   –  Electronic Security Boards
      •  Boards inserted into an expansion slot in the PC that force a user to enter a password when the unit is booted


Environment and Life Safety Controls

•  Environment considerations to physical security include the following
•  Electric Power
•  RFI, EMI
   –  Implement TEMPEST
•  Humidity
   –  Humidity of < 40% increases static electricity damage potential
•  Emergency power off controls
•  Voltage monitoring/recording
•  Surge protection


Environment and Life Safety Controls

•  Electric Power (cont)
   –  Backup power
      •  Backup feeders, UPS
   –  Emergency power generators


Environment and Life Safety Controls

•  Temperature
   –  Temperatures When Damage Occurs
      •  Paper Products: 350°
      •  Computer Equipment: 175°
      •  Disks: 150°
      •  Magnetic Media: 100°
•  Fire detection
   –  Heat-sensing
   –  Flame-actuated
   –  Smoke-actuated
   –  Automatic dial-up fire alarm


Environment and Life Safety Controls

•  Fire Extinguishing Systems
   –  Wet pipe
   –  Dry pipe
   –  Deluge
•  Suppression mediums
   –  Halon
      •  Excellent for vaults, equipment cabinets, etc
   –  Carbon dioxide (carbon IV oxide)
      •  Great for unattended facilities. Potentially dangerous


Information System Centers

•  Site selection
   –  Low visibility
   –  Low natural disaster threat
   –  Easy access to external services such as police, fire, hospitals, etc


Information System Centers

•  Infrastructure
   –  Servers, switches, routers, should be placed in locked racks and locked rooms
   –  Wiring and cables should be routed through walls, floors, etc to avoid tampering
   –  Uninterrupted power supply should exist for computing facility


Tamper Resistance

•  A device is said to be tamper-resistant if it is difficult to modify or subvert, even for an assailant who has physical access to the system.

•  Specialized materials used to make tampering difficult
   –  One-way screws, epoxy encapsulation, torx

•  Closely tied to tamper detection and response


Tamper Detection

•  The ability of a device to sense that it is under physical attack, and includes
   –  Switches to detect opening of device covers
   –  Sensors to detect changes in light or pressure within the device
   –  Barrier to detect drilling or penetration of physical boundary
   –  Paint


Tamper Response

•  Tamper Response is the counter measure taken upon the detection of tampering
•  Ex.: Erase memory, shutdown/disable device, enable logging
•  This is especially important in the case of cryptographic keys being stolen or lost
   –  Computational errors introduced into a smart card can be used to deduce the values of cryptographic keys hidden in the smart card
   –  Layers of a chip can be uncovered by etching, discerning chip behavior by advanced infrared probing, and reverse-engineering chip logic


OPSEC

•  Operations security (OPSEC) is an analytic process used to deny an adversary information - generally unclassified
•  Trains people on the handling of information
•  We can apply OPSEC in our daily lives
   –  “What could an adversary glean from the knowledge of this activity?”


Resources

•  Physical Security Requirements For NSA/CSS Sensitive Compartmented Information Facilities

•  FM 3-19.30 Physical Security, Department of the Army

•  AR 380-5 Appendix H Classified document and Material Storage

•  Smart Card/Common Access Card Program http://www.don-ebusiness.navsup.navy.mil/portal/page?_pageid=36,74750,48_72991&_dad=pebiz&_schema=PEBIZ


Biometrics

•  “Something you are”


Mantraps


Authentication Using Biometrics

A device for measuring finger length.


Summary – Section Objectives

•  Define social engineering
•  Describe different types of social engineering techniques and attacks
•  Describe identity theft
•  List social engineering countermeasures
•  Describe physical security measures