People Layer Security Lecture 9 Supakorn Kungpisdan [email protected]


Post on 27-Dec-2015


Page 1: People Layer Security Lecture 9 Supakorn Kungpisdan supakorn@mut.ac.th

People Layer Security

Lecture 9
Supakorn Kungpisdan
supakorn@mut.ac.th


Outline

Attacking the People Layer
Defending the People Layer
Risk Management

NETE4630 Advanced Network Security and Implementation 2


Introduction

The OSI 7-layer reference model is a framework for data communications.

Security can be breached by exploiting the flaws and weaknesses of protocols and their implementations at each layer of the OSI model.

Hardware and software behaviours are repeatable, but people are not as consistent as machines; some refuse to follow basic security rules (e.g. they do not read the necessary manuals, they take shortcuts, and so on).

The people layer (layer 8) has been added to address the impact of human error.


Attacking the People Layer

Hacking needs to attack where the information is stored: computers or people? Which one is easier to get the information from?

80% of a corporation’s knowledge resides with its employees.

This helps attackers in two ways:
Employees have a treasure trove of information
Humans are easier targets than computers


Attacking the People Layer (cont.)

“Whatever the potential of the Internet, most observers recognize that information collection today is more widespread offline and online”
US Federal Trade Commission chairman, Timothy J. Muris

“The greatest risk of misuse of your personal information is from lost or stolen wallets and purses, not online information, as many think”
Jan Dulney, president of Better Business Bureau of Western Ontario


Social Engineering

Social engineering is the process of using psychology to encourage people to give you the information or access that you want

Involves deceit and manipulation, and can be done face-to-face, remotely but still interactively (e.g. by phone), or indirectly through technology


Social Engineering (cont.)

Authority: pretending to be in a position of authority

Liking: a social engineer appears likeable; most people will react to him or her in a positive way

Reciprocation: when someone gives us a gift or does us a favor, we want to give something in return

Social Validation: people want to be accepted, and the best way to belong is to be like everyone else

Scarcity: people want things that are in short supply or only available for a short time. If offered such a thing, he or she is motivated to accept it.


In Person

It is safer for the attacker to use social engineering from afar (e.g. over the phone).

In-person social engineering is suitable if the goal is to gain physical access to a computer system or to obtain materials that are not in electronic form.

People are often more suspicious of unusual requests made over the phone than of someone presenting a request in person.

Examples: unauthorized entry, theft


Unauthorized Entry

Piggybacking (aka tailgating): following an authorized person through an entrance or door

Fake IDs can be made online, e.g. at www.myoids.com or www.phidentity.com

If a door requires a personal identification number (PIN) for entry, try shoulder surfing

Once the unauthorized entry is achieved, the attacker can do many things, including install a hardware keystroke logger

Two types of keystroke loggers: hardware and software


Hardware Keyloggers

Completely undetectable by software; can record all keystrokes, including keystrokes typed before the OS is loaded (e.g. a BIOS password)

But the attacker has to return to retrieve the hardware keylogger.


Software Keyloggers

Can be installed through social engineering
Can tell which program the user is executing
Can categorize the keystrokes for the attacker
Can send the captured keystrokes to the attacker via e-mail, IRC, or another communication channel


Spector360 (slides 12 to 24 are screenshots of the product)

http://www.spector360.com/overview/record.htm


Detecting Hardware Keyloggers

Can only be done by inspecting the keyboard connection

They don’t run inside the computer as a program; there’s no information in memory

KeyGhost Ltd. makes a keyboard with a built-in keystroke logger, so that even visual inspection is insufficient


Detecting Software Keyloggers

Using scanning software to inspect files, memory, and the registry for signatures of known keyloggers and other spyware

Some programs that detect keyloggers are:
FaceTime Enterprise Edition
Windows Defender
Ad-Aware
Spybot Search & Destroy
Webroot Spy Sweeper Enterprise
Spyware Doctor


Theft

A 2005 survey conducted by the Computer Security Institute and FBI found that laptop theft is the second greatest security threat (after viruses), tied only with insider abuse of network access.

Irwin Jacobs, the founder and CEO of Qualcomm, lost his laptop after a presentation. Unfortunately, the laptop contained sensitive information.


MOM

There are three components of theft: means, opportunity, and motive (MOM).

The means for this theft was having a scheme
The motive was the value of the computer and its data
The opportunity came from poor protection of the computer


Defending Against Theft

STOP Security Plate

http://www.computersecurity.com/stop/index_b.html

Motion Sensor Alarm Lock
Sounds a 110 dB alarm if the cable is cut
When the motion sensor is on, it also sounds the alarm if moved
Heavy-duty construction suitable for computers and A/V equipment in laboratories and public areas

www.securitykit.com/drive_locks.htm#alarms


Defending Against Theft (cont.)

To recover a stolen laptop, you can use a program that will phone home when your laptop is connected to the Internet, such as:
www.securitykit.com/pc_phonehome.htm
www.absolute.com/public/computraceplus/laptop-security.asp
www.xtool.com/p_computertracker.asp
www.ztrace.com/zTraceGold.asp


Dumpster Diving

Searching trash for useful information

Dumpster diving depends on a human weakness: the lack of security knowledge.

Many things can be found dumpster diving (e.g., CDs, DVDs, hard drives, company directories, and so forth).


Example

The most famous example of dumpster diving was performed by Jerry Schneider in southern California.

While in high school in 1968, Jerry found documentation on Pacific Telephone’s automated equipment ordering and delivery system, which he used to obtain equipment that he then sold as “refurbished”.

He accumulated hundreds of thousands of dollars worth of telephone equipment and established Creative Systems Enterprises to sell it; some of it was sold back to Pacific Telephone.


Example (cont.)

In January 1972, he was arrested. Police raided CSE’s offices and warehouse. The District Attorney estimated the equipment found was worth $8,000. At that time, they learned that Schneider had made off with $125,000 worth of gear. Schneider later admitted to nearly $900,000.

At the age of 21, he started a security company in 1973 that he left in 1977.


Password Management

Users are given a lot of advice about setting passwords: make them long, complex, unique, and change them frequently.

Ironically, users that try to heed this advice sometimes fall into another pitfall: they write their passwords down and protect them poorly.

Post-it notes are left on monitors or under keyboards.

Forms of password attacks: finding passwords and guessing passwords


Password Management (cont.)

With physical access to a computer, additional opportunities become available.

If an attacker doesn’t mind being detected, he or she can change the administrator’s password instead of cracking it.

This type of attack involves booting the system from an alternate operating system (e.g., Linux) via CD, equipped with a New Technology File System (NTFS) driver for Windows.


Password Management (cont.)

Some programs that reset the password this way are:
Windows Password Recovery
Petter Nordahl-Hagen’s Offline NT Password & Registry Editor
Emergency Boot CD
Austrumi


Password Management (cont.)

People have multiple passwords for various things (e.g., bank accounts, investment sites, e-mail accounts, instant messaging accounts, and so forth).

How can a person remember so many unique passwords without writing them down?


Phone

Social engineering by phone has one advantage over in-person attacks: an easy getaway. As long as the call isn’t traceable, all an attacker has to do is hang up.

Another advantage is that people only have to sound, not look, authentic on the phone.

Having the caller’s spoofed ID on the target’s phone display an internal extension, or the name and number of another company location, gives the attacker credibility as an insider.


Fax

Generally, a fax is a poor communication medium for social engineering, because there is no personal interaction.

However, a fax does show the telephone number of the sending fax machine, which comes from the configuration of the sending fax machine.

Combine this with authentic-looking stationery, and it is easy to fool people.

Fax machines located out in the open are vulnerable, because passersby can take documents that are left on top of the machine.


Fax (cont.)

There aren’t many fax machines being used anymore that use an ink ribbon or Mylar ink sheet; however, if you do find one, you might be able to read what was printed on the ribbon.

The waste basket nearest to the fax machine is also a good place to look for interesting discarded faxes.

Fax servers also deliver faxes to e-mail inboxes. E-mail accounts usually use insecure protocols such as SMTP and POP that transfer passwords in clear text; therefore, they are quite vulnerable.


Internet

Social engineering can also be conducted over the Internet.

E-mail messages and fraudulent Web sites might carry an air of legitimacy and authority that is lacking on the telephone.

It is easy to spoof the e-mail address of a sender to make it look legitimate.

E-mail messages can contain Hypertext Markup Language (HTML) to make them look professional. Armed with false legitimacy, several popular scams can occur.


Internet (cont.)

One such scam involves a person claiming to be a Nigerian government official who asks the reader for help transferring money out of his or her country.

If the reader agrees to allow monetary transfers into his or her bank account, he or she is supposed to receive a substantial fee.

Once the reader agrees to participate, the scammer asks him or her to pay various bribes and fees, which actually go to the scammer.

Of course, the big transfer never occurs and the reader never gets paid.


Internet (cont.)

The “You have already won one of these three great prizes!” scam works by having the user send the scammer a “handling fee”, after which the scammer is supposed to forward the prize.

The amount of the handling fee is unspecified and is usually greater than the value of the prize.


Phreaking

Before cellular phones (also known as cell phones), there were pay phones and phone cards.

Phone card numbers could be obtained surreptitiously by shoulder-surfing the card owner while he or she entered the digits on the payphone.

Another way to get free telephone services is to use electronic devices known as phreak boxes (also known as blue boxes).

Phreak boxes work by sending special tones over a communication channel that is established for a voice conversation.


Phreak Boxes (figure slide)


Phreak Boxes (cont.)

Joe Engressia (a.k.a. joybubbles) discovered that the telephone network reacted to whistling into the phone at exactly 2600 Hertz (Hz).

He learned that that particular tone signaled a long-distance trunk line (i.e., free long distance).

Joe passed this information on to John Draper, who took that information and his knowledge of electronics and created the first phreak box, which played the 2600 Hz tone onto a phone line.


Caller ID Spoofing and Cell Phones

Using TeleSpoof or some other type of caller ID-spoofing Web service, an attacker accessed Paris Hilton’s T-Mobile Sidekick account and downloaded all of her data.

Her account authenticated her on the basis of caller ID instead of a password.

Even though her Sidekick account was password-protected, an attack on T-Mobile’s Web site reset Hilton’s password.

A social engineering attack was used by an adversary claiming to be with T-Mobile customer service.

The caller ID display on her phone verified this.


Short Message Service

The Short Message Service (SMS) permits a cell phone or Web user to send a short text message to another person’s cell phone.

If the recipient’s cell phone is Web-enabled, clicking on a hyperlink appearing in an SMS message will cause the cell phone to surf to the Web site addressed by that hyperlink.

The Web site could download malicious content to the cell phone, which could cause a number of problems (e.g., revealing the phone’s contact list).


Disguising Programs

The default setting in Windows XP is to hide file extensions. The attacker can create a malicious program and name it syngress.jpg.exe or something similar.

When Windows hides the .exe filename extension, the file is displayed as syngress.jpg: it appears to have a .jpg extension, but to Windows the .jpg part is just part of the name and the real extension is .exe.

Because the bogus extension does not indicate an executable file, the recipient feels safe in opening it.


Phishing

Another attack that combines social engineering and technology is called phishing.

An e-mail message is sent that appears to be from a company that the recipient has an account with

The message contains some pretext for needing the recipient’s account identification and authentication credentials (usually a password).

To verify the recipient’s account, the target is asked to click on a hyperlink in the e-mail message.

The displayed address looks like a legitimate address, but the actual address links to the attacker’s Web site


Phishing (cont.) (figure slide)


SSL MITM Attacks

Because the communications are secured with SSL, the intercepted information would not be readable.

An attacker could replace the website certificate with his or her own certificate and send it to a user, but the certificate would have problems

The attacker’s certificate could be for the wrong domain name, or it could have the correct domain name but not be issued by a known or trusted CA

Most users would not know what to do with this. They are less likely to heed the warning and more likely to click OK.


SSL MITM Attacks (cont.)

The attacker creates his or her own certificate. On any other document, the signature would be detected as a forgery. However, if the attacker makes up a convincing name for a CA that he or she controls, the digital signature on the certificate will belong with that certificate.

The only problem is that the identity of the attacker’s CA is unknown to the browser; therefore, the browser warns the user that there is no root certificate for the signer of this certificate.


Outline

Attacking the People Layer
Defending the People Layer
Risk Management


Defending the People Layer

People appear to be the weakest link in the security chain.

Once a computer is programmed to behave a certain way, it behaves that way consistently. However, the same can’t be said about people, who can be a major source of risk.

However, there are things that can be done to ameliorate that risk. The first line of defense is security policies.


Policies, Procedures, and Guidelines

All security flows from policies, which express the general way that a company operates and are the basis for all decision making.

A policy tells employees what is expected of them in the corporate environment.

Most companies have a mission statement that defines the organization’s purpose.

Policies should be written consistent with the organization’s mission statement.

The mission statement and policies must also comply with all applicable laws.


Policies, Procedures, and Guidelines (cont.)

General policies are broad.

A procedure gives detailed instructions on how to accomplish a task in a way that complies with policy.

A practice is similar to a procedure, but not as detailed.

A standard specifies which technologies and products to use to comply with policy.

Guidelines explain the spirit of policies, so that in the absence of appropriate practices and procedures, an employee can infer what management would like him or her to do in certain situations.


Types of Policies

General policies cover broad topics (e.g., the secure use of company property and computing facilities).

Information security policy is restricted to protecting information.

Issue-specific security policies cover narrower topics such as the appropriate use of the e-mail system.

System-specific security policies cover, for example, the differences between how Macs and PCs should be used and secured.


Policies, Guidelines, and Procedures (figure slide)


Who Creates Security Policy?

Effective policies must come from the highest levels of management. A Chief Information Security Officer (CISO) should be appointed to write policies that make information security an integral part of business practices.

Business managers must be included in developing the policies so that they understand the security measures.

You will get the benefit of their knowledge in their respective business areas, while also instilling in them some ownership of the policies, which will motivate them to enforce the policies.


Data Classification

Public: Anyone inside or outside the company can obtain this information.

Internal: This information is not made available outside the company.

Limited Distribution: This information is only given to the individuals named on the distribution list. Each copy is uniquely identified; additional copies are never made.

Personal: This information pertains to an employee’s individual status (e.g. employment terms, appraisals, benefit claim, and so forth).


US Military Classification

Unclassified: Information that can be copied and distributed without limitation.

Sensitive But Unclassified (SBU): “Any information of which the loss, misuse, or unauthorized access to, or modification of might adversely affect U.S. National interests, the conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.”

Confidential: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.”


US Military Classification (cont.)

Secret: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.”

Top Secret: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.”


Education, Training, and Awareness Program

Security is not intuitive; most people do not think in those terms (e.g., a help desk analyst is trained to be helpful, not suspicious).

Therefore, if everyone is a potential vulnerability and employees do not have the necessary outlook and knowledge, there is a clear need for education, training, and awareness programs


Education

The only countermeasure to social engineering is education. Employees should know what social engineering attacks look like.

Short educational demonstrations depicting an employee and a social engineer can provide a good introduction to the principles of social engineering attacks, which include authority, liking, reciprocation, consistency, social validation, and scarcity.


Education (cont.)

All employees should:
Know to challenge people trying to enter the building without a badge
Understand data classification labels and data handling procedures
Know what to do with attachments to received e-mail messages
Know not to bring in software from home

Some employees need specialized security training:
Programmers need to learn how to develop secure applications
Information security personnel need to know the procedures for selecting and applying safeguards to assets
Network infrastructure specialists need to know how to deploy network components securely


Education (cont.)

Upper management plays an important role in information security:
Management funds the security projects
Management is responsible for due care and due diligence
Data owners are officers of the company and must classify data
Data custodians implement and maintain the management’s data classification decisions
Management ensures that everyone in the company (including themselves) does their part to secure the enterprise
Management sets an example and adheres to security policies


Due Care and Due Diligence

Due care: steps taken to show that a company has taken responsibility for the activities that occur within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.

Due diligence: the process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.


Training

Education is about principles; it’s more general. Training is about procedures; it’s more specific.

There should be separate training programs for general employees, programmers, security professionals, and management.

Training is necessary because people benefit from repetition, it shows the ongoing commitment to security, and because the security situation of the company changes as the company and the world around it change.


Security Awareness Programs

Once an employee has been trained, we must continue to reinforce the messages to make them stick, and to increase the employee’s understanding


Security Awareness Tools
A column in the weekly or monthly company periodical
A security newsletter, on paper or in e-mail
A sticker on the employee’s keyboard
Posters in the common area
Contests that reward employees for positive behavior with respect to security
Banner messages that appear when a user logs onto their computer, or when they start a specific program such as e-mail
A note in their paycheck envelope
An announcement on the public address system
A special mailing to the employees’ homes
A measured goal on the employee’s performance plan, to be evaluated in the employee’s appraisal
Employees should sign an agreement to follow the policies when hired, and then annually


Evaluation

Attendance in the classes alone is not sufficient. Evaluation tells us whether the knowledge is actually present in the employee.

Evaluation can be broken down into levels. This allows an employee to have some success even before he is able to master all the things that we want him to know.


Testing

Written evaluations measure knowledge, but what we want most is to measure performance: how well will individuals, and the enterprise as a whole, perform when faced with a threat?

Companies should perform periodic penetration tests. If several individuals are involved, the group is called a tiger team or a red team. A pen test is conducted only with the written permission of management.


Penetration Testing

A full pen test attacks the following areas:

Technical controls: firewalls, servers, applications
Physical controls: guards, visitor log, surveillance cameras
Administrative controls: policies and procedures
Personnel: compliance with policies and procedures, awareness of social engineering


White-box VS Black-box Pen Test

A white-box test could be performed by company insiders and takes advantage of all the documentation for the network architecture, the policies and procedures, the company directory, etc.

A black-box penetration test must be done by outsiders, since it requires that the testers have no advance knowledge of the company’s internal workings.


Outline

Attacking People Layer
Defending People Layer
Risk Management


Risk Management

Risk management is the process of identifying risks to an organization's assets and then implementing controls to mitigate the effects of those risks.

An asset is a person or object that adds value to an organization.

We also need to know which threats (e.g., theft, hurricane, and sabotage) the assets must be protected from; this determination measures our vulnerability to each threat.

Then we begin thinking about specific protection mechanisms, called controls.


Risk Management (cont.)

Once the controls are in place, we evaluate them using vulnerability assessments to see how vulnerable our systems and processes remain.

We conduct penetration tests to emulate the identified threats; if the results fall short of our expectations, we get better or additional controls.


General Risk Management Model


Asset Identification

Personnel
Buildings
Equipment
Furniture
Software (purchased and home-grown)
Intellectual property
Inventory
Cash
Processes
Reputation


Asset Valuation

The cost to design and develop or acquire, install, maintain, and protect the asset
The cost of collecting and processing data for information assets
The value of providing information to customers
The cost to replace or repair the asset
Depreciation; most assets lose value over time
Acquired value; information assets may increase in value over time
The value to a competitor
The value of lost business opportunity if the asset is compromised
A reduction in productivity while the asset is unavailable


Threat Assessment

Quantitative assessment: tries to assign accurate numbers to such things as the seriousness of threats and the frequency of occurrence of those threats.

Qualitative assessment: uses the experience and wisdom of our personnel to rank and prioritize threats.


Quantitative Assessment

Single Loss Expectancy (SLE)

SLE = asset value x exposure factor

The exposure factor (EF) is the percentage of the asset value that would be lost in a single incident. The SLE can be greater than 100% of the asset value.

The likelihood of the incident, i.e. the expected frequency of the threat each year, is the Annualized Rate of Occurrence (ARO). If we expect a threat to occur three times per year on average, then the ARO equals 3.


Annual Loss Expectancy

The ALE represents the yearly average loss over many years for a given threat to a particular asset.

ALE = SLE x ARO


Annual Loss Expectancy (cont.)

Some risk assessment professionals add another factor, uncertainty:

ALE = SLE x ARO x uncertainty

where uncertainty ranges from 1 for completely certain to numbers greater than 1 for greater uncertainty.
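As an added worked example (not part of the lecture), the SLE, ARO, ALE and uncertainty formulas from these slides in Python, applied to a constructed three-threat register; it also shows how a control that lowers the exposure factor (mitigation) or the ARO (avoidance) leaves a residual ALE. The threat names and all figures are invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Threat:
    """One threat against one asset, with the quantitative inputs from the slides."""
    name: str
    asset_value: float        # monetary value of the asset at risk
    exposure_factor: float    # fraction of asset value lost per incident; may exceed 1.0
    aro: float                # Annualized Rate of Occurrence: expected incidents per year
    uncertainty: float = 1.0  # 1.0 = completely certain, larger = less certain

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO x uncertainty."""
        return self.sle() * self.aro * self.uncertainty

def rank_by_ale(threats: List[Threat]) -> List[str]:
    """Threat names ordered by ALE, largest first: the order in which to treat them."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale(), reverse=True)]

def residual_ale(threat: Threat, new_ef: Optional[float] = None,
                 new_aro: Optional[float] = None) -> float:
    """ALE left after a control: mitigation lowers the exposure factor,
    avoidance lowers the ARO. Either or both may be supplied."""
    ef = threat.exposure_factor if new_ef is None else new_ef
    aro = threat.aro if new_aro is None else new_aro
    return threat.asset_value * ef * aro * threat.uncertainty

# Constructed sample register; names and figures are illustrative, not from the lecture.
REGISTER = [
    Threat("laptop theft", asset_value=50_000, exposure_factor=0.8, aro=0.5),
    Threat("phishing credential compromise", asset_value=200_000,
           exposure_factor=0.1, aro=4.0),
    # EF above 1.0 models a loss larger than the asset's own value; the 1.5
    # uncertainty factor reflects a poorly known flood frequency.
    Threat("server-room flood", asset_value=300_000, exposure_factor=1.2,
           aro=0.05, uncertainty=1.5),
]
def ale_table(threats: List[Threat] = REGISTER) -> Dict[str, float]:
    return {t.name: round(t.ale(), 2) for t in threats}

if __name__ == "__main__":
    for name, ale in ale_table().items():
        print(f"{name:32s} ALE = {ale:>12,.2f}")
    print("treat first:", rank_by_ale(REGISTER))
```

Phishing ranks first at 80,000 per year even though its SLE is the smallest, because ARO dominates; halving the ARO through awareness training is what brings its residual ALE down.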


Quantitative Assessment (cont.)


Qualitative Assessment

A qualitative assessment is based on the experience, judgment, and wisdom of the members of the assessment team.

Delphi Method: a procedure for a panel of experts to reach consensus without meeting face-to-face.

Modified Delphi Method: may include extra steps such as validating the expertise of panel members, or allowing some personal contact.

Brainstorming: somewhat less structured. A group leader establishes ground rules and guides the experts through the process.


Qualitative Assessment (cont.)

Storyboarding: processes are turned into panels of images depicting the process, so that it can be understood and discussed.

Focus Groups: employ panels of users who can evaluate the user impact and state their likes and dislikes about the safeguard being evaluated.

Surveys: used as an initial information-gathering tool. The results of the survey can influence the content of the other evaluation methods.

Questionnaires: limit the responses of participants more than surveys, so they should be used later in the process when you know what the questions will be.


Qualitative Assessment (cont.)

Checklists: used to make sure that the safeguards being evaluated cover all aspects of the threats.

Interviews: useful in the early stages of evaluation. They usually follow the surveys to get greater detail from participants, and to give a free range of responses.

These techniques are used to rank the risks in order to determine which should be handled first, and which should get the largest budget for countermeasures.


Control Design and Evaluation

Deterrent: make it not worth it to the attacker to intrude
Preventive: prevent incidents from occurring
Detective: detect incidents when they occur
Recovery: mitigate the impact of incidents when they occur
Corrective: restore safeguards and prevent future incidents


Residual Risk Management

Avoidance: reduce the probability of an incident
Transference: give someone else (e.g., an insurance company) the risk
Mitigation: reduce the impact (exposure factor) of an incident
Acceptance: determine that the risk is acceptable without additional controls


Residual Risk Management (cont.)

Risk cannot be eliminated; it can only be reduced and handled. After reducing risk through avoidance, transference, or mitigation, whatever risk remains is known as residual risk.

If the residual risk is at a level which the company can live with, then the company should accept the risk and move on to the next threat.

If the residual risk is too large to accept, then additional controls should be implemented to avoid, transfer, and mitigate more risk.


Questions?