social engineering: real-world examples

Social Engineering Jero-Jewo

Upload: datacenters

Post on 25-Jun-2015


TRANSCRIPT

Page 1: Social Engineering: Real-World Examples

Social Engineering

Jero-Jewo

Page 2: Social Engineering: Real-World Examples

Case study

• Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org

• As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.

• Integrity and availability are important considerations for Duo when processing requests for changes

Page 3: Social Engineering: Real-World Examples

Case Study

• There is currently a communication process in place to receive and manage requests

• 99% of requests come from known contacts

• How should we handle requests from contacts that are not known?

Page 4: Social Engineering: Real-World Examples

Real World

• A new request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday

• The contact explains that there is an immediate need to publish critical information about a recall on their site and that they have hired a designer to make the updates to their site.

• This contact is not known to Duo

• Need to question identity

• Need to question authenticity of the request

Page 5: Social Engineering: Real-World Examples

What’s missing?

• We do not have a policy or process in place to confirm the identity of contacts making requests

• We do not have a list of authorized contacts

• There is a service level agreement in place for managed hosting, but nothing is defined about emergency requests from clients that do not have a services support contract in place

Page 6: Social Engineering: Real-World Examples

Proposed Solution

• We need a policy to address unknown and unauthorized customer contacts

• Delivering this policy must cover its planning, design, implementation, rollout and operation

Page 7: Social Engineering: Real-World Examples

Proposed Solution (Continued)

• The policy must be integrated into our business and it must address the following:

• People: a team must own the planning, design, implementation, rollout and operation

• Technology: the proper technology must be in place to implement the policy (e.g. a ticketing system, electronic approval of users, escalation)

• Process: there must be a living process that handles such incidents and ensures the policy is enforced

• Business value: establishing this policy protects both the customer and Duo, legally and in terms of availability

• IT Strategy: the four pillars of security must be addressed: authenticity, confidentiality, integrity and availability

Page 8: Social Engineering: Real-World Examples

People

• Duo understands the need to assemble a team to take the policy through its different stages

• Planning: the team establishes the strategy, an initial estimate of the effort, a release plan for delivery, a preliminary risk assessment, the policy organization, and leadership

• Design: the team ensures the policy meets its intended goals. Feasibility is addressed here, along with estimates of implementation time and effort

• Implementation: the team secures management approval, confirms the policy has been tested and approved, and re-assesses risk

• Test: all aspects of the policy must be tested, including process, sign-offs and technology

• Rollout: before rollout the team ensures that all training and legal aspects are covered

• Operate: the policy is reviewed periodically to ensure it remains enforceable and effective

Page 9: Social Engineering: Real-World Examples

Technology

• The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts

• Privileges will be honored accordingly:

• Content contributor

• Publisher

• Employee access will be via a portal

Page 10: Social Engineering: Real-World Examples

Technology (Continued)

• Create a system of record for authorized contacts

• SalesForce.com

• Contains the customer database with privilege levels

• Granular control of access

• Change/version control and user logs

Page 11: Social Engineering: Real-World Examples

Process

• A process ensures the policy is working for Duo, i.e. that it is:

• Usable

• Enforceable

• Effective

• Legal

Page 12: Social Engineering: Real-World Examples

Business Value

• What’s in it for Duo?

• Prevention of unauthorized work

• The policy provides legal protection from liability lawsuits arising from:

• Unauthorized changes

• Inaccurate content

• Site downtime

• Leakage of information

Page 13: Social Engineering: Real-World Examples

Business Value (Continued)

• What’s in it for Duo’s customers? The Four Pillars:

• Integrity

• Authenticity

• High availability

• Confidentiality

Page 14: Social Engineering: Real-World Examples

IT Strategy

• Integrity and availability were cited as the top concerns for our particular problem

• However, Duo must address all four pillars of security:

• Availability

• Integrity

• Confidentiality

• Authenticity

Page 15: Social Engineering: Real-World Examples

Policy Contents

• Authenticity:

• Who is authorized to make requests?

• How do we determine that the request is legitimate?

• Is the person making the request authorized to perform the operation requested?

• Develop and maintain a list of authorized contacts

• Designate one or more authoritative contacts and require them to approve all requests

• Maintain a secret pass phrase to authenticate users who make requests (a shared phrase only holds up if it is never sent back over the same channel the request arrived on, and is rotated when a contact leaves)

Page 16: Social Engineering: Real-World Examples

Policy Contents (Continued)

• Integrity

• Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts

• Each contact will have specific operations defined

• Confidentiality

• Set the confidentiality level of each request based on client input

• Availability

• Ensure that proper client contact communication information is available and up to date

• Enforce the policies on authentication, integrity, confidentiality and availability
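The Technology slides and the Policy Contents slides describe the same control from two sides: a system of record for authorized contacts with privilege levels and user logs, and a request check that asks who is authorized, whether the request is legitimate, and whether that contact may perform the requested operation. The following is an added example written for this page, not code from the deck or from Duo, showing how that check reads once it is written down as a decision procedure. The client, contact names, pass phrases and the operation-to-privilege mapping are constructed; the rule that the approver must be an authoritative contact other than the requester is an assumption.

```python
"""Added example (not Duo's code): decide a client change request against an
authorized-contact list. Clients, names and pass phrases below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Operations each privilege level may request. The deck names the two levels;
# which operations belong to each is an assumption made for this example.
PRIVILEGES = {
    "content contributor": {"edit_content"},
    "publisher": {"edit_content", "publish", "ftp_access"},
}

# Audit trail of every decision taken (the "user logs" the deck asks for).
AUDIT_LOG: List[dict] = []


@dataclass
class Contact:
    name: str
    client: str
    privilege: str
    phrase_salt: bytes
    phrase_hash: bytes
    authoritative: bool = False  # may approve requests for this client


@dataclass
class Request:
    client: str
    contact_name: str
    operation: str
    phrase: Optional[str] = None
    approved_by: Optional[str] = None


@dataclass
class Decision:
    outcome: str  # "allow", "deny" or "escalate"
    reason: str


Directory = Dict[Tuple[str, str], Contact]  # keyed by (client, contact name)


def _derive(phrase: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash of the shared pass phrase, never the phrase.
    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, 100_000)


def enroll(name: str, client: str, privilege: str, phrase: str,
           authoritative: bool = False) -> Contact:
    salt = os.urandom(16)
    return Contact(name, client, privilege, salt, _derive(phrase, salt), authoritative)


def phrase_matches(contact: Contact, phrase: Optional[str]) -> bool:
    if phrase is None:
        return False
    # Constant-time comparison so a wrong phrase cannot be told apart by timing.
    return hmac.compare_digest(_derive(phrase, contact.phrase_salt), contact.phrase_hash)


def evaluate(request: Request, directory: Directory) -> Decision:
    """Policy order: known contact -> pass phrase verifies -> operation permitted
    for the contact's privilege -> approved by a different authoritative contact."""
    contact = directory.get((request.client, request.contact_name))
    if contact is None:
        decision = Decision("escalate", "unknown contact: refer to an authoritative contact on file")
    elif not phrase_matches(contact, request.phrase):
        decision = Decision("deny", "pass phrase did not verify")
    elif request.operation not in PRIVILEGES.get(contact.privilege, set()):
        decision = Decision("deny", f"{contact.privilege} may not request {request.operation}")
    else:
        approver = directory.get((request.client, request.approved_by)) if request.approved_by else None
        # Assumed two-person rule: approver is authoritative and is not the requester.
        if approver is None or not approver.authoritative or approver.name == contact.name:
            decision = Decision("escalate", "awaiting approval from an authoritative contact")
        else:
            decision = Decision("allow", f"approved by {approver.name}")
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "client": request.client,
                      "contact": request.contact_name, "operation": request.operation,
                      "outcome": decision.outcome, "reason": decision.reason})
    return decision


def setton_farms_directory() -> Directory:
    """Constructed sample data modelled on the deck's Setton Farms scenario."""
    contacts = [
        enroll("Alice Owner", "Setton Farms", "publisher", "orchard-7-sunrise", authoritative=True),
        enroll("Carol Director", "Setton Farms", "publisher", "harvest-moon-42", authoritative=True),
        enroll("Bob Writer", "Setton Farms", "content contributor", "pistachio-blue-9"),
    ]
    return {(c.client, c.name): c for c in contacts}
```

Run against the deck's Saturday scenario, `evaluate(Request("Setton Farms", "Hired Designer", "ftp_access"), setton_farms_directory())` escalates rather than serves the unknown contact; a content contributor asking to publish is denied; and a publisher's own request is only allowed once a second authoritative contact has approved it. Every decision lands in `AUDIT_LOG`. The pass phrase is kept as a salted hash and compared in constant time, but it is still a shared secret, so it should never be quoted back over the same e-mail thread the request arrived in.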

Page 17: Social Engineering: Real-World Examples

Questions?

• Thank you!