(Kinverg) Cyber Security Summit 2012


Transcript of (Kinverg) Cyber Security Summit 2012

  • 7/30/2019 (Kinverg) Cyber Security Summit 2012

    Slide 1/40

    Role of Social Engineering in Cyber Space

    ROLE OF SOCIAL ENGINEERING IN CYBER SECURITY

    Muhammad Ali, CEO - Kinverg

    | BA | PMP | CISA | ITIL |
    | ISO 27001 LI/IA | CMMI ATM |
    | HND in Information Systems |

  • Slide 2/40

    Workshop Agenda

    Does social engineering really have any role in cyber security?

    What are the key social engineering vulnerabilities for cyber security?

    What are the controls for social engineering vulnerabilities?

  • Slide 3/40

    Does Social Engineering Really Have Any Role in Cyber Security?

  • Slide 4/40

    The ability to protect or defend the use of cyberspace from cyber attacks.

    NIST IR 7298, SOURCE: CNSSI-4009

    NIST: National Institute of Standards and Technology
    CNSSI: Committee on National Security Systems Instruction

  • Slide 5/40

    A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

    NIST IR 7298, SOURCE: CNSSI-4009

  • Slide 6/40

    An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

    NIST IR 7298, SOURCE: CNSSI-4009

  • Slide 7/40

    A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be genuine but are actually malicious.

    NIST IR 7298, SOURCE: SP 800-114

  • Slide 8/40

    Cyber Space: A global domain within the information environment consisting of the interdependent network ...

    Social Engineering: A general term for attackers trying to trick people ...

    Cyber Attack: An attack, via cyberspace ...

    PEOPLE

  • Slide 9/40

    The Weakest Link!

    "Amateurs hack systems; professionals hack people."
    Bruce Schneier, CTO, Counterpane Internet Security, Inc.

    PEOPLE

  • Slide 10/40

    Key Indicators

    Cybercrime is costing the UAE's economy more than $600 million per year.
    Source: The Internet Security Report by Symantec

    Kaspersky Lab says it has seen nearly 3.5 million social-engineered malware attacks in the UAE. 38.3% of users from the UAE were attacked by web-borne threats during this period. This ranks the UAE 31st worldwide for malware threats of this type.
    Source: Kaspersky Lab Report

    51% of social engineering attacks are motivated by financial gain. 30% of large companies cite a per-incident cost of over 100,000 USD.
    Source: Dimensional Research UK

  • Slide 11/40

    Key Indicators

    Source: Internet Crime Complaint Center (IC3), 2011 Internet Crime Report. Supported by BJA, NWCCC, FBI.

  • Slide 12/40

    The Confession of Kevin

    "In more than half of my successful network exploits I gained information about the network, sometimes including access to the network, through social engineering."
    Kevin Mitnick, Convicted Criminal and Hacker
    3 March 2000 article in the Washington Post

  • Slide 13/40

    SOCIAL ENGINEERING HAS A KEY ROLE IN CYBER SECURITY

  • Slide 14/40

    What are the Key Social Engineering Vulnerabilities for Cyber Security?

  • Slide 15/40

    Social Engineering Vulnerabilities (a general term for attackers trying to trick people ...)

    Planning the Cyber Attack -> Launching the Cyber Attack -> Cyber Attack

  • Slide 16/40

    Social Media

    Celebrity Profiles
    Anonymous Friends
    Status and Check-In
    LinkedIn Account Hacking
    Idle Account Hacking

  • Slide 17/40

    Employees

    Friends of Employees
    Network & System Administrators / CIOs / IT Directors
    Janitorial & Housekeeping Staff
    C-Levels

  • Slide 18/40

    Impersonation

    Government Official
    Senior Management
    Employee
    Third Party
    Maintenance/Support Staff

  • Slide 19/40

    Email

    Email With Download Link
    Email from Compromised Accounts
    Email from Compromised Devices
    Email from Legitimate Entities

  • Slide 20/40

    Malicious Software

    The Apps!
    Drivers & OS Updates
    Code-Bomb in Business IS
    Social Media Applications

  • Slide 21/40

    Default Device Configuration

    Device Default Configurations

  • Slide 22/40

    Telephone/IVR

    Call from Support Staff

  • Slide 23/40

    Social Engineering Scenario and Discussion

  • Slide 24/40

    Challenge A (5 Minutes)

    Put yourself in the role of a cyber hacker and consider your current organisation or any other organisation in your mind. List at least 3 social engineering vulnerabilities which can be used to launch a cyber attack on that organisation.

    Challenge B (5 Minutes)

    List the law(s) and regulation(s) by the UAE Government for governing Internet & cyber crimes.

  • Slide 25/40

    What are the Controls for Social Engineering Vulnerabilities?

  • Slide 26/40

    SE Controls Design Framework

    Levels: INDIVIDUAL, ORGANIZATIONAL, COUNTRY, GLOBAL

    Awareness, education and training for educating about social engineering

    Laws, regulatory compliance

    Joining global consortiums and organisations, and communication between governments on cyber crimes; global legislation

    Technical controls to prevent social engineering attacks

  • Slide 27/40

    Risk Based Approach

    > Justifies investment in Cyber Security
    > Helps analyze the control requirements
    > Prioritizes information security efforts and investments
    > Helps in preparing a business case for Cyber Security
    > Helps in aligning Cyber Security efforts to the organization's overall business objectives
    > Defines what needs to be measured in Cyber Security

    RISK

  • Slide 28/40

    Education and Awareness

    Continuous education and awareness about social engineering

    Education and awareness starts from the TOP

    Along with traditional training, participative methods of training must be adopted

    Social engineering penetration audits should be performed with equal importance to technical and application audits

  • Slide 29/40

    ISO/IEC 27001:2005

    Generic Controls

    4.2.1.d Risk Identification
    A.5.1.1 Information Security Policy
    A.6.1.6 Confidentiality Agreements
    A.6.1.7 Contact with Special Interest Groups
    A.6.2.1 Identification of risks related to external parties
    A.6.2.2 Addressing security with customers
    A.6.2.1 Addressing security in third party agreements
    A.13.1.1 Reporting IS Events
    A.15.1.1 Applicable Legislation
    A.15.3.2 Protection of Information Systems Audit Tools

  • Slide 30/40

    ISO/IEC 27002:2005

    Email: Email With Download Link; Email from Compromised Accounts; Email from Compromised Devices; Email from Legitimate Entities

    A.8.3.3 Removal of Access Rights
    A.9.1.3 Securing Offices, rooms and facilities
    A.10.4.1 Control against malicious code
    A.10.4.2 Control against mobile code
    A.10.8.4 Electronic messaging
    A.11.5.3 Password Management
    A.11.7.1 Mobile Computing and Communications
    A.12.3.2 Key Management

  • Slide 31/40

    Malicious Software: The Apps!; Drivers & OS Updates; Code-Bomb in Business IS

    A.10.4.1 Control against malicious code
    A.10.4.2 Control against mobile code
    A.12.1.1 Security requirements analysis and specification
    A.12.4.3 Access control to program source code
    A.12.5.5 Outsourced Software Development

  • Slide 32/40

    Employees: Friends of Employees; Network & System Administrators / CIOs / IT Directors; Janitorial & Housekeeping Staff; C-Levels

    A.7.1.3 Acceptable Use of Assets
    A.8.1.2 Screening
    A.8.2.3 Disciplinary Process
    A.8.3.3 Removal of Access Rights
    A.9.1.3 Securing Offices, rooms and facilities
    A.10.1.3 Segregation of Duties
    A.10.8.4 Electronic messaging
    A.10.10.4 Administrator and operator logs
    A.11.4.2 User authentication for external connections
    A.11.5.3 Password Management
    A.11.7.1 Mobile Computing and Communications
    A.11.5.2 User identification and authentication

  • Slide 33/40

    Impersonation: Government Official; Senior Management; Employee; Third Party; Maintenance/Support Staff

    A.9.1.3 Securing Offices, rooms and facilities
    A.9.1.6 Public access, delivery and loading areas
    A.9.2.6 Secure disposal or reuse of equipment
    A.10.1.3 Segregation of Duties
    A.10.7.2 Disposal of media
    A.10.8.3 Physical media in transit
    A.10.10.4 Administrator and operator logs

  • Slide 34/40

    Social Media: Celebrity Profiles; Anonymous Friends; Status and Check-In; LinkedIn Account Hacking; Idle Account Hacking

    A.7.1.3 Acceptable Use of Assets

  • Slide 35/40

    Default Device Configuration: Device Default Configurations

    A.11.5.3 Password Management

  • Slide 36/40

    Telephone/IVR: Call from Support Staff

    Generic Controls

  • Slide 37/40

    PCI DSS

    Generic Controls

    Requirement 12: Maintain a policy that addresses information security for all personnel

  • Slide 38/40

    PCI DSS Controls

    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Requirement 7: Restrict access to cardholder data by business need to know

    Device Default Configurations

    Employees

  • Slide 39/40

    Questions

  • Slide 40/40

    Office No. 11, Level 10, Arfa Software Technology Park, 346-B Ferozepur Road, Lahore 54000, Pakistan
    Phone: +92-423-597-2112
    Fax: +92-423-595-8117
    Email: info [at] kinverg.com
    URL: kinverg.com
    Facebook.com/kinverg
    Linkedin.com/company/kinverg
    Twitter.com/kinverg

    PAKISTAN | KSA