Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org
As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.
Integrity and availability are important considerations for Duo when processing requests for changes
There is currently a communication process in place to receive and manage requests
99% of requests come from known contacts
How should we handle requests from contacts that are not known?
A new request comes in on a Saturday from an unknown contact at Setton Farms asking for FTP access to their web server
Contact explains that there is an immediate need to publish critical information about a recall on their site and they have hired a designer to make the updates to their site.
This contact is not known to Duo
Need to question identity
Need to question authenticity of request
We do not have a policy or process in place to confirm identity of contacts making requests
We do not have a list of authorized contacts
There is a service level agreement in place for managed hosting, but nothing is defined for emergency requests from clients that do not have a services support contract in place
We need a policy to address unknown and unauthorized customer contacts
The delivery stages of this policy must include planning, design, implementation, rollout, and operation of such policy
Proposed Solution (Continued)
The policy must be integrated into our business and it must address the following:
People: a team must address the planning, design, implementation, rollout and operation
Technology: the proper technology must be in place to implement such a policy (e.g. a ticketing system, electronic approval of users, escalation)
Process: there must be a living process to address such incidents and that ensures enforcement of the policy
Business value: establishing this policy clearly protects both the customer and Duo from a legal and an availability standpoint
IT Strategy: the four pillars of security must be addressed, including authenticity, confidentiality, integrity and availability
Duo understands the need to assemble a team to address the development of the policy through the different stages
Planning: the team must establish the strategy, initial approximation of the effort, plan for releases for delivery, perform a preliminary risk assessment, develop policy organization, and establish leadership.
Design: the team ensures that the policy meets its intended goals. Feasibility is addressed here, as well as estimates of implementation (time and effort)
Implementation: the team must ensure the policy is tested and approved. The team ensures management approval, and re-assesses risk
Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc.
Rollout: the team ensures prior to rollout that all training and legal aspects are covered
Operate: periodically review the policy to ensure its enforceability and effectiveness
The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts
Privileges will be honored accordingly:
Employee access will be via a portal
Create a system of records for authorized contacts
Contains customer database with privilege levels
Granular control of access
Change/version control and user logs
A process ensures the policy is working for Duo:
What’s in it for Duo?
Prevention of unauthorized work
Policy provides legal protection from liability lawsuits including:
Leakage of information
Business Value (Continued)
What’s in it for Duo’s customers? The Four Pillars:
Integrity and availability were cited as the topmost concerns for our particular problem
However, Duo must address all four cornerstones of security:
Who is authorized to make requests?
How do we determine that the request is legitimate?
Is the person making the request authorized to perform the operation requested?
Develop and maintain a list of authorized contacts
Designate one or more authoritative contacts and require them to approve all requests
Maintain a secret pass phrase to authenticate users who make requests
Policy Contents (Continued)
Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts
Each contact will have specific operations defined
Establish appropriate level of confidentiality of request based upon client input
Ensure that proper client contact communication information is available and up to date
Enforce policies in regards to authentication, integrity, confidentiality and availability
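The system of records described above (a contact database with privilege levels, granular control of operations, version control and user logs) and the policy contents (authorized contact list, authoritative approvers, a shared secret pass phrase) can be exercised as a single request-authorization check. The following is an added example written for this page, not Duo Consulting's own system; the contact names, pass phrases and operation names are constructed, and "Setton Farms" is used only because it is the client in the case study. It walks the case study's unknown-contact request and several known-contact requests through the policy and records every decision in the user log.

```python
"""Authorized-contact registry and request-authorization check (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample data: contact names, pass phrases and operations are invented
# for illustration; nothing here is Duo's real policy data.


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the registry stores only the digest, never the pass phrase."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)
    return salt, digest


@dataclass
class Contact:
    name: str
    client: str
    operations: FrozenSet[str]          # granular control: only these operations may be requested
    salt: bytes
    passphrase_digest: bytes
    approver: bool = False              # authoritative contact who may approve requests

    def check_passphrase(self, candidate: str) -> bool:
        _, digest = hash_passphrase(candidate, self.salt)
        return hmac.compare_digest(digest, self.passphrase_digest)  # constant-time compare


@dataclass
class Registry:
    """System of records: contacts keyed by (client, name), with version counter and logs."""
    contacts: Dict[Tuple[str, str], Contact] = field(default_factory=dict)
    version: int = 0
    change_log: List[str] = field(default_factory=list)   # who changed the registry, and how
    user_log: List[str] = field(default_factory=list)     # every request decision

    def add_contact(self, contact: Contact, changed_by: str) -> None:
        self.contacts[(contact.client, contact.name)] = contact
        self.version += 1
        self.change_log.append(f"v{self.version}: {changed_by} added {contact.client}/{contact.name}")

    def lookup(self, client: str, name: Optional[str]) -> Optional[Contact]:
        return self.contacts.get((client, name)) if name else None


@dataclass
class ChangeRequest:
    client: str
    requester: str
    operation: str
    passphrase: str
    approved_by: Optional[str] = None   # authoritative contact who approved the request


def authorize(registry: Registry, req: ChangeRequest) -> Tuple[bool, str]:
    """Apply the policy: known contact, correct pass phrase, permitted operation, approval."""
    allowed, reason = _decide(registry, req)
    registry.user_log.append(
        f"{req.client}/{req.requester} {req.operation}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return allowed, reason


def _decide(registry: Registry, req: ChangeRequest) -> Tuple[bool, str]:
    contact = registry.lookup(req.client, req.requester)
    if contact is None:
        # The case-study situation: nobody on the list matches, so the request is not acted on.
        return False, "unknown contact; escalate to manual identity verification"
    if not contact.check_passphrase(req.passphrase):
        return False, "passphrase mismatch"
    if req.operation not in contact.operations:
        return False, f"contact not authorized for {req.operation}"
    approver = registry.lookup(req.client, req.approved_by)
    if approver is None or not approver.approver:
        return False, "no approval from an authoritative contact"
    return True, "authorized"


def build_demo_registry() -> Registry:
    """Constructed registry for the case-study client (all values invented)."""
    reg = Registry()
    salt, digest = hash_passphrase("orchard-2024")
    reg.add_contact(Contact("J. Doe", "Setton Farms", frozenset({"content-update", "ftp-access"}),
                            salt, digest, approver=True), changed_by="duo-admin")
    salt, digest = hash_passphrase("grove-7")
    reg.add_contact(Contact("A. Designer", "Setton Farms", frozenset({"content-update"}),
                            salt, digest), changed_by="duo-admin")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print(authorize(reg, ChangeRequest("Setton Farms", "Unknown Caller", "ftp-access", "n/a")))
    print(authorize(reg, ChangeRequest("Setton Farms", "A. Designer", "content-update", "grove-7", "J. Doe")))
    print("\n".join(reg.user_log))
```

The check denies before it authenticates: an unknown contact is never asked for a pass phrase and is routed to manual verification instead, which is the gap the case study exposed. The registry's version counter and change log give the "change/version control" the technology slide calls for, and the user log records every ALLOW and DENY so that unauthorized work can be reviewed after the fact.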