Social Engineering - PowerPoint PPT Presentation

Presentation Transcript

Case study

  • Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.

  • As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.

  • Integrity and availability are important considerations for Duo when processing requests for changes

Case Study

  • There is currently a communication process in place to receive and manage requests

  • 99% of requests come from known contacts

    • How should we handle requests from contacts that are not known?

Real World

  • A new request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday

  • Contact explains that there is an immediate need to publish critical information about a recall on their site and they have hired a designer to make the updates to their site.

    • This contact is not known to Duo

    • Need to question identity

    • Need to question authenticity of request

What’s missing?

  • We do not have a policy or process in place to confirm the identity of contacts making requests

  • We do not have a list of authorized contacts

  • There is a service level agreement in place for managed hosting - but nothing defined about emergency requests from clients that do not have a services support contract in place

Proposed Solution

  • We need a policy to address unknown and unauthorized customer contacts

  • The delivery of this policy must cover its planning, design, implementation, rollout, and operation

Proposed Solution (Continued)

  • The policy must be integrated into our business and it must address the following:

    • People: a team must address the planning, design, implementation, rollout and operation

    • Technology: the proper technology must be in place to implement such a policy (e.g. a ticketing system, electronic approval of users, escalation, etc.)

    • Process: there must be a living process that addresses such incidents and ensures enforcement of the policy

    • Business value: establishing this policy clearly protects both the customer and Duo on the legal and availability fronts

    • IT Strategy: the four pillars of security must be addressed, including authenticity, confidentiality, integrity and availability

People

  • Duo understands the need to assemble a team to address the development of the policy through the different stages

    • Planning: the team must establish the strategy, make an initial estimate of the effort, plan the releases for delivery, perform a preliminary risk assessment, develop the policy organization, and establish leadership.

    • Design: the team ensures that the policy meets its goals and serves its intended purpose. Feasibility is addressed here, as well as implementation estimates (time and effort)

    • Implementation: the team must ensure the policy is tested and approved. The team ensures management approval, and re-assesses risk

    • Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc

    • Rollout: the team ensures prior to rollout that all training and legal aspects are covered

    • Operate: periodically review the policy to ensure its enforceability and effectiveness

Technology

  • The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts

  • Privileges will be granted according to the contact's level:

    • Content contributor

    • Publisher

  • Employee access will be via a portal

Technology (Continued)

  • Create a system of record for authorized contacts

    • Contains customer database with privilege levels

    • Granular control of access

    • Change/version control and user logs

Process

  • A process ensures the policy is working for Duo:

    • Usable

    • Enforceable

    • Effective

    • Legal

Business Value

  • What’s in it for Duo?

    • Prevention of unauthorized work

    • Policy provides legal protection from liability lawsuits including:

      • Unauthorized changes

      • Inaccurate content

      • Site downtime

      • Leakage of information

Business Value (Continued)

  • What’s in it for Duo’s customers? The Four Pillars:

    • Integrity

    • Authenticity

    • High availability

    • Confidentiality

IT Strategy

  • Integrity and availability were cited as the top concerns for our particular problem

  • However, Duo must address all four cornerstones of security:

    • Availability

    • Integrity

    • Confidentiality

    • Authenticity

Policy Contents

  • Authenticity:

    • Who is authorized to make requests?

    • How do we determine that the request is legitimate?

    • Is the person making the request authorized to perform the operation requested?

    • Develop and maintain a list of authorized contacts

    • Designate 1 or more authoritative contacts and require them to approve all requests

    • Maintain a secret pass phrase to authenticate users who make requests

Policy Contents (Continued)

  • Integrity

    • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts

    • Each contact will have specific operations defined

  • Confidentiality

    • Establish the appropriate level of confidentiality for each request based upon client input

  • Availability

    • Ensure that the proper client contact communication information is available and up to date

    • Enforce the policies regarding authentication, integrity, confidentiality and availability
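The Technology (Continued) and Policy Contents slides together describe one mechanism: a system of record for authorized contacts with privilege levels, change history and user logs, pass-phrase authentication of requesters, operations assigned per contact, and approval by a designated authoritative contact. The following is an added example of how those checks fit together, written for this transcript and not code from the presentation or from Duo Consulting. The client name, e-mail addresses, operation names, role-to-operation mapping and the pass phrase are constructed placeholders; the four checks run in the order the slides raise them, so an unknown contact (the Saturday FTP request) is turned away before any pass phrase or privilege is consulted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Operations each privilege level may request. The two levels come from the
# slides; the operation names are constructed for this example.
ROLE_OPERATIONS = {
    "content contributor": {"edit_draft"},
    "publisher": {"edit_draft", "publish", "grant_ftp_access"},
}


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 digest of a client's shared pass phrase; only the digest is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Contact:
    client: str
    email: str
    role: str
    salt: bytes
    passphrase_hash: bytes
    authoritative: bool = False  # designated to approve requests for this client

    def verify(self, passphrase: str) -> bool:
        _, candidate = hash_passphrase(passphrase, self.salt)
        return hmac.compare_digest(candidate, self.passphrase_hash)


@dataclass
class ContactRegistry:
    """System of record: contacts with privilege levels, change history and request log."""
    contacts: dict = field(default_factory=dict)   # email -> Contact
    version: int = 0
    history: list = field(default_factory=list)    # (version, change) entries
    log: list = field(default_factory=list)        # one entry per evaluated request

    def add_contact(self, contact: Contact, changed_by: str) -> int:
        self.contacts[contact.email] = contact
        self.version += 1
        self.history.append((self.version, f"{changed_by} added {contact.email} as {contact.role}"))
        return self.version

    def evaluate_request(self, client, requester, passphrase, operation, approver=None):
        """Return ("allow"|"deny", reason) and record the decision in the log."""
        decision, reason = self._decide(client, requester, passphrase, operation, approver)
        self.log.append({"client": client, "requester": requester, "operation": operation,
                         "approver": approver, "decision": decision, "reason": reason})
        return decision, reason

    def _decide(self, client, requester, passphrase, operation, approver):
        contact = self.contacts.get(requester)
        # 1. Authenticity: is the requester a known contact for this client?
        if contact is None or contact.client != client:
            return "deny", "unknown contact; route to manual identity verification"
        # 2. Authenticity: does the requester know the client's pass phrase?
        if not contact.verify(passphrase):
            return "deny", "pass phrase mismatch"
        # 3. Integrity: is this operation assigned to the contact's privilege level?
        if operation not in ROLE_OPERATIONS.get(contact.role, set()):
            return "deny", f"{contact.role} is not permitted to request {operation}"
        # 4. Approval by a designated authoritative contact of the same client.
        approving = self.contacts.get(approver) if approver else None
        if approving is None or approving.client != client or not approving.authoritative:
            return "deny", "no approval from an authoritative contact"
        return "allow", "authenticated, authorized and approved"


def build_demo_registry() -> ContactRegistry:
    """Constructed sample data: one client with an authoritative publisher and a contributor."""
    registry = ContactRegistry()
    salt, digest = hash_passphrase("constructed-passphrase")
    registry.add_contact(Contact("example-client", "owner@example-client.test", "publisher",
                                 salt, digest, authoritative=True), changed_by="duo-admin")
    salt, digest = hash_passphrase("constructed-passphrase")
    registry.add_contact(Contact("example-client", "editor@example-client.test",
                                 "content contributor", salt, digest), changed_by="duo-admin")
    return registry


if __name__ == "__main__":
    reg = build_demo_registry()
    # Weekend request from an address not on the list: denied before anything else is checked.
    print(reg.evaluate_request("example-client", "designer@unknown.test",
                               "constructed-passphrase", "grant_ftp_access"))
    # Known contributor, right pass phrase, but FTP access is a publisher-level operation.
    print(reg.evaluate_request("example-client", "editor@example-client.test",
                               "constructed-passphrase", "grant_ftp_access",
                               approver="owner@example-client.test"))
    # Contributor editing a draft with the owner's approval.
    print(reg.evaluate_request("example-client", "editor@example-client.test",
                               "constructed-passphrase", "edit_draft",
                               approver="owner@example-client.test"))
    print(f"registry version {reg.version}, {len(reg.log)} requests logged")
```

Every decision, allowed or denied, lands in the log with its reason, and every change to the contact list bumps the registry version, which is what gives the "change/version control and user logs" bullet something to review during the Operate stage. The pass phrase is compared with `hmac.compare_digest` against a salted PBKDF2 digest so the shared secret is never stored in clear.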

Questions

  • Thank you!