Social Engineering - PowerPoint PPT Presentation
Social Engineering. Jero-Jewo. Case study.
Presentation Transcript
Case study
  • Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org
  • As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.
  • Integrity and availability are important considerations for Duo when processing requests for changes.
Case Study
  • There is currently a communication process in place to receive and manage requests
  • 99% of requests come from known contacts
    • How should we handle requests from contacts that are not known?
Real World
  • A new request comes in on a Saturday from an unknown contact at Setton Farms asking for FTP access to their web server
  • The contact explains that there is an immediate need to publish critical information about a recall on their site and that they have hired a designer to make the updates.
    • This contact is not known to Duo
    • Need to question identity
    • Need to question authenticity of request
What’s missing?
  • We do not have a policy or process in place to confirm the identity of contacts making requests
  • We do not have a list of authorized contacts
  • There is a service level agreement in place for managed hosting, but nothing is defined about emergency requests from clients that do not have a services support contract in place
Proposed Solution
  • We need a policy to address unknown and unauthorized customer contacts
  • The delivery stages of this policy must include planning, design, implementation, rollout, and operation
Proposed Solution (Continued)
  • The policy must be integrated into our business and it must address the following:
    • People: a team must address the planning, design, implementation, rollout and operation
    • Technology: the proper technology must be in place to implement the policy (e.g. a ticketing system, electronic approval of users, escalation)
    • Process: there must be a living process that addresses such incidents and ensures enforcement of the policy
    • Business value: establishing this policy protects both the customer and Duo, legally and in terms of availability
    • IT Strategy: the four pillars of security must be addressed: authenticity, confidentiality, integrity and availability
People
  • Duo understands the need to assemble a team to address the development of the policy through the different stages
    • Planning: the team establishes the strategy, an initial estimate of the effort, a release plan for delivery, a preliminary risk assessment, the organization of the policy, and its leadership.
    • Design: the team ensures that the policy meets its intended goals. Feasibility is addressed here, along with estimates of implementation time and effort.
    • Implementation: the team ensures the policy is tested and approved, obtains management approval, and re-assesses risk.
    • Test: all aspects of the policy must be tested, including process, sign-offs and technology.
    • Rollout: before rollout, the team ensures that all training and legal aspects are covered.
    • Operate: the policy is reviewed periodically to ensure it remains enforceable and effective.
Technology
  • The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts
  • Privileges will be honored accordingly:
    • Content contributor
    • Publisher
  • Employee access will be via a portal
Technology (Continued)
  • Create a system of record for authorized contacts
  • SalesForce.com:
    • Contains customer database with privilege levels
    • Granular control of access
    • Change/version control and user logs
Process
  • A process ensures the policy works for Duo, i.e. that it is:
    • Usable
    • Enforceable
    • Effective
    • Legal
Business Value
  • What’s in it for Duo?
    • Prevention of unauthorized work
    • The policy provides legal protection from liability lawsuits arising from:
      • Unauthorized changes
      • Inaccurate content
      • Site downtime
      • Leakage of information
Business Value (Continued)
  • What’s in it for Duo’s customers? The Four Pillars:
    • Integrity
    • Authenticity
    • High availability
    • Confidentiality
IT Strategy
  • Integrity and availability were cited as the top concerns for our particular problem
  • However, Duo must address all four cornerstones of security:
    • Availability
    • Integrity
    • Confidentiality
    • Authenticity
Policy Contents
  • Authenticity:
    • Who is authorized to make requests?
    • How do we determine that the request is legitimate?
    • Is the person making the request authorized to perform the operation requested?
    • Develop and maintain a list of authorized contacts
    • Designate one or more authoritative contacts and require them to approve all requests
    • Maintain a secret pass phrase to authenticate users who make requests
Policy Contents (Continued)
  • Integrity
    • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts
    • Each contact will have specific operations defined
  • Confidentiality
    • Establish appropriate level of confidentiality of request based upon client input
  • Availability
    • Ensure that client contact information is available and up to date
    • Enforce the policies regarding authentication, integrity, confidentiality and availability
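As an added example that is not part of the presentation, the following Python sketch wires the Authenticity and Integrity rules from the two Policy Contents slides (authorized contact list, designated approver, per-contact pass phrase, per-contact operations) into a single request check and runs the Saturday FTP scenario through it. The client record, contact names, operations and pass phrases are constructed demo data.

```python
import hashlib
import hmac

# Constructed demo data: one client, its authorized contacts, the operations
# each contact may request, and the authoritative approvers (not real data).
SALT = b"constructed-demo-salt"  # a real system stores a random salt per contact

def hash_passphrase(passphrase: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 20_000)

CLIENTS = {
    "Setton Farms": {
        "contacts": {
            "maria": {"operations": {"update_content"},
                      "passphrase": hash_passphrase("orchard-harvest-42")},
            "dave": {"operations": {"update_content", "publish"},
                     "passphrase": hash_passphrase("pistachio-grove-17")},
        },
        "approvers": {"dave"},
    },
}

def authorize_request(client, requester, operation, passphrase, approver):
    """Return (allowed, reason). Any refusal means the request is escalated
    to a person for manual verification instead of being acted on."""
    record = CLIENTS.get(client)
    if record is None:
        return False, "unknown client"
    contact = record["contacts"].get(requester)
    if contact is None:
        return False, "requester is not on the authorized contact list"
    # Authenticity: constant-time comparison of the contact's pass phrase hash
    if not hmac.compare_digest(hash_passphrase(passphrase), contact["passphrase"]):
        return False, "pass phrase check failed"
    # Integrity: only operations assigned to this contact may be performed
    if operation not in contact["operations"]:
        return False, f"{requester} is not assigned the operation {operation!r}"
    # Every request needs sign-off from a designated authoritative contact
    if approver not in record["approvers"]:
        return False, "no approval from an authoritative contact"
    return True, "approved"

def real_world_case():
    """The Saturday scenario from the slides: an unknown contact asks for FTP access."""
    return authorize_request("Setton Farms", "unknown-designer", "ftp_access", "", None)
```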
Questions?
  • Thank you!