Lesson 4 - General Security Concepts

The Role of People in Security

  • This presentation discusses:

    • The human element and the role that people play in security.

    • User practices that help in securing an organization.

    • Vulnerabilities that users can introduce.

Background

  • The operational model of computer security acknowledges that absolute protection of computer systems and networks is not possible.

  • People need to be prepared to detect and respond to attacks that were able to circumvent the security mechanisms.

Background (continued)

  • Technology alone will not solve the security problem.

    • No matter how advanced the technology is, it will ultimately be deployed in an environment where humans exist.

    • The human element is the biggest problem in security.

Defense in Depth

  • Information Assurance

  • Fundamentally, only THREE countermeasures are available to protect critical information infrastructures.

  • ALL of them are people-centric.

Background (continued)

  • It is difficult to compensate for all the ways humans can deliberately or accidentally cause security problems or circumvent security mechanisms.

  • Despite the technology, security procedures, and security training provided, some people will not do what they are supposed to, and will create vulnerability in an organization’s security posture.

Objectives

  • Upon completion of this lesson, the learner will be able to:

    • Define basic terminology associated with Social Engineering.

    • Describe a number of poor security practices that may put an organization’s information at risk.

    • Describe methods attackers may use to gain information about an organization.

    • List and describe ways in which users can aid instead of detract from security.

People

  • Prevention technologies are not sufficient since every network and computer system has at least one human user.

  • A significant portion of security problems that humans can cause result from poor security practices.

Password Selection

  • Computer intruders rely on poor passwords to gain unauthorized access to a system or network.

Passwords

  • Password Problems

    • Users choose passwords that are easy to remember and often choose the same sequence of characters as they have for their userIDs.

    • Users also frequently select names of family members, their pets, or their favorite sports team for their passwords.

Improving Passwords

  • To complicate the attacker’s job:

    • Mix uppercase and lowercase characters.

    • Include numbers and special characters in passwords.

Policy

  • Organizations have instituted additional policies and rules relating to password selection to complicate an attacker’s effort.

  • Organizations may require users to change their passwords frequently.

    • This means if an attacker is able to guess a password, it is valid only for a limited time before the attacker is locked out.

Notes on the Monitor

  • Another policy or rule for password selection adopted by organizations is that passwords should not be written down.

  • To make the passwords more difficult for attackers to guess, users need to change the passwords frequently.

Increasing Problem

  • Users frequently use the same password for all accounts on many systems.

  • If one account is broken, all other accounts are subsequently also vulnerable to attack.
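The password slides above describe a set of rules (no userID or personal names in the password, mixed case plus digits and special characters, no reuse across accounts, frequent rotation); the following is an added example, not part of the original presentation, that turns them into a policy checker. The personal-word list, the 90-day maximum age and the sample userIDs are constructed assumptions standing in for an organization's own values.

```python
"""Password-policy checks implementing the rules from the password slides.

Added example, not from the original presentation. PERSONAL_WORDS and
MAX_PASSWORD_AGE_DAYS are constructed stand-ins for an organization's policy.
"""
import hashlib
import string

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation period ("change passwords frequently")
# Constructed sample of words users tend to pick: pets, family names, sports teams.
PERSONAL_WORDS = ("rex", "fluffy", "smith", "junior", "lakers")


def password_hash(password):
    """Fingerprint used to detect reuse without keeping the cleartext around.

    Unsalted SHA-256 keeps the example short; a real credential store uses
    salted, deliberately slow hashes (bcrypt, scrypt, Argon2) instead.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(userid, password, previous_hashes=(), age_days=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    # Users often reuse their userID, or a chunk of it, as the password.
    if not password or userid.lower() in lowered or lowered in userid.lower():
        problems.append("contains or equals the userID")
    # Family members, pets and favourite teams are easy to guess.
    for word in PERSONAL_WORDS:
        if word in lowered:
            problems.append(f"contains easily guessed word '{word}'")
    # Composition rules from the "Improving Passwords" slide.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must mix uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("must include a number")
    if not any(c in string.punctuation for c in password):
        problems.append("must include a special character")
    # Reuse across accounts: if one account is broken, every reused password falls.
    if password_hash(password) in previous_hashes:
        problems.append("already used for another account")
    # Rotation: a guessed password should stay valid only for a limited time.
    if age_days is not None and age_days > MAX_PASSWORD_AGE_DAYS:
        problems.append(f"older than {MAX_PASSWORD_AGE_DAYS} days and must be changed")
    return problems
```

Feeding `previous_hashes` the fingerprints of the user's other account passwords is what catches the "same password everywhere" problem from the last slide.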

Personal Identification Numbers

  • Most people have at least one Personal Identification Number (PIN).

  • PINs are associated with things such as an automated teller machine card or a security code used to gain physical access to a room.

  • Users invariably select numbers that are easy to remember.

Human Attacks

  • Piggybacking and shoulder surfing

  • Dumpster diving

  • Installing unauthorized hardware and software

  • Access by non-employees

  • Social engineering

  • Reverse social engineering

Piggybacking and Shoulder Surfing

  • Piggybacking is the tactic of closely following a person who has just used an access card or PIN to gain physical access to a room or building.

  • Shoulder surfing is a procedure in which attackers position themselves in such a way as to be able to observe the authorized user entering the correct access code.

Dumpster Diving

  • Attackers need some information before launching an attack.

  • A common place to find this information is to go through the target’s trash.

  • This process, of going through a target’s trash, is known as dumpster diving.

Dumpster Diving (continued)

  • If the attackers are fortunate and the target’s security procedures are very poor, attackers may find userIDs and passwords.

  • Manuals of hardware or software purchased may also provide a clue as to what vulnerabilities might be present on the target’s computer systems and networks.

Unauthorized Hardware and Software

  • Organizations should have a policy to restrict normal users from installing software and hardware on their systems.

    • Communication software and a modem may allow individuals to dial in to their work machines from a modem at home.

      • This creates a backdoor into the network and can circumvent all the other security mechanisms.

  • There are numerous small programs that can be downloaded from the Internet.

    • Users cannot always be sure where the software originally came from and what may be hidden inside.

E-mail

  • The actions that can be performed on received e-mail can be restricted.

  • This helps prevent users from executing a hostile program that was sent as part of a worm or virus.

Access by Non-employees

  • If an attacker gains access to a facility, there is a good chance of obtaining enough information to penetrate computer systems and networks.

    • Many organizations require employees to wear identification badges at work.

    • This method is easy to implement and may be a deterrent to unauthorized individuals.

    • It also requires that employees challenge individuals not wearing identification badges.

Access by Non-employees (continued)

  • One should examine who has legitimate access to a facility.

  • Non-employees may not have the same regard for the intellectual property rights of the organization that employees have.

    • Contractors, consultants, and partners may frequently not only have physical access to the facility but also have network access.

  • Nighttime custodial crewmembers and security guards have unrestricted access to the facility when no one is around.

Social Engineering

  • Using social engineering, the attacker uses deception to:

    • Obtain privileged information.

    • Convince the target to do something that they normally would not.

Social Engineering (continued)

  • Social engineering succeeds for two reasons.

    • The first is the basic human nature to be helpful.

    • The second reason is that individuals normally seek to avoid confrontation and trouble.

Variations

  • A variation on social engineering uses means other than direct contact between the target and the attacker.

  • Insiders may also attempt to gain unauthorized information.

  • The insider may be more successful.

    • They already have a level of inside information about the organization.

    • They can better spin a story that may be believable to other employees.

Stanley Mark Rifkin (1978)

  • In 1978, when Stanley Mark Rifkin stole $10.2 million from the Security Pacific Bank in Los Angeles:

    • He was working as a computer consultant for the bank.

    • He learned details on how money could easily be transferred to accounts anywhere in the United States.

    • He transferred the money to another account in Switzerland under a different name.

  • The crime might have gone undetected if he had not boasted of his exploits to an individual.

Reverse Social Engineering

  • An alternate approach to social engineering is called reverse social engineering.

  • Here, the attacker hopes to convince the target to initiate the contact.

    • The attack may be successful because the target initiates the contact.

    • Attackers may not have to convince the target of their authenticity.

Reverse Social Engineering (continued)

  • Methods of convincing the target to make the initial contact include:

    • Sending out a spoofed e-mail claiming to be from a reputable source that provides another e-mail address or phone number to call for “tech support.”

    • Posting a notice or creating a bogus Web site for a legitimate company that also claims to provide “tech support.”

  • This may be successful in conjunction with the deployment of a new software or hardware platform or when there is a significant change in the organization itself.

People as a Security Tool

  • A paradox of social engineering attacks is that people are not only the biggest problem and security risk, but also the best tool to defend against these attacks.

  • Organizations must fight social engineering attacks by establishing policies and procedures that define roles and responsibilities for all users and not just security personnel.

Security Awareness

  • Organizations can counter potential social engineering attacks by conducting an active security awareness program for the organization’s security goals and policies.

    • The training will vary depending on the organization’s environment and the level of threat.

Security Awareness (continued)

  • An important element that should be stressed in the training on social engineering is the type of information that the organization considers sensitive and that may be the target of a social engineering attack.

Individual User Responsibilities

  • Certain responsibilities that should be adopted by all users include:

    • Locking the door to the office or workspace.

    • Not leaving sensitive information unprotected inside the car.

    • Securing storage media containing sensitive information.

    • Shredding paper containing organizational information before discarding it.

Individual User Responsibilities (continued)

  • Certain responsibilities that should be adopted by all users include (continued):

    • Not divulging sensitive information to unauthorized individuals.

    • Not discussing sensitive information with family members.

    • Protecting laptops that contain sensitive or important organization information.

    • Being aware of who is around when discussing sensitive corporate information.

    • Enforcing corporate access control procedures.

Individual User Responsibilities (continued)

  • Certain responsibilities that should be adopted by all users include (continued):

    • Being aware of the procedures to report suspected or actual violations of security policies.

    • Enforcing good password security practices, which all employees should follow.

    • Cultivating an environment of trust in the office and an understanding of the importance of security.