
Transcription
Securing the Weakest Link
Instructor: Jay Ferron, CEHI, CISM, CISSP, CWSP, MCITP, MCT, MVP, NSA-IAM, [email protected]
2010 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
  Discuss the issue of social media in security
  Describe and show examples of phishing
  Show methods of discovering and processing online attacks
Security Fundamentals: Security Importance
To protect your:
  finances
  data
  country
  job
  way of life
  life
Security Fundamentals: Human Influence in Security
"People are the underlying cause of the need for security."
Donn Parker, Fighting Computer Crime
Vulnerabilities: Social Engineering
  Dumpster diving and shoulder surfing
  Organizational charts, passwords, access codes, and log files
  Use of tools:
    Google, Bing, Yahoo!, etc.
    www.learnwebskills.com/company
    www.whitepages.com
    Hoover's, Inc.
    EDGAR Online, Inc.
Demo
Audience survey (slide text garbled in the transcription; recoverable fragments: how often you read e-mail, virus, your data, computer at home (DSL, cable, or dial-up), ages)
Social Media: Types
  Social networking sites: Facebook, Twitter
  Blogging: Xanga, LiveJournal
  Video-sharing sites: YouTube
  Bookmarking sites: Digg
  Photo-sharing: Flickr
Demonstration: Social Networking: Help Desk
Social Media: Vulnerabilities: Profile Information
  Name: John Doe
  Address: 1234 Main Street, Capital City, USA
  Phone Number: 000-555-1110
  Date of Birth: 06/15/1972
Vulnerabilities: Items at Stake
  Social security number
  Mother's maiden name
  Birth date
  Billing addresses
  E-mail addresses
  Account numbers
  Password
  System information
  Company or government data
  Who, what, and where you work
Now that I have your ID
  Let's search for information about you
  Let's create a new you
Vulnerabilities: Attacker Mentality
  They look for holes
  They think creatively
  They think outside of the box
Social Networking Sites: Billy Bob, Jr. (Not in Book)
Social Networking Sites: Profile Management
  Social networking profiles
  Koobface outbreak
  Hoax applications
  Profile information compromised
Social Media: Social Engineering
  Eagerly talkative employees
  Desk call personnel
  Janitorial
  Dumpster diving
  Corporate
  Contract staff
  Delivery personnel
Demonstration: Dumpster Diving video
Discussion: E-mail Phishing
Phishing
Fraudulent process to acquire:
  User names
  Passwords
  Credit card details
Appears to be a trustworthy source:
  Banks
  Social Web sites
  Auction sites
  Online payment processors
  IT administrators
(Slide shows a login dialog: Username, Password, OK, Cancel, Options)
Demonstration: Internet Phishing
Phishing: Phishing via E-mail
Sample message:
  Online security alert:
  To protect your First Tennessee Internet Banking account from unauthorized access, we have set limit of failed login attempts. Unfortunately, you have just reached critical number of attempts, so your access to Online Banking has been limited for the security purposes.
  This measure doesn't affect to your access to ATM machines.
  To restore your account access, please follow the link tb/index.html?BID 0170
  Thank you for using First Tennessee Bank
Phishing: SSL
Phishing: Phishing Result
Online Attacks: Statistical Data
  491,815,456 records containing personal information compromised since January 2005
  Example: TJ retail stores (TJX)
    45,700,000 credit and debit card account numbers compromised
    TJMaxx, Marshalls, HomeSense, AJWright, TKMaxx, Winners and HomeGoods stores in Canada
    48 million more people affected, according to latest records
Online Attacks: Security Breach Sources
  Lack of commitment from management
  No social motivation
  Incorrect assumptions
  Not part of job description
  Not part of performance appraisal
  No economic motivation
Exercise 1
Exercise 2
Exercise 3
Exercise 4
Questions
Thank you for attending. If you have questions: [email protected]
Keywords: Securing the Weakest Link, FISSEA Conference 2011 Pres