People, by Jamie Sims, February 13, 2003

Dec 28, 2015


Primrose Cain
Transcript
Page 1:

People

By Jamie Sims

February 13, 2003

Page 2:

Outline

– Trusting other computers
– Firewall Vulnerabilities
– Employees
– Consultants
– Outsiders

Page 3:

Trusting Other Computers

The question is how much each system should trust other systems it communicates with.
– Always insist on too much security
– Even though it might make employees angry, you will be protecting their work

Page 4:

Trusting Other Computers

Some computers contain data so confidential that they should have no connection to the Internet or company network

Page 5:

Examples of Databases not to put on the Network

Ones that contain:
– Employee Data
– Patient medical data
– Financial databases (banking, stock, etc…)
– Legal Cases
– Customer Information (credit cards, passwords)
– Security Information

Page 6:

Firewall Vulnerabilities

1. Attacks from Within
   a) Someone with access to internal systems initiates an attack

2. End runs and tunneling
   a) Intruder gets past the firewall and “has his way with your systems”
   b) All it takes is someone connecting a modem to his/her desktop system to defeat the firewall

Page 7:

Firewall Vulnerabilities

3. Content-based attacks
   a) Malicious email attachment
   b) MS Word macros
   c) Evil Web pages

4. Address spoofing attacks
   a) Any decent firewall will detect a packet originating from outside the agency, spoofing an address of an inside machine, and drop it
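
The check described in item 4(a), as an added example that is not part of the original slides. It goes one step beyond the slide by also rejecting reserved source addresses from outside and foreign source addresses leaving the inside network. The inside range 10.20.0.0/16, the interface names and the sample packets are assumptions made up for illustration.

```python
import ipaddress

# Assumptions for illustration: the agency's inside range and the interface names.
INSIDE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Sources that are never legitimate on a packet arriving from outside.
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("0.0.0.0/8"),       # "this network"
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
    ipaddress.ip_network("224.0.0.0/4"),     # multicast, never a valid source
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def check_packet(iface, src):
    """Return (verdict, reason) for a packet seen on iface with source src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if iface == "outside":
        # The slide's case: an inside address cannot legitimately arrive from outside.
        if _in_any(addr, INSIDE_NETS):
            return ("drop", "inside source address arriving from outside")
        if _in_any(addr, NEVER_FROM_OUTSIDE):
            return ("drop", "reserved source address arriving from outside")
        return ("pass", "plausible external source")
    if iface == "inside":
        # Egress side: inside hosts may only send with inside source addresses.
        if _in_any(addr, INSIDE_NETS):
            return ("pass", "inside source on inside interface")
        return ("drop", "foreign source address leaving the inside network")
    return ("drop", "unknown interface")


# Constructed sample packets: (interface the packet arrived on, source address).
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7"),
    ("outside", "10.20.5.9"),
    ("outside", "127.0.0.1"),
    ("inside", "10.20.5.9"),
    ("inside", "192.0.2.44"),
]


def verdicts(packets):
    return [(iface, src) + check_packet(iface, src) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict, reason in verdicts(SAMPLE_PACKETS):
        print(f"{iface:8} {src:15} {verdict:5} {reason}")
```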

Page 8:

Firewall Vulnerabilities

5. DoS attacks
   a) The attacker can flood your firewall with more traffic than it can handle, burying legitimate packets

6. Misplaced Server attacks
   a) Vulnerable services should be provided by systems in the DMZ (web server configs, externally accessible DNS, sendmail)

7. Configuration Error attacks
   a) Analyze any changes to firewall configuration carefully

Page 9:

“...the human factor is truly security’s weakest link.” Kevin D. Mitnick

The FBI claims that more than 80% of all computer intrusions are from within.

Page 10:

Employees

Hacking tools used by employees within organizations may be the biggest security threat to emerge this year, leading to increased vulnerabilities, lost data, and wasted time and resources

Websense, the worldwide leader of employee Internet management (EIM) solutions, reports that the number of hacking Web sites has increased 45 percent in the last 12 months, now totaling approximately 6,000 Web sites, encompassing more than 1 million pages of content

Nearly 90 percent of U.S. businesses and government agencies suffered hacker attacks in the last year, according to Newsbytes, while 80 percent of network security managers claim their biggest security threat comes from their own employees, according to a survey conducted at this year's Gartner Information Security Conference.

http://www.websense.com/company/news/pr/02/121702.cfm

Page 11:

The Social Engineer

Social Engineering is the hacker term for a con game: persuade the other person to do what you want

Bypasses:
– Cryptography
– Computer Security
– Network Security
– Everything else technological

Page 12:

Employees

Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind.

Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect.

The only reasonable safeguard in these cases is to enforce and audit procedures verifying identity, including the person’s employment status, prior to disclosing any information to anyone not personally known to be with the company.

Page 13:

Employees

– New Employees
– Current Employees
– Former Employees
– Disgruntled Employees

Page 14:

New Employees

New employees are ripe targets for attackers

o Do not know company procedures
o Eager to show how cooperative and quick to respond they can be, so they will give out any information anyone asks them for!
o Unaware of the value of specific company information or of the possible results of certain actions.
o Tend to be easily influenced by some of the more common social engineering approaches:
    o a caller who invokes authority
    o a person who seems friendly and likeable
    o a person who appears to know people in the company who are known to the victim
    o a request that the attacker claims is urgent
    o the inference that the victim will gain some kind of favor or recognition

Page 15:

New Employees

Andrea in HR

Page 16:

Former Employees

Need to have ironclad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, etc…
– Your security procedures need to provide a way to keep track of who has authorization to various systems.

Change passwords for accessing systems (administrator passwords if applicable).

For companies that need very high security, it needs to be required that all employees in the same workgroup as the person leaving change their passwords

Page 17:

Disgruntled/Fired Employees

Story about employee who was transferred to a different department within the city offices.

Page 18:

Policies for All Employees

1. Reporting suspicious calls
   – Employees who suspect that they may be the subject of a security violation must immediately report the event to the company’s incident reporting group
   – When a social engineer fails to convince his or her target, they will try someone else.

2. Documenting suspicious calls
   – The employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish and make notes
   – Such details can help the incident reporting group spot the object or pattern of an attack

Page 19:

Policies for All Employees

3. Disclosure of dial-up numbers
   – Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk.
   – Treat dial-up numbers as internal information, only to be given to employees who need to know such information

4. Corporate ID badges
   – Except in their immediate office area, all company personnel, including management and executive staff, must wear badges at all times
   – All employees who arrive at work without their badge should be required to stop at the lobby desk or security office to obtain a temporary badge

Page 20:

Policies for All Employees

5. Challenging ID badge violations
   – All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor’s badge.

6. Piggybacking
   – Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means to gain entrance into an area
   – Carrying boxes so the worker will hold the door open for them to be nice

Page 21:

Policies for All Employees

7. Shredding sensitive documents
   – Cross-shred sensitive documents and destroy hard drives and disks that contained sensitive information

8. Personal identifiers
   – Never use employee numbers, social security numbers, driver’s license numbers, date and place of birth and mother’s maiden name for verifying identity
   – These are not secret and can be obtained numerous ways

Page 22:

Policies for All Employees

9. Organizational charts
   – A company’s organization chart details should never be released to anyone outside the company
   – This includes positions, contact numbers, extensions, emails

10. Audit access to sensitive files, like payroll files, unless the employee is allowed to have access to these files for job reasons
   – Employees have been known to write a program where they will receive a raise every few months
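
One way to carry out the audit in item 10, as an added example that is not part of the original slides. The log format, the payroll directory, the user names and the sample log are all constructed for illustration. The path is normalized before matching so that an indirect path to a payroll file is still caught.

```python
import posixpath
from collections import Counter

# Assumptions for illustration: the sensitive directory, the users whose job
# requires access, and the log format "timestamp user action path".
SENSITIVE_DIRS = ("/finance/payroll",)
AUTHORIZED = {"mlopez", "payroll_svc"}

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2003-02-10T09:12:01 mlopez READ /finance/payroll/2003-02.csv
2003-02-10T09:40:17 jdoe READ /shared/handbook.pdf
2003-02-10T23:05:44 jdoe READ /finance/payroll/2003-02.csv
2003-02-10T23:06:02 jdoe WRITE /finance/payroll/2003-02.csv
2003-02-11T08:00:00 payroll_svc WRITE /finance/payroll/2003-03.csv
malformed line here
2003-02-11T10:15:30 tkim READ /finance/payroll/../payroll/rates.csv
"""


def is_sensitive(path):
    # Normalize first so "a/../payroll/x" cannot hide a sensitive path.
    clean = posixpath.normpath(path)
    return any(clean == d or clean.startswith(d + "/") for d in SENSITIVE_DIRS)


def audit(log_text):
    """Return (findings, malformed): accesses to sensitive files by users not
    in AUTHORIZED, and lines that could not be parsed."""
    findings, malformed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2] not in ("READ", "WRITE"):
            # Keep unparseable lines for review instead of silently skipping them.
            malformed.append(line)
            continue
        ts, user, action, path = parts
        if is_sensitive(path) and user not in AUTHORIZED:
            findings.append((ts, user, action, posixpath.normpath(path)))
    return findings, malformed


def per_user(findings):
    """Count flagged accesses per user so repeat activity stands out."""
    return dict(Counter(user for _, user, _, _ in findings))


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for ts, user, action, path in found:
        print(f"FLAG {ts} {user} {action} {path}")
    print("per user:", per_user(found))
    print("unparsed lines:", bad)
```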

Page 23:

Malicious Insiders

– A dangerous and insidious adversary
– Can be impossible to stop because they’re the same people we’re forced to trust
– Know how system works and where the weak points are

Page 24:

Consultants

Insiders are not always employees, they can be consultants

Consultants have access to sensitive information and are trusted by the company’s employees, so they could easily attack a system

Stanley Mark Rifkin story

Page 25:

Outsiders

Someone who does not have security clearance to access information

The “unverified” person

Page 26:

What to do when confronted by an Outsider

1. Verify that the person is who he or she claims to be
2. Callback
3. Vouching
4. Shared Secret
5. Employee’s Supervisor
6. Secure Email
7. Personal Voice Recognition
8. Dynamic Password Verification
9. In person with ID

Page 27:

Outsiders

Michael Parker figured out that people with college degrees got better paying jobs….

Page 28:

References

Mitnick, K.D. & Simon, W.L. The Art of Deception: Controlling the Human Element of Security. 2002. Wiley Publishing, Inc., Indianapolis, IN

Schneier, B. Secrets & Lies: Digital Security in a Networked World. 2000. John Wiley & Sons, Inc. New York, NY

Toxen, B. Real World Linux Security. 2002. 2nd Ed. Pearson Education. Upper Saddle River, New Jersey