Social Engineering
Jero-Jewo
Case study
• Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org
• As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.
• Integrity and availability are important considerations for Duo when processing requests for changes.
Case Study
• There is currently a communication process in place to receive and manage requests.
• 99% of requests come from known contacts.
• How should we handle requests from contacts that are not known?
Real World
• New request comes in from an unknown contact at Setton Farms for ftp access to their web server on a Saturday.
• Contact explains that there is an immediate need to publish critical information about a recall on their site and they have hired a designer to make the updates to their site.
  • This contact is not known to Duo
  • Need to question identity
  • Need to question authenticity of request
What’s missing?
• We do not have a policy or process in place to confirm the identity of contacts making requests.
• We do not have a list of authorized contacts.
• There is a service level agreement in place for managed hosting, but nothing defined about emergency requests from clients that do not have a services support contract in place.
Proposed Solution
• We need a policy to address unknown and unauthorized customer contacts.
• The delivery stages of this policy must include planning, design, implementation, rollout, and operation of that policy.
Proposed Solution (Continued)
• The policy must be integrated into our business and it must address the following:
  • People: a team must address the planning, design, implementation, rollout and operation
  • Technology: the proper technology must be in place to implement the policy (e.g. ticketing system, electronic approvals of users, escalation, etc.)
  • Process: there must be a living process that addresses such incidents and ensures enforcement of the policy
  • Business value: establishing this policy will clearly protect the customer as well as Duo, both legally and in terms of availability
  • IT Strategy: the four pillars of security must be addressed: authenticity, confidentiality, integrity and availability
People
• Duo understands the need to assemble a team to address the development of the policy through the different stages:
  • Planning: the team must establish the strategy, an initial approximation of the effort, a plan for releases and delivery, a preliminary risk assessment, the policy organization, and leadership.
  • Design: the team ensures that the policy meets its goals and serves the intended purpose. Feasibility is addressed here, as well as implementation estimates (time and effort).
  • Implementation: the team must ensure the policy is tested and approved. The team ensures management approval and re-assesses risk.
  • Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc.
  • Rollout: the team ensures prior to rollout that all training and legal aspects are covered.
  • Operate: periodically review the policy to ensure its enforceability and effectiveness.
Technology
• The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts.
• Privileges will be honored accordingly:
  • Content contributor
  • Publisher
• Employee access will be via a portal.
Technology (Continued)
• Create a system of record for authorized contacts.
• SalesForce.com
  • Contains customer database with privilege levels
  • Granular control of access
  • Change/version control and user logs
Process
• A process ensures the policy is working for Duo:
  • Usable
  • Enforceable
  • Effective
  • Legal
Business Value
• What’s in it for Duo?
  • Prevention of unauthorized work
  • Policy provides legal protection from liability lawsuits, including:
    • Unauthorized changes
    • Inaccurate content
    • Site downtime
    • Leakage of information
Business Value (Continued)
• What’s in it for Duo’s customers? The Four Pillars:
  • Integrity
  • Authenticity
  • High availability
  • Confidentiality
IT Strategy
• Integrity and availability were cited as the top concerns for our particular problem.
• However, Duo must address all four cornerstones of security:
  • Availability
  • Integrity
  • Confidentiality
  • Authenticity
Policy Contents
• Authenticity:
  • Who is authorized to make requests?
  • How do we determine that the request is legitimate?
  • Is the person making the request authorized to perform the operation requested?
  • Develop and maintain a list of authorized contacts
  • Designate 1 or more authoritative contacts and require them to approve all requests
  • Maintain a secret pass phrase to authenticate users who make requests
Policy Contents (Continued)
• Integrity
  • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts
  • Each contact will have specific operations defined
• Confidentiality
  • Establish the appropriate level of confidentiality of a request based upon client input
• Availability
  • Ensure that proper client contact communication information is available and up to date
  • Enforce policies in regards to authentication, integrity, confidentiality and availability
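As an added illustration that is not part of the original deck or Duo's own tooling, the Python script below models the rules the Policy Contents slides lay out: a register of authorized contacts with the operations each is assigned (the Integrity rule), one or more designated authoritative contacts whose approval every request needs, and a secret pass phrase checked for each requester (the Authenticity rules), plus the per-request user log the Technology slide asks for. Every contact name, client, operation and pass phrase is constructed, and the decision labels ESCALATE/DENY/HOLD/ALLOW are this example's own. It goes slightly beyond the slides in storing pass phrases only as salted PBKDF2 hashes and comparing them in constant time.

```python
"""Model of the change-request authorization policy from the deck.

Added example, not Duo's code: every name, client and pass phrase below is
constructed for illustration, and the decision labels are this example's own.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


@dataclass
class Contact:
    """One entry in the authorized-contact list (the 'system of record')."""
    name: str
    client: str
    operations: FrozenSet[str]   # operations this contact is assigned (integrity rule)
    approver: bool               # designated authoritative contact for the client
    salt: bytes
    passphrase_hash: bytes       # salted PBKDF2 hash; the pass phrase itself is never stored


@dataclass
class Request:
    """A change request as it arrives (hypothetical shape, not a real ticket format)."""
    requester: str
    client: str
    operation: str
    passphrase: str
    approved_by: Optional[str] = None


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(name: str, client: str, operations, passphrase: str, approver: bool = False) -> Contact:
    """Add a contact to the register, storing only a salted hash of the pass phrase."""
    salt = secrets.token_bytes(16)
    return Contact(name, client, frozenset(operations), approver, salt, hash_passphrase(passphrase, salt))


class ChangeRequestPolicy:
    """Evaluates a request against the authenticity, integrity and approval rules."""

    def __init__(self, contacts: List[Contact]) -> None:
        self.contacts: Dict[str, Contact] = {c.name: c for c in contacts}
        self.log: List[Tuple[str, str, str, str, str]] = []   # user log asked for by the Technology slide

    def decide(self, req: Request) -> Tuple[str, str]:
        decision, reason = self._evaluate(req)
        self.log.append((req.requester, req.client, req.operation, decision, reason))
        return decision, reason

    def _evaluate(self, req: Request) -> Tuple[str, str]:
        contact = self.contacts.get(req.requester)
        # Authenticity: a contact not on the list for this client is never served
        # directly; the request goes to a person for identity confirmation.
        if contact is None or contact.client != req.client:
            return "ESCALATE", "requester is not a known contact for this client"
        # Authenticity: verify the shared pass phrase with a constant-time comparison.
        candidate = hash_passphrase(req.passphrase, contact.salt)
        if not hmac.compare_digest(candidate, contact.passphrase_hash):
            return "DENY", "pass phrase did not verify"
        # Integrity: only operations assigned to this contact may be performed.
        if req.operation not in contact.operations:
            return "DENY", f"contact is not assigned the operation '{req.operation}'"
        # Approval: an authoritative contact of the same client must sign off.
        approver = self.contacts.get(req.approved_by) if req.approved_by else None
        if approver is None or not approver.approver or approver.client != req.client:
            return "HOLD", "awaiting approval from an authoritative client contact"
        return "ALLOW", "authenticated, authorized and approved"


def build_demo_policy() -> ChangeRequestPolicy:
    """Constructed register: two contacts for one client, one of them an approver."""
    return ChangeRequestPolicy([
        enroll("Ana Ruiz", "Setton Farms", {"content", "publish"}, "correct horse", approver=True),
        enroll("Ben Ortiz", "Setton Farms", {"content"}, "battery staple"),
    ])


if __name__ == "__main__":
    policy = build_demo_policy()
    # The Real World slide's situation: an unknown designer asking for access on a Saturday.
    print(policy.decide(Request("Unknown Designer", "Setton Farms", "ftp_access", "anything")))
    print(policy.decide(Request("Ben Ortiz", "Setton Farms", "content", "battery staple", approved_by="Ana Ruiz")))
    for entry in policy.log:
        print(entry)
```

The order of the checks is the point: an unknown contact is escalated to a person before any pass phrase is even compared, which is exactly the Real World slide's Saturday request, and a known contact with a valid pass phrase still cannot have an operation performed that is not assigned to them or that no authoritative contact has approved. Every decision, including refusals, lands in the log so the review step of the Operate stage has something to audit.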
Questions?
• Thank you!

Document info: posted 9/3/2012, 17 pages, English.