Social Engineering by dfhdhdhdhjr

Social Engineering
Case study
• Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.
• As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.
• Integrity and availability are important considerations for Duo when processing requests for changes.
Case Study
• There is currently a communication process in place to receive and manage requests.
• 99% of requests come from known contacts.
  • How should we handle requests from contacts that are not known?
Real World
• A new request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday.
• The contact explains that there is an immediate need to publish critical information about a recall on their site and that they have hired a designer to make the updates to their site.
  • This contact is not known to Duo.
  • Need to question identity.
  • Need to question the authenticity of the request.
What's missing?
• We do not have a policy or process in place to confirm the identity of contacts making requests.
• We do not have a list of authorized contacts.
• There is a service level agreement in place for managed hosting, but nothing is defined about emergency requests from clients that do not have a services support contract in place.
Proposed Solution
• We need a policy to address unknown and unauthorized customer contacts.
• The delivery stages of this policy must include planning, design, implementation, rollout, and operation of such a policy.
Proposed Solution
The policy must be integrated into our business and it must address the following:
• People: a team must address the planning, design, implementation, rollout and operation.
• Technology: the proper technology must be in place to implement such a policy (e.g. ticketing system, electronic approval of users, escalation, etc.).
• Process: there must be a living process to address such incidents that ensures enforcement of the policy.
• Business value: the business value of establishing this policy will clearly protect the customer as well as Duo in the legal and availability aspects.
• IT Strategy: the four pillars of security must be addressed, including authenticity, confidentiality, integrity and availability.
• Duo understands the need to assemble a team to address the development of the policy through the different stages:
  • Planning: the team must establish the strategy, an initial approximation of the effort, a plan for releases for delivery, perform a preliminary risk assessment, develop the policy organization, and establish leadership.
  • Design: the team ensures that the policy is meeting the goals and that it serves the intended goal. Feasibility is addressed here, as well as estimates of implementation (time and effort).
  • Implementation: the team must ensure the policy is tested and approved. The team ensures management approval, and re-assesses risk.
  • Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc.
  • Rollout: the team ensures prior to rollout that all training and legal aspects are covered.
  • Operate: periodically review the policy to ensure its enforceability and
Technology
• The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts.
• Privileges will be honored accordingly:
  • Content contributor
  • Publisher
• Employee access will be via a portal.
Technology (Continued)
• Create a system of records for authorized contacts:
  • Contains a customer database with privilege levels
  • Granular control of access
  • Change/version control and user logs
• A process ensures the policy is working for Duo:
  • Usable
  • Enforceable
  • Effective
  • Legal
Business Value
• What's in it for Duo?
  • Prevention of unauthorized work
  • The policy provides legal protection from liability lawsuits, including:
    • Unauthorized changes
    • Inaccurate content
    • Site downtime
    • Leakage of information
Business Value
• What's in it for Duo's customers? The Four Pillars:
  • Integrity
  • Authenticity
  • High availability
  • Confidentiality
IT Strategy
• Integrity and availability were cited as the top concerns for our particular problem.
• However, Duo must address all four cornerstones of security:
  • Availability
  • Integrity
  • Confidentiality
  • Authenticity
Policy Contents
• Authenticity:
  • Who is authorized to make requests?
  • How do we determine that the request is
  • Is the person making the request authorized to perform the operation requested?
  • Develop and maintain a list of authorized contacts.
  • Designate one or more authoritative contacts and require them to approve all requests.
  • Maintain a secret pass phrase to authenticate users who make requests.
Policy Contents (Continued)
• Integrity
  • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts.
  • Each contact will have specific operations defined.
• Confidentiality
  • Establish the appropriate level of confidentiality of a request based upon client input.
• Availability
  • Ensure that proper client contact communication information is available and up to date.
  • Enforce policies in regards to authentication, integrity, confidentiality and availability.
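The authorized-contact list, per-contact operations, pass phrase authentication, authoritative-contact approval and user log described in the Technology and Policy Contents slides, as an added Python example that is not part of the original deck. The contact names, pass phrases and the operation-to-privilege mapping are constructed for illustration; the scenario replays the unknown Setton Farms request from the Real World slide.

```python
import hashlib, hmac, secrets
# Operations each privilege level may request (constructed mapping, not Duo's real list).
OPERATIONS = {"content contributor": {"edit content"},
              "publisher": {"edit content", "publish content"},
              "authoritative": {"edit content", "publish content", "ftp access"}}

def hash_phrase(phrase, salt):
    # Salted, slow hash so a leaked contact record does not reveal the pass phrase.
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, 50_000)

class Registry:
    def __init__(self):
        self.contacts = {}  # (client, contact name) -> record: the authorized list
        self.log = []       # user log: one entry per decision, granted or not

    def enroll(self, client, name, privilege, phrase):
        salt = secrets.token_bytes(16)
        self.contacts[(client, name)] = {
            "privilege": privilege, "salt": salt, "hash": hash_phrase(phrase, salt)}

    def authenticated(self, client, name, phrase):
        rec = self.contacts.get((client, name))  # None: not on the authorized list
        ok = rec and hmac.compare_digest(rec["hash"], hash_phrase(phrase, rec["salt"]))
        return rec if ok else None

    def evaluate(self, client, name, phrase, operation, approval=None):
        # approval = (name, phrase) of an authoritative contact for the same client
        rec = self.authenticated(client, name, phrase)
        if rec is None:
            decision = "denied: unknown contact or wrong pass phrase"
        elif operation not in OPERATIONS[rec["privilege"]]:
            decision = "denied: operation not assigned to this contact"
        else:
            approver = self.authenticated(client, *approval) if approval else None
            decision = ("granted" if approver and approver["privilege"] == "authoritative"
                        else "needs-approval: authoritative contact must approve")
        self.log.append((client, name, operation, decision))
        return decision

def setton_scenario():
    # Constructed records: the contact names and pass phrases are made up.
    reg = Registry()
    reg.enroll("Setton Farms", "Alice", "authoritative", "orchard-7")
    reg.enroll("Setton Farms", "Bob", "content contributor", "harvest-3")
    reg.evaluate("Setton Farms", "Designer", "anything", "ftp access")  # unknown caller
    reg.evaluate("Setton Farms", "Bob", "harvest-3", "ftp access")      # not his operation
    reg.evaluate("Setton Farms", "Bob", "harvest-3", "edit content")    # no approval yet
    reg.evaluate("Setton Farms", "Bob", "harvest-3", "edit content", ("Alice", "orchard-7"))
    return reg.log
```

Every request, including the denied ones, ends up in the log, which is what gives the user-log requirement its value when a suspicious request is reviewed afterwards.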
• Thank you!