Social Engineering – The Basics

Social Engineering is a frequently heard term these days, isn’t it?

THIS ARTICLE from CSO Online provides you with a basic understanding of what it is, how it works in practice and why you should be worried, for yourself and for your company.

The essence of the topic is the following: even if you believe you have put in place a state-of-the-art IT Security infrastructure with all the bells and whistles (and with the hefty bill that comes with that), Social Engineering is something you cannot afford to overlook. The human factor is recognized today as the weakest link of the IT Security chain made of technology, processes and people. Fail to train your people to use technologies appropriately and to follow processes, and you are headed for a sure defeat in your battle with cyber-threats (and not only those…). However, even a well-trained workforce needs to be aware of the typical social engineering threats that are around. There are not so many types of those, after all, just many variations. So Security Awareness Training programs can do wonders in this field and you should never neglect to include them in any Security program; the stakes are way too high.

Social engineering attacks can also be perpetrated by non-remote attackers.

The typical social engineering attack is perpetrated by remote attackers who, most of the time, have little knowledge about you, your company and the industry you are in. They just try to grab credentials and other types of valuable personal information through email phishing attempts, rogue web sites or forms crafted to look as identical as possible to the real ones (except for the URL, which will never be identical to the legitimate one). Those types of attacks are in general very impersonal because the attacker knows little or nothing about you.

A more personal type of attack is perpetrated by phone scammers, who tend to know more about you (they have managed to reach your phone, after all, so they might have conducted some preliminary research). Again, the objective is to trick you into releasing personal information and possibly access credentials while making you believe that the request is legit. My wife experienced a scam attempt of this type very recently. An anonymous caller identifying himself as “Apple technical support” requested her Apple ID to perform a necessary remote operation to keep her account alive “because we got notified that it got compromised”. The scam did not succeed, as my wife easily smelled something rotten there; but how many users are falling for this scam every day?

An even more personal type of social engineering attack, less likely than the other two (because it is riskier for the attacker), is the in-person one. Yes, the person standing in front of you asking for something really personal may not be who he/she pretends to be. Some of the most complete Penetration tests include attacks of this type, because they are not so rare and their results reveal a lot about how much training the users have had on IT Security and Social Engineering in particular. Say two fire inspectors show up at your office, show their badges and ask for a walkthrough; you’re legally required to give them access to do their job. They ask a lot of questions, they take electrical readings at various wall outlets, they examine wiring under desks. Thorough, aren’t they? Problem is, in this case they’re really security consultants doing a social engineering ‘penetration test’ and grabbing access cards, installing keystroke loggers, and generally getting away with as much of your business’s private information as they can get their hands on.

Do you see the threat and all its risk potential? If you still have doubts, read this other article:

How to rob a bank: A social engineering walkthrough


HOW DO THEY DO IT?

Social engineering attempts are successful with victims who have not been trained to recognize the patterns of behavior typical of social engineering.

This is how social engineers manage to trick people: four basic principles.

  • They project confidence. Instead of sneaking around, they proactively approach people and draw attention to themselves.
  • They give you something. Even a small favor creates trust and a perception of indebtedness.
  • They use humor. It’s endearing and disarming.
  • They make a request and offer a reason. Psych 101 research shows people are likely to respond to any reasoned request.

You can read more in this article: Mind games: How social engineers win your confidence


DEFENSIVE MEASURES:

Awareness is the number one defensive measure. Employees should be aware that social engineering exists, and also aware of the tactics most commonly used. And here is the good news: luckily, social engineering awareness lends itself to storytelling, and stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders not to assume that everyone is always who they say they are.


I AM INTERESTED IN THE TOPIC AND I WANT TO KNOW MORE

Here is the Ultimate Guide to Social Engineering released by CSO Online:

Security Awareness Training – 56% of the workforce will not receive any: why?

It is a well-known fact to all Information Security professionals that humans are the weakest link in the enterprise security chain. Yet a recent survey from Enterprise Management Associates (EMA) finds that more than half of the workforce (56%) aren’t getting any security awareness training at all.

How is this possible? Let’s analyze some possible root causes.

Do all the executives of the companies providing no training at all think that having a firewall or two in place makes the company secure enough? This may be the classical case of lack of risk perception, and it could happen because we, ITSEC professionals, are not doing a good enough job of pinpointing information risks to decision makers. Perhaps we did not point out that, more often than not, a human mistake is the root cause of a successful data breach, which can cost the executives their seat (e.g. the Target Corp. CEO). Nowadays hackers find it easier to plan their attacks around social engineering, that is to say by tricking end users into doing something they should not have done, like clicking a malicious link, entering a username and password into a rogue web form, opening a malicious attachment, etc. In other words, the enemies are targeting the weakest link (as they should, strategically speaking), the end users, and more than half of the firms are doing nothing about it.

Do they think that training is not worth the time and expense, since all it takes is one person to click on a malicious link and the enterprise is compromised? Well, if the Transportation Security Administration (TSA) took the same view of screening at airports, since “it only takes one terrorist to get through and blow up a plane”, we certainly would not have any line-ups to access the gates at the airports. While acknowledging that one mistake can cause a major problem, the goal of these programs is to reduce the attack surface and the associated risk. Risk reduction is worth some expenditure as soon as there is a minimal understanding of the consequences. Accepting this risk seems simply irrational these days. To say, ‘we don’t do security training because someone will fail,’ is a defeatist attitude. That is like saying we will stop licensing drivers because someone crashed. Who would subscribe to that view?

And did those companies who do provide Security Awareness Training decide to do so only for compliance reasons? Do they see any value beyond that? Most companies do not really appreciate the value of Security Awareness Training beyond the goal of ensuring compliance. When this is the case, these companies tend to have poor training programs to start with. They do not use best practices and often take a ‘check-the-box’ approach: awareness training is delivered as a seminar and ends with a checklist. Such training programs never get the attention and retention needed to effect change in the audience, and they send the message that the organization does not really care much about Security.

The good news is that, for enterprises that are interested, there is plenty of guidance available for developing effective Security Awareness Programs. The Information Security Forum offers 10 principles to embed positive security behaviors into employees. They include:

– Make systems and processes as simple and user-friendly as possible;

– Help employees understand why their security habits are important;

– Motivate workers to protect the business, and empower them to make the decisions necessary to do so;

– Don’t simply give orders to employees – sell them on security habits;

– Use multiple departments, like marketing and human resources, to help embed security behaviors;

– Hold employees accountable by rewarding the good and confronting the bad.

You can read the full article HERE. I also recommend reading this other one, which focuses on why User Awareness Programs work.

Ebay hack 2014 – A case study of what NOT to do when data breaches occur

It’s bad enough that eBay’s 145 million customers were victimized by what may be the second largest security breach in history. Worse is the company’s response to the mess, which will also go down in history as a case study of what NOT to do when hackers succeed in their mission to grab your customers’ personal data.

READ FULL YAHOO ARTICLE

Some highlights of what should not have happened at eBay after the data breach:

1. Fail to figure out precisely when you were victimized

According to eBay, its main user database was compromised sometime between late February and early March. Well… that is a large time window!

It’s a telltale sign that not only were eBay’s security protocols so loose that they allowed the incursion in the first place, but the company’s backup systems and processes were similarly useless to the point that the alarm bells never even went off.

2. Wait a long time before bothering to tell your customers

The company admits learning about the break-in only in early May, which means those tasked with keeping eBay secure were asleep at the switch far longer than anyone has a right to be, and even then it took its sweet time going public, believing initially that user data was safe. This is not exactly unusual: Verizon’s Data Breach Investigations Report says 62 per cent of breaches remain undiscovered for months, with about an additional one-third caught within a month. But eBay isn’t just any company, and its customers deserve better.

3. Do your best to hide it

Even when eBay was ready to share the bad news with customers, it did so in an unacceptably low-key manner. The announcement was posted not on the flagship ebay.com website, but on ebayinc.com, which obviously doesn’t have quite the same name recognition. A note eventually went up on ebay.com, but it was a simple reminder for users to update their passwords. Too little, too late.

4. Don’t communicate directly

Email-based messaging allows companies to connect directly and proactively with users who may not necessarily visit the website on a regular basis. Unfortunately many users say they received no such message (or perhaps they did not notice it in their mailbox). Wouldn’t it have been a better service to its members to display a warning message at their next login?

While stakeholders may cut companies like eBay some slack for being attacked in the first place, they won’t accept a slow, incomplete and clumsy response. They’ll punish companies that try to hide the truth, and they’ll increasingly choose to do business with – and invest in – organizations that build a culture that’s ready to respond to the next anticipated threat.

KPMG’s 2014 Global Audit Committee Survey Report suggests eBay is hardly alone in being behind the security curve, and its results confirm companies could do a better job adapting to the increasingly complex threat environment. Only 11 per cent of Canadian companies see cyber security as a growing company threat, compared to 27 per cent in the U.S. Worse: only 31 per cent of Canadian respondents feel company boards are spending enough time dealing with cyber security issues. In the U.S., it’s 57 per cent.

Watching eBay’s painful stumble through the post-breach minefield suggests the company may have crossed a line. Like Target before it, which continues to count the costs of its own botched response to last year’s massive data theft, eBay is learning the hard way just how critical organizational security competency has become to its survival, and to any other company’s.

EU compliance and regulations for the IT Security Professional (Whitepaper by Bloor Research)

Data loss prevention technologies are becoming increasingly important as organizations face up to the consequences of unintended data loss. A data loss incident is no longer seen as an unfortunate accident; now it will be accompanied by significant reputational risk and the possibility of legal action against the organization and, even, executives personally.

Nowadays data loss is a legal issue and IT professionals need to be aware of their responsibilities.

This Whitepaper highlights key directives and legislation within the European Union that have an impact on IT security practitioners, IT managers and others with responsibility for IT systems.

As you might expect, some legislation applies to all member countries, while some countries have additional legislation that must be accounted for when doing business in those countries or collecting personal data belonging to people resident there.

OPEN FULL WHITEPAPER

Certainly the most useful part is the summary table found on page 16, which I am pasting here below:

EU comparison table

BACKUPS – Top 10 endpoint mistakes and how to avoid them (Druva Whitepaper)

Backing up and protecting sensitive corporate data has become more challenging because of several trends: exponential data growth, the rise in the number of endpoints, BYOD (Bring Your Own Device), and SaaS (Software as a Service) applications. This whitepaper by Druva recommends avoiding the following 10 endpoint backup mistakes to ensure that your critical corporate data is protected and end-user productivity is improved.

1. Not backing up laptops and mobile devices

2. Thinking that legacy server backup solutions are adequate

3. Believing all deduplication technologies are created equal

4. Ignoring the end-user experience

5. Underestimating security

6. Thinking short-term and limited scalability

7. Picking the wrong deployment model

8. Not calculating the total cost of ownership (TCO)

9. Disregarding BYOD

10. Not looking beyond backup

Interested in reading more? Here is the whole whitepaper:

Druva-Top-10-Endpoint-Backup-Mistakes

SOME FOOD FOR THOUGHT FROM THE WHITEPAPER:

a. With reference to point #1: Did you know that only 35% of enterprise laptops are backed up (source: Gartner)?

b. With reference to point #1: Did you know that 28% of corporate data resides exclusively on laptops, smartphones, and tablets?

c. With reference to point #5: Did you know that the cost of a data breach caused by a lost laptop is over $39,000 (source: Intel)?

The cost of data breaches – A study from the Ponemon Institute

If you are wondering what the cost of an unauthorized data breach could be (perhaps, as often happens to me, in order to put together a cost/benefit analysis), here is an interesting study published by the Ponemon Institute in collaboration with Symantec.

It is based on the actual data breach experiences of 277 companies operating in 16 industry sectors around the globe in 2013, and takes into account a wide range of direct and indirect business costs. Country reports are available for the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil. Unfortunately Canada is not on the list.

Country-specific reports

As you might expect, the cost of a data breach varies from country to country. Among the sample selected in the study, Germany is the country facing the highest cost of data breach, followed by the US, France, Australia, the U.K., Japan and Italy (the list goes on and is shown in the diagram below).

Data breach cost per country

How the cost of a data breach is calculated:

To calculate the average cost of a data breach, the Ponemon Institute collects both the direct and the indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.

Here are some further HIGHLIGHTS of the report:

  • In this year’s global study, the average consolidated data breach cost increased from $130 to $136 per record.
  • US and German companies experience the most expensive data breach incidents at $277 and $214 per compromised record, respectively.
  • Countries that lose the most customers following a data breach: France and Australia.
  • Companies in Germany and the US had the most costly data breaches ($199 and $188 per record, respectively).
  • The average number of breached records per incident in 2013 was 23,647, which gives an average cost per incident of $3,215,992. No less!
  • German and Australian organizations spent the most on detection and escalation activities such as investigating and assessing the data breach ($1.3 million and $1.2 million, respectively). Organizations in India and Brazil spent the least on detection and escalation, at $359,406 and $358,478, respectively.
  • The average cost of data breaches varies a lot among countries. The US sampled companies experienced the highest total average cost at more than $5.4 million, followed by Germany at $4.8 million.

Average cost data breach per country

  • Certain industries have higher data breach costs than others, Healthcare being the one experiencing the highest cost, with an average of $233 per record.

Data breach per industry

  • Mistakes made by people and systems are the main causes of data breaches.

Causes data breaches

  • A strong security posture, incident response planning, CISO appointments and consulting support decrease the per capita cost of a data breach (shown as negative numbers). Third-party errors, lost or stolen devices and quick notification increase the per capita cost of a data breach (shown as positive numbers).

Impact 7 factors

  • Average costs for lost business are highest in the US. Such costs include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.

Average cost lost business

DISCUSSION QUESTIONS:

  1. Do you think these data are useful for a cost/benefit analysis for your company (or for one of your clients)?
  2. Do you think there is a general awareness among executives of what the cost of a data breach may be for their company?
  3. Did you expect that the Healthcare industry experiences a higher unit cost (per record) of data breaches than the Financial or Consumer retail industry?
  4. Do you think the Healthcare industry, in light of the fact that it experiences the highest unit cost (per record) of data breaches, spends more than the rest in Information Security?

Security Benefits of Windows 8.1

We all know that Microsoft products tend to be blamed by the general public for being less secure than others.

In fact, it is more appropriate to say that, given how widespread products like Windows and Office are, they are more likely to be targeted by cyber-attacks than their competitors.

It is however interesting to note that Security is no longer an afterthought at Microsoft: in fact, it is now embedded in the design of their products, and Windows 8 is a good example of that.

Are you aware of all the Security benefits of Windows 8.1? This article will give you a quick overview of them.

http://www.xpupgrade.co.uk/windows-8-1-security-benefits/

One of the most striking and easy-to-understand new features is Remote business data removal.

This Windows 8.1 feature allows administrators to perform a partial wipe of PCs/tablets/smartphones participating in bring-your-own-device (BYOD) programs. On these devices, data can be classified as ‘corporate’ or ‘user’, to partition the information that should or shouldn’t be involved in wipe requests.

Administrators can also specify which data is to be encrypted, as well as whether certain data should be remotely removed from a device when the user’s employment or contractual relationship with the organisation has ended.

Admin teams can also use the Exchange ActiveSync protocol to instruct Windows to wipe corporate data, either by destructive rewrites or by simply marking the data as ‘inaccessible’ without deleting it.

QUESTION FOR YOU: WERE YOU AWARE OF ALL THESE SECURITY ENHANCEMENTS OF WINDOWS 8.1?