
Cyber Security Awareness Month 2017-Nugget 5


Combating Cyber Crimes 1 is Nugget 5 in the series Cyber Security Awareness Month 2017. Social Engineering attacks are the most common, covering about 91% of all attacks. There is an urgent need to combat the crimes committed by those bad guys....


  1. Cyber Security Awareness Month 2017: Nugget 5. Combating Cyber Crimes 1 (Social Engineering). Chinatu Uzuegbu, Cyber Security Consultant, CISSP, CISM, CISA, CEH, ITIL, MCSE, MCDBA
  2. Previous Nugget Recap
     • We looked at how the measures of protection could be ascertained using Vulnerability/Risk Assessment methodologies.
     • We discussed Vulnerabilities, Threats and Risks extensively.
     • We looked at how to tie the cost of each security measure to the actual value of the Assets.
     • We looked at the Risk Equation, Risk Responses and Risk Analysis.
     • We understood that Risks are attended to based on the results of the Risk Responses and the Risk Analysis.
     • We determined the Cost of the Counter Measure, which is compared with the Actual Value of the Asset. A Counter Measure is proffered if the Actual Value of the Asset and the Annual Loss Expectancy are less than the Cost of the Counter Measure.
     • We finally looked at some basic facts in Risk Management.
  3. In This Nugget: Combating Cyber Crimes
     • We take it up from the previous Nugget, where we discussed the Vulnerabilities, the Threats and the Risks that arise when the Vulnerabilities are exploited.
     • We now look at the various Cyber Threats and the corresponding Counter Measures to combat them.
     • Counter Measures can be preventive, detective, deterrent, corrective, recovery, restoration, compensating or directive.
     • The aim of the Counter Measures is to assure that the Assets are protected with adequate measures of Confidentiality, Integrity and Availability (the CIA Triad), as the case may be.
     • Most of the Threats we look at are categorised into Social Engineering, Denial of Service, Malware, breaches of Unauthorised Access, Perimeter breaches, Un-Authentication, Outbound and Inbound, Zero-Day and Others.
     • We finally present the Threats with their corresponding Counter Measures in a tabular layout.
  4. Combating Cyber Crimes: Social Engineering
     • Social Engineering is the tricking of a Victim by an Attacker in order to collect sensitive information.
     • It can also take the form of using a legitimate means, such as the company's website, to innocently launch an illegitimate website when a link on the company's website is clicked.
     • Social Engineering attacks do not require any technical know-how, only a little skill in tricking the victim and playing on the victim's intelligence.
     • Social Engineering techniques are among the easiest ways for an attacker to gain access to unauthorised information; in fact it has been steadily reported that Social Engineering attacks are the most common and successful Cyber attacks, covering about 91% of Cyber attacks.
     • It is important that in Cyber Security no one should be trusted: a little psyching by an unsuspected hacker could release highly sensitive information into the hands of the Attacker.
     • It is also important to note that humans (employees) are the weakest link in Cyber Security; they could be used and brainwashed at any point in time.
     • Social Engineering attacks include: Phishing, Spear Phishing, Pharming, Dumpster Diving, Shoulder Surfing, Watering Holes, Pretexting, Tailgating or Piggybacking, Whaling, Baiting, Quid Pro Quo and Others.
     • We discuss each of these attacks and their corresponding Counter Measures in the subsequent slides.
  5. Combating Cyber Crimes: Phishing and Counter Measures
     • Phishing is the act of using emails, messages or any other communication medium to trick a Victim into supplying personal information by clicking a malicious link in the email.
     • The personal information supplied is then used by the attacker to infer further information, such as log-in details, which is used for other malicious acts against the Victim. The information could also be used to extract information from Social Media.
     • The personal information could be the Victim's credit/debit card details, the Victim's names, or company details such as IP addresses and others.
     • The messages and emails are composed in such a tricky manner that the Victim has little choice but to be deceived into entering the requested information. In most cases the attackers use well-known details of the company, such as its domain name, to make the Victim more enticed.
     • The attackers in most cases use a shortened web address or embedded links to redirect Victims to a malicious site hosting scripts that trigger further attacks and exploits.
     • The main Counter Measure against Phishing attacks is Training and Security Awareness courses.
     • It is advisable to run Phishing campaigns to drill staff on the level of security knowledge acquired.
     • Downloading attachments from, or clicking links in, such emails should be avoided.
     • The company should deploy spam filters and a firewall to filter out such emails and keep them out of employees' reach.
  6. Combating Cyber Crimes: Spear Phishing and Counter Measures
     • A Spear Phishing attack is much like a Phishing attack, but more targeted and focused on a highly privileged employee of the company such as the CEO/Managing Director.
     • The scenario is to gather some information about that high-profile Executive and then use the details to impersonate the Executive and obtain more targeted information for malicious intents.
     • The Counter Measures on Spear Phishing still boil down to Security Awareness.
     • Ensure that adequate non-disclosure undertakings are in place with all employees of the company.
     • Employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://
     • Do thorough background checks on the help desk team and the team members working with the high-profile Officer such as the CEO/MD and others. A more targeted non-disclosure undertaking should be signed by each person on assuming duties.
     • Use Spear Phishing drills to test the level of knowledge of each member of staff.
     • Maintain a level of consciousness and smartness in discerning the directions of unsuspected attackers, in phone conversations and elsewhere.
  7. Combating Cyber Crimes: Dumpster Diving and Counter Measures
     • Dumpster Diving is the process of gathering unauthorised company information from the garbage bin or trash can, either for a malicious purpose or to disclose it further to an unauthorised third party.
     • The motive behind Dumpster Diving could be to source information for benchmarking or competing with another company. It could be an avenue for handing customer information to a competitor for all sorts of malicious intents.
     • Dumpster Diving is in most cases seen as legal, but could be unethical. This is because the information gathered has in most cases been discarded and trashed.
     • Some consequences of Dumpster Diving could be a reduced customer base or damage to the image of the company through the information the attacker obtained.
     • To counter Dumpster Diving, always engage your paper shredders. Shred your discarded hard-copy information; it does not really matter whether it is deemed sensitive or not, just make shredding part of the corporate culture.
     • Security Awareness on keeping documents intact is also a non-negotiable key.
  8. Combating Cyber Crimes: Watering Holes and Counter Measures
     • A Watering Hole attack is a more focused and sponsored attack: the attacker takes time to study the website of the targeted company for vulnerabilities, with the intent of injecting malicious code into the web pages of the website.
     • When the Users of the victim company open the pages of the website as part of their usual job routine, the malicious code inserted triggers Trojans that spread like a botnet to other systems on the network.
     • The Attacker uses this as a way of exploiting unknown vulnerabilities detected by the Attacker.
     • The potential Victim system that is used to spread the Trojan is known as the Watering Hole.
     • The consequence of a Watering Hole attack is that the vulnerability is a Zero-day (unknown) one, and it is difficult for the Victim company to regain its footing after the Trojan has spread.
     • To counter the effect of Watering Holes, ensure your systems are updated at both application and Operating System levels. Most updates could bypass such Zero-day attacks.
     • Security Awareness is also key here: the attackers target careless and weak Users and use them to trigger and spread the malicious code.
     • Carefulness and non-disclosure of log-in credentials should apply here.
  9. Combating Cyber Crimes: Tailgating (Piggybacking) and Counter Measures
     • Tailgating, also known as Piggybacking, is a process where an attacker or unauthorised person uses the entry access right of an authorised person to gain entrance into a building or an office.
     • The unauthorised person would in most cases pretend to be in haste or carrying a heavy load, and try to persuade the authorised person to hold the door so that he/she can follow.
     • The authorised person in turn plays an innocent pity party and eventually allows the unauthorised person into the building or office.
     • The consequence is that the unauthorised person gains unauthorised access to the building and then launches his malicious intent: it could be to steal, or to get information from the innocent employees.
     • To counter Tailgating attacks, use dead-man doors that admit only one person at a time.
     • Security Awareness is another key: employees should look behind and to the sides before such entrances.
     • Electronic doors with fingerprint access rights or swipe cards should also be promoted; with these, employees can easily be tracked and cautioned when they allow unauthorised access.
  10. Combating Cyber Crimes: Pretexting and Counter Measures
     • Pretexting is a process where the Attacker uses partial scripts or an articulated scenario to pretend and deceive the target User (Victim) into giving further information that completes the Attacker's script and in turn grants the Attacker unauthorised access.
     • In Pretexting, the Attacker takes his time building the access script, manipulating the Victim with reasons to grant the remaining information that eventually leads to access to the target system or building.
     • The intention of the Attacker is to gain access to sensitive information by pretending to be an authorised User or Vendor.
     • The Attacker could impersonate an external IT Vendor or a reputable agency and manipulate the Victims into believing that the Attacker's intents are pure.
     • The Attacker could also try to obtain information about the target Server and the necessary details online, use the information to access the Server online, and then launch further attacks.
     • A good example is the case of attackers pretending to be representatives of modelling agencies and escort services who requested nude pictures from Victims who happened to be girls, deceiving them into thinking they were doing them a sort of good, only for these bad guys to use the nude pictures for pornography and other evil acts (https://www.washingtonpost.com/news/the-intersect/wp/2014/10/07/forget-celebgate-hackers-are-gunning-for-the-nude-photos-of-ordinary-women-and-underage-girls/?utm_term=.7e42bd145640).
     • The consequence of Pretexting is information theft, which could further affect the reputation of the company and cause other damage centred around the Attacker's malicious aim.
     • To counter Pretexting, harden your online platforms and train your employees accordingly.
  11. Combating Cyber Crimes: Baiting and Counter Measures
     • Baiting is another form of tricking employees and individuals into allowing the Attacker unauthorised access to systems through the offer of a gift.
     • A Baiter could promise the Victim a gift if the Victim supplies his log-in details at a link provided by the Attacker. The gift could be the download of a promising mobile app or music.
     • The aim is to use gifts to entice the Victim into giving up unauthorised information.
     • A good example is that of attackers who pretended to be promoting their customised USB devices; on the USB device was a malware script embedded in a well-designed image, such that when the image was opened it triggered the malware script, which in turn sent the details of the Victim's system, including the password and the name of the system, to the Attacker's email address. Many of those who received the USB devices as a gift presumably opened the embedded script and had their system details sent online to the Attacker (http://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1).
     • The consequence of Baiting is that the Attacker gains undue information that is used to launch a more targeted and dangerous attack.
     • To counter Baiting attacks, Users should be trained on integrity and security consciousness, and perimeter defences such as firewalls should be in place. It is important to keep the anti-virus software on the systems updated.
  12. Combating Cyber Crimes: Quid Pro Quo and Counter Measures
     • Quid Pro Quo is much like Baiting, but with the promise of a service or benefit from the Attacker after the Victims have innocently granted undue access.
     • The Attacker could pretend to be an IT Service Provider, deceiving a Victim who has IT support in mind.
     • The Victim could further be deceived into uninstalling authentic software such as anti-virus from the Victim's system and replacing it with malware or a fraudulent system under the guise of an update.
     • Quid Pro Quo Attackers could talk the Victims into disabling their anti-virus software.
     • The consequence could be fraud and the complete shutdown of systems.
     • To counter Quid Pro Quo attacks, Users should be conscious, promote a culture of integrity, and refuse to be enticed with benefits of any kind in exchange for a service.
     • Companies should engage Service Providers and ensure that the servicing of systems is restricted to them.
     • On no condition should unauthorised external parties be allowed to work on individual systems.
     • Non-disclosure undertakings should be firmly in place.
  13. Combating Cyber Crimes: In Summary
     Most Common Social Engineering Cyber Crimes:
     • Phishing
     • Spear Phishing
     • Dumpster Diving
     • Tailgating or Piggybacking
     • Watering Holes
     • Pretexting
     • Baiting
     • Quid Pro Quo
     • Whaling
     • Shoulder Surfing
     • Others
     Social Engineering Counter Measures:
     • Social Engineering Counter Measures are more or less applied from the same perspective.
     • The Counter Measures are mostly preventive.
     • Adequate training and employees driven by a good integrity culture mitigate Social Engineering attacks faster.
     • Users should focus on using more secure websites with https:// and not http://.
     • Users should be drilled with Phishing campaigns to enable easy assessment of their Cyber Security consciousness.
     • Companies/Users should run with up-to-date security policies, patches and anti-malware.
     • The human wing is the weakest link in Cyber Security; non-disclosure undertakings and the necessary background checks should apply.
     • Other layers of security and the concept of Defence in Depth should also apply, for cases where the attackers breach the preventive layer of the security measures.
     • Spam filters, mail relaying, firewalls and other Counter Measures should also apply.
     • A level of sanction should apply in cases of breaches caused by employees.
  14. See You in the Next Nugget! Thank You. Chinatu Uzuegbu, CISSP, CISM, CISA, CEH, ITIL, MCSE
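As an added example that is not part of the slides, the script below shows the kind of link-checking heuristics a spam filter or awareness tool applies to the lures described in the Phishing and Spear Phishing slides (5 and 6) and to the https:// advice of slide 13: a sender domain that borrows the company name, shortened web addresses, plain-http links, and link text that shows one domain while the target is another. The company domain example-corp.com, the shortener list and both sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed for this example: the organisation's real domain and a few well-known
# URL shorteners; a real deployment would use its own domain and shortener list.
OUR_DOMAIN = "example-corp.com"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)', re.I)

def registrable(host):
    """Last two labels of a hostname, a rough stand-in for the registrable domain."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def is_lookalike(host):
    """True for hosts that borrow the company name but are not its domain, e.g.
    example-corp-secure.com (typo-squats such as examp1e-corp.com are not caught)."""
    return OUR_DOMAIN.split(".")[0] in host.lower() and registrable(host) != OUR_DOMAIN

def phishing_indicators(sender, body_html):
    """Return the phishing indicators found in one message (empty list = none)."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_domain):
        findings.append("lookalike sender domain: " + sender_domain)
    for href, text in ANCHOR_RE.findall(body_html):
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme == "http":                  # slide 13: insist on https://
            findings.append("non-https link: " + href)
        if registrable(host) in SHORTENERS:          # slide 5: shortened addresses
            findings.append("shortened link: " + href)
        if is_lookalike(host):                       # slide 5: borrowed domain name
            findings.append("lookalike link domain: " + host)
        shown = URLISH_RE.match(text.strip())        # visible URL vs real target
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append("link text %s points to %s" % (shown.group(1), host))
    return findings

# Constructed samples: a routine internal notice and a credential-harvesting lure.
LEGIT_MAIL = ("it-helpdesk@example-corp.com",
              'Policy update: <a href="https://intranet.example-corp.com/policy">read it</a>')
LURE_MAIL = ("ceo@example-corp-secure.com",
             'Urgent, confirm your login at <a href="http://bit.ly/x1">https://login.example-corp.com</a>'
             ' or <a href="https://example-corp.com.login-verify.net/">here</a>')

if __name__ == "__main__":
    for sender, body in (LEGIT_MAIL, LURE_MAIL):
        print(sender, "->", phishing_indicators(sender, body) or "no indicators")
```

The lure produces five indicators while the internal notice produces none; in practice such a score would feed the spam filter or the awareness-campaign report rather than block on its own.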