Developing the Human Firewall - PowerPoint PPT Presentation

Slides: 24
Provided by: peter764
Transcript and Presenter's Notes

Title: Developing the Human Firewall


1
Developing the Human Firewall
Defending the enterprise with more than silver
bullets
  • Peter Wood
  • Chief of Operations
  • FirstBase Technologies

2
Who am I ?
  • Started in electronics in 1969
  • Worked in networked computers since 1976
  • Second microcomputer reseller in UK (1980)
  • First local area networks in business (1985)
  • Founded FirstBase Technologies in 1989
  • Conceived network security best practice (1991)
  • Presented BS 7799 throughout UK for BSI (1997)
  • First independent ethical hacking firm in UK
  • Founded white-hats.co.uk in 2002
  • Times 1000 / FTSE 100 and CNI clients

3
What is hacking?
  • Hacking is a way of thinking
  • "A hacker is someone who thinks outside the box.
    It's someone who discards conventional wisdom,
    and does something else instead. It's someone who
    looks at the edge and wonders what's beyond. It's
    someone who sees a set of rules and wonders what
    happens if you don't follow them." (Bruce
    Schneier)
  • Hacking applies to all aspects of life and not
    just computers

4
Your response: silver bullets
UltraDefense Enterprise Pro
  • Key features
  • Sexy name
  • Pretty diagrams
  • Complex technology
  • Flashing lights
  • Rack mountable
  • Reassuringly expensive

5
The criminal's approach
  • Social engineering plus technology
  • Currently:
  • Phishing
  • Trojans and rootkits
  • Laptop theft
  • In person intrusion


6
Why social engineering?
  • Social engineering can be used to gain access to
    any system, irrespective of the platform.
  • It's the hardest form of attack to defend against
    because hardware and software alone can't stop it.

7
Remote worker hack
  • Buy a pay-as-you-go mobile phone
  • Call the target firm's switchboard and ask for IT
    staff names and phone numbers
  • Overcome their security question: "Are you a
    recruiter?"
  • Call each number until voicemail tells you they
    are out
  • Call the help desk claiming to be working from
    home
  • Say you have forgotten your password and need it
    reset now, as you are going to pick up your kids
    from school
  • Receive the username and password as a text to
    your mobile
  • Login remotely and access the network
  • Game over!

8
In person
  • Be an employee, visitor or maintenance staff
  • Look for information lying on desks and overhear
    conversations
  • Do some shoulder surfing
  • Plug in a sniffer or keylogger
  • Simply use a vacant desk workstation

9
  • Would you let this man into your building?

10
11
Hardware keylogger
  • Time to get admin password: 10 minutes

12
Keystroke capture
Keystrokes recorded so far is 2706 out of 107250
... <PWR><CAD>fsmith<tab><tab>arabella xxxxxxx
<tab><tab> None<tab><tab> None<tab><tab>
None<tab><tab> <CAD> arabella <CAD> <CAD>
arabella <CAD> <CAD> arabella exit tracert
192.168.137.240 telnet 192.168.137.240 cisco
13
A typical response
14
The difficult sell!
  • The money you spent on security products,
    patching systems and conducting audits could be
    wasted if you don't prevent social engineering
    attacks
  • You need to invest in: awareness and policies

15
Countermeasures
  • Physical aspect
      • in the workplace
      • over the phone
      • dumpster diving
      • on-line
  • Psychological aspect
      • persuasion
      • impersonation
      • conformity
      • friendliness

Countermeasures require action on physical and
psychological levels as well as traditional
technical controls
16
Staff awareness
  • Educate all employees - everyone has a role in
    protecting the organisation and thereby their own
    jobs
  • If someone tries to threaten them or confuse
    them, it should raise a red flag
  • Train new employees as they start
  • Give extra security training to security guards,
    help desk staff, receptionists, telephone
    operators
  • Keep the training up to date and relevant

17
Some ideas for staff awareness
  • Audio podcasts
  • Video podcasts
  • Intranet articles
  • Newsletters
  • Interactive quizzes
  • Awareness events (stand-up comedy, professional
    social engineers)
  • Live demonstrations of security issues
  • Seminars (live and recorded)

18
Workplace security policy
  • Shred important or sensitive documents: provide
    cross-cut shredders!
  • Some documents will need to be locked away, so
    provide lockable storage!
  • Basic best practice: clear desk policy

19
End-point security policy
  • Use screen savers with password controls
  • Encrypt information on laptops and PDAs
  • Secure mobiles and PDAs (turn off infrared,
    Bluetooth)
  • Secure wireless (strong encryption, short range)
  • Physically destroy unused hard disks, CDs, USB
    sticks and other media (store them securely
    before destruction)

20
Helpdesk policy
  • Password resets only with call-back and
    cross-authentication (cherished information or
    PINs)
  • Clear incident reporting and response procedures
  • Clear escalation procedures
  • Training on social engineering techniques
  • Help desk staff should be encouraged to withhold
    support when a call does not feel right
  • In other words: just say no
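As an added example (not from the presentation), a small Python gate that applies the three rules above to a reset request: call-back only to the number held in the staff directory, PIN cross-authentication, and withholding support with escalation when pressure or unease is flagged. The directory entry, PIN and phone numbers are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def _pin_hash(pin: str, salt: str) -> str:
    # Salted hash so the help desk never stores or sees the PIN itself.
    return hashlib.sha256((salt + pin).encode()).hexdigest()

# Constructed directory: username -> number on record and salted PIN hash.
DIRECTORY = {
    "fsmith": {"callback": "+44-20-7946-0001", "salt": "s1",
               "pin_hash": _pin_hash("4821", "s1")},
}

@dataclass
class ResetRequest:
    username: str
    caller_number: str        # number the caller asks to be called/texted on
    pin_offered: str          # cherished information or PIN offered by caller
    urgent: bool = False      # "I need it now" pressure from the caller
    analyst_uneasy: bool = False  # the call does not feel right

@dataclass
class Decision:
    allowed: bool
    reason: str
    escalate: bool = False
    audit: list = field(default_factory=list)

def authorize_reset(req: ResetRequest) -> Decision:
    audit = [f"reset requested for {req.username} via {req.caller_number}"]
    rec = DIRECTORY.get(req.username)
    if rec is None:
        return Decision(False, "unknown account", True, audit)
    # 1. Call-back goes only to the number on record, never one the caller supplies.
    if req.caller_number != rec["callback"]:
        audit.append("call-back number not on record")
        return Decision(False, "call-back failed", True, audit)
    # 2. Cross-authentication against the PIN on record (constant-time compare).
    offered = _pin_hash(req.pin_offered, rec["salt"])
    if not hmac.compare_digest(offered, rec["pin_hash"]):
        audit.append("PIN mismatch")
        return Decision(False, "cross-authentication failed", True, audit)
    # 3. Pressure or a bad feeling is a red flag: withhold support and escalate.
    if req.urgent or req.analyst_uneasy:
        audit.append("pressure or unease flagged")
        return Decision(False, "withheld pending escalation", True, audit)
    audit.append("approved; new credentials go to the number on record only")
    return Decision(True, "approved", False, audit)
```

The "remote worker" call from slide 7 fails at step 1: a pay-as-you-go mobile is not the number on record, so nothing is texted to it and the request is escalated rather than serviced.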

21
Staff guidance
  • What can be discussed over the telephone
  • What can be discussed outside the building
  • What can (or can't) be written in an e-mail
  • How to look after laptops, PDAs and phones
  • Find an alternative to out of office mail
    responders and voicemail messages
  • Why are these things a problem?
  • What are the consequences of a breach?
  • How to report an incident and to whom!

22
Compliance
  • Have a security assessment test performed and
    heed the recommendations
  • Test the company's ability to protect its
    environment, its ability to detect the attack and
    its ability to react and repel the attack
  • Have the first test performed when the company is
    expecting it
  • Avoid blame and shame!
  • Do a blind test the second time around

23
Need more information?
  • Peter Wood
  • Chief of Operations
  • FirstBase Technologies
  • peterw@firstbase.co.uk
  • http://fbtechies.co.uk
  • http://white-hats.co.uk
  • http://peterwood.com