Friday, December 30, 2011

Social Engineering and Countermeasures

What is Social Engineering?

By definition, Social engineering is the attempt to trick or manipulate a person into disclosing confidential information to an individual that is not authorized to receive such information.
It is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaching standard security procedures.
Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.

Some major social engineering techniques include:

Pretext Calling
Pretext calling is a fraudulent means of obtaining an individual's personal information. Armed with limited information, such as a name, an address, job position etc… Pretext caller may pose as a client, an employee, a service provider "depending on the situation"
During this call the pretext caller attempts to convince you into giving him confidential information.
For example: A caller claiming that he is from the Internet Service provider tries to distract you by being over friendly in a effort to change and diverse your focus from the fact that he is seeking information about your work description, work habits, what time do you usually use your computer, what operating system do you have, what is your antivirus etc…..

Protection against Pretext calling:

A healthy dose of paranoia is certainly a good way to fight pretext calling, you shouldn't answer any question regarding issues that expose your private information and especially to unknown people.

Dumpster Diving
Dumpster diving simply involves searching through trash to collect sensitive information; the objective is to gather information that has been carelessly thrown away. (Sounds yucky! but believe me it's very effective)

Protection against dumpster driving:
  • Paper shredders: all documents that contain confidential or customer information must be shredded when no longer required.
  • Sanitization: all media CDs, floppies, USBs, Hard Disks that contain sensitive information should be destroyed prior to throwing these things in the dumpster.
Shoulder Surfing
Shoulder surfing is where someone may obtain information while standing close to you, skimming and scanning across your desk where you left your papers.

Note that "well trained people" may stand a little far away facing your keyboard and watch you login to your email or even e-banking webpage.
And bye-bye , you lost your email account.……
Protection against shoulder surfing:
  • Ensure that computer monitors are positioned in a way that prevents individuals from seeing confidential information.
  • When you want to type or enter sensitive text "such as username and passwords" make sure that no one is watching your typing, even if you consider yourself a fast typist.
  • Refrain from leaving sensitive information spread on your desk.

Baiting is my favorite social engineering technique, because I find it very effective and interesting at the same time.
In this attack, the attacker leaves a malware infected media device such as a CD ROM, or USB flash drive in a location sure to be found. (Bathrooms, elevators, parking lots), he also spares no effort in giving this media a legitimate look, and simply waits for the victim to use the device.

For example, an attacker might create a disk featuring a corporate logo, readily available from the target's web site, and sticks the labels "Salaries Increases 2011" on the front.
The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company.
Now who wouldn't take advantage of this opportunity and use this memory stick in order to view the salary increases file to satisfy their curiosity.
In case of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.

"Quid pro quo" or "Something for Something"
An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help "solve the problem and in the process have the user type commands that give the attacker access or launch malware.

In the End, humans have proven to be the weakest link when it comes to information security. But with proper awareness and proper diligence staying safe is not that hard to achieve.

Thursday, December 29, 2011

First things First: What is information Security?

As a start I would like to explain what is information security? And why do we need information security?

Information Security is the act of safe guarding data from unauthorized access or modification whether accidental or intentional. As much as this is simple to say it is definitely hard to achieve.

We all agree that since the early 90s dependency on information systems increased drastically, and today these systems are an integrated part of our life. I mean who doesn't have a laptop, a Smartphone, an Ipad. I remember that I did see my 2 years old daughter holding "Her" Ipad; switching between applications and playing with the animals on display.

As our reliance on technology and information systems increase, the threat of personal and confidential information loss also increase. Understanding information security and how it is implemented and governed is the first step towards the correct direction.

Fundamental principles of Information Security:

As per definition: Information security is the process of protecting information.
The three fundamental principles of information security are the C. I. A:


Confidentiality is the concept of keeping private information away from individuals who should not have access to it. Any time there is either an intentional or unintentional release of information to unauthorized people, confidentiality is lost.

Confidentiality ensures that private information is accessed by only those that have the appropriate authorization to do so.

Example: Your hotmail, simple rule, no one should read your emails except yourselves. And of course the people you forward these emails to!

Integrity is about data consistency. When you seek data and information from the internet, are you certain that this information is true? You should be certain that the data generated or used is not being incorrectly modified (tampered) in any way by authorized or unauthorized people.

Integrity is preserved when information is complete, accurate, and valid. You should prevent unauthorized people from making modifications. (Hackers, Thieves)

Example: Your hotmail, when you receive email messages that you have won the Singaporean lottery. Or you inherited your deceased far relative "ruler of the Northern Hemisphere". This information has no integrity (These are called scams and I will address them in a future Post).

Availability is the reliable and timely access to the data and recourses a user is authorized to use. It is measured by the "response time "which is the time needed to respond to a business user request and by the "up time" which is the date and time during which the information is available for a business user.

Example: Your hotmail, (yeah hotmail suites everything). If you wake up at 3:00 Am feeling that you should check your email, Hotmail service should be there.

So In order to talk the information Security Language, you must keep in mind that it is all about protecting the C. I. A.

Welcome to infosec illustrated

As a start, I would like to welcome all readers to my information security website.
In this website I will address subjects and issues related to security, mainly information and data security. I will try to avoid complex and rough "terminology / expressions" used by "IT Geniuses", and instead I will use common ideas along with practical day to day examples.
I appreciate your feedback, and I will try to answer your questions regarding the topics posted in this blog.
Feel free to drop me an email regarding topics that you would like me to address.