1 / 17

Social Engineering

Social Engineering. Jero-Jewo. Case study.

happy
Télécharger la présentation

Social Engineering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Social Engineering • Jero-Jewo

  2. Case study • Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org • As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites. • Integrity and availability are important considerations for Duo when processing requests for changes

  3. Case Study • There is currently a communication process in place to receive and manage requests • 99% of requests come from known contacts • How should we handle requests from contacts that are not known?

  4. Real World • New request comes in from an unknown contact at Setton Farms for ftp access to their web server on a Saturday • Contact explains that there is an immediate need to publish critical information about a recall on their site and they have hired a designer to make the updates to their site. • This contact is not known to Duo • Need to question identity • Need to question authenticity of request

  5. What’s missing? • We do not have a policy or process in place to confirm identity of contacts making requests • We do not have a list of authorized contacts • There is a service level agreement in place for managed hosting - but nothing defined about emergency requests from clients that do not have a services support contract in place

  6. Proposed Solution • We need a policy to address unknown and unauthorized customer contacts • The delivery stages of this policy must include planning, design, implementation, rollout, and operation of such policy

  7. Proposed Solution (Continued) • The policy must be integrated into our business and it must address the following: • People: a team must address the planning, design, implementation, rollout and operation • Technology: the proper technology must be in place to implement such policy (i.e. ticketing system, electronic approvals of users, escalation, etc.) • Process: there must be a living process to address such incidents and that ensures enforcement of the policy • Business value: business value of establishing this policy will clearly protect the customer as well as Duo in the legal and availability aspect • IT Strategy: the four pillars of security must be addressed, including authenticity, confidentiality, integrity and availability

  8. People • Duo understands the need to assemble a team to address the development of the policy through the different stages • Planning: the team must establish the strategy, initial approximation of the effort, plan for releases for delivery, perform a preliminary risk assessment, develop policy organization, and establish leadership. • Design: the team ensures that the policy is meeting the goals and that it serves the intended goal. Feasibility is addressed here, as well as estimates of implementation (time and effort) • Implementation: the team must ensure the policy is tested and approved. The team ensures management approval, and re-assesses risk • Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc • Rollout: the team ensures prior to rollout that all training and legal aspects are covered • Operate: periodically review the policy to ensure its enforceability and effectiveness

  9. Technology • The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts • Privileges will be honored accordingly: • Content contributor • Publisher • Employee access will be via a portal

  10. Technology (Continued) • Create a system of records for authorized contacts • SalesForce.com • Contains customer database with privilege levels • Granular control of access • Change/version control and user logs

  11. Process • A process ensures the policy is working for Duo: • Usable • Enforceable • Effective • Legal

  12. Business Value • What’s in it for Duo? • Prevention of unauthorized work • Policy provides legal protection from liability lawsuits including: • Unauthorized changes • Inaccurate content • Site downtime • Leakage of information

  13. Business Value (Continued) • What’s in it for Duo’s customers? The Four Pillars: • Integrity • Authenticity • High availability • Confidentiality

  14. IT Strategy • Integrity and availability were cited as top most concerns for our particular problem • However, Duo must address all four cornerstones of security: • Availability • Integrity • Confidentiality • Authenticity

  15. Policy Contents • Authenticity: • Who is authorized to make requests? • How do we determine that the request is legitimate? • Is the person making the request authorized to perform the operation requested? Develop and maintain a list of authorized contacts • Designate 1 or more authoritative contacts and require them to approve all requests • Maintain a secret pass phrase to authenticate users who make requests

  16. Policy Contents (Continued) • Integrity • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts • Each contact will have specific operations defined • Confidentiality • Establish appropriate level of confidentiality of request based upon client input • Availability • Ensure that proper client contact communication information is available and up to date • Enforce policies in regards to authentication, integrity, confidentiality and availability

  17. Questions? • Thank you!

More Related