Social Engineering
Jero-Jewo
Case study
• Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. – www.wikipedia.org
• As a service provider, Duo Consulting helps clients manage the publication of critical business information on their web sites.
• Integrity and availability are important considerations for Duo when processing requests for changes.
Case Study
• There is currently a communication process in place to receive and manage requests
• 99% of requests come from known contacts
• How should we handle requests from contacts that are not known?
Real World
• A new request comes in from an unknown contact at Setton Farms for FTP access to their web server on a Saturday
• The contact explains that there is an immediate need to publish critical information about a recall on their site, and that they have hired a designer to make the updates to their site.
• This contact is not known to Duo
• Need to question identity
• Need to question authenticity of the request
What’s missing?
• We do not have a policy or process in place to confirm the identity of contacts making requests
• We do not have a list of authorized contacts
• There is a service level agreement in place for managed hosting, but nothing defined about emergency requests from clients that do not have a services support contract in place
Proposed Solution
• We need a policy to address unknown and unauthorized customer contacts
• The delivery stages of this policy must include planning, design, implementation, rollout, and operation of such policy
Proposed Solution (Continued)
The policy must be integrated into our business and it must address the following:
• People: a team must address the planning, design, implementation, rollout and operation
• Technology: the proper technology must be in place to implement such policy (e.g. ticketing system, electronic approvals of users, escalation, etc.)
• Process: there must be a living process to address such incidents and that ensures enforcement of the policy
• Business value: establishing this policy clearly protects the customer as well as Duo in the legal and availability aspects
• IT Strategy: the four pillars of security must be addressed, including authenticity, confidentiality, integrity and availability
People
• Duo understands the need to assemble a team to address the development of the policy through the different stages
  • Planning: the team must establish the strategy, an initial approximation of the effort, a plan for releases for delivery, perform a preliminary risk assessment, develop the policy organization, and establish leadership.
  • Design: the team ensures that the policy meets its intended goals. Feasibility is addressed here, as well as estimates of implementation (time and effort).
  • Implementation: the team must ensure the policy is tested and approved. The team ensures management approval and re-assesses risk.
  • Test: all aspects of the policy must be tested, including process, sign-offs, technology, etc.
  • Rollout: the team ensures prior to rollout that all training and legal aspects are covered.
  • Operate: periodically review the policy to ensure its enforceability and effectiveness.
Technology
• The policy will have a technology aspect which ensures that there is an electronic list of authorized contacts
• Privileges will be honored accordingly:
  • Content contributor
  • Publisher
• Employee access will be via a portal
Technology (Continued)
• Create a system of records for authorized contacts
  • SalesForce.com
  • Contains customer database with privilege levels
  • Granular control of access
  • Change/version control and user logs
Process
• A process ensures the policy is working
for Duo:
• Usable
• Enforceable
• Effective
• Legal
Business Value
• What’s in it for Duo?
  • Prevention of unauthorized work
  • Policy provides legal protection from liability lawsuits including:
    • Unauthorized changes
    • Inaccurate content
    • Site downtime
    • Leakage of information
Business Value
(Continued)
• What’s in it for Duo’s customers?
The Four Pillars:
• Integrity
• Authenticity
• High availability
• Confidentiality
IT Strategy
• Integrity and availability were cited as the topmost concerns for our particular problem
• However, Duo must address all four cornerstones of security:
  • Availability
  • Integrity
  • Confidentiality
  • Authenticity
Policy Contents
Authenticity:
• Who is authorized to make requests?
• How do we determine that the request is legitimate?
• Is the person making the request authorized to perform the operation requested? Develop and maintain a list of authorized contacts
• Designate 1 or more authoritative contacts and require them to approve all requests
• Maintain a secret pass phrase to authenticate users who make requests
Policy Contents (Continued)
• Integrity
  • Integrity is maintained by only performing operations which are assigned to authorized, authenticated contacts
  • Each contact will have specific operations defined
• Confidentiality
  • Establish the appropriate level of confidentiality of a request based upon client input
• Availability
  • Ensure that proper client contact communication information is available and up to date
  • Enforce policies in regards to authentication, integrity, confidentiality and availability
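To make the authenticity and integrity checks above concrete, here is an added Python example (not code from Duo or from the deck) that evaluates a change request against a system of records of authorized contacts with privilege levels, approval by a designated authoritative contact, and a shared pass phrase, and that rejects the Saturday unknown-contact request; the client, contact names, role-to-operation mapping and pass phrases are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def hash_passphrase(passphrase: str, salt: str) -> str:
    # Store a salted hash of the shared pass phrase, never the phrase itself.
    return hashlib.sha256((salt + ":" + passphrase).encode()).hexdigest()

@dataclass
class Contact:
    name: str
    role: str            # privilege level: "content_contributor" or "publisher"
    authoritative: bool  # designated to approve other contacts' requests
    passphrase_hash: str
# Assumed mapping of privilege level to the operations it may request.
ROLE_OPERATIONS = {
    "content_contributor": {"edit_content"},
    "publisher": {"edit_content", "publish", "ftp_access"},
}
# Constructed system of records: client -> contact name -> Contact.
AUTHORIZED_CONTACTS = {
    "Setton Farms": {
        "alice": Contact("alice", "publisher", True, hash_passphrase("apple-orchard-7", "alice")),
        "bob": Contact("bob", "content_contributor", False, hash_passphrase("walnut-grove-3", "bob")),
    },
}

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate_request(client, requester, operation, passphrase, approver=None):
    """Apply the policy's authenticity and integrity checks to one request."""
    contacts = AUTHORIZED_CONTACTS.get(client, {})
    contact = contacts.get(requester)
    if contact is None:
        # The Saturday scenario: unknown contact, so do not act on the request.
        return Decision(False, ["unknown contact: escalate to an authoritative contact"])
    # Authenticity: constant-time comparison of the salted pass phrase hash.
    if not hmac.compare_digest(hash_passphrase(passphrase, contact.name), contact.passphrase_hash):
        return Decision(False, ["pass phrase mismatch: requester not authenticated"])
    reasons = []
    # Integrity: only operations assigned to this contact's privilege level.
    if operation not in ROLE_OPERATIONS[contact.role]:
        reasons.append(f"{contact.role} is not assigned the {operation} operation")
    # Non-authoritative contacts need approval from an authoritative one.
    if not contact.authoritative and not (approver in contacts and contacts[approver].authoritative):
        reasons.append("no approval from an authoritative contact")
    return Decision(not reasons, reasons or ["authenticated and authorized"])
```

Every denial carries its reason so the ticketing system can record why a request was escalated rather than actioned.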
Questions?
• Thank you!