MGMT 300 Chapter 17

Phishing Malware

- can do things like record passwords and keystrokes, copy vital data from your RAM or hard drive, provide hackers with deeper access to your corporate network, or enlist your PC as part of a botnet *spear phishing attacks* specifically target a given organization or group of users

A research scientist with a major pharmaceutical firm in New Jersey is caught passing on sensitive information, worth millions of dollars, regarding the composition and test results of his firm's latest drug to a rival company. What crime is he being held responsible for?

- corporate espionage

Optic Nerve (British Intelligence Agency GCHQ) code name

- allegedly collected Web cam images from millions of Yahoo users, regardless of whether they were suspected of illegal activity - 11% of collected images were thought to have been sexually explicit.

Ransomware

- allows criminals to move beyond extortion to take data assets hostage - will lock and encrypt infected computers, rendering them unusable and irrecoverable unless instructions are followed - *involves payment* in untraceable bitcoin - *IBM pins total losses* at more than $8 billion

User and Administrator Threats

*1) Bad Apples* - research firm Gartner estimates that 70% of loss-causing security incidents involve insiders - *are rogue employee that steal secrets, install malware, or hold a firm hostage* - Verizon claims that 85% of "insider" data theft cases were carried out "while in the office and right under the noses of their co-workers." *2) Social Engineering* - con games that trick employees into revealing information or performing other tasks that comprise a firm *3) Phishing* - *a con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software* - *goal is to* leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information - *examples* security alert from a bank or e-commerce site, messages from employers, or a notice from the government - Gartner estimates that these sorts phishing attacks cost consumers upward of $3.2 billion a year

Goals of Malware

*1) Botnets or zombie networks* - used in click fraud, sending spam, to decipher accounts that use CAPTCHAs *2) Malicious Adware* - programs installed without full user consent or knowledge that later serve unwanted advertisements *3) Spyware* - software that surreptitiously monitors user actions or network traffic, or scans for files. *4) Keylogger* - type of spyware that records user keystrokes. - can be either software based or hardware based, such as a recording "dongle" that is plugged in between a keyboard and a PC *5) Screen Capture* - variant of the keylogger approach - *records* the pixels that appear on a user's screen for later playback in hopes of identifying proprietary information. *6) Card Skimmer* - software program that secretly captures data from a swipe card magnetic strip. *7) RAM scraping or storage scanning software* - malicious code that scans computing memory (RAM, hard drives, or other storage) for sensitive data - *looking for* patterns such as credit card or Social Security numbers. *8) Ransomware* - malware that encrypts a user's files (threatening to delete them), with demands that a user pay to regain control of their data and/or device *9) Blended Threats* - attacks combining multiple malware or hacking exploits.

Physical Threats

*1) Dumpster Diving* - sifting through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack *examples* - include hunting for discarded passwords written on Post-it notes, recovering unshredded printed user account listings, scanning emails or program printouts for system clues, recovering tape backups, resurrecting files from discarded hard drives *2) Shoulder Surfing* - gaining compromising information through observation (as in looking over someone's shoulder) *example* - include looking over someone's shoulder to glean a password or see other proprietary information that might be displayed on a worker's screen.

Methods of Infecting Malware

*1) Viruses* - programs that infect other software or files. - *require* an executable (a running program) to spread, attaching to other executables. - *spread via* operating systems, programs, or the boot sector or auto-run feature of media such as DVDs or USB drives. *2) Worms* - programs that take advantage of security vulnerability to automatically spread - *do not require* an executable - scan for and install themselves on vulnerable systems with stunning speed - *example* the SQL Slammer worm infected 90% of vulnerable software worldwide within just 10 minutes *3) Trojans* - exploits that try to sneak in by masquerading as something they're not. - *payload is released* when the user is duped into downloading and installing the malware cargo, oftentimes via phishing exploits. *other types of malware include* - spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.

ISO27K or the ISO 27000 series

- comes from the International Organization for Standards (ISO) - type of *framework* that can provide a road map to help organizations plan and implement an effective security regime. - an evolving set of standards that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System

Steps End Users can engage in to improve information security

*Surf smart* (surfing smart) - think before you click—question links, enclosures, download requests, and the integrity of websites that you visit. *Stay vigilant* - an appropriate level of questioning applies not only to computer use, but also to personal interactions, be it in person, on the phone, or electronically. *Stay Updated* - turn on software update features for your operating system and any application you use (browsers, applications, plug-ins, and applets), and manually check for updates when needed *Stay armed* - install a full suite of security software *Be settings smart* - don't turn on risky settings like unrestricted folder sharing that may act as an invitation for hackers to drop off malware payloads - secure home networks with password protection and a firewall *Be password savvy* - change the default password on any new products that you install - update your passwords regularly - never save passwords in nonsecured files, e-mail, or written down in easily accessed locations *Be disposal smart* - shred personal documents. - wipe hard drives with an industrial strength software tool before recycling, donating, or throwing away - remember in many cases "deleted" files can still be recovered *Back up* - most likely threat to your data doesn't come from hackers; it comes from hardware failure. *Check with your administrator* - all organizations that help you connect to the Internet—your ISP, firm, or school—should have security pages - many provide free security software tool

Hacker

*a term that may be applied to either* 1) someone who breaks into computer systems 2) or a particularly clever programmer. *when referring to security issues* - media refers to *hackers* as bad guys who try to break into (hack) computer systems. *when referring to computer circles* - referred to a clever (often technical) solution and the term hacker referred to a particularly skilled programmer

Classify each weakness as a hardware or software weakness in a system.

*hardware weakness* - PC device theft - removable media - physical access *software weakness* - languages in applications - OS holes - poorly coded applications

Organization's Information Assets are vulnerable to attack from several points of weakness

*including* - users and administrators - hardware and software - networking systems - physical threats

An organization's information assets are vulnerable to attack from several points of weakness. Identify if this statement is true or false for the following.

*true* - users and administrators - hardware and software - networking systems *false* - server hardware

Russian Espionage Efforts

- *A 2018 indictment filed by the US Special Counsel* alleged a Russian government-linked conspiracy aimed at "impairing, obstructing and defeating the lawful governmental functions of the United States." - *indictment claims* a multi-year effort backed by 10s of millions of dollars aimed at influencing American opinion - *alleged efforts* were specifically designed to benefit campaigns of Bernie Sanders and underdog-turned-president Donald Trump - *russian-linked efforts included* an army of false-fact-spewing fake social media personas and social media groups posing as initiatives led by US citizen activists - these groups accrued over 100,000 followers.

Heartbleed

- *Heartbleed bug* is a vulnerability in the OpenSSL security software used by about 2/3s of websites and which is embedded into all sorts of Internet-connected products - *Heartbleed exploited a bug* in a common function that allowed servers to handshake or verify they exist and are open for communication

Audits

- *include* real-time monitoring of usage, announced audits, and surprise spot checks - *example* who's accessing what, from where, how, and why; sound the alarm if an anomaly is detected

Security Function Requires Multiple Levels of Employee Expertises

- *operations employees* are involved in the day-to-day monitoring of existing systems. - *group's R&D function* is involved in understanding emerging threats and reviewing, selecting, and implementing updated security techniques. - must work on broader governance issues - include representatives from general counsel, audit, public relations, and human resources

Push-Button Hacking

- *push button hacking* are tools created by hackers to make it easy for the criminally inclined to automate attacks - The exploit kit Angler was bringing in roughly $100 million in yearly sales.

VPN

- *virtual private network (VPN)* software can be used to encrypt transmissions over public networks, making it more difficult for a user's PC to be penetrated.

Which of the following are considered sources of information that can potentially be used by social engineers?

- Corporate directories - LinkedIn - Social media posts - Contests or surveys

Information Security is not simply a technical fix

- Education, Audit, and Enforcement regarding firm policies are critical - a *security team* is broadly skilled and constantly working to identify and incorporate new technologies and methods into their organizations - *involvement and commitment* is essential from the boardroom to frontline workers, and out to customers and partners.

NOTE

- Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating online partners.

Malware

- any accessible computing device is a potential target for infiltration by *malware* - stands for malicious software, which seeks to compromise a computing system without permission - *malware compromises* weaknesses in software such as either bugs, poor design, or poor configuration (now malware exploits have expanded to include browsers, plug-ins, and scripting languages used by software) - client PCs and a firm's servers are primary targets *with the spread of computing malware now threatens nearly any connected system running software* - including mobile phones, embedded devices, ATMs, point-of-sale equipment, and a firm's networking equipment.

Law Enforcement Agencies

- are underfunded, under resourced, and underskilled to deal with the growing hacker threats

Zero Day Exploits

- attacks that are so new that they haven't been clearly identified, and so they haven't made it into security screening systems.

Target

- In a 2013 incident, the Target logo was plastered across media reports across the country, depicted as a bull's-eye that lured cyber criminals - prior to Thanksgiving, hackers managed to install malware in Target's security and payments system - *the code was designed* to steal every credit card used in the company's 1,797 US stores (malware went operational on Nov 27th) - *target had previously paid roughly $1.6 million for software from the security firm FireEye* to detect breaches in real time, and the software worked. - FireEye notification went off after unauthorized software began collecting data, but Target ignored the warning. - the firm's security software has an option to automatically delete malware as it's detected, but Target's security team had turned that function off - *as a result hackers operating out of Odessa and Moscow* vacuumed up records on roughly 1/3 of US consumers for more than two weeks - disguising the code with the label *BladeLogic* the name of a legitimate data center management product *amount stolen* - 40 million cards used at Target were stolen - additional personal information on 70 million customers was exposed *cost of security breach for target* - the cost will be in the billions - 90 lawsuits had been filed within 90 days of the attack's public disclosure - target's holiday quarter profits fell 46% from the prior year *result of security breach* - target experienced the firms largest ever decline in transactions - falling profits - scores of lawsuits - CEO ouster

Which of the following is a valid statement on information security?

- Information security is everybody's responsibility.

everal surprising findings were revealed in the wake of the Target breach, providing a cautionary tale for all executives and security professionals. Which of the following was *not* thought to have occurred during the Target security breach?

- Target had security software, and paid close attention to the notification alerts from the software.

Voice Print

- Technology that identifies users via unique characteristics in speech.

Black Hat Hackers

- a computer criminal (*bad guys*), "crackers" - computer criminals who exploit a system's weakness for personal gain

Employees must know (Education, Audit, and Enforcement)

- a firm's policies and be regularly trained - understand the penalties for failing to meet their obligations

Government Surveillance

- a former CIA employee and NSA contractor, Edward Snowden, gathered over 1.7 million digital documents from US, British, and Australian agencies and began leaking them to the press - *Snowden disclosures* revealed that several US government agencies, including the NSA and FBI, had data-monitoring efforts far more pervasive *data monitoring mechanisms allowed for* - direct access to audio, video, photographs, e-mails, documents and connection logs" at nine major US Internet companies, including Google, Facebook, Yahoo!, Microsoft, and Apple - unlimited access to phone records from Verizon's US customers *XKeyscore data mechanism tool* - allows for the collection of data on nearly everything a typical user does on the Internet - enables analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals. - allowed US and British intelligence authorities to sift through some 21 million GB of data each day.

Rex Mundi

- a largely-French Cyber-extortionist group - extortionist group leverages botnets or hacked data to demand payment to avoid retribution. - *they performed a US-based extortion plot against the state of Virginia* in which they threatened to reveal names, Social Security numbers, and prescription information stolen from a medical records database - *these firms affected or hacked included* Domino's Pizza, Swiss Banks, and a European medical testing firm.

Hacktivists

- a protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage. *example* - Twitter was brought down and Facebook was hobbled as Russian-sympathizing hacktivists targeted the social networking and blog accounts of the Georgian blogger known as Cyxymu

HoneyPots

- a seemingly tempting, but bogus target meant to draw hacking attempts. *by monitoring infiltration attempts against a honeypot* - organizations may gain insight into the identity of hackers and their techniques and share this with partners and law enforcement.

Firewalls

- a system that acts as a control for network traffic, blocking unauthorized traffic while permitting acceptable use.

Intrusion Detection Systems (IDS)

- a system that monitors network use for potential hacking attempts. - may take preventative action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel.

Public Key Encryption

- a two-key system used for securing electronic transmissions *a key distributed publicly* - is used to encrypt (lock) data, but it cannot unlock data. *a key distributed privately* - is used to unlocking data - private key cannot be reverse engineered from the public key *by distributing public keys and keeping the private key* - internet services can ensure transmissions to their site are secure.

Shodan.io

- a website described as the "Scariest Search Engine on the Internet." - *shodan scans* the Internet using a standard known as RTSP (Real Time Streaming Protocol) and can reveal devices that do not have any security in place or have the default usernames and passwords - *web cams, printers, routers, and other devices that can be easily accessed* are served up for the nefarious, worldwide

Motivations for Computer Security Breaches

- account theft and illegal funds transfer - stealing personal or financial data - compromising computing assets for use in other crimes - extortion - intellectual property theft - espionage - cyberwarfare - terrorism - pranksters (griefers or trolls) - protest hacking (hacktivism) - revenge (disgruntled employees) *british insurance company Lloyd's* estimates that cybercrime and cyber espionage will cost the US economy $2 trillion by 2019

Social Media Sites may assist hackers in

- crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary information. *example* - Mark Zuckerberg's Facebook page fell victim to hackers who used a hole in a Facebook API that allowed unauthorized status update posts to public Facebook fan pages.

Heartland Breach

- credit card processor Heartland, would become one of the largest security breaches in history *Heartland* - was the nation's 5th largest payments processor - was responsible for handling the transfer of funds and information between retailers and cardholders' financial institutions *damage* - estimated that 100 million cards issued by more than 650 financial services companies may have been compromised during the breach - market capitalization plummeted over 75%, dropping over half a billion dollars in value.

Cash out Fraudsters

- criminals that purchase assets from data harvesters to be used for illegal financial gain. *actions include*: - using stolen credit card numbers to purchase goods - creating fake accounts via identity fraud - *these collection and resale operations* are efficient and sophisticated - *sites taken down by law enforcement* DarkMarket and ShadowCrew

Related Programming Exploits to SQL injection include

- cross-site scripting attacks - buffer overflow vulnerabilities - HTTP header injection *SQL injection* shows the perils of poor programming

Data Harvesters

- cybercriminals who infiltrate systems and collect data for illegal resale - *harvesters* sell to cash out fraudsters

An attack on the US power grid by terrorists or a foreign power is indicative of _____.

- cyberwarfare

Encryption

- data that is scrambled using a code or formula, known as a *cipher*, such that it is hidden from those who do not have the unlocking key - can render a firm's data assets unreadable, even if copied or stolen. - is a critical tool for securing an organization's electronic assets *key*: is the code that unlocks encryption - the larger the key, the more difficult it is for a brute-force attack to exhaust all available combinations and crack the code *brute force attacks* - an attack that exhausts all possible password combinations in order to break into an account - larger and more complicated a password or key, the longer a brute-force attack will take.

Firms suffering a security breach can experience

- direct financial loss - exposed proprietary information - fines - legal payouts - court costs - damaged reputations - plummeting stock prices

Have Failure and Recovery Plans

- employe recovery mechanisms to regain control if key administrators are incapacitated or uncooperative - broad awareness reduces organizational stigma in coming forward - share knowledge on hacking techniques with technology partners

Whitelists

- highly restrictive programs that permit communication only with approved entities and/or in an approved manner.

With the rise of *big data*, corporations have become data pack rats

- hoarding information in hopes of turning bits into bucks by licensing databases, targeting advertisements, or cross-selling products.

Botnets (zombie networks)

- hordes of surreptitiously infiltrated computers, linked and controlled remotely - *networks of infiltrated and compromised machines controlled by a central command* *activities used for* - sending spam from thousands of difficult-to-shut-down accounts - launching tough-to-track click fraud efforts - staging distributed denial of service (DDoS) - are capable of sending out 100 billion spam messages a day - botnets as large as 10 million zombies have been identified (control more computing power than the world's fastest supercomputers

Firms Disaster Recovery Plans

- include provisions to back up systems and data to off-site locales, to protect operations and provide a fallback in the case of disaster - plans increasingly take into account the potential impact of physical security threats such as terrorism or vandalism

Lock Down Partners

- insist on partner firms being compliant with security guidelines and audit them regularly - use access controls to control data access on a *need to know basis* - use recording, monitoring, and auditing to hunt for patterns of abuse - maintain multiple administrators to jointly control key systems

Security

- is a continued process that must be constantly addressed and deeply ingrained in an organization's culture - is about trade-offs, economic and intangible - *compliant is not equal to security*

Certificate Authority

- is a trusted third party that provides authentication services in public key encryption schemes.

Distributed Denial of Service (DDoS)

- is an attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests - the sheer volume of which will slow or shut down the site's use. - *DDoS attacks* are often *performed by botnets*

Information Security

- is everyone's business and needs to be made a top organizational priority.

Equifax

- is one of the largest breaches ever and occurred in Summer 2017 - *equifax* is one of three leading firms whose business it is to monitor the creditworthiness of adults in the US and abroad - hackers exploiting a known vulnerability (apache struts) grabbed data on 143 million consumers - Equifax had 2 months to patch the vulnerability but the firm failed to do so - *everyone in the US* with a bank account or credit card was compromised, also affected 400,000 hit in the UK, and over 100,000 Canadians - *executive negligence* looked shady considering leaders sold roughly $2 million in stock before the hack was publicly exposed *stolen information included* addresses - Social Security numbers - tax IDs - driver's license numbers - hundreds of thousands of credit card numbers

NSA

- is required to obtain a warrant from the Foreign Intelligence Surveillance Court (or FISA) when specifically targeting surveillance in the United States - under US law - *no warrants are required for intercepting communication* between *US-based persons* and *foreign targets* - *FISA has rejected only* 11 of the more than 33,900 requests (less than 0.03 percent) made in over 3 decades

In security circles, the phrase "compliance" refers to

- legal or professionally binding steps that an organization must take

Compliance Requirements

- legal or professionally binding steps that must be taken - *failure to follow* results in fines, sanction, and other punitive measures *example at the federal level* - *HIPAA* (the Health Insurance Portability and Accountability Act), which regulates health data - *Gramm-Leach-Bliley Act*, which regulates financial data - *Children's Online Privacy Protection Act*, which regulates data collection on minors. US Government agencies must also comply with FISMA (the Federal Information Security Management Act

Cybersecurity Incidents in 2018

- more than 2 million cyber incidents in 2018, resulting in losses topping $45 billion - 95% of those attacks were seen as "preventable." - only 5% of retailers discover breaches through their own monitoring - *according to Accenture*, the average cost of a data breach is up 23 percent in a single year, to $11.7 million - *IBM claims* the average time to identify a breach is 201 days, and the average time to contain a breach was 70 days - *annual worldwide cybercrime costs* $600 billion per year

Network Threats

- network itself may also be a source of compromise *example Retailer TJX* - Marshalls, HomeGoods, and T. J. Maxx stores were hacked when a Wi-Fi access point was left open and undetected - the hacker stole at least 45.7 million credit and debit card numbers and pilfered driver's licenses and other private information from an additional 450,000 customers - breach inflicted over $1.35 billion in damages on the retailer

Which aspect of international law would enable a cyber-criminal operating across borders to evade prosecution?

- non-existent extradition agreements between two countries

What needs to be protected and how much is enough?

- only 33% of executives responded that their organizations kept accurate inventory of the locations and jurisdictions where data was stored - only 24% of executives kept inventory of all third parties using their customer data *information security should start with an* inventory-style auditing and risk assessment *risk assessment team* should consider vulnerabilities and countermeasure investments

Cybercriminals

- operate in an increasingly sophisticated ecosystem where data harvesters and tool peddlers leverage robust online markets to sell to cash-out fraudsters and other crooks.

Constant vigilance regarding security needs to be

- part of one's individual skill set - a key component in an organization's culture *security threats* can cme from both within a firm and outside a firm

Information security isn't just a technology problem. What other factors can contribute to a firm's vulnerability?

- personnel issues - technology problems - procedural factors - operational issues

A bank customer receives a message, ostensibly from the bank's Web site, asking her to provide her login information. Assuming the message is intended to defraud the customer, what type of infiltration technique is being used here?

- phishing

Lock Down Hardware

- prevent unapproved software installation - force files saving to hardened, back up, and monitored servers - reimage hard drives of end user PCs - disable boot capability of removable media - prevent WiFi use and require VPN encryption for network transmissions

Blacklists

- programs that deny the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions (*block known bad guys*)

CAPTCHAs

- scrambled character images to thwart automated account setup or ticket buying attempts - *stands for* Completely Automated Public Turing Test to tell Computers and Humans Apart

Which of the following types of infiltration techniques does one open up to by posting sensitive personal information and details about one's workplace on social networking sites?

- social engineering

Patches

- software updates that plug existing holes *One of the reasons organizations delay patches to plug holes in their security applications is:* - the fear that the new technology contains a change that will cause problems down the road

Compromising Poorly Designed Software

- some exploits directly target poorly designed and programmed websites. *example* - SQL injection technique, which zeros in on a sloppy programming practice where software developers don't validate user input. - *not trusting user input* is a *cardinal rule* of programming - *IBM study claimed* that over half a million SQL injection attack attempts are identified each day

White Hat Hackers

- someone who uncovers computer weaknesses without exploiting them. (*good guys*) - *goal* of the white hat hacker is to improve system security - *hired by many firms* to conduct "white hat" hacking expeditions on their own assets as part of their auditing and security process

Apple Pay and Android Pay

- systems encrypt credit cards on a mobile device rather than store them at retailers - *technique called tokenization* sends one-time-use representations of a credit card over the Internet - these tokens will buy your stuff, if stolen they can't be reused by bad guys. - *Apple Pay dramatically improve security for credit card transactions* by leveraging multi-factor authentication, single-use tokenization, encryption, and biometrics.

Biometrics

- technologies that measure and analyze human body characteristics for identification or authentication. - *include* fingerprint readers, retina scanners, and voice and face recognition - used to improve password security

SamSam Ransomware Attacks

- the city of Atlanta fell victim to a well-known, but crippling ransomware exploit known as SamSam *SamSam attack disrupted* - 5 government departments - hobbled the city's court system - blocking the payment of residential water bills - made it impossible for the city to collect parking fines - caused the police department to shift to inefficient paper instead of electronic reports. - *SamSam attacks on governments, hospitals, and non-profits have extorted* $850,000 in bitcoin payments from victims

Stuxnet

- the most notorious known act of cyberwarfare effort to date (shows that infrastructure can be destroyed without firing a shot) - *suspected to have been launched* by either US or Israeli intelligence - *cyberware infiltrated* Iranian nuclear facilities and reprogrammed the industrial control software operating hundreds of uranium-enrichment centrifuges - *stuxnet made the devices* spin so fast that the centrifuges effectively destroyed themselves setting back any Iranian nuclear ambitions *stuxnet design* - the worm appears to have been designed to target very specific systems - If it got onto a non-target machine, it would become inert - propagation was also limited, with each copy designed to infect only three additional machines - the virus was designed to self-destruct at a future date

Lock Down Systems

- these systems audit for SQL injection and other application exploits

Passwords

- typical Web user has 6.5 passwords, each of which is used at 4 sites, on average - *IEEE study* found acquaintances could correctly answer colleagues' secret questions 28% of the time, and those who did not know the person still guessed right at a rate of 17% - within 3 to 6 months, 16% of study participants forgot answers to their own security questions

Functions of Research and Development

- understand emerging threats and updating security techniques - working on broader governance issues

Spoofed (faked)

- used in security to refer to forging or disguising the origin or identity of an email - E-mail transmissions and packets that have been altered to seem as if they came from another source are referred to as being "spoofed."

Multi-Factor Authentication

- when identity is proven by presenting more than one item for proof of credentials. - *include* a password and some other identifier such as a unique code sent via e-mail or mobile phone text, a biometric reading (e.g., fingerprint or iris scan), a swipe or tap card, or other form of identification. *used by* Wells Fargo, PayPal, Google, and JP Morgan

Examples Methods Employed in Social Engineering

1) Impersonating senior management, a current or new end user needing help with access to systems, investigators, or staff (fake uniforms, badges) 2) Identifying a key individual by name or title as a supposed friend or acquaintance 3) Making claims with confidence and authority 4) Baiting someone to add, deny, or clarify information that can help an attacker 5) Using harassment, guilt, or intimidation 6) Using an attractive individual to charm others into gaining information, favors, or access 7) Setting off a series of false alarms that cause the victim to disable alarm systems 8) Answering bogus surveys (e.g., "Win a free trip to Hawaii—just answer three questions about your network.")

NOTE

Adversary ROI = Asset Value to Adversary - Adversary Cost *adversary cost* - include not only the resources, knowledge, and technology required for the exploit, but also the risk of getting caught

Information security policies would be ineffective without _____ and _____.

audit and enforcement