ISACA May 2006 When Things Go Wrong The
- Slides: 32
ISACA May 2006 When Things Go Wrong The Results of Losing your Common Sense By: Barak Engel, CISSP Principal, Engel & Associates
What will we talk about? ¨ The theory – Approaches – The role of the individual user – The gap ¨ The practice – Common and pervasive risk areas • Email (Viruses, Phishing and other diseases) • Web Browsing (“the free mug”) • Wireless connectivity (War Driving) ¨ Filling the gap
In Theory… ¨ Security controls… – Can be standardized – Can be applied uniformly – Can be identified and defined in advance – Can have their efficacy analyzed/determined – Can be audited ¨ Hidden assumptions – Level of accuracy – The issue of scale – Statistical equality of cost
The individual user ¨ Users… – Represent the largest install base – Completely lack standards – Cannot be controlled centrally (or otherwise) – Are only predictable in their unpredictability – Cannot be redesigned – Are all of us ¨ In the knowledge society, employees own the tools AND the means of production – Peter Drucker, 1994
The gap ¨ Knowledge – The awareness problem • Would this be useful to you? – The issue of relevancy – Cross-contamination ¨ Motivation – The role of open-source and freeware ¨ Least Effort and the path of least resistance
Common Risk Area – Email ¨ Public email service providers
Phishing for Fun and Profit
Anatomy of a Phishing Attempt. 1 ¨ Email from a trusted source
Anatomy of a Phishing Attempt. 2 ¨ “Clean” headers – and no virus
Anatomy of a Phishing Attempt. 3 ¨ Email text certainly looks odd ¨ Exploring deeper, we find…
Anatomy of a Phishing Attempt. 4 ¨ Analyzing the ASCII code: – Source: http: //%36%36%2 E%31%32%33%2 E%32%30 %33%2 E%31%35%32: %38%37/%63%69%74 /%69%6 E%64%65%78%2 E%68%74%6 D – Target: 66. 123. 203. 152: 87/cit/index. htm
Anatomy of a Phishing Attempt. 5 ¨ And that leads us… …Absolutely nowhere
Could the average user have figured this out? ¨Heard warnings ¨Has logo and a “legit” ¨Wording is slightly email address ¨Proper english awkward ¨Underlying text is weird ¨Maybe needed? And it comes from IT anyway ¨Virus-free (crosscontamination) ¨ Common sense must be “calibrated”!
Email – right or privilege? ¨ Corporate email can be controlled… – …but not so private email ¨ Controls – Updated anti virus (FW: AVG) – Encryption (FW: PGP) – Secure email client (FW: Thunderbird) – Spam blocker (FW: Spambayes) ¨ Motivation – Identity Theft
A cryptic code? 042103580, 062360749, 095073645, 128036045, 135016629, 141186941, 165167999, 165187999, 165207999, 165227999, 165247999, 189092294, 212097694, 212099999, 306302348, 308125070, 468288779, 549241889
Web Browsing ¨ To whom are you giving your personally identifiable information and why?
The Tradeshow Participant. 1
The Tradeshow Participant. 2 ¨ Oh, look, protected access! ¨ What are those files, I wonder?
The Tradeshow Participant. 3
The Tradeshow Participant. 4 ¨ Hey! They paid less than we did!
The Tradeshow Participant. 5 ¨ Some information can be more useful… …to certain people.
Information can end up anywhere
Web Browsing – Tool of Production ¨ Browsing habits are learned at home – not at work ¨ Web-based research is efficient and highly valuable ¨ Monitoring web access provides rapidly diminishing return
Good Habits in Browsing ¨ Some better habits are easy to acquire: – “Understanding” SSL – Different browser (FW: Firefox) – Limiting (personal) exposure – The concept of lying – Fighting spyware (FW: Spybot S&D, Spyware Blaster/Guard, Windows Defender) – Password Management (Keypass) ¨ Motivation – Identity Theft – Online Predators
Mrs. Hilda Schrader Whitcher ¨ 078051120 ¨ Actual SSN of E. H. Ferree’s Treasurer Douglas Patterson’s secretary ¨ An insert in wallets sold at Woolworth ¨ Used by over 40, 000 people
Wireless Connectivity ¨ A new attack vector ¨ “Invisible” infrastructure ¨ KISS – But only in basic mode ¨ Highly distributed
Is the network a free-for-all? ¨ The story of an afternoon visit to 7 -11
Wireless Behavior ¨ Explain basic concepts – defaults • Network name (SSID) • Channel • Beaconing – Encryption – MAC filtering ¨ Motivation – Personal information (…Identity Theft) – Job Security
Users = The X-Factor* ¨ Common sense can be taught ¨ It’s all about motivation – Close and personal ¨ Hidden assumption – People generally have good intentions ¨ We are all users! ¨ * (and that’s not a bad thing)
Thank You! http: //www. engelassociates. net/ barak@engelassociates. net (888) 509 3561
You put the wrong emphasis on the wrong syllable
Isaca business continuity
Isaca segregation of duties matrix
Cobit 5 vendor management
Itgi framework
Isaca new england
Isaca kenya
What is isaca
Csx nexus
Disaster recovery audit program isaca
Isaca blockchain fundamentals
It's a human time when things go wrong
May 25 2006
Mothers day 2006
School calendar 2005-2006
Blue things
Pictures of seven life processes
Hci patterns may or may not include code for implementation
Hươu thường đẻ mỗi lứa mấy con
Diễn thế sinh thái là
Vẽ hình chiếu vuông góc của vật thể sau
Công thức tính độ biến thiên đông lượng
Phép trừ bù
Tỉ lệ cơ thể trẻ em
Thế nào là mạng điện lắp đặt kiểu nổi
Lời thề hippocrates
Vẽ hình chiếu đứng bằng cạnh của vật thể
đại từ thay thế
Quá trình desamine hóa có thể tạo ra
Các môn thể thao bắt đầu bằng tiếng chạy
Hát kết hợp bộ gõ cơ thể
Khi nào hổ con có thể sống độc lập
Dạng đột biến một nhiễm là
