Protect Your WEAKEST SECURITY LINK - Info.microsoft


Protect your weakest security link: end users
A guide to defending against social engineering attacks

"Amateurs hack systems. Professionals hack people."
— Bruce Schneier, CTO, Counterpane Internet Security, Inc. [1]

2015 marked an important year in the world of network security. For the first time, social engineering attacks outnumbered attacks on software vulnerabilities and exploits. This is a serious problem.

For companies to stay productive, they need employees to be able to work from anywhere on any device, often collaborating with people around the world. This mobility drives not only the need for secure file sharing and email accounts but also a fundamental shift in our approach to computer security.

Since January 2015, the number of victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion [2]. The message to network security professionals is clear: hackers are targeting the weakest link in any security perimeter, the end user.

This book is your guide to helping you detect and prevent social engineering attacks, and to better understand how to defend your company from what has grown to become the dominant global cyberthreat.

What is social engineering?

Social engineering happens when someone uses manipulation, influence or deception to get another person to release information or to perform some sort of action that benefits a hacker.

Hackers will often take advantage of genuine security gaps in your network. But at organizations of any size, layers of sophisticated computer security can be undone in seconds because one employee, whether because of trust, lack of awareness, or carelessness, reveals company information to someone with malicious intent.

Familiarizing yourself with social engineering techniques is your first line of defense. Your employees could be tricked into anything from allowing someone to tailgate them into your data center to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as:

Personal info: passwords, account numbers
Company info: phone lists, identity badges
Server info: servers, networks, non-public URLs

You might believe that social engineers would be easy to spot. But often enough, they sound like people you run into at work every day. So, what does a social engineer sound like?

On the phone: "This is Kevin from IT. We've been notified of a virus on your department's machines."
One of the most common scams: a hacker poses as an IT help desk worker to glean sensitive info such as a password from an unsuspecting employee.

At the reception desk: "Hi, I'm the service tech from HP and I think Ellen is expecting me at 1pm."
This is why it's so important that well-meaning staff members and other insiders be educated as to how and why they could be targeted, and what to do if they suspect a potential threat.

At the building entrance: "Oh! Wait, could you please hold the door? I left my key/access card in my car."
People want to be helpful, and they often downplay the risks of engaging with someone they don't know, and that can be a perilous mix.

Tactic no. 1: Spear phishing

Spear phishing is a targeted email attack in which a hacker uses email to masquerade as someone the target knows and trusts. This is often as simple as copying the name of a CEO from a company website and then sending an email using this name to anyone on the company's corporate domain.

Spear phishing is the single most common (and effective) social engineering tactic. You've likely seen subject lines like these before and hopefully hit "delete" right away:

"Notice of pending layoff: Click here to register for severance pay."
"In an effort to cut costs, we're sending this year's W-2s electronically."

But hackers are getting more convincing and creative with email that, when opened, infects your machine. Here are a few tactics to watch for:

Using the news against you – Whatever's getting attention in the news can be used as a social engineering lure. For example, 2016 has seen a rise in the number of spam messages related to the presidential campaign.

Abusing faith in social networking sites – Millions of people use social networking sites like Facebook and LinkedIn daily, so they develop a certain trust in them. Then, when an email says, "Your Facebook account is undergoing routine maintenance, please click to update your information," you don't think twice before you click.
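The CEO-name trick described above leaves a tell in the mail headers: the From display name belongs to an executive, but the address behind it is not on the corporate domain. The following script is an added example, not code from the guide or from Microsoft; it assumes a hypothetical corporate domain (contoso.example), a hypothetical executive roster, and constructed sample messages. It flags that display-name impersonation, plus two related tells that usually travel with it: a sender domain that is a few characters off from the real one, and a Reply-To that redirects the victim's reply somewhere else.

```python
"""Flag spear-phishing indicators in inbound mail headers (added example).

Checks: (1) an executive's display name on a non-corporate address,
(2) a lookalike sender domain within two edits of the corporate domain,
(3) a Reply-To that points to a different domain than the From address.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical corporate domain and executive roster (assumptions for this example).
CORP_DOMAIN = "contoso.example"
EXECUTIVES = {"Jane Doe": "jane.doe@contoso.example"}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalikes such as c0ntoso.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for display names."""
    return " ".join(name.lower().split())


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    dom = sender_domain(from_addr)
    findings = []
    # 1. Executive display name, but the address is not on our domain.
    if _norm(from_name) in {_norm(n) for n in EXECUTIVES} and dom != CORP_DOMAIN:
        findings.append(f"executive display name '{from_name}' from external address {from_addr}")
    # 2. Sender domain is close to, but not equal to, the corporate domain.
    if dom and dom != CORP_DOMAIN and _levenshtein(dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {dom}")
    # 3. Replies are steered to a domain other than the apparent sender's.
    if reply_addr and sender_domain(reply_addr) != dom:
        findings.append(f"reply-to redirected to {reply_addr}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = {
    "spoofed_ceo": (
        "From: Jane Doe <jane.doe@gmail.example>\r\n"
        "To: bob@contoso.example\r\n"
        "Subject: Urgent wire transfer\r\n\r\nPlease handle today.\r\n"
    ),
    "lookalike": (
        "From: IT Helpdesk <helpdesk@c0ntoso.example>\r\n"
        "Reply-To: helpdesk@mailbox.example\r\n"
        "Subject: Password reset required\r\n\r\nClick to update.\r\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@contoso.example>\r\n"
        "Subject: Q3 numbers\r\n\r\nSee attached.\r\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the indicator check over every constructed sample."""
    return {name: phishing_indicators(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "no indicators")
```

These header checks are a cheap first pass, not a verdict: the display-name check catches the exact trick the text describes, but an attacker who controls a lookalike domain will pass SPF and DKIM for that domain, so this logic belongs alongside, not instead of, DMARC enforcement on your real domain and a banner that marks external mail.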

Tactic no. 2: Dumpster diving

Dumpster diving is exactly what it sounds like: a hacker digs through the trash that unsuspecting employees have thrown away. Valuable finds might include:

Junk mail (especially credit card offers), which can contain personal identification info that's just the ticket to identity theft.
Corporate letterhead that can be used to fake official-looking correspondence.
Company phone lists and org charts that offer numbers and locations that make it easier to impersonate management-level team members.

Hackers will also buy refurbished computers and will pull confidential information from hard drives, even after users think they have deleted it.

"Cyber crime holds the potential to cripple businesses."
— Steven R. Chabinsky, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation [3]

Tactic no. 3: 10 degrees of separation

Social engineers are clever, methodical, and patient. They often start by building a rapport with more accessible people in an organization, like an administrative assistant or a guard at the gate, to get information about their ultimate target, who may be as many as ten steps higher up on the corporate food chain.

The criminal may begin by gathering personal nuggets about team members, as well as other "social cues" to build trust or even successfully masquerade as an employee. Some of their strategies are incredibly simple, and insidious:

They learn your industry shorthand – A hacker will study the acronyms and jargon of your industry so she can build trust by speaking the language you recognize.

They borrow your 'hold' music – In this deceptively simple scheme, the criminal calls, gets put on hold, and records the music. Then, when he calls his victims and puts them on hold, the familiar music serves as a psychological cue that the caller is trustworthy and on the inside.

They spoof your phone number – Criminals make an inside number show up on the victim's caller ID, which makes the victim more willing to offer confidential information like passwords over the phone.

Let's talk about impact

Legendary programmer and developer of the first commercial antivirus program, John McAfee has said, "Social engineering has become about 75% of an average hacker's toolkit, and for the most successful hackers, it reaches 90% or more." [4] Clearly, social engineering is a very real problem with very few real solutions. In addition to the obvious financial toll, a company's reputation can take a major hit when a hack becomes public. Compromised personal data can erode the faith and goodwill of its customer base, and that too affects the bottom line. Here's what we know:

1. Attackers are increasingly infecting computers by tricking people into doing it themselves. A mind-blowing 99.7% of docs used in attachment-based campaigns relied on social engineering and macros. And 98% of URLs in malicious messages link to hosted malware. [5]

2. On social media, phishing is 10 times more likely than malware. Because creating fake social media accounts for known brands is so easy, phishing is the fastest growing social media threat. Distinguishing the fraudulent from the legitimate is tough too: 40% of accounts claiming to represent Fortune 100 companies on Facebook and 20% on Twitter are unauthorized. [6]

3. More than 2 billion mobile apps that steal personal data have been willingly downloaded. Email and social media are not the only social engineering playgrounds; these criminals do big business via malicious mobile apps too. More than 12,000 have been discovered in app stores alone. [7]

Social engineering attacks have gone global

No country is immune to social engineering attacks, no matter how sophisticated its technology. This graphic shows the distribution of top social engineering campaigns by geographical region.

[Map: 2015 worldwide malware attacks, by region. Source: [8]]

How do you protect your organization?

Social engineering is an undeniable and potentially disastrous reality. So, what can organizations like yours do proactively to protect your vulnerable people and keep valuable data out of the hands of scam artists with intent to do harm?

Real-world prevention strategies

What follows is a list of tangible changes you can make and security policies you can implement that can help. But remember, for any of this work to be effective, education is absolutely crucial. To mitigate your risk, start with new-employee training and follow through with regular threat assessments, policy updates, and company-wide reviews. Also keep communication open and your team members well informed.

Clearly articulate an easy-to-understand security policy, which includes:

Password management – Outline rigorous standards for secure passwords and insist on regular expiration and change. Also ensure careful onsite and remote access authorization and accountability.

Two-factor authentication – Use two-factor authentication rather than fixed passwords to authenticate high-risk network services like VPNs.

Antivirus/anti-phishing defenses – Layers of the latest antivirus defenses at vulnerable locations like mail gateways and end-user desktops aren't going to solve the problem, but they're a good place to start.

Change management – When your team is comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they're less vulnerable to an attack that relies on a false sense of urgency.

Information classification – Ensure that confidential information is clearly called out and handled as such.

Document destruction – Confidential info should be shredded rather than tossed into the trash or recycling.

Physical security – Controls such as visitor logs, electronic security devices, escort requirements, and background checks are key to a comprehensive security policy.

Build a security-aware culture

Promote an awareness of threats and risky behavior – Educating employees on the real-world damage done by such theft to other companies is particularly impactful.

Empower employees to recognize threats and make smart security decisions on their own – Because social engineering tactics change so frequently, fostering a sensitivity to risk and the tools for addressing it immediately and locally is key.

Embed security awareness deeply in the minds of your team members – You've probably heard of the "see something/say something" anti-terrorism campaign. Likewise, to counter cyber attacks of all kinds, ensure that employees at every organizational level feel comfortable with reporting anything suspicious.

"There are two types of companies: those that have been hacked, and those who don't know they have been hacked."
— John Chambers, CEO, Cisco [9]

"Your employees could be the biggest resource you have to protect your systems."
— Brian Chappell, Director of Technical Services EMEAI and APAC, identity management firm BeyondTrust [10]

First of all, no matter how strong your technical security is, your organization's people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering. However, this is only possible when every individual in the organization clearly understands the very real risks, the strategies that can offer protection, and the big-picture goals and limitations of enterprise security.

Finally, because the fight against social engineering is so complex and challenging, no ONE suggestion or strategy outlined here will guarantee security. But, by proactively attacking the problem from all sides, adopting viable prevention strategies, and promoting a security-aware culture, you can help to protect your organization, your data, and your people from this insidious 21st century threat.

All over the globe, social engineering is a dominant and growing threat to organizational security.

Microsoft invests over $1 billion a year in cybersecurity research, and has developed a state-of-the-art Cyber Defense Operations Center that brings together security response experts from across the company to help protect, detect and respond to threats in real time. © 2016 Microsoft Corporation. All rights reserved.

Sources
1. Bruce Schneier, CTO, Counterpane Internet Security, Inc. ls
2. 9th Annual Report, Information Security Trends. -information-security-trends
3. Steven R. Chabinsky, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation. m
4. John McAfee. ntivirus-1507388
5. Proofpoint Report, 2016, The Human Factor.
6. Research Paper: The State of Social Media Infrastructure, NextGate.
7. Proofpoint Report, 2016, The Human Factor.
8. (Map) Proofpoint Report, 2016, The Human Factor.
9. Cisco CEO John Chambers. es-as-cisco-ceo.html
10. Brian Chappell, Director of Technical Services EMEAI and APAC. gy/security/123460760/2016-cybersecurity-roadmap

