7/30/2019 (Kinverg) Cyber Security Summit 2012
Role of Social Engineering in Cyber Space
ROLE OF SOCIAL ENGINEERING IN CYBER SECURITY
Muhammad Ali, CEO - Kinverg
BA | PMP | CISA | ITIL | ISO 27001 LI/IA | CMMI ATM | HND in Information Systems
Workshop Agenda
Does social engineering really have any role in cyber security?
What are the key social engineering vulnerabilities for cyber security?
What are the controls for social engineering vulnerabilities?
Does Social Engineering Really Have Any Role in Cyber Security?
Cyber Security
The ability to protect or defend the use of cyberspace from cyber attacks.
NIST IR 7298 (source: CNSSI-4009)
NIST: National Institute of Standards and Technology
CNSSI: Committee on National Security Systems Instruction
Cyber Space
A global domain within the information environment consisting of the interdependent network of information systems infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
NIST IR 7298 (source: CNSSI-4009)
Cyber Attack
An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
NIST IR 7298 (source: CNSSI-4009)
Social Engineering
A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be genuine but are actually malicious.
NIST IR 7298 (source: SP 800-114)
Cyber Space: A global domain within the information environment consisting of the interdependent network ...
Social Engineering: A general term for attackers trying to trick people ...
Cyber Attack: An attack, via cyberspace ...
Common element: PEOPLE
The Weakest Link!
"Amateurs hack systems; professionals hack people."
Bruce Schneier, CTO, Counterpane Internet Security, Inc.
PEOPLE
Key Indicators
Cybercrime is costing the UAE's economy more than $600 million per year.
Source: The Internet Security Report by Symantec
Kaspersky Lab says it has seen nearly 3.5 million socially engineered malware attacks in the UAE.
38.3% of users from the UAE were attacked by web-borne threats during this period. This ranks the UAE 31st worldwide for malware threats of this type.
Source: Kaspersky Lab Report
51% of social engineering attacks are motivated by financial gain.
30% of large companies cite a per-incident cost of over 100,000 USD.
Source: Dimensional Research UK
Key Indicators
Source: Internet Crime Complaint Center (IC3), 2011 Internet Crime Report
Supported by BJA, NW3C, FBI
The Confession of Kevin
"In more than half of my successful network exploits I gained information about the network, sometimes including access to the network, through social engineering."
Kevin Mitnick, convicted criminal and hacker
3 March 2000 article in the Washington Post
SOCIAL ENGINEERING HAS A KEY ROLE IN CYBER SECURITY
What are the Key Social Engineering Vulnerabilities for Cyber Security?
Social Engineering Vulnerabilities (a general term for attackers trying to trick people ...)
Planning the Cyber Attack -> Launching the Cyber Attack -> Cyber Attack
Social Media
Celebrity Profiles
Anonymous Friends
Status and Check-In
Account Hacking
Idle Account Hacking
Employees
Friends of Employees
Network & System Administrators / CIOs / IT Directors
Janitorial & Housekeeping Staff
C-Levels
Impersonation
Government Official
Senior Management
Employee
Third Party Maintenance/Support Staff
Email
Email with Download Link
Email from Compromised Accounts
Email from Compromised Devices
Email from Legitimate Entities
Malicious Software
The Apps!
Drivers & OS Updates
Code-Bomb in Business IS
Social Media Applications
Default Device Configuration
Device Default Configurations
Telephone/IVR
Call from Support Staff
Social Engineering Scenario and Discussion
Challenge A (5 Minutes)
Put yourself in the role of a cyber hacker and consider your current organisation, or any other organisation you have in mind.
List at least 3 social engineering vulnerabilities which can be used to launch a cyber attack on that organisation.
Challenge B (5 Minutes)
List the law(s) and regulation(s) issued by the UAE Government for governing Internet and cyber crimes.
What are the Controls for Social Engineering Vulnerabilities?
SE Controls Design Framework
INDIVIDUAL: Awareness, education and training about social engineering
ORGANIZATIONAL: Technical controls to prevent social engineering attacks
COUNTRY: Laws, regulatory compliance
GLOBAL: Joining global consortiums and organisations, communication between governments on cyber crimes, global legislation
Risk Based Approach
> Justifies investment in cyber security
> Helps analyze the control requirements
> Prioritizes information security efforts and investments
> Helps in preparing the business case for cyber security
> Helps in aligning cyber security efforts with the organization's overall business objectives
> Defines what needs to be measured in cyber security
Education and Awareness
Continuous education and awareness about social engineering
Education and awareness start from the TOP
Along with traditional training, participative methods of training must be adopted
Social engineering penetration audits should be performed with the same importance as technical and application audits
ISO/IEC 27001:2005
Generic Controls
4.2.1.d Risk Identification
A.5.1.1 Information Security Policy
A.6.1.5 Confidentiality Agreements
A.6.1.7 Contact with Special Interest Groups
A.6.2.1 Identification of Risks Related to External Parties
A.6.2.2 Addressing Security when Dealing with Customers
A.6.2.3 Addressing Security in Third Party Agreements
A.13.1.1 Reporting Information Security Events
A.15.1.1 Identification of Applicable Legislation
A.15.3.2 Protection of Information Systems Audit Tools
ISO/IEC 27002:2005
Email: Email with Download Link; Email from Compromised Accounts; Email from Compromised Devices; Email from Legitimate Entities
A.8.3.3 Removal of Access Rights
A.9.1.3 Securing Offices, Rooms and Facilities
A.10.4.1 Controls against Malicious Code
A.10.4.2 Controls against Mobile Code
A.10.8.4 Electronic Messaging
A.11.5.3 Password Management System
A.11.7.1 Mobile Computing and Communications
A.12.3.2 Key Management
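As an added example for this page (not code from the original slides), the following Python script shows what a technical control under A.10.8.4 Electronic Messaging can look like for the four e-mail vectors above: it flags a display name that borrows a legitimate entity's brand while sending from an unrelated domain, a Return-Path that disagrees with the From address (a typical trace of a compromised account or device), a failed SPF/DKIM verdict recorded by the receiving mail server, and links whose visible text names one site while the href goes elsewhere or straight to an executable/archive. The brand-to-domain table and the two sample messages are constructed for the example; the heuristics are deliberately simple and meant to feed a review queue, not to block mail on their own.

```python
"""Heuristic triage of an inbound e-mail for the social-engineering e-mail
vectors above. Added example, not from the original slides; the brand table
and the sample messages below are constructed for illustration."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: brands users expect mail from -> domains the brand really uses.
BRAND_DOMAINS = {"example bank": {"examplebank.com"}}
# File types a "download link" lure typically points at.
DOWNLOAD_EXT = (".exe", ".zip", ".scr", ".js", ".hta", ".docm", ".xlsm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Crude registrable domain (last two labels); enough for this example.
    return ".".join((host or "").lower().split(".")[-2:])


def host_of(text):
    # Hostname of a URL, or of bare "www.site.com/path" text lacking a scheme.
    return urlparse(text if "://" in text else "http://" + text).hostname


def triage(raw):
    """Return the indicators that fired; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_dom = registrable(sender.domain)
    display = (sender.display_name or "").lower()
    findings = []

    # 1. "Email from legitimate entities": brand name in the display name,
    #    but the sending domain is not one that brand uses.
    for brand, doms in BRAND_DOMAINS.items():
        if brand in display and from_dom not in doms:
            findings.append(f"display-name spoof: '{brand}' sent from {from_dom}")

    # 2. "Email from compromised accounts/devices": envelope sender differs from From.
    rp = str(msg.get("Return-Path", "")).strip(" <>")
    if "@" in rp and registrable(rp.split("@")[-1]) != from_dom:
        findings.append(f"return-path mismatch: {rp} vs {from_dom}")

    # 3. The receiving MTA's SPF/DKIM verdict, if it recorded one.
    ar = str(msg.get("Authentication-Results", "")).lower()
    findings += [f"{m} failed" for m in ("spf", "dkim")
                 if f"{m}=fail" in ar or f"{m}=softfail" in ar]

    # 4. "Email with download link": link text names one site while the href
    #    goes elsewhere, or the href targets an executable/archive.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_dom = registrable(urlparse(href).hostname)
            if "." in text and registrable(host_of(text)) != href_dom:
                findings.append(f"link text shows {registrable(host_of(text))}, "
                                f"target is {href_dom}")
            if urlparse(href).path.lower().endswith(DOWNLOAD_EXT):
                findings.append(f"download link: {href}")
    return findings


# Constructed sample: lookalike domain, mismatched envelope sender, SPF
# failure, and a link whose visible text and real target differ.
PHISH = """\
Return-Path: <bounce@mailer-relay.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-relay.org; dkim=none
From: "Example Bank Support" <support@examp1ebank-secure.net>
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready:</p>
<a href="http://examp1ebank-secure.net/files/statement.zip">https://www.examplebank.com/statements</a>
</body></html>
"""

# Constructed sample: ordinary plain-text mail that should raise nothing.
CLEAN = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass
From: Alice <alice@example.com>
Content-Type: text/plain; charset="utf-8"

Lunch at 1?
"""
```

Running `triage(PHISH)` yields five findings (brand spoof, Return-Path mismatch, SPF failure, link text/target mismatch, download link), while `triage(CLEAN)` yields none. In a real deployment the brand table would come from the organisation's supplier list, the Authentication-Results header should only be trusted when stamped by your own MTA, and the registrable-domain helper should be replaced by a public-suffix-aware one.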
Malicious Software
The Apps!; Drivers & OS Updates; Code-Bomb in Business IS
A.10.4.1 Controls against Malicious Code
A.10.4.2 Controls against Mobile Code
A.12.1.1 Security Requirements Analysis and Specification
A.12.4.3 Access Control to Program Source Code
A.12.5.5 Outsourced Software Development
Employees
Friends of Employees; Network & System Administrators / CIOs / IT Directors; Janitorial & Housekeeping Staff; C-Levels
A.7.1.3 Acceptable Use of Assets
A.8.1.2 Screening
A.8.2.3 Disciplinary Process
A.8.3.3 Removal of Access Rights
A.9.1.3 Securing Offices, Rooms and Facilities
A.10.1.3 Segregation of Duties
A.10.8.4 Electronic Messaging
A.10.10.4 Administrator and Operator Logs
A.11.4.2 User Authentication for External Connections
A.11.5.2 User Identification and Authentication
A.11.5.3 Password Management System
A.11.7.1 Mobile Computing and Communications
Impersonation
Government Official; Senior Management; Employee; Third Party Maintenance/Support Staff
A.9.1.3 Securing Offices, Rooms and Facilities
A.9.1.6 Public Access, Delivery and Loading Areas
A.9.2.6 Secure Disposal or Re-use of Equipment
A.10.1.3 Segregation of Duties
A.10.7.2 Disposal of Media
A.10.8.3 Physical Media in Transit
A.10.10.4 Administrator and Operator Logs
Social Media
Celebrity Profiles; Anonymous Friends; Status and Check-In; Account Hacking; Idle Account Hacking
A.7.1.3 Acceptable Use of Assets
Default Device Configuration
Device Default Configurations
A.11.5.3 Password Management System
Telephone/IVR
Call from Support Staff
Generic Controls
PCI DSS
Generic Controls
Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS Controls
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (Device Default Configurations)
Requirement 7: Restrict access to cardholder data by business need to know (Employees)
Questions
Office No. 11, Level 10, Arfa Software Technology Park, 346-B Ferozepur Road, Lahore 54000, Pakistan
Phone: +92-423-597-2112
Fax: +92-423-595-8117
Email: info [at] kinverg.com
URL: kinverg.com
Facebook.com/kinverg
Linkedin.com/company/kinverg
Twitter.com/kinverg
PAKISTAN | KSA