Posts Tagged ‘social’

Social Engineering and the Unseen Enemy

December 20th, 2009, by admin

Author: David Morrison
Source: ezinearticles.com
Security is only ever as strong as its weakest link, and most of the time an organisation's users are that weakest point. No matter how much money is invested in security, whether in firewalls, intrusion prevention systems, complex remote access systems, security guards, physical access passes or any of the myriad other solutions that combine to form strong layered security, it is all pointless if users are not educated in the basic principles of security.

One of the greatest risks to an organisation is the possibility that one of its users could be manipulated or deceived into performing some action or disclosing confidential information to someone outside the business. Information security terminology defines this manipulation as social engineering. While the term itself is fairly new, this type of attack is as old as the human race. Two of the most famous social engineering attacks are the story of the wooden horse of Troy from Homer's The Odyssey and, dating even further back, the story of Adam and Eve at the start of the Bible, where the Devil manipulates Eve into taking a bite from the apple in the Garden of Eden.

In the story of the wooden horse of Troy, after the Greeks had failed to overthrow Troy, they built a giant wooden horse which they left outside the city. Leaving one soldier behind, the Greeks left the outskirts of Troy to return home. When captured, the soldier told the people of Troy that the Greeks had left the wooden horse as an offering to the Gods to ensure safe travel. He also disclosed that they had made the horse too large to be moved within Troy, as bad luck would befall the Greeks if this came to pass. Little did the people of Troy know that hidden inside the horse were a number of Greek soldiers. Of course the people of Troy could not resist moving the horse inside the gates to inflict ill luck on the Greeks. In this textbook example of social engineering, the soldier had manipulated the people of Troy into moving the horse, with the Greeks inside, within the city walls, something the Greeks had not been able to do themselves. That night the Greeks slipped out of the horse, killed the guards and opened the city gates to allow the rest of the Greek army in to defeat Troy.

While not IT related, the story of Troy is a perfect example of strong security defeated via the weakest link, something people do not necessarily even see as security related. Troy had withstood the attacks of the Greeks for over a decade. They had guards and soldiers, strong impenetrable walls and food to sustain them for countless years. It was only via the weakest link in their security model, their residents, that the Greeks were able to succeed.

In the present day, IT and physical related social engineering attacks are aimed at users in an attempt to reach a number of specific outcomes. The most common objectives are:

• Gaining access to restricted data;
• Gaining access to restricted areas;
• Monetary gain and profit; and
• Identity theft

The first two in the list, gaining access to restricted data and areas, are most commonly aimed at gaining unauthorised access to an organisation. Identity theft is generally aimed at individuals, whereas monetary gain targets both areas. While initiation and execution of these attacks follow different methods and paths, they all follow the same principle: manipulate the user without them knowing.

While an organisation may have implemented strong layered security, in a lot of environments all that is required to access the network from anywhere in the world is knowing how to connect to the organisation's remote access system, along with a valid username and password. In the past, this required the phone number of the organisation's remote access modem, but with the commonplace use of sophisticated Virtual Private Network (VPN) devices in most organisations, all that is required is an IP address or a URL. There are countless methods for acquiring organisational information such as modem numbers, VPN access information or usernames and possible passwords. Wardialing, the act of dialing consecutive numbers in an area looking for modems, was commonplace when modems were the chief method of remote access. Trashing is the act of going through an individual's or organisation's trash looking for information such as account details for users and sometimes finding corresponding passwords. Google hacking is the act of using the Google search engine to extract as much usable information about a user or organisation as possible. And finally, the organisation's Help Desk. If an attacker has the names of legitimate users within the organisation, along with other information that helps to establish credibility, it is not difficult to impersonate a user and request an action such as a password reset or request information such as the VPN access details or modem number. A successful attack such as this would enable an attacker to access the organisation's network from anywhere in the world. Depending on the access rights of the user being impersonated, this could lead to vast compromises of critical systems.

Access to IT systems and the data contained within them is not the only goal of social engineers. Most medium to large organisations have now implemented some form of physical access token to allow access to buildings, offices and restricted areas. These come in various forms, be they magnetic swipe cards, HID, RFID or just simple identification badges validated by other users or security guards. Social engineers have dozens of methods for bypassing these systems without the need to even touch the technology. By targeting the users of these systems, there is no need. Social engineering is a low-tech solution to a high-tech problem. All that is required is that the attacker fits into the environment, looking like they belong in the organisation or are there performing a valid task. Tailgating, the act of following close behind an individual, is a common method of bypassing physical access controls: the attacker follows another person through a restricted door after that person has provided the required authentication. Impersonation, the act of pretending to be someone else, is extremely effective. How often have you seen tradesmen, cleaners or other individuals within your organisation? How often have you actually looked at their pass or asked to verify who they are? Have you ever held a door open for them while they wheeled in a trolley or tools or carried a cumbersome box? These are all common methods of the skilled social engineer.

Organisations are not the only prey of the social engineer. The vast amounts of spam and phishing everyone receives by email are just another form of social engineering. Phishing, the act of attempting to gain sensitive information by masquerading as a trusted individual, is a perfect example. The only differences between the attacks described above and phishing are the targets and the methods. Phishing tends to target individuals on a personal level, rather than targeting an individual in an attempt to compromise an organisation. Also, while the above methods are manual attacks, phishing is generally automated and aimed at hundreds, thousands or even millions of users, which gives the attacker a much higher success rate and, correspondingly, considerably more profit.

The only defence against social engineering is education. Organisations should implement a security awareness program that is a requirement for new staff when they begin, with annual refresher courses for established staff. Security awareness is an integral part of an organisation's overall security implementation, and as such is a mandatory requirement of the Payment Card Industry Data Security Standard (PCI DSS), section 12.6. Security awareness and training is also specified in section 5.2.2 of the ISO 27001 security standard. While security awareness training should include areas such as password policies and acceptable use, the following areas specific to social engineering should be discussed:

1. Always wear identification badges

Identification badges should be worn and visible at all times by all staff, contractors and visitors, and should be easily identifiable to all staff. Visitor IDs should be returned at the end of the visit and disposed of properly.

2. Question unknown people

If staff see someone within their area that they do not recognise, or someone trying to tailgate, question them. Ask to see their ID or who they are visiting and escort them to that staff member.

3. Remove or turn around identification badges when outside the office

Staff who wear identification in full view outside the office are providing more than enough information for an attacker to start a social engineering attack. While some passes display only a photo, most carry information valuable to a social engineer: commonly the holder's full name, company and even the department they belong to within that company. When leaving the premises, remove the badge and place it in your pocket or handbag, or at the very least turn the badge around so no information is visible.

4. Never write down passwords

Passwords should never be written down, period. Choose passwords that can be easily remembered without needing to write them down. Users commonly write down passwords and stick them to monitors, under keyboards or on cubicle walls, or place them in a desk drawer. A social engineer, contractor, visitor, cleaner or even other staff can easily see these when walking past a desk or by taking a few seconds to look for them. Paper, especially post-it notes that easily stick to other items, is commonly thrown out in the trash accidentally, giving easy access to social engineers performing trashing attacks.

5. Help Desk staff should always validate users fully before disclosing any information

When talking to users on the telephone, any request to disclose or modify information should require the Help Desk to fully validate the user on the other end. Validation questions should always include some form of non-wallet question: something about a user that cannot be discovered by reading the contents of their wallet. If questions such as date of birth, address or driver's licence number are used, a social engineer who has stolen a wallet or been through a user's trash will easily have obtained this information. Non-wallet questions should be something the user knows that is not easily found out via trashing, Googling or simple social engineering of the user.

6. Shred all documents

All documents with any form of sensitive information should be shredded or placed in secure disposal bins that are shredded by a trusted third-party company. No documents with any confidential data should ever be thrown in the trash or recycling bins.

7. Do not open email attachments or visit URLs from unknown people or from suspicious-looking emails

Users should be educated in basic phishing attacks and how they can identify a phishing attack versus a real email from a valid source.

A few examples include:

• Banks and other financial institutions will never send emails asking for your credentials or to log in to your account by using a link in the email.
• If a suspicious looking email is sent requesting you to visit a URL to a company you know, do not click on the link. Instead, open your web browser and manually type the known URL for the company and visit the site that way.
• Never open an attachment sent by someone you do not know.
• Be wary of executable-type attachments (for example .exe, .com or .scr) sent by friends unless you are expecting that type of file. They may not realise that they are sending you a malicious file.
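The checks in the list above can be applied mechanically to an incoming message before a user ever sees it. The following Python script is an added example, not code from the original article or from Sense of Security: it parses a raw email, flags links whose visible text names one domain while the href points at another, looks for credential-request wording in the body, and lists attachments with the executable extensions named above. The sample message, its addresses and domains, the keyword list and the two-label domain rule are all constructed assumptions for illustration.

```python
"""Phishing-indicator triage for a raw email message.

Added example, not part of the original article. The sample message,
its addresses and domains are constructed; the keyword list and the
two-label domain rule are simplifying assumptions.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions the article names as executable-type attachments.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr"}

# Wording typical of a credential request (assumed list; extend as needed).
CREDENTIAL_PHRASES = ("verify your account", "confirm your password",
                      "enter your password", "log in to your account")

ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (a simplification;
    production code would consult the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (visible_text, href) pairs where the visible link text names a
    domain that differs from the domain the link actually points at."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        visible = TAG_RE.sub("", text).strip()
        match = DOMAIN_IN_TEXT_RE.search(visible)
        if match is None:  # plain wording such as "Help centre": nothing to compare
            continue
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((visible, href))
    return findings


def executable_attachments(msg: EmailMessage) -> list[str]:
    """Names of attachments whose extension is in EXECUTABLE_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Parse a raw message and report which indicators were found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body_text = TAG_RE.sub(" ", body_part.get_content()).lower() if body_part else ""
    result = {
        "sender": str(msg["From"]),
        "mismatched_links": mismatched_links(html),
        "executable_attachments": executable_attachments(msg),
        "asks_for_credentials": any(p in body_text for p in CREDENTIAL_PHRASES),
    }
    result["suspicious"] = bool(result["mismatched_links"]
                                or result["executable_attachments"]
                                or result["asks_for_credentials"])
    return result


def build_sample_message() -> bytes:
    """Constructed sample: a lure whose link text shows the bank's domain while
    the href leads elsewhere, plus a .scr attachment. All values are made up."""
    msg = EmailMessage()
    msg["From"] = "security@examplebank.example"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please verify your account using the link in this email.")
    msg.add_alternative(
        "<p>Please verify your account at\n"
        '<a href="http://login-examplebank.example.net/verify">'
        "https://www.examplebank.example/login</a>.\n"
        'Questions? See our <a href="https://www.examplebank.example/help">'
        "Help centre</a>.</p>\n",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(f"{key}: {value}")
```

The link check only fires when the visible anchor text itself looks like a domain, which is exactly the case the second bullet warns about; a link labelled "Help centre" that points at the sender's own site is left alone, so the rule stays quiet on ordinary mail.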

If a security awareness program is developed and implemented, successful social engineering attacks become far less likely. If an organisation's users are no longer the weakest link, attacks against the company become a lot harder. Not only does security awareness help protect an organisation, it also helps defend users in their personal lives: understanding common attacks and how to recognise and defend against them will help users protect themselves against attacks such as phishing, aimed at stealing their bank account or other personal details.

David Morrison is a security consultant with Sense of Security. Sense of Security is the premier provider of IT Security and Risk Management Solutions (http://www.senseofsecurity.com) in Australia, and is the trusted provider to many of Australia's leading organisations.

Identity Theft: Stolen Laptop Response

December 2nd, 2009, by admin

Author: Nikki Saco
Source: download
Encrypt, secure, prohibit or pay the price!

That's what Congress and state legislators should tell Ernst & Young, Veterans Affairs and other companies and agencies that play fast and loose with our personal data.

In the last several days, major news networks and countless online news sources reported two more incidents of lost or stolen laptops containing personal data of millions of individuals. The first theft involved a laptop stolen from a Veterans Affairs employee. Follow-up reports on that theft go from bad to worse, indicating 2.2 million active-duty personnel are now at risk for identity theft. The lost data in this case includes Social Security numbers.

The second incident involved a laptop stolen from an Ernst & Young employee. That laptop contained the personal data, including credit card information, of approximately 243,000 customers of Hotels.Com who had booked rooms between 2002 and 2004. In a way, this second incident is more egregious because losing laptops is reportedly commonplace for Ernst & Young:

• Nokia staff jacked by Ernst & Young laptop loss (30 March 2006)
• 40,000 BP workers exposed in Ernst & Young laptop loss (23 March 2006)
• Lost Ernst & Young laptop exposes IBM staff (15 March 2006)
• Readers amazed by Ernst & Young's laptop giveaway (4 March 2006)
• Ernst & Young loses four more laptops (26 February 2006)
• Ernst & Young fails to disclose high-profile data loss (25 February 2006)

According to The Register, a British technology news site, password protection was the only security available on some of the laptops lost by Ernst & Young during a prior incident, which any avid computer user knows can be easily compromised. What about the laptops more recently lost by Ernst & Young employees? Was the data contained in those laptops encrypted? Are there any company policies limiting the extent of personal data that may leave the office, where presumably network security standards and firewall protection are in place? Are there any company rules prohibiting employees from leaving laptops unattended (though you would think common sense would be enough)? Or better still, are there rules prohibiting the transfer of personal data to employee laptops? I expect there aren't. If any such measures were in place, Ernst & Young's public relations people would have plastered that all over the media to reassure clients and the public in an attempt to save the firm's corporate derriere.

Ernst & Young and the VA are not the only entities that have lost laptops with personal data, and most of these entities have developed a typical response straight from the Corporate Playbook. Ernst & Young has agreed to offer Hotel.Com customers a year's free credit monitoring. That's no compensation for someone who will have to spend potentially years clearing up a resulting bad credit history. Anyone who's been in the tenuous position of having to prove they do not owe a debt will tell you that. If Ernst & Young created a task force to help consumers clear identity theft issues, then maybe that could be considered compensatory. If they offered to pay legal fees for anyone having to clear resulting bad credit histories, or pay state fines for prosecution of identity thieves, that might be considered compensatory. If they committed to and implemented a program to encrypt and secure the data and, in particular, prohibited downloading of personal data to portable computers in the first place, that would be considered the best move of all.

Employees of the auditing companies don't seem to care what happens to your personal data. The Register reported that, in one case, employees left laptops in an unattended conference room while they went off to lunch. You can just see how that might happen. They're in Miami at yet another conference. The conference is at a downtown hotel they've been to a couple of times. They're familiar with the hotel and the area, so already they feel some sense of false security. Someone's been talking for hours about converting more sales, pushing certain investments, or their company's new data recovery center that will help clients feel more secure. Anyway, the speaker stops to take a breath and everyone realizes it's a good time to break for lunch. They're coming back to the room so, hey, why lug around those heavy laptops? Aren't they coming back to the room for the second half of the conference? Do they even ask if the conference room will be locked during lunch? Of course not. They're company laptops. What's a few lost laptops to a big corporation like Ernst & Young?

Maybe these irresponsible employees need a little incentive to show better judgment. Suspending reality for just a moment, wouldn't it be interesting if, any time one of these employees acted that irresponsibly, his or her Social Security number were posted on StupidIrresponsibleJerks.Com? That way they could sweat it out with the rest of us who have personal data floating out there and possibly in the wrong hands. While we're at it, let's also expose the personal data of policymakers at these auditing companies who are too shortsighted to better secure your data and the company's reputation. Let them sweat it out too. At a minimum, how about if these employees immediately lost their jobs, were required to be individually named in negligence lawsuits filed by victims of identity theft, or at the very least SIMPLY HAD TO PAY FOR THE LOST LAPTOPS? I bet we'd see a decrease in stolen laptops then. Seriously people, some of these employees were so careless you can almost imagine them extending their arms and presenting the laptop to Joe Thief. Here, take it. I'd give you my Windows password too, but you won't need it. I didn't bother to log off before going to lunch – check out my Paris Hilton screen saver.

Most of these companies who have lost laptops with sensitive data try to pacify the public by saying the thieves are just after the hardware. Sure. That's like telling a home burglary victim the burglar just wants your jewelry box. He's not really interested in the $50,000 tear-drop diamond earrings you had inside. Bull. When a thief steals, every part of the stolen item has value. Everything. Even a computer-illiterate thief knows there will be programs on a laptop and, if he knows what's loaded, he can better evaluate the asking price when he fences it.

Ernst & Young's web site praises the company's network security measures in their section titled Security and Technology Solutions. These measures may well be admirable. However, too often individuals, companies, and the public in general are so focused on stuff going over the Internet that they forget about stuff sitting in hard drives. A truly secure network focuses on the data stream (information being transferred) and on data storage (information waiting to be used). In my dreams, my personal data is properly stored in a secure location, in a building with armed guards, vicious dogs, and an unfriendly receptionist. Well, I can hope. I can also hope that some of that data might also be encrypted. I realize my personal data with one institution may be stored in more than one location; for example, Building A (their main offices) and Building B (a branch office or, better still, a data recovery center). But not in my wildest imagining would I expect that any business storing my personal data would allow it to be downloaded and stored on a laptop that an employee can take home where he does his online shopping. I know I also don't expect that the laptop with my personal data is being left unattended in a hotel conference room, a bar counter or someone's car. I don't care how many financial or online banking agreements I sign. I'm never consenting to anyone downloading my personal information to a laptop. No one consents to the mishandling of their personal data.

I have yet to read any banking or credit agreement that expressly states the information will be downloaded to a laptop or in any way made available to anyone outside the secured network of the financial institution. There is a vague all-encompassing comment about information sharing, but the appearance given by these institutions is that the information will be handled and shared in a secure method over an encrypted Internet connection. Everything they say about their security has to do with their firewalled and encrypted data streams. To me that means that anyone working from home and needing access to my personal data is doing that using one of the many encrypted remote access programs that are out there: for example, Windows Remote Desktop or GoToMyPC or some other Citrix product. These programs are by no means impenetrable, but they are simply a better option, utterly available and far more secure. That's just not the case with data downloaded to laptops without encryption or adequate password protection (though passwords are simply not enough). Over the years, I have used a number of remote access programs to log into my office and work on client files. I've even used a laptop to work downstairs on files stored on my main computer in an upstairs bedroom. The remote desktop creates a window that shows me the programs and data files on the main workstation or network server that is hosting my connection and contains what I need to see. I am NEVER required to download any data to the laptop to work remotely on it. That's the whole point of the remote access software.

By compelling employees to log in, do the work and immediately exit the remote access program, Ernst & Young, the VA and any other entity that stores personal data minimizes the window of opportunity for your personal data to fall into the wrong hands, while remaining behind an encrypted and presumably firewalled connection during the entire time that your personal data may need to be accessed. During remote access sessions, the company retains control of your information and there is oversight of the employee's use of your information. Best of all, if your personal data is not needed during that particular remote access session, it never even becomes part of the encrypted data stream traveling over the Internet. This would expose even fewer people to the threat of identity theft. Think about it. Can any Ernst & Young employee work on the data of 243,000 Hotel.Com customers during one remote access session? Can one VA employee work on the accounts of 2.2 million active-duty personnel during one online remote access session? And yet, both these individuals collectively had the personal data of nearly 2.5 million people stored on their laptops and immediately available to anyone using their laptops. Why?

There ought to be a law, right? Oh, absolutely. Congress should immediately implement its own measures, including possibly levying fines against any entity that acts irresponsibly with your personal data, and should impose broader guidelines regarding access to your personal data. In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) regulating the use of and access to personal health information and related identifying personal data, like medical record numbers and Social Security numbers contained in patient medical records. Though HIPAA caused a lot of headaches in the medical and legal communities, it validated concerns over privacy. HIPAA was still a step in the right direction even if, like most legislation, it needs to evolve to better reflect the legislative intent. Similar legislation needs to be considered with respect to the personal data maintained by businesses and financial institutions. A person shouldn't have to get sick to protect his or her personal data, though the apparent lack of security is sure to make you sick.

Although HIPAA addressed privacy concerns, the issue of protecting personal data isn't a question of privacy; it's a question of security. Protecting personal data could easily fall within the purview of Homeland Security. Personal data needs to remain secure because the casual criminal is not the only one making use of it. Whether it's to raise fear or awareness, consistently our government tells us about the manner in which terrorists make use of other people's personal data to create phoney IDs, buy cell phones, or book plane tickets. It's not a leap of logic to suggest that protecting personal data thwarts terrorist activity. A bold politician might even say failure to do so is a breach of national security. But that's going a bit too far, don't you think? Certainly, though, it's conceivable that personal data has the potential of falling into the hands of someone desiring more than just an overpriced pair of shoes, hair extensions or an HDTV.

Other measures offer consumers far more protection than we've been seeing. There are currently legislative initiatives in certain states that would allow their residents to place a security freeze on their credit files, prohibiting any new credit or loan application from going through without the consumer's authorized PIN. The freeze would allow consumers to lock their credit and temporarily unlock it when they know they will be applying for a loan or need to make some other type of major purchase. For more on security freezes, read the June 8, 2006, Home Watch article on WomensWebWatch.Com. A link to that site is provided in the author's bio below.

Ernst & Young is not a small operation. It is a successful business with, I imagine, an exceptional track record and the ability to provide solid services, or it would not be retained by so many reputable businesses. However, the best company can show poor judgment and in this case it has. To be fair, I surmise that, like all companies, Ernst & Young has careless employees and most certainly careful ones. The company as a whole may be undeserving of the resulting bad reputation it's getting. On the other hand, it has not shown it's done enough to curb the loss of personal data. Frankly, even the most careful employee can be overwhelmed during a crime, or overly fatigued, and become dispossessed of his or her laptop. There is little compelling reason for those laptops to contain personal data. Every entity that handles personal data needs to implement a zero-download policy and issue essentially dumb terminals to their employees (laptops just for remote access).

Too many times, these institutions forego implementing some security measures because, they argue, no measure is 100% foolproof. They claim it would not be cost-effective for them to implement measures that can be breached. Well, every one of them has already implemented security measures which are not impenetrable. Most of these places already use encrypted Internet security connections for their data streams because failure to do so in this day and age is unthinkable, right? I've even heard that some of these places lock their doors at night so someone can't walk in and steal the CEO's favorite coffee cup. Adopting a company policy prohibiting the download of personal data to laptops is as expensive as sending around a memo about the upcoming company picnic. There is no need to download the data. Workers can still remotely access the encrypted data using adequate alphanumeric passwords through a secure Internet connection behind firewalls on both sides, on the host computer and the remote desktop. No, it's not 100% foolproof. That's true. My front door can be broken down, but I still lock it at night. Allowing downloads of sensitive data to laptops is the same as leaving the front door wide open.