8/10/2019 ITPP Security Part1
1/15
Security in the Modern World
An ITProPortal Magbook
Part One
Contents
Introduction ... 1
Social Engineering: The basics ... 2
What is Social Engineering, and how do you spot an attack? ... 2
Why companies need military-style drills against social engineering attacks? ... 4
Security in a mobile world ... 7
Mobile security: 5 tips for protecting your sensitive data ... 7
How can business take mobile security to the next level? ... 11
Introduction
Let's face the facts: the world has become a pretty scary place. In the salad days of
your youth, all you had to worry about was the health and well-being of your family,
keeping your business running and locking your doors at night. Not anymore.
Today, you need to worry about security in a whole different arena: your PC, and
your business's online systems. Spyware, viruses and Trojans are lurking online,
waiting to infest your network, steal your data, and send your profits plummeting.
All these threats could easily cripple your business if you're not careful. Worse yet,
hackers could steal important personal information, or the information of your customers.
There are all manner of threats out there, but ITProPortal is here to help. In this
exclusive series of security-focused whitepapers, we take you through every facet
of modern security, from mobile to cloud, from keeping your small business safe to
delving into the dark future of IT security.
Fasten your seatbelts: it's going to be one bumpy ride.
Social Engineering: The basics
Despite investing in advanced security software and protecting themselves against
the latest threats, companies are still falling foul of the oldest trick in the book: a
criminal with the gift of the gab.
Social engineering is what powers phishing emails and malicious websites
disguised as safe ones - but what can you do to protect your business from the
one attack a firewall won't stop? This exclusive white paper has the answers.
What is Social Engineering, and how do you spot an attack?
By Max Eddy
Social engineering is what powers phishing emails, and malicious websites that are
dressed up to look like safe, popular websites. During a discussion with Chris
Hadnagy, Chief Human Hacker at Social-Engineer Inc., I asked him how to spot
these scams. His advice echoes what we've often told readers: always be
suspicious.
More than a con
From my discussion with Hadnagy, it's clear that some of what we call social
engineering is the same set of tricks that people have used to influence decisions for
years. The fast food industry, for example, famously explored what colours would
encourage people to eat faster. Phony spiritualists from the 19th century up to the
present day use a tactic called "cold reading" to trick victims into revealing
information about themselves.
But there's more to social engineering than cheap tricks, as demonstrated by the
Social Engineering Capture the Flag Competition held at DEF CON. Here, contestants
earn points for information they glean from researching companies and from
contacting those companies directly. Hadnagy said that the best scoring
contestants also did the most research, which demonstrates how useful it is to
know your targets.
Unfortunately, now is a great time to be a social engineer doing research, or open-source
information gathering. Hadnagy explained that companies and individuals
post a lot of information on social media, much of which can be used in social
engineering attacks.
Targeting emotion
One of the best social engineering tactics is to keep you from thinking critically,
usually by targeting emotion. Hadnagy said that one attack that nearly fooled him
claimed to be an Amazon shipping email. "It was something personal, something
that affected my life, and something that was important to me," he said. In this
particular attack, Hadnagy received an email saying that one of his important
Amazon orders was delayed due to a declined credit card number. In the days
leading up to a major conference, Hadnagy said that he was overworked and
clicked the link in the email instead of visiting Amazon directly. The page he was
taken to was well crafted, but thankfully he noticed the ".ru" domain before
entering any personal information.
While it was simple, this tactic was very effective. "I'm the guy that, because of
what I do, phished over 190,000 people in the last few months," said Hadnagy,
referring to his consulting work. "I almost fell for this attack."
Another advantage of appealing to emotion is that it doesn't require the kind of
research the best social engineers employ. "What we'll see is that [attackers]
pick things that are important to the masses." Hadnagy explained that this includes
UPS shipping, Amazon orders, and PayPal transfers.
Mass appeal also works well for broadcasting en masse, another frequent tactic.
"They send these to millions of people at a time, so they don't care if they get 100
per cent," said Hadnagy. "10 per cent is still thousands of compromised accounts."
Staying safe
Many of the tactics used to spot phishing emails hold for social engineering as
well. Anything that sounds too good to be true, or too bad to be true, probably
isn't true. Hovering over links to see the full URL, manually entering web
addresses, and avoiding links that arrive out of the blue are all sound tactics.
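The "hover over the link and read the full URL" advice above can be automated for inbound mail. The following Python script is an added example, not code from the article or from Social-Engineer Inc.: it parses the anchors in an email body, flags links whose displayed text is a URL on a different domain from the real target (the Amazon-lookalike on a ".ru" host described above), flags plain-HTTP links, and flags links that mention a known brand but point at some other registrable domain. The sample HTML and the brand-to-domain table are constructed for the demonstration; the registrable-domain helper is a deliberate last-two-labels approximation, where a production checker would consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical, not from the article). The first link
# shows a legitimate-looking URL as its text but points at a different domain.
SAMPLE_HTML = """
<p>Your order is delayed because your card was declined.</p>
<p>Review it here:
  <a href="http://amazon-orders.example.ru/login">https://www.amazon.com/orders</a></p>
<p>Or visit <a href="https://www.amazon.com/">our site</a>.</p>
"""

# Constructed brand -> expected registrable domain table (assumption for the example).
KNOWN_BRAND_DOMAINS = {"amazon": "amazon.com", "paypal": "paypal.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude approximation: keep the last two labels ("www.amazon.com" -> "amazon.com").
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Matches display text that itself looks like a URL or bare hostname.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def audit_links(html):
    """Return one finding per link; an empty 'reasons' list means nothing suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        target_domain = registrable_domain(parsed.hostname or "")
        reasons = []

        # 1. Display text is a URL whose domain differs from the real target.
        match = URL_LIKE_TEXT.match(text)
        if match and registrable_domain(match.group(1)) != target_domain:
            reasons.append("display text domain differs from link target")

        # 2. Credential-style link served over plain HTTP.
        if parsed.scheme == "http":
            reasons.append("link uses plain http")

        # 3. Link text or host names a known brand but lands on another domain.
        haystack = (text + " " + (parsed.hostname or "")).lower()
        for brand, expected in KNOWN_BRAND_DOMAINS.items():
            if brand in haystack and target_domain != expected:
                reasons.append(f"mentions {brand} but target is {target_domain}")

        findings.append({"href": href, "text": text, "target": target_domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(status, finding["href"], "; ".join(finding["reasons"]))
```

Running the script prints one line per link; the lookalike link is marked suspicious for all three reasons, while the genuine amazon.com link passes. The three checks are independent so a mail gateway can weight them separately, and the brand table is the piece that needs curating for the organisations a business actually deals with.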
But the live calling portion of the Capture the Flag competition highlights another
facet of social engineering: institutional trust. This year, many of the contestants
posed as coworkers or vendors, which gave the employees at the target companies
an immediate reason to trust them. Sometimes, it pays to ask questions when
someone claiming to be the CEO of your company calls you personally.
Hadnagy has made a career explaining social engineering, but he's not concerned if
attackers are picking up his tricks. "The bad guys aren't looking for the data on how
to do this," he told SecurityWatch. "They already know how. The problem is that the
good guys don't."
Through his work, Hadnagy believes he can teach both corporations and regular
people how to think critically about their daily interactions, and how to respond in
worst case scenarios. Hadnagy explained it this way: "Instead of arming the bad
guys, it arms the good guys."
Why companies need military-style drills against social engineering attacks
By Alex Balan
We recently covered the Social Engineering Capture the Flag event at DEF CON,
which exposed just how many large companies are still falling for hackers with the
plain old gift of the gab: so-called social engineers.
Shockingly, contestants were able to gain access to secure company systems by
duping employees at major firms, using only publicly available information found
on websites and social media.
We spoke to Alex Balan, Head of Product Management for security and antivirus
firm BullGuard, about the growing threat of social engineering, and what
companies can do to protect themselves.
The days of the purely technical hacker are over, Balan told us.
"People without imagination will basically use tools," he said. "They'll fire
up Metasploit or some tool used to hack, and they'll be more or less successful
depending on how well the company's security is configured. And on the other
side of the barricade, you have the CSO or the CISO making sure the web
firewalls and the intrusion detection systems are in place."
This arms race is almost as old as computers themselves.
"But, social engineering is an area that is not covered enough in most of the
companies that I know," Balan told us. "Including security companies."
This is based on work he's done for several companies, performing audits of
security systems and protocols. "Companies don't do enough security training for
their employees," he said.
"There should be military-style drills. Every now and then, there should be a drill
where someone tries to social engineer his way into someone's account. These
exercises should be run by the security division of that company." "They should also
do periodic drills to see how well their employees react to social engineering."
So will social engineering play a greater role in security threats as technology
advances? Balan isn't convinced.
"Security as a concept may evolve from a technological standpoint, and so will the
threats, but social engineering will stay the same. This will be the case in a
thousand years, not a hundred years." The problem is the premeditated and
meticulously-planned nature of social engineering attacks.
"Social engineering is targeted," Balan told us. "And usually targeted attacks are the
ones that are the most dangerous, that have the most advanced methods of
attacks.
And they're usually the ones that people are the least prepared for."
So should we despair? No, says Balan, so long as a number o common-sense
steps are taken to manage the risks.
Any company should have a security division, even if it's outsourced. Perform drills.
Even if it happens twice a year, it's better than never. Enact basic best practices, like
using paper shredders and disk drive destroyers so nothing can be recovered
from old systems.
With these steps, companies should be able to tighten up their operational security
and prevent these breaches from occurring. Unfortunately, we may never move
beyond a world where social engineering is a threat.
"The problem is that there are no warning signs," Balan told us. "If you have a
warning, then you can get on your toes and be on the lookout."
The problem is that social engineers ensure the success of their attacks with
immaculate planning and a long campaign of information gathering on their
unfortunate targets. As Balan added, "the attacker only has one shot."
"Usually the attack is already successful by the time suspicions are aroused. What
usually happens is that from the first phone call or the first email, the weakest link
has already fallen into the trap. Data access control is the number-one answer to
tightening your security.
"It's important to decide who can access what data," Balan said. "Sometimes the
janitor at a company has more access than security officials. Personnel like this can
be easily plied, and this is another area of vulnerability."
So should small businesses be worried, as well as massive multinationals?
"Usually small businesses aren't of interest to hackers," Balan said, "because they
don't have large databases of users, and they're not high profile enough to make
the news."
However, he made sure to mention that "if a small business was targeted, it would
have a much greater chance of falling victim to such an attack, because they don't
have a CSO, they don't have a security division, and they're not that aware of what
security means."
Security in a mobile world
For well over a decade, IT security experts have been striving to convince PC users
they are at risk from a plethora of dangers online, and while it is a fight that will
never truly end for the preachers, certain security principles have now been
established and ingrained in our minds.
But the arrival of the smartphone and its insistence on assuming nearly all the
responsibilities we have traditionally entrusted to our PC has effectively reset the
battleground and produced the same struggle for the security industry all over
again.
As security threats proliferate in the mobile space, informed and well protected
organisations have an advantage. So how can you make sure you're one of the
survivors? This exclusive white paper takes you through the threats you don't see
coming, and the solutions you didn't know existed.
Mobile security: 5 tips for protecting your sensitive data
By Dave Anderson
There is little doubt mobile devices have profoundly transformed today's business
world, with organisations now commonly making line-of-business applications
accessible to their increasingly mobile workforce.
Once mostly prohibited by IT, smartphones and tablets are being used by hundreds
of millions of employees worldwide to access, transmit and store corporate
information in today's 24/7 business environment. This extended enterprise
introduces new challenges and complexities for IT. Not surprisingly, security has
emerged as the number one challenge posed by the BYOD (bring your own device)
trend. IT organisations are concerned with device loss, data leakage and
unauthorised access to corporate resources, as well as the growing use of guest
access to corporate networks.
In response to these perceived risks, organisations have begun implementing a
range of data security measures. Traditional approaches involve perimeter-based
security controls such as firewalls and smart screen filters. But no amount of
perimeter defence can protect data accessed by, and subsequently stored and
transmitted by, smartphones and tablets, especially outside of enterprise control.
There are three mission-critical areas in which mobile data must be protected
without disrupting user productivity:
- Email applications, which contain sensitive information and are subject to
regulatory compliance
- Sensitive business files and documents
- Transaction data captured by new mobile payment methods
Even as security threats loom, informed organisations have an advantage. These
five tips can make or break mobile data security efforts:
1. Go beyond device protection, home in on the data
In an ideal world, sensitive data travels in well-defined paths from data repositories
to a well understood set of applications. In the real world, however, data travels
everywhere, anytime, with constantly shifting applications running on an evolving
set of platforms.
The data lifecycle is often complex, extending beyond the container and the
application - even outside the enterprise into offsite backup services, cloud
analytics systems and outsourced service providers. Not to mention the onslaught
of user-owned devices making their way into the fold. So although armouring
applications and devices is one dimension in establishing a defensive posture, it
isn't the entire answer, nor is the installation of security solutions from a wide
range of vendors.
There will be security gaps that eventually impede enterprise risk management and
user productivity. Rather, data security is a multi-pronged risk challenge that
requires a data-centric approach across all dimensions.
2. Assume you've been breached
That's the unsettling opinion of Shawn Henry, the FBI's top cyber-security officer.
Henry, formerly Executive Assistant Director at the FBI, told The Wall Street Journal
that current approaches to fending off hackers are unsustainable. FBI agents
increasingly come across data stolen from companies whose executives had no
idea their systems had been accessed.
"We have found their data in the middle of other investigations," he told the Journal.
"They've been breached for many months, in some cases years, which means that an
adversary had full visibility into everything occurring on that network, potentially."
The challenge is only compounded by the proliferation of smartphones and tablets.
Henry said companies need to make major changes to avoid further damage to
national security and the economy.
3. You don't need an entirely separate strategy to protect your mobile data
Mobile devices are endpoints that require the same attention that is given to PCs
and laptops. Many of the same processes and policies that are leveraged for PCs
and laptops are applicable to mobile platforms.
Still, mobile devices are built for connectivity; the personal nature of these devices,
combined with the inability to regulate or monitor user activity, means that the
focus of protection must change. Simply adding another point solution isn't the
answer.
Enterprises need to make mobile data security part of their risk management
strategy - consistent with desktop and laptop security - without compromising the
user experience.
4. You don't have to forfeit usability for security
The primary purpose of smart device adoption is to improve productivity for a
geographically spread and highly mobile workforce. Security mustn't be a barrier to
productivity. Still, current mobile security solutions focus on creating boundaries
within the devices on which data can be stored and accessed.
When encryption is used, it's typically non-user-friendly, non-application-specific
and lacks granular policy controls. Additionally, it usually relies on a traditional key
management approach that requires massive investment to scale in today's
environment.
Security for mobile data must be as transparent as possible without losing
effectiveness, and it must not intrude on familiar user experiences - yet it has to
provide IT with the control it needs in order to ensure security at the data level.
5. Compliance doesn't equal security
Compliance relevant to IT systems is now being extended to mobile devices - and
for very sound data risk reasons. Companies must understand how these same
data privacy, regulatory compliance and risk management practices should be
applied to the mobile and cloud platforms.
But being certified compliant or using solutions that help achieve compliance
doesn't always translate into effective data security. For example, a desktop
computer stolen from a California health care organisation in 2011 was
password-protected but unencrypted. The theft potentially exposed the personal
information of nearly four million patients.
Mobile security in the real world
Over the years, companies have taken numerous approaches to mobile security.
These have ranged from banning such devices altogether from the corporate
network, to remotely wiping corporate data in the event of the loss or theft of a
device, to adopting a container approach to protect mobile apps and data.
None of these approaches is satisfactory. In a data-centric approach to mobile
security, data (both structured and unstructured) is encrypted as soon as it's
acquired. It remains encrypted as it is used, stored or moved across data centres,
public and private clouds and devices, to be decrypted only by the intended party.
The goal is to devalue or kill data, so that even in the event of a breach, the
encrypted data will have no value to cyber-criminals. And data is protected without
disruption of user productivity.
Take action now
Mobile devices aren't going away, and BYOD is not a passing fad. These trends are
quantifiably improving corporate agility, but the security risk is real.
Traditional security approaches lock down the infrastructure, but that's not the
target for today's cyber-criminals. They want sensitive data, which is valuable;
easily monetised; and increasingly on the move, in and out of IT infrastructures.
And they fully understand where and when to find data in the clear, when it's most
vulnerable, and they're willing to wait.
But waiting is one thing you can't afford to do. Data is key, and a data-centric
approach to mobile security with encryption helps keep sensitive data safe
wherever it goes, however it is used and throughout its lifecycle. Ultimately, it
mitigates the risk of data breaches and other threats so mobility can be leveraged
to its fullest potential. And isn't that the goal of any security measure?
How can business take mobile security to the next level?
By Keith Turnbull
As the workforce continues to become more mobile, new IT challenges and
demands have arisen, placing pressure on the IT department to adapt its security
procedures. End-users now work on multiple devices and in a multitude of
locations. But one thing remains the same: all of them want access to data
regardless of device or location.
Because of this, the need for security is more evident than ever. The challenge for
IT managers is how to deliver access to data securely. They have to put systems in
place that will not only consider user data security, but also allow workers to be
flexible in how they use technology to get the job done.
The latest versions of the Kindle Fire and iPad Air being released drew attention to
the growing consumer interest in new devices, and also the level of sophistication
the devices and the software running on them have reached.
Blackberry has also had a variety of announcements recently about its CEO and
possible bids, and it could be said that Blackberry, in its current guise, might not be
around this time next year, becoming more an application- than device-focused
company.
The new working landscape
These changes reflect how consumerisation and the complexity of devices have
changed the working landscape, with a wide range of mobile devices now available
for business users to use for a variety of different tasks. Many users choose devices
because they are convenient, and for businesses to keep employees engaged,
happy and productive it is important that IT departments are as flexible as possible
in allowing this in the workplace.
This is true in both the public and private sector. To help it overcome mobility
challenges, the Government and the CESG, the government's authority on
information security, have recently updated an End User Devices Security and
Configuration Guidance policy to reflect the market's desire for flexibility around
end-user devices.
This policy describes how devices such as smartphones, laptops and other devices can
be configured to help enterprises meet their users' needs and expectations, with
security recommendations and good practice. This policy also highlights key items
for consideration when deploying devices to users. And for the first time, the policy
clears the use of Android devices for government work, which has previously been
an area in which only BlackBerry could play.
This is interesting, as recent research suggests that after BlackBerry, Windows
Phone is the most trusted mobile platform among large enterprises, with only 20
per cent of IT managers considering it a security risk.
However, although this policy helps guide organisations on how to adopt
different devices, it still limits them and seems to miss the point on availability.
Whether in the public or private sector, users should be able to choose devices that
are convenient to them.
A better way?
This begs the question, is there a better way to approach mobile working? And is
there a way in which to overcome security concerns, should businesses move to
the cloud and more virtualisation solutions?
In short, the answer is yes. IT decision makers need to take a step back and look at
how to manage users, rather than the devices they use. IT will have to shift towards
being more service centric and focus less on purchasing and configuring devices
and operating systems.
The first step in achieving this would be to separate applications, data and users
from their devices. This will help IT to move towards a device-agnostic environment
and concentrate on the delivery of services to end-users as opposed to focusing on
supporting platforms and devices.
Ultimately, IT departments need to tailor their services, mobile or not, around the
end-users to ensure that they are working in an environment that enables them to
be as productive as possible. At the same time, businesses need to create a
strategy that is secure for mobile devices, no matter what users want to use them
for. Devices, after all, are no longer luxuries, but strategic business tools.
Don't miss part two of our exclusive whitepaper, where we'll look into how to build
a secure cloud strategy, and our comprehensive guide to data breaches: how to
avoid them, and how to respond when they occur.
And if you're in a small to medium business, you can't miss part three, where we
go into the unique security challenges facing SMBs in the modern world, and
where we look into what's coming on the horizon of digital security.