ITPP Security Part1

Date post: 02-Jun-2018
  • 8/10/2019 ITPP Security Part1

Security in the Modern World
An ITProPortal Magbook
Part One


Contents

Introduction 1
Social Engineering: The basics 2
What is Social Engineering, and how do you spot an attack? 2
Why companies need military-style drills against social engineering attacks 4
Security in a mobile world 7
Mobile security: 5 tips for protecting your sensitive data 7
How can business take mobile security to the next level? 11


Introduction

Let's face the facts: the world has become a pretty scary place. In the salad days of your youth, all you had to worry about was the health and well-being of your family, keeping your business running and locking your doors at night. Not anymore.

Today, you need to worry about security in a whole different arena: your PC, and your business's online systems. Spyware, viruses and Trojans are lurking online, waiting to infest your network, steal your data, and send your profits plummeting. All these threats could easily cripple your business if you're not careful. Worse yet, hackers could steal important personal information, or the information of your customers.

There are all manner of threats out there, but ITProPortal is here to help. In this exclusive series of security-focused whitepapers, we take you through every facet of modern security, from mobile to cloud, from keeping your small business safe to delving into the dark future for IT security.

Fasten your seatbelts: it's going to be one bumpy ride.


    Social Engineering: The basics

Despite investing in advanced security software and protecting themselves against the latest threats, companies are still falling foul of the oldest tricks in the book: a criminal with the gift of the gab.

Social engineering is what powers phishing emails, and malicious websites disguised as safe ones - but what can you do to protect your business from the one attack a firewall won't stop? This exclusive white paper has the answers.

What is Social Engineering, and how do you spot an attack?
By Max Eddy

Social engineering is what powers phishing emails, and malicious websites that are dressed up to look like safe, popular websites. During a discussion with Chris Hadnagy, Chief Human Hacker at Social-Engineer Inc., I asked him how to spot these scams. His advice echoes what we've often told readers: always be suspicious.

More than a con

From my discussion with Hadnagy, it's clear that some of what we call social engineering are the same tricks that people have used to influence decisions for years. The fast food industry, for example, famously explored what colours would encourage people to eat faster. Phony spiritualists from the 19th century up to the present day use a tactic called "cold reading" to trick victims into revealing information about themselves.

But there's more to social engineering than cheap tricks, as demonstrated by the Social Engineering Capture the Flag Competition held at DEF CON. Here, contestants earn points for information they glean from researching companies and from contacting those companies directly. Hadnagy said that the best scoring contestants also did the most research, which demonstrates how useful it is to know your targets.

Unfortunately, now is a great time to be a social engineer doing research, or open source information gathering. Hadnagy explained that companies and individuals post a lot of information on social media, much of which can be used in social engineering attacks.


Targeting emotion

One of the best social engineering tactics is to keep you from thinking critically, usually by targeting emotion. Hadnagy said that one attack that nearly fooled him claimed to be an Amazon shipping email. "It was something personal, something that affected my life, and something that was important to me," he said. In this particular attack, Hadnagy received an email saying that one of his important Amazon orders was delayed due to a declined credit card number. In the days leading up to a major conference, Hadnagy said that he was overworked and clicked the link in the email instead of visiting Amazon directly. The page he was taken to was well crafted, but thankfully he noticed the ".ru" domain before entering any personal information.

While it was simple, this tactic was very effective. "I'm the guy that, because of what I do, phished over 190,000 people in the last few months," said Hadnagy, referring to his consulting work. "I almost fell for this attack."

Another advantage of appealing to emotion is that it doesn't require the kind of research the best social engineers employed. "What we'll see is that [attackers] pick things that are important to the masses." Hadnagy explained that this includes UPS shipping, Amazon orders, and PayPal transfers.

Mass appeal also works well for broadcasting en masse, another frequent tactic. "They send these to millions of people at a time, so they don't care if they get 100 per cent," said Hadnagy. "10 per cent is still thousands of compromised accounts."

Staying safe

Many of the tactics used to spot phishing emails are true for social engineering as well. Anything that sounds too good to be true or too bad to be true probably isn't true. Tactics like hovering over links to see the full URL, manually entering web addresses, and avoiding links that arrive out of the blue are all sound tactics.

But the live calling portion of the Capture the Flag competition highlights another facet of social engineering: institutional trust. This year, many of the contestants posed as coworkers or vendors, which gave the employees at the target companies an immediate reason to trust them. Sometimes, it pays to ask questions when someone claiming to be the CEO of your company calls you personally.
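The "hover over the link and read the full URL" advice above can be automated on the defensive side. The following checker is an added example, not code from the original article: it pulls the anchors out of an HTML email body and flags links whose real host does not belong to the brand named in the visible text (the pattern in Hadnagy's Amazon-email story, where the page sat on a ".ru" domain). The brand-to-domain table and the sample email are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for this example: registrable domains a brand's
# genuine links are expected to use. A real deployment maintains its own.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
    "ups": {"ups.com"},
}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for suffixes like co.uk.
    A production checker would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_links(html_body):
    """Return (href, visible_text, reason) for each anchor whose real
    destination does not match what the visible text leads a reader to expect."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            findings.append((href, text, "non-web scheme in link"))
            continue
        real = registrable_domain(target.hostname or "")
        lowered = text.lower()
        # Case 1: the visible text is itself a URL; its host must match the real one.
        if lowered.startswith(("http://", "https://", "www.")):
            shown = lowered if "://" in lowered else "http://" + lowered
            if registrable_domain(urlparse(shown).hostname or "") != real:
                findings.append((href, text, "link text shows a different host"))
                continue
        # Case 2: the visible text names a brand; the real host must be on its list.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in lowered and real not in domains:
                findings.append((href, text, f"'{brand}' link goes to {real}"))
                break
    return findings


# Constructed sample: an "order delayed" email in the style described above.
SAMPLE_EMAIL = """
<p>Your Amazon order is delayed because your card was declined.</p>
<a href="http://amazon-orders.example.ru/login">Update your Amazon payment</a>
<a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a>
<a href="http://198.51.100.7/track">www.ups.com/track</a>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {reason}: '{text}' -> {href}")
```

On the sample, the first and third links are flagged and the genuine amazon.com link passes; the brand match is a plain substring test, so a real filter would want word boundaries to avoid matching "ups" inside "groups".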

Hadnagy has made a career explaining social engineering, but he's not concerned if attackers are picking up his tricks. "The bad guys aren't looking for the data on how to do this," he told SecurityWatch. "They already know how. The problem is that the good guys don't."

Through his work, Hadnagy believes he can teach both corporations and regular people how to think critically about their daily interactions, and how to respond in worst case scenarios. Hadnagy explained it this way: "Instead of arming the bad guys, it arms the good guys."

Why companies need military-style drills against social engineering attacks
By Alex Balan

We recently covered the Social Engineering Capture the Flag event at DEF CON, which exposed just how many large companies are still falling for hackers with the plain old gift of the gab: so-called social engineers.

Shockingly, contestants were able to gain access to secure company systems by duping employees at major firms, using only publicly available information found on websites and social media.

We spoke to Alex Balan, Head of Product Management for security and antivirus firm BullGuard, about the growing threat of social engineering, and what companies can do to protect themselves.

The days of the purely technical hacker are over, Balan told us.

"People without imagination will basically use tools," he said. "They'll fire up Metasploit or some tool used to hack, and they'll be more or less successful depending on how well the company's security is configured. And on the other side of the barricade, you have the CSO or the CISO making sure the web firewalls and the intrusion detection systems are in place."

This arms race is almost as old as computers themselves.

"But, social engineering is an area that is not covered enough in most of the companies that I know," Balan told us. "Including security companies."

This is based on work he's done for several companies, performing audits of security systems and protocols. "Companies don't do enough security training for their employees," he said.

"There should be military-style drills. Every now and then, there should be a drill where someone tries to social engineer his way into someone's account. These exercises should be run by the security division of that company." "They should also do periodic drills to see how well their employees react to social engineering."

So will social engineering play a greater role in security threats as technology advances? Balan isn't convinced.

"Security as a concept may evolve from a technological standpoint, and so will the threats, but social engineering will stay the same. This will be the case in a thousand years, not a hundred years." The problem is the premeditated and meticulously-planned nature of social engineering attacks.

"Social engineering is targeted," Balan told us. "And usually targeted attacks are the ones that are the most dangerous, that have the most advanced methods of attacks. And they're usually the ones that people are the least prepared for."

So should we despair? No, says Balan, so long as a number of common-sense steps are taken to manage the risks.

Any company should have a security division, even if it's outsourced. Perform drills. Even if it happens twice a year, it's better than never. Enact basic best practices, like using paper shredders and disk drive destroyers so nothing can be recovered from old systems.


With these steps, companies should be able to tighten up their operational security and prevent these breaches from occurring. Unfortunately, we may never move beyond a world where social engineering is a threat.

"The problem is that there are no warning signs," Balan told us. "If you have a warning, then you can get on your toes and be on the lookout."

The problem is that social engineers ensure the success of their attacks with immaculate planning and a long campaign of information gathering on their unfortunate targets. As Balan added, "the attacker only has one shot."

"Usually the attack is already successful by the time suspicions are aroused. What usually happens is that from the first phone call or the first email, the weakest link has already fallen into the trap. Data access control is the number-one answer to tightening your security."

"It's important to decide who can access what data," Balan said. "Sometimes the janitor at a company has more access than security officials. Personnel like this can be easily plied, and this is another area of vulnerability."

So should small businesses be worried, as well as massive multinationals?

"Usually small businesses aren't of interest to hackers," Balan said, "because they don't have large databases of users, and they're not high profile enough to make the news."

However, he made sure to mention that "if a small business was targeted, it would have a much greater chance of falling victim to such an attack, because they don't have a CSO, they don't have a security division, and they're not that aware of what security means."


Security in a mobile world

For well over a decade, IT security experts have been striving to convince PC users they are at risk from a plethora of dangers online, and while it is a fight that will never truly end for the preachers, certain security principles have now been established and ingrained in our minds.

But the arrival of the smartphone and its insistence on assuming nearly all the responsibilities we have traditionally entrusted to our PC has effectively reset the battleground and produced the same struggle for the security industry all over again.

As security threats proliferate in the mobile space, informed and well protected organisations have an advantage. So how can you make sure you're one of the survivors? This exclusive white paper takes you through the threats you don't see coming, and the solutions you didn't know existed.

Mobile security: 5 tips for protecting your sensitive data
By Dave Anderson

There is little doubt mobile devices have profoundly transformed today's business world, with organisations now commonly making line-of-business applications accessible to their increasingly mobile workforce.


Once mostly prohibited by IT, smartphones and tablets are being used by hundreds of millions of employees worldwide to access, transmit and store corporate information in today's 24/7 business environment. This extended enterprise introduces new challenges and complexities for IT. Not surprisingly, security has emerged as the number one challenge posed by the BYOD (bring your own device) trend. IT organisations are concerned with device loss, data leakage and unauthorised access to corporate resources, as well as the growing use of guest access to corporate networks.

In response to these perceived risks, organisations have begun implementing a range of data security measures. Traditional approaches involve perimeter-based security controls such as firewalls and smart screen filters. But no amount of perimeter defence can protect data accessed by, and subsequently stored and transmitted by, smartphones and tablets, especially outside of enterprise control.

There are three mission-critical areas in which mobile data must be protected without disrupting user productivity:

- Email applications which contain sensitive information and are subject to regulatory compliance
- Sensitive business files and documents
- Transaction data captured by new mobile payment methods

Even as security threats loom, informed organisations have an advantage. These five tips can make or break mobile data security efforts:

1. Go beyond device protection, home in on the data

In an ideal world, sensitive data travels in well-defined paths from data repositories to a well understood set of applications. In the real world, however, data travels everywhere, anytime, with constantly shifting applications running on an evolving set of platforms.

The data lifecycle is often complex, extending beyond the container and the application - even outside the enterprise into offsite backup services, cloud analytics systems and outsourced service providers. Not to mention the onslaught of user-owned devices making their way into the fold. So although armouring applications and devices is one dimension in establishing a defensive posture, it isn't the entire answer, nor is the installation of security solutions from a wide range of vendors.

There will be security gaps that eventually impede enterprise risk management and user productivity. Rather, data security is a multi-pronged risk challenge that requires a data-centric approach across all dimensions.

2. Assume you've been breached

That's the unsettling opinion of Shawn Henry, the FBI's top cyber-security officer. Henry, formerly Executive Assistant Director at the FBI, told The Wall Street Journal that current approaches to fending off hackers are unsustainable. FBI agents increasingly come across data stolen from companies whose executives had no idea their systems had been accessed.

"We have found their data in the middle of other investigations," he told the Journal. "They've been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially."

The challenge is only compounded by the proliferation of smartphones and tablets. Henry said companies need to make major changes to avoid further damage to national security and the economy.

3. You don't need an entirely separate strategy to protect your mobile data

Mobile devices are endpoints that require the same attention that is given to PCs and laptops. Many of the same processes and policies that are leveraged for PCs and laptops are applicable to mobile platforms.

Still, mobile devices are built for connectivity; the personal nature of these devices, combined with the inability to regulate or monitor user activity, means that the focus of protection must change. Simply adding another point solution isn't the answer.


Enterprises need to make mobile data security part of their risk management strategy - consistent with desktop and laptop security - without compromising the user experience.

4. You don't have to forfeit usability for security

The primary purpose of smart device adoption is to improve productivity for a geographically spread and highly mobile workforce. Security mustn't be a barrier to productivity. Still, current mobile security solutions focus on creating boundaries within the devices on which data can be stored and accessed.

When encryption is used, it's typically non-user-friendly, non-application-specific and lacks granular policy controls. Additionally, it usually relies on a traditional key management approach that requires massive investment to scale in today's environment.

Security for mobile data must be as transparent as possible without losing effectiveness, and it must not intrude on familiar user experiences - yet it has to provide IT with the control it needs in order to ensure security at the data level.

5. Compliance doesn't equal security

Compliance relevant to IT systems is now being extended to mobile devices - and for very sound data risk reasons. Companies must understand how these same data privacy, regulatory compliance and risk management practices should be applied to the mobile and cloud platforms.

But being certified compliant or using solutions that help achieve compliance doesn't always translate into effective data security. For example, a desktop computer stolen from a California health care organisation in 2011 was password-protected but unencrypted. The theft potentially exposed the personal information of nearly four million patients.

Mobile security in the real world

Over the years, companies have taken numerous approaches to mobile security.


These have ranged from banning such devices altogether from the corporate network, to remotely wiping corporate data in the event of the loss or theft of a device, to adopting a container approach to protect mobile apps and data.

None of these approaches are satisfactory. In a data-centric approach to mobile security, data (both structured and unstructured) is encrypted as soon as it's acquired. It remains encrypted as it is used, stored or moved across data centres, public and private clouds and devices, to be decrypted only by the intended party.

The goal is to devalue or kill data, so that even in the event of a breach, the encrypted data will have no value to cyber-criminals. And data is protected without disruption of user productivity.

Take action now

Mobile devices aren't going away, and BYOD is not a passing fad. These trends are quantifiably improving corporate agility, but the security risk is real.

Traditional security approaches lock down the infrastructure, but that's not the target for today's cyber-criminals. They want sensitive data, which is valuable, easily monetised, and increasingly on the move, in and out of IT infrastructures. And they fully understand where and when to find data in the clear, when it's most vulnerable, and they're willing to wait.

But waiting is one thing you can't afford to do. Data is key, and a data-centric approach to mobile security with encryption helps keep sensitive data safe wherever it goes, however it is used and throughout its lifecycle. Ultimately, it mitigates the risk of data breaches and other threats so mobility can be leveraged to its fullest potential. And isn't that the goal of any security measure?

How can business take mobile security to the next level?
By Keith Turnbull

As the workforce continues to become more mobile, new IT challenges and demands have arisen, placing pressure on the IT department to adapt its security procedures. End-users now work on multiple devices and in a multitude of locations. But one thing remains the same: all of them want access to data regardless of device or location.


Because of this, the need for security is more evident than ever. The challenge for IT managers is how to deliver access to data securely. They have to put systems in place that will not only consider user data security, but also allow workers to be flexible in how they use technology to get the job done.

The latest versions of the Kindle Fire and iPad Air being released drew attention to the growing consumer interest in new devices, and also the level of sophistication the devices and the software that runs on them have reached.

BlackBerry has also had a variety of announcements recently about its CEO and possible bids, and it could be said that BlackBerry, in its current guise, might not be around this time next year, becoming more an application than device focused company.

The new working landscape

These changes reflect how consumerisation and the complexity of devices have changed the working landscape, with a wide range of mobile devices now available for business users to use for a variety of different tasks. Many users choose devices because they are convenient, and for businesses to keep employees engaged, happy and productive it is important that IT departments are as flexible as possible to allow this in the workplace.

This is true in both the public and private sector. To help it overcome mobility challenges, the Government and CESG, the government's authority on information security, have recently updated the End User Devices Security and Configuration Guidance policy to reflect the market's desire for flexibility around end-user devices.

This policy describes how devices such as smartphones, laptops and other devices can be configured to help enterprises meet their users' needs and expectations, with security recommendations and good practice. This policy also highlights key items for consideration when deploying devices to users. And for the first time, the policy clears the use of Android devices for government work, which has previously been an area in which only BlackBerry could play.

This is interesting as recent research suggests that after BlackBerry, Windows Phone is the most trusted mobile platform amongst large enterprise, with only 20 per cent of IT managers considering it a security risk.

However, although this policy helps guide organisations as to how to adopt different devices, it still limits them and seems to miss the point on availability. Whether in the public or private sector, users should be able to choose devices that are convenient to them.

A better way?

This begs the question: is there a better way to approach mobile working? And is there a way to overcome security concerns, should businesses move to the cloud and more virtualisation solutions?

In short, the answer is yes. IT decision makers need to take a step back and look at how to manage users, rather than the devices they use. IT will have to shift towards being more service centric and focus less on purchasing and configuring devices and operating systems.

The first step in achieving this would be to separate applications, data and users from their devices. This will help IT to move towards a device agnostic environment and concentrate on the delivery of services to end-users as opposed to focusing on supporting platforms and devices.

Ultimately, IT departments need to tailor their services, mobile or not, around the end-users to ensure that they are working in an environment that enables them to be as productive as possible. At the same time businesses need to create a strategy that is secure for mobile devices, no matter what users want to use them for. Devices, after all, are no longer luxuries, but strategic business tools.

Don't miss part two of our exclusive whitepaper, where we'll look into how to build a secure cloud strategy, and our comprehensive guide to data breaches: how to avoid them, and how to respond when they occur.

And if you're in a small to medium business, you can't miss part three, where we go into the unique security challenges facing SMBs in the modern world, and where we look into what's coming on the horizon of digital security.

