Monday, September 5, 2011

Network Security: Social engineering


As part of the Network Security class I am taking, I was required to respond to a case study in the Security+ Guide to Network Security Fundamentals textbook. I thought the case study presented a realistic example of how social engineering can be used to gain access to a company's network, and I have included a summary of the case study and my response below.

Case Project 2-6: Community Site Activity

Case Project 2-6 involves reading a security case study about an auditor who was hired to determine whether he could gain access to the network of a corporation. The CEO of the corporation proudly proclaims that the auditor will not gain access to the corporate network because the network is secure and the company operates in a confidential and secret manner. The auditor uses social engineering to discover information about the CEO, then uses that information to have the CEO willingly open an email attachment, opening a back door into the corporate network (Ciampa, 2012, p. 77). The full case study can be found on page 77 of Security+ Guide to Network Security Fundamentals.

After reading the case study, the following questions are asked: What would you say to the CEO? Why? What recommendations would you make for training?

According to the case study, the auditor was able to determine some information about the CEO via Facebook.com. I would recommend the CEO not have an account on Facebook.com, but if the CEO insists on having a Facebook account, that he limit the amount of public information to only his name. Unfortunately, Facebook does not make it easy for users to change security settings and verify that their account is not sharing more information than the user wishes to share. According to a June 2011 post by Graham Cluley at Sophos, “Most Facebook users still don't know how to set their privacy options safely, finding the whole system confusing. It's even harder though to keep control when Facebook changes the settings without your knowledge” (http://nakedsecurity.sophos.com/2011/06/07/facebook-privacy-settings-facial-recognition-enabled/). I would also recommend the CEO limit the amount of public information available on other websites (e.g. Twitter, Flickr, blogs, etc.), as easy access to information about the CEO is what allowed the auditor in this case study to penetrate the corporate network.

I think it would be advantageous for all companies to hold quarterly security training. Since the world of network/IT security is changing at such a fast pace (15,000 to 20,000 new phishing attacks are launched each month (Ciampa, 2012, p. 60)), IT professionals must continually educate end-users as to what the new attacks are and how they operate. Another recommendation is for companies to create a corporate intranet where new security attacks are updated on a weekly basis, thereby allowing end-users to stay on top of the latest security threats.

Finally, security training must educate end-users on both the software vulnerabilities (e.g. inserting a USB drive from home into a company computer) and the social engineering vulnerabilities, such as providing a caller with information about the company computer (e.g. type of operating system, vendor of anti-virus, etc.). Unfortunately, companies regularly place tools with company secrets and access to company networks (computers, smart phones, tablets) in the hands of their employees without continually educating the employees on how to securely use the tools they are given. While no company will ever be 100% safe from malicious attacks on their network and devices, we can minimize the number of successful exploits by continuing to educate end-users.

Friday, March 4, 2011

Verizon and the CR-48

As many of you know by now, I am one of the fortunate ones who received a Google CR-48 notebook computer. I recently activated the 100 free megabytes per month promotion that comes with the notebook; activation was easy and only required me to create a Verizon account.

I decided today to inquire how I might add more data to my monthly allowance, and I contacted Verizon via phone. After spending nearly 30 minutes with 3 different Verizon representatives explaining what the CR-48 is and how I receive 100MB of data each month for free with Verizon, I was finally told that Verizon has never heard of this arrangement, but would treat the data usage as pre-paid mobile broadband. The last gentleman to help me also informed me that mobile broadband is relatively new and therefore very expensive. See below for the rates and data usage amounts I was quoted. The Verizon representative continued to explain that if I planned on watching any YouTube videos, 5GB was not going to be enough, adding that none of the data plans would really allow me to do much on the Internet.

Rates and usage as quoted by Verizon representative

  • 5GB for $80
  • 1GB for $50
  • 300MB for $30
  • 100MB for $15

After ending my call with Verizon, I did what I should have done in the first place: I Googled "CR-48 and Verizon". Upon reading some posts in a CR-48 forum, I came across the following post from Google, http://www.google.com/chromeos/features-connectivity.html. According to this post, the rates are much different than what the Verizon representative quoted me (see below). Although I'm still not sure how to increase my monthly data allowance, the post by Google gives me hope that I can afford to purchase some more bits!

Rates and usage as quoted by Google

Data plans

Plan                           Price
100MB of data per month [1]    Free
Limitless day pass [2]         $9.99 per day
Additional 1GB of data [3]     $20 per month
Additional 3GB of data [3]     $35 per month
Additional 5GB of data [3]     $50 per month

Saturday, February 19, 2011

Flow

I received my beta invite to Flow, a new task manager that claims it will change the way I work; I'm not sure if the developers realize just how big of a task they have in organizing my life. Setting up my Flow account was super easy, and 2 of the 3 fields required for account setup were pre-filled.

I am impressed by the sleek looking user interface, and the handwritten description of what a tab or button does makes the interface appear really friendly.

I rely heavily on my Android phone as my go-to device, the one device I always have on me. Unfortunately, Flow does not mention anything about developing an Android app at this time, although they state an iPhone app is in progress. Until I am able to access my grocery list on my phone while I am at the grocery store, I'm not sure how practical Flow will be for my everyday use. However, I am looking forward to giving Flow a try for my non-mobile tasks.

Anyone looking for a new task management application should head over to http://getflow.com/ and register for a beta invite so you can give Flow a try for yourself.

Sunday, February 6, 2011

Verizon to sentence top users to reduced bandwidth

After reading an Engadget post about Verizon's plan to throttle its top 5 percent of wireless data users, I'm left pondering whether the 5 percent stated by Verizon is truly 5 percent. According to the terms of service posted on Engadget, "if you use an extraordinary amount of data and fall within the top 5 percent of Verizon Wireless data users we may reduce your data throughput speeds periodically for the remainder of your then current and immediately following billing cycle to ensure high quality network performance for other users at locations and times of peak demand." To summarize, the top 5 percent of wireless data users will have their bandwidth speeds reduced for the remainder of the current billing cycle and the following billing cycle. Theoretically, if the top 5 percent of data users are placed into a pool of reduced bandwidth users, a new top 5 percent of data users could, and should, emerge. For example, if I am a heavy wireless data user and my bandwidth speed is now filtered, it will now take me longer to download the same amount of content as it did before the filtered bandwidth sentence. Therefore, my wireless data usage should naturally drop as a result of the sentence, thereby allowing someone who was previously in the top 6 percent of bandwidth users to take my place in the top 5 percent pool. The question is: what is the true bottom of the 5 percent pool?

The other question is will Verizon disclose to its customers sentenced to reduced bandwidth that indeed their bandwidth is reduced, or will the customer be required to call Verizon customer service to complain about slow download speeds, only to find out they've been sentenced for using too much of the service they are paying to have?