Monday, September 5, 2011

Network Security: Social engineering


As part of the Network Security class I am taking, I was required to respond to a case study in the Security+ Guide to Network Security Fundamentals textbook. I thought the case study presented a realistic example of how social engineering can be used to gain access to a company's network, so I have included a summary of the case study and my response below.

Case Project 2-6: Community Site Activity

Case Project 2-6 involves reading a security case study about an auditor who was hired to determine whether he could gain access to the network of a corporation. The CEO of the corporation proudly proclaims that the auditor will not gain access to the corporate network because the network is secure and the company operates in a confidential and secret manner. The auditor uses social engineering to discover information about the CEO, then uses that information to get the CEO to willingly open an email attachment, which opens a back door into the corporate network (Ciampa, 2012, p. 77). The full case study can be found on page 77 of Security+ Guide to Network Security Fundamentals.

After reading the case study, the following questions are asked: What would you say to the CEO? Why? What recommendations would you make for training?

According to the case study, the auditor was able to discover some information about the CEO via Facebook.com. I would recommend that the CEO not have an account on Facebook.com, but if the CEO insists on having a Facebook account, that he limit the amount of public information to only his name. Unfortunately, Facebook does not make it easy for users to change their privacy settings and verify that their account is not sharing more information than they wish to share. According to a June 2011 post by Graham Cluley at Sophos, “Most Facebook users still don't know how to set their privacy options safely, finding the whole system confusing. It's even harder though to keep control when Facebook changes the settings without your knowledge” (http://nakedsecurity.sophos.com/2011/06/07/facebook-privacy-settings-facial-recognition-enabled/). I would also recommend that the CEO limit the amount of public information available on other websites (e.g. Twitter, Flickr, blogs, etc.), as easy access to information about the CEO is what allowed the auditor in this case study to penetrate the corporate network.

I think it would be advantageous for all companies to hold quarterly security training. Since the world of network/IT security is changing at such a fast pace (15,000–20,000 new phishing attacks are launched each month (Ciampa, 2012, p. 60)), IT professionals must continually educate end-users about what the new attacks are and how they operate. Another recommendation is for companies to create a corporate intranet page where new security attacks are posted on a weekly basis, thereby allowing end-users to stay on top of the latest security threats.

Finally, security training must educate end-users on both software vulnerabilities (e.g. inserting a USB drive from home into a company computer) and social engineering vulnerabilities, such as giving a caller information about the company's computers (e.g. type of operating system, vendor of anti-virus software, etc.). Unfortunately, companies regularly place tools that hold company secrets and provide access to company networks (computers, smart phones, tablets) in the hands of their employees without continually educating those employees on how to use the tools securely. While no company will ever be 100% safe from malicious attacks on its network and devices, we can minimize the number of successful exploits by continuing to educate end-users.