Monday, September 5, 2011

Network Security: Social engineering


As part of the Network Security class I am taking, I was required to respond to a case study in the Security+ Guide to Network Security Fundamentals textbook. I thought the case study presented a realistic example of how social engineering can be used to gain access to a company's network, so I have included a summary of the case study and my response below.

Case Project 2-6: Community Site Activity

Case Project 2-6 involves reading a security case study about an auditor who was hired to determine whether he could gain access to a corporation's network. The CEO of the corporation proudly proclaims that the auditor will not gain access because the network is secure and the company operates in a confidential and secret manner. The auditor uses social engineering to discover information about the CEO, then uses that information to get the CEO to willingly open an email attachment, which opens a back door into the corporate network (Ciampa, 2012, p. 77). The full case study can be found on page 77 of Security+ Guide to Network Security Fundamentals.

After reading the case study, the following questions are asked: What would you say to the CEO? Why? What recommendations would you make for training?

According to the case study, the auditor was able to determine some information about the CEO via Facebook.com. I would recommend that the CEO not have an account on Facebook.com, but if the CEO insists on having a Facebook account, that he limit the publicly visible information to only his name. Unfortunately, Facebook does not make it easy for users to change their security settings and verify that their account is not sharing more information than they wish to share. According to a June 2011 post by Graham Cluley at Sophos, “Most Facebook users still don't know how to set their privacy options safely, finding the whole system confusing. It's even harder though to keep control when Facebook changes the settings without your knowledge” (http://nakedsecurity.sophos.com/2011/06/07/facebook-privacy-settings-facial-recognition-enabled/). I would also recommend that the CEO limit the amount of public information available on other websites (e.g. Twitter, Flickr, blogs, etc.), since easy access to information about the CEO is what allowed the auditor in this case study to penetrate the corporate network.

I think it would be advantageous for all companies to hold quarterly security training. The world of network/IT security is changing at a fast pace: 15,000 – 20,000 new phishing attacks are launched each month (Ciampa, 2012, p. 60), so IT professionals must continually educate end-users about what the new attacks are and how they operate. Another recommendation is for companies to create a corporate intranet page where new security attacks are posted on a weekly basis, thereby allowing end-users to stay on top of the latest security threats.

Finally, security training must educate end-users on both software vulnerabilities (e.g. inserting a USB drive from home into a company computer) and social engineering vulnerabilities, such as providing a caller with information about the company's computers (e.g. type of operating system, anti-virus vendor, etc.). Unfortunately, companies regularly place tools holding company secrets and access to company networks (computers, smart phones, tablets) in the hands of their employees without continually educating those employees on how to securely use the tools they are given. While no company will ever be 100% safe from malicious attacks on its network and devices, we can minimize the number of successful exploits by continuing to educate end-users.
