As part of the Network Security class I am taking, I was required to respond to a case study in the Security+ Guide to Network Security Fundamentals textbook. I thought the case study presented a realistic example of how social engineering can be used to gain access to a company's network, so I have included a summary of the case study and my response below.
Case Project 2-6: Community Site Activity

Case Project 2-6 involves reading a security case study involving an auditor who was hired to determine if he could gain access to the network of a corporation. The CEO of the corporation proudly proclaims the auditor will not gain access to the corporate network because the network is secure and the company operates in a confidential and secret manner. The auditor uses social engineering to discover information about the CEO, then uses the information to have the CEO willingly open an email attachment, opening a back door into the corporate network (Ciampa, 2012, p. 77). The full case study can be found on page 77 of Security+ Guide to Network Security Fundamentals.
After reading the case study, the following questions are asked: What would you say to the CEO? Why? What recommendations would you make for training?
According to the case study, the auditor was able to determine some information about the CEO via Facebook.com. I would recommend the CEO not have an account on Facebook.com, but if the CEO insists on having a Facebook account, he should limit the amount of public information to only his name. Unfortunately, Facebook does not make it easy for users to change security settings and verify their account is not sharing more information than the user wishes to share. According to a June 2011 post by Graham Cluley at Sophos, “Most Facebook users still don't know how to set their privacy options safely, finding the whole system confusing. It's even harder though to keep control when Facebook changes the settings without your knowledge” (http://nakedsecurity.sophos.com/2011/06/07/facebook-privacy-settings-facial-recognition-enabled/). I would also recommend the CEO limit the amount of public information available on other websites (e.g. Twitter, Flickr, blogs, etc.), as easy access to information about the CEO is what allowed the auditor in this case study to penetrate the corporate network.
I think it would be advantageous for all companies to hold quarterly security training. Since the world of network/IT security is changing at such a fast pace, with 15,000 – 20,000 new phishing attacks launched each month (Ciampa, 2012, p. 60), IT professionals must continually educate end-users as to what the new attacks are and how they operate. Another recommendation is for companies to create a corporate intranet where new security attacks are updated on a weekly basis, thereby allowing end-users to stay on top of the latest security threats.
Finally, security training must educate end-users on both the software vulnerabilities (e.g. inserting a USB drive from home into a company computer) and the social engineering vulnerabilities, such as providing a caller with information about the company computer (e.g. type of operating system, vendor of anti-virus, etc.). Unfortunately, companies regularly place tools with company secrets and access to company networks (computers, smart phones, tablets) in the hands of their employees without continually educating the employees on how to securely use the tools they are given. While no company will ever be 100% safe from malicious attacks on their network and devices, we can minimize the number of successful exploits by continuing to educate end-users.