Wednesday 29 October 2008

New awareness module on social engineering


The proverbial man in the street may think information security is primarily about technical security controls, but other types of control are just as important in protecting information assets: physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are more or less irrelevant: social engineers aim to bypass the technology completely, either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules, but November’s module concentrates on pretexting, phishing and the other techniques social engineers use to fool employees.

Policies, procedures and guidelines are essential controls against social engineering, but they are useless unless employees both know about them and follow them in practice. Social engineering is therefore a particularly important security awareness topic, one of our “core topics” in fact, which merits being covered annually in every awareness program. Employees need to be taught how social engineers work in order to spot them and stop them. It’s a tricky task since social engineers are adept at finding ways to build and exploit trust, slipping quietly beneath the corporate radar. The best social engineering attacks are never detected. Our aim is not to prevent every social engineering attack from succeeding but to create significant barriers that block simple attacks and frustrate more advanced ones, so that social engineers hopefully move along to softer targets.

One of the issues we cover, for instance, concerns the publication of personal details by employees on social networking sites. Names, addresses and birthdates are fabulous starting points for enterprising identity thieves and social engineers who want to impersonate someone. Being cautious about what you publish is a simple control, but it is only valuable if you appreciate the risk sufficiently to be careful, hence the value of awareness.

Find out what's in the awareness module and read all about the NoticeBored service.

Friday 10 October 2008

Malicious 'M$ update' attachment

Here's a crude attempt to get me to install malware, fresh from my inbox:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Doh!

I wonder how many non-infosec professionals would fall for it though.
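The cues that give this lure away (a generic salutation, an instruction to run an attached file, a claimed "private" or "experimental" distribution channel, pressure wording, and a named vendor whose official channel is being bypassed) can be written down as simple rules. The script below is an added example, not code from the original post or from NoticeBored: the indicator names, the regular expressions and the scoring are my own assumptions, LURE is the message quoted above trimmed to the lines the rules key on, and BENIGN is a constructed internal note used for comparison.

```python
import re

# The lure quoted in the post above, trimmed to the lines the rules key on.
LURE = """Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
"""

# A constructed benign message (not from the page) for comparison.
BENIGN = """Hi Gary,
The minutes from Tuesday's awareness meeting are on the intranet under Projects/Awareness.
Let me know if I missed anything.
Thanks, Sam
"""

# Indicator name -> pattern. These are illustrative rules, not a vendor's rule set.
INDICATORS = {
    # "Dear Customer" / "Dear Microsoft Customer": the sender does not know the recipient.
    "generic_salutation": r"^\s*dear\s+(valued\s+)?(\w+\s+)?(customer|user|member)\b",
    # Asks the reader to execute something that arrived with the message.
    "run_attachment": r"\b(run|open|execute|double[- ]click)\b[^.\n]{0,60}\b(file|attachment)\b",
    # Claims the content is distributed outside the normal, official channel.
    "unofficial_channel": r"\b(private|experimental|unofficial)\b[^.\n]{0,40}\b(version|update|release|copy)\b",
    # Pressure / urgency wording.
    "pressure": r"\b(strongly recommend|high-priority|immediately|urgent|within \d+ (hours|days))\b",
    # A well-known vendor name tied to an "update" in the same sentence.
    "vendor_update": r"\b(microsoft|windows|apple|adobe)\b[^.\n]{0,80}\bupdate\b",
}


def phishing_indicators(text: str) -> list[str]:
    """Return the names of the indicators whose pattern matches the message body."""
    flags = re.IGNORECASE | re.MULTILINE
    return [name for name, pattern in INDICATORS.items() if re.search(pattern, text, flags)]


def risk_score(text: str) -> int:
    """One point per indicator, plus a bonus when a named vendor pushes an executable attachment.

    Real vendors do not ship security updates as e-mail attachments, so that
    combination is weighted more heavily than any single cue.
    """
    hits = set(phishing_indicators(text))
    score = len(hits)
    if {"run_attachment", "vendor_update"} <= hits:
        score += 2
    return score


if __name__ == "__main__":
    for label, message in (("lure", LURE), ("benign", BENIGN)):
        print(f"{label}: score={risk_score(message)} indicators={phishing_indicators(message)}")
```

Rules like these are only a triage aid: they flag the crude lures and leave the subtle ones, which is exactly why the awareness message in the post matters more than the filter.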

Wednesday 8 October 2008

The ethics of entrapment

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattooed on his neck (doh!).

But consider whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space, which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office.

UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web exchange for stolen credit card numbers. What a great way to capture details about the criminals, the cards and the culture, but is it ethical? To make it work, they had to let a significant number of carders' transactions go ahead without interference, leading to millions of pounds worth of fraudulent purchases and costs for the card holders and/or the credit card companies, banks and retailers concerned, in the same way that undercover drugs officers allow, and in fact help, drug deals to proceed until they have the opportunity to spring the trap.

Friday 3 October 2008

Worth a look: Computer Ethics book

My colleague Rob Slade, renowned for his book reviews, has just circulated a glowing review of the book Computer Ethics by Deborah Johnson. I say "glowing" deliberately: Rob has published many harsh reviews and, in my experience, they are generally well deserved. The relatively few books that Rob likes stand out as somewhat exceptional and, again, in my experience are well worth reading. Rob knows his stuff. I find him hard but fair. In short, I trust Rob's judgement on computer security books.

Ethically I should point out that I have not actually read Johnson's book myself - I am merely passing on a recommendation. If you have read it and would like to put me straight, please comment below!

Thursday 2 October 2008

Dual use IT

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)!

The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legitimises their activities, but speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use their computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yourself in their shoes, how would you like to be spied upon?

[Aside: presumably there is a market for counter-espionage techniques, software that identifies RATs etc. and responds in some appropriate fashion, perhaps feeding the spies false information or simply cutting the link, the IT equivalent of firing a poison pellet into the spy's calf!]

That said, an incident close to home has made me reconsider my ethical position when a close family member discovered that her child was being 'groomed' through online chatrooms. The discovery came not through spy software but good ol' fashioned parenting - keeping a close eye on the little ones and protecting their interests. In this case, the parents' concern was justified and the groomer was stopped in his tracks, but I'm not saying that "the end justifies the means". If my relative had used spy software, I would still have found it distasteful. I think. But that's my personal perspective: you may see things differently.

Anyway, the use of spy software to recover a stolen computer seems perfectly reasonable and indeed entirely legitimate to me. The thief has no reasonable expectation of privacy while using stolen equipment. Maybe I wouldn't go so far as to say the thief has no rights at all (he is still a human being after all) but privacy is not one of them. The Globe mentions similar cases where owners have turned on built-in cameras to photograph those who are using their stolen systems - again, that's not unreasonable to me, just a creative use of technology.

Of course, thieves will see things differently.

Wednesday 1 October 2008

Bootstrapping for software developers

Why is it that so many organizations expect their software developers and other IT people to “do” information security, yet they don’t bother to train them in the art?

A new security awareness briefing pack contains a set of notelets (short briefings) to help those involved in managing and delivering IT system developments fulfill their information security obligations.

The notelets fall into two groups:
  1. Technical notelets introduce common information security controls, explain generic control requirements and outline the options available to satisfy those requirements.
  2. Development process notelets outline information security issues that ought to be taken into account during most software developments (including ‘end user computing’ projects such as spreadsheet programs).
Although each notelet is a succinct double-sided item, the briefing pack contains 33 of them and hence, with the introduction and copyright notice, runs to some 70 pages in total.
Download the complete pack here (1Mb PDF file).

The editable MS Word version of the pack is available free of charge on request by NoticeBored customers. An earlier version of the pack was delivered in the module on ‘SDLC integration’ in 2006.