Tagged: social engineering

  • Justin Pineda 8:51 pm on April 29, 2020
    Tags: business continuity, covid-19, cybersecurity, malware, pinedacybersecurity, remote work, security awareness, social engineering, wfh, work from home

    Securing the Organization’s IT Assets Amidst COVID-19 

    Photo: man having a video call on his phone (by Edward Jenner on Pexels.com)

    How should organizations conduct operations during a pandemic? How should organizations secure their IT assets during a pandemic? Big multinational companies have their respective Business Continuity Plans (BCP) that assist them in times like lockdowns, quarantines, or any other disruptions to normal business activities. However, a lot of companies were caught off-guard and were not able to smoothly transition to “quarantine mode.”

    How organizations are affected by COVID-19

    According to an April 2020 report from Accenture about the effects of COVID-19 on organizations, there are significant impacts on system resilience and business continuity from the perspective of technology. In a survey they conducted in 2019 on system resilience, only 10% of the 8,300 respondents answered that their technology is resilient. They summarized the effects on IT under the following: business continuity risks, a surge in transaction volumes, workforce productivity challenges, and security risks.

    Common cybersecurity issues faced

    Phishing, scams, malware, and unknowingly accessing malicious/bogus sites are the common cybersecurity issues that organizations have faced during the pandemic. Attacks on NASA have been reported consistently since the spread of COVID-19. Local banks like BPI have issued memos warning customers of phishing attacks that spoof BPI online platforms. Google reported 18 million COVID-19-related malware detections in a single week. Trend Micro also reported a surge in COVID-19-themed attacks ranging from spam to malware and malicious domains. Worse, unscrupulous individuals host COVID-19 case trackers laced with malware so that visitors are infected as they visit.

    The following are the major cybersecurity issues organizations face:

    • Increased number of phishing and malware attacks that use COVID-19 as bait or theme.
    • There is an increase in cybersecurity risk because employees are working from their homes, which IT has a hard time managing. At the other end, support for the company network is also reduced because of lower IT staffing.
    • Remote work/Work from home security issues.

    Cybersecurity defense against attacks

    SANS has created the SANS Security Awareness Deployment Guide, which is very useful for organizations and employees during this time of reduced IT staff and widespread work from home. It contains all the materials that organizations will need, such as templates, fact sheets, posters, and messaging for employees. It even has short, very informative learning videos covering a wide range of topics: social engineering, securing your home, and working remotely.

    It is alarming to note as well that a lot of the big multinational companies mentioned in the introduction, whose technology and security maturity are both top of the line, still suffer a lot of cybersecurity attacks such as phishing and malware. They have the best industry-grade anti-malware with many advanced features, encryption at the hard-drive level, and other security tools. But as we say in security, a system is only as strong as its weakest link, and that link is the people. We have to emphasize the need for consistent and periodic Security Awareness training for employees, especially now that the IT/Security team has a limited view of the organization’s assets.

    It is also important that the IT/Security team be accessible not only for support but also for security incidents. Attacks can be well-planned and can target specific people in the organization. Reporting information about security incidents helps the IT/Security team respond promptly and communicate with stakeholders to prevent others from being victimized.

    There also has to be clear guidelines/policies for employees. Remote work is a different and new environment that may need further and detailed guidance. For example, should users be allowed to connect to public Wi-Fi? Or are they only allowed to access their home network? If they are only allowed to use their home network, what necessary configurations should be done? A clear policy/guideline will be very helpful.

    Management support is also of utmost importance. Quick and immediate approval of policies/guidelines is necessary for this volatile time. Budget is also a key element especially when you need to procure additional security software licenses. Management can provide both approval and budget.

    The following are some of the security issues that need to be discussed with employees:

    Social Engineering – Phishing, spear phishing, vishing, CEO fraud, and USB drops are some of the non-technical attacks that can target your organization. Employees must be trained on how to spot these attacks and report them immediately to the IT/Security team. Usual ways to spot these attacks include a strong sense of urgency, pressure to violate a policy, a generic (non-personalized) e-mail, a very brief message, and the use of a personal e-mail address.
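    One way to turn those indicators into something a mail gateway or a help-desk triage script can apply consistently is a simple scoring rule per indicator. The Python below is an added example written for this post, not code from the original article or from any vendor; the phrase lists, weights and report threshold are assumptions to be tuned against the messages your organization actually sees, and the two messages at the bottom are constructed samples.

```python
"""Scoring an e-mail against the social-engineering indicators above.

Added example, not code from the original post. The phrase lists, weights and
report threshold are assumptions for illustration; the two messages at the
bottom are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Assumed phrase lists: extend with the wording your organisation actually sees.
URGENCY_PHRASES = ("immediately", "urgent", "within the hour", "right now", "asap", "today")
POLICY_PRESSURE_PHRASES = ("keep this between us", "don't tell", "do not tell",
                           "skip the approval", "bypass", "no need to verify")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "dear sir/madam")
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BRIEF_WORD_LIMIT = 40      # assumption: bodies shorter than this are a weak signal
REPORT_THRESHOLD = 5       # assumption: at or above this, tell the user to report it


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)

    @property
    def report(self) -> bool:
        return self.score >= REPORT_THRESHOLD


def sender_domain(sender: str) -> str:
    """Domain part of an address such as 'CEO Office <ceo.office@gmail.com>'."""
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else ""


def score_message(sender: str, subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}".lower()
    first_line = body.lower().lstrip().split("\n", 1)[0]
    v = Verdict()
    # Strong sense of urgency
    if any(p in text for p in URGENCY_PHRASES):
        v.score += 2; v.indicators.append("urgency")
    # Pressure to violate a policy or skip a control
    if any(p in text for p in POLICY_PRESSURE_PHRASES):
        v.score += 3; v.indicators.append("policy-pressure")
    # Generic, non-personalised greeting on the first line
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        v.score += 2; v.indicators.append("generic-greeting")
    # Brief message
    if len(body.split()) < BRIEF_WORD_LIMIT:
        v.score += 1; v.indicators.append("brief")
    # Sent from a personal (webmail) address rather than a corporate one
    if sender_domain(sender) in PERSONAL_MAIL_DOMAINS:
        v.score += 2; v.indicators.append("personal-email")
    return v


# Constructed samples
SAMPLE_SCAM = dict(
    sender="CEO Office <ceo.office@gmail.com>",
    subject="Urgent request",
    body="Dear employee,\nI need five gift cards bought right now. Send me the codes today and keep this between us.",
)
SAMPLE_NORMAL = dict(
    sender="Helpdesk <helpdesk@example.com>",
    subject="Scheduled maintenance on Saturday",
    body=("Hi Maria,\nAs announced in last week's town hall, the file server will be offline on Saturday "
          "from 08:00 to 12:00 for a planned storage upgrade. No action is required on your part; if you "
          "have a job scheduled in that window please reschedule it using the usual change process and "
          "let us know in the ticket. Thanks, Helpdesk"),
)

if __name__ == "__main__":
    for name, msg in (("scam", SAMPLE_SCAM), ("normal", SAMPLE_NORMAL)):
        v = score_message(**msg)
        print(name, v.score, v.indicators, "REPORT" if v.report else "ok")
```

    The point of the weights is that no single indicator is conclusive (plenty of legitimate mail is short, or urgent), but a message that trips several of them at once is exactly what employees should be trained to report rather than act on.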

    Passwords – Since passwords are the most common type of authentication, certain best practices have to be observed so that attackers will have a hard time accessing your account. The use of passphrases, unique passwords for different accounts, password managers (see LastPass and KeePass), and multi-factor authentication (MFA) (see Google Auth and LastPass Authenticator) are the best practices for building a layered defense around your passwords.

    Updated Systems – From your router to your laptops and mobile devices, all the way to your applications, you need to ensure that everything is always up to date. A lot of successful attacks leverage the exploitation of vulnerable systems, i.e. those that are not updated. You need to enable Automatic Updating.

    Backups – Another important practice is to back up your files routinely. The IT/Security team usually plans for worst-case scenarios, such as your workstation being infected by ransomware or the device being lost. Aside from wiping the device’s contents, you also want to recover the information on it. That’s where backups play a vital role.

    VPN – In some organizations, confidential company data must remain in the trusted (company) network. But since a lot of employees are working from home, a secure way of accessing company data stored internally is through a Virtual Private Network (VPN).

    Device Misuse – Another important practice is to keep company-issued devices for work use only. A lot of malware nowadays comes from social networking platforms through third-party ads, hoaxes, etc. It is important to remove that risk by not using the device for personal purposes. At the same time, company resources should not be accessed on a personal device, where they may be accidentally shared or unknowingly retained. Lastly, children, relatives, and guests should not be allowed to use company-issued devices.

    The new normal in the time of pandemic forces businesses to make drastic and rapid changes in their day-to-day operations. While the initial move of a lot of organizations was to relax security so that business continuity would not be hindered, it is important that security mechanisms be restored, reconfigured, and recalibrated to fit the organization’s current setup.

    Here is the slide deck on Securing the Organization’s Assets Amidst COVID-19 v1.0. Feel free to use it to help inform more people on how to secure their respective organizations.

  • Justin Pineda 5:09 pm on December 26, 2019
    Tags: mensrea, penetrationtesting, social engineering, vapt   

    4 Reasons Why All-In-One/Automated Penetration Testing is a Fallacy 

    Coming from the business side, I have met and seen various vendors who promise heaven and earth to answer IT problems in your organization. There are the ‘yes’ guys who will always answer ‘yes’ when you ask if the solution can do this or that. There are the ‘deflectors’ who try to confuse or, worse, mislead you when their solution cannot solve your IT issue. Then there are just the plain highfalutin ones who use terms such as AI or ML carelessly just to make a sale.

    Now that I am on the side of the vendor, I have also met and seen fellow vendors: ambitious, innovative, yet idealistic. For instance, there’s a vendor that sells the-only-anti-malware-that-you-will-need-for-your-organization. You don’t need perimeter security. Just install the solution on all your machines and you’re 100% protected from all attacks. Apparently, there are a lot of disclaimers and caveats in the Terms and Conditions; one is the assumption that the attacks are known in their database, and another is that the attacks should only be host-based.

    I think as IT professionals, we have the responsibility to correct the ‘fake news’ in our own turf, similar to what scientists, doctors, lawyers, and other professions do to protect their respective reputations. As an IT security professional, I am both shocked and amazed at companies that claim that the entire VAPT can be automated and that their tool can do everything that a pen tester can do. I’ve seen a couple of different products on LinkedIn and some I’ve met and had a (heated) discussion.

    I have listed 4 reasons why All-In-One/Automated Penetration Testing is a fallacy contrary to the claims of some companies that their solutions will replace actual pen testers.

    By the way, one of the common misconceptions is that Vulnerability Assessment (VA) activities and Penetration Testing (PT) activities are the same. They are not. To cut a long story short, VA looks for existing vulnerabilities while PT exploits the vulnerabilities found. Some “self-proclaimed IT pundits” don’t even have a clear understanding of the definitions, making the misinformation worse.

    Anyway, so here are my reasons:

    • Mens rea of the attacker
      • In the study of law, mens rea is defined as the intention or knowledge of wrongdoing that constitutes part of a crime. An attacker’s mens rea cannot be fully scoped by an automated tool. A tool can scope a certain known part of the assessment. But in the real world, exploits can be done by a gullible legitimate employee who accidentally clicks on a link that triggers the malware or a connivance/inside job to bypass stringent security measures. Scenarios mentioned can only be done by real people, not tools.
    • An attacker’s out of the box perspective or the attack’s art (creativity)
      • The tool is limited by the signatures or known behaviors in its knowledge base. Hackers/attackers are creative. For example, they will scan fast but not too fast, so they can evade IDS tools. They will attempt to guess passwords but stay below the lockout threshold, then wait for the reset period before attempting again. The criminal mind is colorful and the options are plentiful. Tools may have automation capabilities, but these are limited in their applicability to actual testing.
    • Timing and repetition attacks
      • There are attacks that require timing and repetition to actually exploit certain vulnerabilities. In a way, tools are a good complement for these attacks, but it is the strategy of the attacker that dictates the success of the attack. For example, for applications that have many pages of forms to fill in before being allowed to submit, the tool alone cannot automate adding random data to all of these form fields. A human has to analyze and determine which parameters the application will accept and which can be used for automation.
    • Logic attacks
      • Simply put, understanding logic, program flow, and its parameters are things that humans can handle easily compared to automated tools. Imagine if you are browsing an application and you encountered a transaction feature that requires you to input a 6-digit OTP from your registered phone through SMS. You know as a tester that you can automate a test that will input all possible combinations of 6-digits and use it to brute force the transaction. Tools, on the other hand, do not know that by default. Humans must still intervene. And the list goes on…
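    The 6-digit OTP scenario in the last bullet has a straightforward server-side answer, and it is worth seeing why the weak version fails. The Python below is an added example written for this post, not code from the article or from any bank: `WeakOtpCheck` has the property the bullet describes (nothing stops a caller from trying every combination, and a used code keeps working), while `HardenedOtpCheck` caps attempts per challenge, expires the code, consumes it on success and compares in constant time. `MAX_ATTEMPTS` and `OTP_TTL_SECONDS` are assumed values and the store is a plain in-memory dict.

```python
"""Server-side attempt limiting for a 6-digit transaction OTP.

Added example, not from the post. WeakOtpCheck has the property the bullet
above describes (nothing stops a caller from trying every combination, and a
used code keeps working); HardenedOtpCheck caps attempts per challenge,
expires the code, consumes it on success and compares in constant time.
MAX_ATTEMPTS and OTP_TTL_SECONDS are assumed values; the store is in memory.
"""
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # assumption: many banks use 3 to 5
OTP_TTL_SECONDS = 300   # assumption: code is useless after five minutes


def new_code() -> str:
    """CSPRNG-backed, zero-padded 6-digit code."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class WeakOtpCheck:
    """Unlimited attempts, no expiry, no consumption: the one-in-a-million code
    is guaranteed to be found by a patient automated caller."""
    def __init__(self):
        self.codes = {}

    def issue(self, txn_id: str) -> str:
        self.codes[txn_id] = new_code()
        return self.codes[txn_id]

    def verify(self, txn_id: str, submitted: str) -> bool:
        return self.codes.get(txn_id) == submitted


class HardenedOtpCheck:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock, so expiry can be tested
        self.challenges = {}     # txn_id -> {"code", "expires", "attempts"}

    def issue(self, txn_id: str) -> str:
        code = new_code()
        self.challenges[txn_id] = {"code": code,
                                   "expires": self.now() + OTP_TTL_SECONDS,
                                   "attempts": 0}
        return code

    def verify(self, txn_id: str, submitted: str) -> str:
        """Returns 'ok', 'invalid', 'locked' or 'expired'. The challenge is
        discarded on success, on expiry, and once the attempt budget is spent,
        so a fresh OTP (and a fresh SMS the user will notice) is required."""
        ch = self.challenges.get(txn_id)
        if ch is None:
            return "locked"      # never issued, already used, or burned
        if self.now() > ch["expires"]:
            del self.challenges[txn_id]
            return "expired"
        ch["attempts"] += 1      # malformed input still costs an attempt
        well_formed = len(submitted) == OTP_DIGITS and submitted.isascii() and submitted.isdigit()
        if well_formed and hmac.compare_digest(ch["code"], submitted):
            del self.challenges[txn_id]
            return "ok"
        if ch["attempts"] >= MAX_ATTEMPTS:
            del self.challenges[txn_id]
            return "locked"
        return "invalid"


if __name__ == "__main__":
    h = HardenedOtpCheck()
    code = h.issue("txn-42")
    wrong = "000000" if code != "000000" else "000001"
    print([h.verify("txn-42", wrong) for _ in range(MAX_ATTEMPTS)])  # four 'invalid', then 'locked'
    print(h.verify("txn-42", code))  # 'locked': even the right code is rejected now
```

    With five attempts against a million possibilities the success chance per challenge is 0.0005%, and every burned challenge triggers a new SMS to the real user, which is itself a signal worth alerting on. The tester’s job, as the post says, is to notice that the weak version is in place; the tool will not.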
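    The password-guessing bullet above (staying under the lockout threshold and waiting out the reset period) is a good illustration of why the defender cannot rely on the lockout policy alone either. The Python below is an added example written for this post, not code from the article or from any product: it runs two detectors over a constructed authentication log, the per-user lockout (assumed here to be 3 failures within 15 minutes) and a per-source view over 24 hours that counts failures and distinct accounts regardless of pacing. The log format, thresholds and log lines are all assumptions made up for the example.

```python
"""Detecting password guessing that stays under the lockout threshold.

Added example, not from the post. A per-user lockout (assumed here: 3 failures
within 15 minutes) is what the attacker in the bullet above is dodging by
pausing between attempts. The second detector ignores the per-user window and
instead counts, per source address over 24 hours, how many failures there were
and how many distinct accounts they touched. Log format, thresholds and the
log lines themselves are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

LOCKOUT_THRESHOLD = 3                  # assumed account-lockout policy
LOCKOUT_WINDOW = timedelta(minutes=15)
LONG_WINDOW = timedelta(hours=24)      # detection window that outlives the lockout reset
MIN_FAILURES = 6                       # assumed alert thresholds per source
MIN_DISTINCT_USERS = 3


def parse(log_text: str):
    """(timestamp, result, user, src) tuples in time order; unparsable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)


def accounts_locked(events) -> set:
    """What the lockout policy alone catches: users with >= LOCKOUT_THRESHOLD
    failures inside any LOCKOUT_WINDOW."""
    recent = defaultdict(list)
    locked = set()
    for ts, result, user, _src in events:
        if result != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
        if len(recent[user]) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked


def slow_guessing_sources(events) -> dict:
    """Sources whose failures, spread over LONG_WINDOW, touch many accounts
    without ever tripping the per-user lockout."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, items in fails.items():
        start = items[0][0]
        in_window = [(t, u) for t, u in items if t - start <= LONG_WINDOW]
        users = sorted({u for _, u in in_window})
        if len(in_window) >= MIN_FAILURES and len(users) >= MIN_DISTINCT_USERS:
            alerts[src] = {"failures": len(in_window), "users": users}
    return alerts


# Constructed log: 203.0.113.7 tries two guesses per account, waits past the reset
# window, then moves on; 192.0.2.9 hammers one account and trips the lockout;
# dave simply mistyped his password once.
SAMPLE_LOG = """\
2020-12-26T10:00:00 FAIL user=alice src=203.0.113.7
2020-12-26T10:01:00 FAIL user=alice src=203.0.113.7
2020-12-26T10:05:00 FAIL user=dave src=198.51.100.5
2020-12-26T10:05:30 OK user=dave src=198.51.100.5
2020-12-26T10:20:00 FAIL user=bob src=203.0.113.7
2020-12-26T10:21:00 FAIL user=bob src=203.0.113.7
2020-12-26T10:40:00 FAIL user=carol src=203.0.113.7
2020-12-26T10:41:00 FAIL user=carol src=203.0.113.7
2020-12-26T10:50:00 FAIL user=frank src=192.0.2.9
2020-12-26T10:50:20 FAIL user=frank src=192.0.2.9
2020-12-26T10:50:40 FAIL user=frank src=192.0.2.9
2020-12-26T11:00:00 FAIL user=alice src=203.0.113.7
2020-12-26T11:01:00 FAIL user=alice src=203.0.113.7
"""

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked by policy:", accounts_locked(ev))          # {'frank'}
    print("low-and-slow    :", slow_guessing_sources(ev))    # only 203.0.113.7
```

    The lockout policy sees only frank, the noisy case. The patient source never shows more than two failures on any account inside the reset window, so it is invisible to the policy and only becomes visible when failures are pivoted by source over a window longer than the reset period, which is the kind of correlation a human tester or analyst chooses to add, not something a scanner knows to look for.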

    I think I am obliged to write this blog to emphasize that security testing involves both human testers and tools. They work hand in hand and the tools cannot work alone no matter how big the signature database is. The problem with these predatory solutions is that they promise too much, things that are too good to be true. Imagine if you use their tools and the tool didn’t find anything then you will feel secure. But a week later, you still get defaced through social engineering. So how would you respond?

    Another very interesting and important advantage of using pen testers is the human tendency to exhaust all knowledge and techniques to find vulnerabilities. The hunger and desire of pen testers to find vulnerabilities is a big motivation to help the organizations find real security issues.

  • Justin Pineda 11:48 am on February 5, 2015
    Tags: social engineering   

    Lesson 5: Social Engineering 

    When I studied and took EC-Council’s Certified Ethical Hacker (CEH) in 2013, I learned a very important lesson: even if you follow the hacking methodologies, it only has a 10% success rate. This lesson, on the other hand, has a 90% success rate. In short: Why would you spend a lot of time brute-forcing a password when you can just ask for it? That’s social engineering.

    Social Engineering is an attempt to gain information from a victim or target through manipulation and deceit. The attacker attempts to gain the victim’s trust then exploits the emotions of the latter.

    Note: There is a reading I wrote in 2011 that is relevant to this lesson. Copies will be/are given during class.

    Why is Social Engineering very successful?

    In the past lessons, we studied Defense in Depth. This means that at every layer of security there should be protection. In Network Security, for instance, you may deploy and implement a firewall. The firewall has its limitations, but it will strictly enforce whatever rules are written in the ACL. If it says allow web traffic, it will allow web traffic. If it says deny FTP traffic, then it will deny FTP traffic.

    Problems arise when humans intervene. Let’s say a school enforces a “No ID, No Entry” policy. All students are required to wear their ID upon entering the school. One day, one student forgot to bring his ID, but the guard still allowed him to enter because they’re friends. Is it correct for a guard to make exceptions even if there’s an explicit ID policy? What if the said student brought his friends? Will the guard still allow it because they’re friends?

    Humans or wetware are the weakest link in the security chain because they simply make a lot of exceptions. That’s why the human vulnerability is a weakness that no patch can perfectly fix.

    Ethics: Social Engineering in Penetration Testing

    In penetration testing, a third-party service provider actively tests the security solutions implemented in the network. Active testing means exploiting discovered weaknesses in security. One of the tests is the social engineering test. In this case, the pen tester tries to bypass security through social engineering.

    For example, the company security policy requires the use of a badge/ID to enter the office. The pen tester will carry a lot of heavy things so the guard will help him instead of looking for the ID. The pen tester successfully enters the facility with the guard as accessory to the crime. After the pen testing, the guard is terminated due to abandonment of duty during the test.

    It is the job of the pen tester to lure people into breaking the policy. The targets, out of goodwill, will help them. But in the end, they will be terminated. Is that ethical?

    Steps in Social Engineering

    There are three steps in social engineering.

    1. Information Gathering

    In this step, the social engineer gathers as much information about his target as possible. He can do online searches on social networking sites, stalk the target to learn his routines, and talk to his friends to learn more about his likes.

    2. Developing Relationships

    After you have gathered enough information about your target, it’s time to build a relationship. Let’s say you learned that the target likes Justin Bieber. You can create a “perfect encounter” with him in his daily routine. You could probably sit beside him on a bus and have a little chitchat about Justin Bieber. Ideally, you can build a relationship from the “serendipitous meeting.” In some cases, you will need to “invest” in something. If you learned that the target is in a lot of debt, aside from being a Justin Bieber fan, you can use that to your advantage in the next step.

    3. Exploitation

    In the last step, you push through with your goal of eliciting the information you need from the target. You may have allowed your target to borrow a sum of money from you so that he can pay his debt. Now, you can use that to your advantage. You can ask for the information and remind him that he is in debt so he should return the favor. In this case, you are successful in your mission.

    Types of Social Engineering Attacks

    The Social Engineering Attacks can be classified into 2 categories:

    1. Non-technical – Doing social engineering in a traditional way
      1. Dumpster diving – Literally checking the target’s garbage.
      2. Shoulder surfing – Glancing at another person’s computer, cellphone, or paper.
      3. Impersonation – Pretending to be key personnel in your target’s company.
      4. Tailgating – Walking in right behind the person ahead of you after he taps his badge to open the access door.
    2. Technical – Doing social engineering using technology
      1. Phishing – Getting target’s information using fake e-mail or website.
      2. Spear phishing – A type of phishing targeting a particular person.
      3. Pharming – A type of phishing targeting a group of people/organization.
      4. Vishing – Deceiving target using telephone/cellphone/smart phone.

    —– NOTHING FOLLOWS —–

    You can download the PDF version of this lesson here: INFOSEC_L5_SE
