Social Engineering

Donovan Anderson

July 24, 2006

Many firms believe that they are security conscious. Large portions of IT budgets are spent on adaptive firewalls, distributed virus scanning software, intrusion detection systems, and other security products. What none of these products addresses is the human element, which remains the weakest link in the security chain. Observing the state of physical security at the 2001 RSA conference, Kevin Mitnick noted: “you could spend a fortune purchasing technology and services… and your network could still remain vulnerable to old fashioned manipulation” (Mitnick, 2001).

Social engineering, defined as “the practice of obtaining confidential information by manipulation of legitimate users” (Reference.com), is more common than many realize. It takes many forms: direct personal or telephone attacks, in which the attacker pretends to be someone entitled to the privileged information requested; shoulder surfing, in which the attacker watches the victim type a password or PIN; dumpster diving, digging through trash for corporate documents; and online phishing scams such as the “eBay scam” (Granger, 2001). While much time and effort goes into defending the infrastructure technically, many organizations fail to address this threat adequately, and training in how to handle a social engineering incident is often limited or non-existent. Social engineering is often the easiest way for a criminal hacker to gain access to a company’s network.

The reason social engineering is such a successful attack vector is that it exploits tendencies common to all human beings. “The average user wants to believe the colleague on the phone and wants to help” (Granger, 2001). Several psychological situations can be exploited by a hacker using social engineering techniques. One is the diffusion of responsibility: if users can be made to believe they will not be held responsible for their actions, they give up information more willingly. The next is the chance for ingratiation: most employees will do a great deal to impress management, and they do not want to get in the way of their boss or displease them. Another factor is that most people try to do what they believe is right. If an attacker can appeal to a victim’s sense of moral duty, the victim plays into the attacker’s trap, giving up information while believing they are doing the right thing (Brenner, 1997).

An attack may sound something like this:

Attacker: “Hey, this is Elaine from accounting, I need Peterson’s password.”
Helpdesk: “I’m sorry, I can’t give that to you.”
Attacker: “Please, this is really really important, if I don’t get this report done Peterson’s going to have me fired.” (appealing to moral duty)
Helpdesk: “How do I know you’re Peterson’s assistant?” (trying to be helpful)
Attacker: “His mother’s name is Estelle, and he has a dog named Barney.” (information gained through eavesdropping)
Helpdesk: “OK, it’s ‘bigboy’.”

In this example, the attacker appealed to the helpdesk technician’s sense of moral duty; the technician wanted to be helpful and did not want to impede what sounded like important work. Other attacks are more insidious. There have been numerous documented incidents of attackers gaining access to corporate networks by scattering media containing Trojan horses around the premises. In one such attack, a CD-ROM labelled “2005 Financials & Layoffs” was left in a restroom to be picked up by an employee and inserted into the employee’s computer. When the employee inserted the disc, a Trojan was installed on the machine that opened a back door to the entire network. Miller (2005) calls this a “180 degree attack”: rather than breaking in, the attacker has the victim carry the attack inside. Such attacks play on the principle of scarcity; people want the knowledge they are forbidden to have. No security measure needs to be breached by technical means, because the victim’s own workstation hands the attacker direct access to the network.

There are precautions an organization can take to protect itself. The first and most important is user education. Every member of the organization must learn to recognize a social engineering attempt and must know how to respond to one. Employees must be trained to dispose of sensitive documents properly, by shredding or incineration. Policies must define which information is classified as sensitive and what the procedures are for accessing it. Policies must also cover identity verification: a helpdesk should never read out an existing password over the phone, but reset it and deliver the new one through a channel tied to the account holder, such as a callback to the number on file. Beyond education and training, risk can be mitigated by properly segmenting the network and restricting each user’s access to only the segments required. In this way a company limits the damage of a “180 degree attack” by limiting the resources a compromised workstation can reach.

The best information security posture is a multi-layered defense. Social engineering is a threat that cannot be addressed by throwing technology at it. Only through diligence, training, and awareness can an organization defend itself against these techniques. Companies that continue to ignore this reality do so at great financial risk.

Works Cited

Brenner, S. (1997). The psychology of social engineering. Retrieved July 17, 2006, from Web site: www.cybercrimes.net/Property/Hacking/Social%20Engineering/PsychSocEng/PsySocEng.html

Granger, S. (2001). Social engineering fundamentals, part I: hacker tactics. Retrieved July 17, 2006, from Web site: www.securityfocus.com/infocus/1527

Mitnick, K. (2001). My first RSA conference. Retrieved July 17, 2006, from Web site: www.securityfocus.com/news/199

Miller, D. (2005). Social engineering: you have been a victim. Retrieved July 17, 2006, from Web site: www.windowsecurity.com/whitepaper/Social-Engineering-Victim.html

Unified Threat Management

Donovan Anderson

July 29, 2006

UTM, or Unified Threat Management, is one of the hot buzzwords in the IT security field today. UTM combines traditional security elements, including firewalls, intrusion detection and prevention, junk mail filtering, spyware filtering, and content filtering, into one appliance (Probert, 2005). In a traditional network environment each of these functions is handled by a separate device. The phrase “Unified Threat Management” was coined by the technology research firm IDC in 2004 to “describe a category of security appliances which integrates a range of security features into a single appliance” (Webopedia.com). UTM attempts to simplify the management of network security by bundling these services in one easy-to-manage package.

The first element of the UTM appliance is the firewall and intrusion detection system. The firewall sits at the network gateway and controls which ports are reachable from outside the network. More advanced firewalls carry rule sets for each machine on the network, blocking access to some machines on certain ports while permitting access to other machines on those same ports. An intrusion detection system analyzes network traffic in real time and compares it against a database of known attack signatures. When traffic matches one of these signatures, the IDS logs the activity and notifies the system administrators. When the IDS is combined with the firewall, as it is in a UTM appliance, it can instruct the firewall to shut off access from the offending IP address, port, or both for a predetermined interval. This is effective against noisy, automated attacks, but it needs care: an attacker who spoofs source addresses can trigger blocks against legitimate peers, so automatic blocks should expire on their own and the addresses the business depends on should be exempt from them.
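The IDS-to-firewall coupling described above, as an added example that is not code from the essay or from any UTM product. The packet records, the three signatures, the allowlist and the in-memory firewall table are all constructed stand-ins (assumptions) so that it runs offline; it shows the signature match, the timed block that the match installs, the block lapsing after its interval, and the allowlist that keeps a spoofed packet from cutting off a critical peer.

```python
"""Signature-matching IDS that pushes time-limited blocks to a firewall table.

Added example, not code from the essay or any UTM product. The packet records,
the signatures, the allowlist and the firewall table are constructed stand-ins
(assumptions) so the script runs offline; a real appliance would read from a
capture interface and program real firewall rules.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Signature:
    sid: int
    name: str
    proto: str
    dport: Optional[int]      # None means any destination port
    pattern: "re.Pattern"     # searched in the packet payload


# Constructed toy signatures, not rules from any real IDS.
SIGNATURES = [
    Signature(1001, "web directory traversal", "tcp", 80, re.compile(rb"\.\./\.\./")),
    Signature(1002, "sql injection probe", "tcp", 80, re.compile(rb"(?i)union\s+select")),
    Signature(1003, "snmp default community", "udp", 161, re.compile(rb"public")),
]


@dataclass
class Firewall:
    """Stand-in for the firewall's dynamic block table: source IP -> expiry time."""
    blocks: dict = field(default_factory=dict)
    # Peers that must never be auto-blocked (e.g. the upstream mail relay, a partner
    # site): an attacker who spoofs their address must not be able to cut them off.
    allowlist: tuple = (ipaddress.ip_network("192.0.2.0/24"),)

    def block(self, src: str, now: float, ttl: float) -> bool:
        if any(ipaddress.ip_address(src) in net for net in self.allowlist):
            return False
        self.blocks[src] = max(self.blocks.get(src, 0.0), now + ttl)
        return True

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.blocks.get(src)
        if expiry is None:
            return False
        if expiry <= now:            # the timed block has lapsed
            del self.blocks[src]
            return False
        return True


def inspect(pkt: dict, fw: Firewall, ttl: float = 600.0):
    """Inspect one packet. Returns ("drop", None) when the source is already blocked,
    ("alert", sid) when a signature fires (the source then gets a timed block),
    or ("pass", None)."""
    now = pkt["ts"]
    if fw.is_blocked(pkt["src"], now):
        return ("drop", None)
    for sig in SIGNATURES:
        if sig.proto != pkt["proto"] or (sig.dport is not None and sig.dport != pkt["dport"]):
            continue
        if sig.pattern.search(pkt["payload"]):
            fw.block(pkt["src"], now, ttl)
            return ("alert", sig.sid)
    return ("pass", None)


def run(packets, ttl: float = 600.0):
    """Run a packet list through a fresh firewall; return (verdicts, firewall)."""
    fw = Firewall()
    verdicts = [(p["ts"], p["src"]) + inspect(p, fw, ttl) for p in packets]
    return verdicts, fw


# Constructed sample traffic; timestamps are seconds. 203.0.113.9 is the attacker,
# 192.0.2.5 is an allowlisted peer whose address an attacker might spoof.
SAMPLE_PACKETS = [
    {"ts": 0.0, "src": "203.0.113.9", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
    {"ts": 1.0, "src": "203.0.113.9", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},                  # dropped: blocked
    {"ts": 2.0, "src": "192.0.2.5", "proto": "tcp", "dport": 80,
     "payload": b"GET /a?id=1 UNION SELECT 1 HTTP/1.0\r\n"},      # alert, no block
    {"ts": 3.0, "src": "192.0.2.5", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},                  # still passes
    {"ts": 700.0, "src": "203.0.113.9", "proto": "udp", "dport": 161,
     "payload": b"0&\x02\x01\x00\x04\x06public\xa0\x19"},         # block expired
]

if __name__ == "__main__":
    for ts, src, verdict, sid in run(SAMPLE_PACKETS)[0]:
        print(f"{ts:6.1f} {src:14} {verdict:5} {sid or ''}")
```

The two design points a practitioner would keep even in a real appliance are the expiry on every automatic block and the allowlist checked before a block is installed; without them a single spoofed packet can knock a mail relay or a partner VPN endpoint off the network for as long as the block lasts.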

The next component is the junk mail, virus and spyware filtering software. Working at the application level, a junk mail filter scans incoming messages and analyzes their content. Each attribute indicative of junk mail carries a point value; once a message’s total reaches a threshold, it is deleted or sent to a quarantine folder. A further level of filtering comes from subscribing to blacklist databases of IP addresses known to send junk mail; mail from these sources is usually deleted immediately, skipping quarantine. The mail scanner also checks email attachments for known viruses and spyware. While virus and spyware defense is mainly handled by the mail scanner, the third element, content filtering, also aids in this task.
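The point-scoring filter with a blacklist short-circuit, as an added example that is not code from the essay or from any mail product. The scoring rules, thresholds, the blacklisted address, the list of dangerous attachment extensions and the four messages are constructed assumptions; it shows a message that scores into quarantine, one deleted on the strength of the blacklist alone, one deleted for an executable attachment, and one delivered.

```python
"""Point-based junk mail filter with blacklist short-circuit and attachment check.

Added example, not code from the essay or any mail product. The messages, the
rules, the thresholds, the blacklist and the bad-extension list are constructed
assumptions so that it runs offline against RFC 822 text.
"""
import re
from email import message_from_string

# Constructed stand-in for a subscribed blacklist of known junk sources.
BLACKLISTED_SOURCES = {"198.51.100.77"}

QUARANTINE_AT = 5.0     # constructed thresholds
DELETE_AT = 10.0
SPAM_PHRASES = re.compile(r"(?i)\b(free money|act now|click here|100% guaranteed)\b")
BAD_EXTENSIONS = (".exe", ".scr", ".pif", ".vbs")


def connecting_ip(msg):
    """IP in the topmost Received header, i.e. the host that handed us the message.
    Only the Received line our own gateway added is trustworthy; lower ones can be forged."""
    for line in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if m:
            return m.group(1)
    return None


def body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def attachments(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def score(msg):
    """Return (total points, [(points, reason), ...]) for a parsed message."""
    hits = []
    subject, text = msg.get("Subject", ""), body_text(msg)
    if not msg.get("Message-ID"):
        hits.append((2.0, "missing Message-ID"))
    if subject and subject.upper() == subject and any(c.isalpha() for c in subject):
        hits.append((1.5, "all-caps subject"))
    n = len(SPAM_PHRASES.findall(subject + " " + text))
    if n:
        hits.append((min(n, 4) * 1.5, f"{n} spam phrase(s)"))
    urls = len(re.findall(r"https?://", text))
    if urls >= 3:
        hits.append((2.0, f"{urls} URLs in body"))
    for name in attachments(msg):
        if name.lower().endswith(BAD_EXTENSIONS):
            hits.append((10.0, f"executable attachment {name}"))
    return sum(p for p, _ in hits), hits


def classify(raw):
    """Return ("deliver" | "quarantine" | "delete", points, reasons)."""
    msg = message_from_string(raw)
    src = connecting_ip(msg)
    if src in BLACKLISTED_SOURCES:             # blacklist hit skips scoring and quarantine
        return ("delete", None, [f"source {src} on blacklist"])
    total, hits = score(msg)
    if total >= DELETE_AT:
        return ("delete", total, hits)
    if total >= QUARANTINE_AT:
        return ("quarantine", total, hits)
    return ("deliver", total, hits)


# Constructed sample messages.
BLACKLISTED_MSG = """Received: from bulk.example.net (bulk.example.net [198.51.100.77])
    by gw.example.com with ESMTP; Sat, 29 Jul 2006 09:59:00 -0400
From: offers@example.net
To: user@example.com
Subject: Hello

Greetings.
"""
SPAM_MSG = """Received: from mail.example.net (mail.example.net [203.0.113.44])
    by gw.example.com with ESMTP; Sat, 29 Jul 2006 10:00:00 -0400
From: promo@example.net
To: user@example.com
Subject: FREE MONEY ACT NOW

Click here http://a.example/ http://b.example/
"""
ATTACH_MSG = """Received: from relay.example.org (relay.example.org [192.0.2.10])
    by gw.example.com with ESMTP; Sat, 29 Jul 2006 10:02:00 -0400
Message-ID: <abc@example.org>
From: hr@example.org
To: user@example.com
Subject: Updated policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached document.
--XYZ
Content-Type: application/octet-stream; name="policy.exe"
Content-Disposition: attachment; filename="policy.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ--
"""
HAM_MSG = """Received: from mail.example.org (mail.example.org [192.0.2.10])
    by gw.example.com with ESMTP; Sat, 29 Jul 2006 10:03:00 -0400
Message-ID: <123@example.org>
From: alice@example.org
To: user@example.com
Subject: Lunch tomorrow?

Are you free at noon? Here is the menu: http://cafe.example/menu
"""

if __name__ == "__main__":
    for raw in (BLACKLISTED_MSG, SPAM_MSG, ATTACH_MSG, HAM_MSG):
        print(classify(raw))
```

Two points are worth carrying into a real deployment: only the Received header written by the organization’s own gateway identifies the connecting host (anything below it is sender-supplied), and an executable attachment is scored as an outright delete rather than a few points, since no combination of otherwise clean attributes should let it through.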

Content filtering limits web access to organizationally approved sites or subjects; adult content is the most commonly restricted category. Two main methods are used. The first is a URL database: the URLs of blocked sites are held in a database, and each web request is compared against it; on a match, access is denied. The weakness of the URL database is new content that has not yet been categorized. Dynamic filtering addresses this by analyzing the HTML as it passes through the gateway, including the words, pictures, and other content on the page (Azoulay, 2006). With this method, unauthorized material can be blocked even before it has been categorized and added to the blocked URL database.
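The two filtering methods in sequence, as an added example that is not code from the essay or from any filtering product. The blocked-host database, the URL prefix list, the category keyword weights, the threshold and the two sample pages are constructed assumptions; the static lookup runs on the request URL, and the dynamic check runs on the fetched HTML and scores its visible text, image alt text and link targets.

```python
"""Web content filter: static URL database first, then dynamic HTML analysis.

Added example, not code from the essay or any filtering product. The database,
categories, keyword weights, threshold and sample pages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed URL database: hostnames (matched by domain suffix) and URL prefixes.
BLOCKED_HOSTS = {"adult.example": "adult", "casino.example": "gambling"}
BLOCKED_PREFIXES = {"http://mixed.example/games/": "gambling"}

# Constructed weighted term lists for the dynamic filter, and the score that denies.
CATEGORY_TERMS = {
    "gambling": {"jackpot": 2, "poker": 2, "roulette": 2, "blackjack": 2, "bet": 1},
    "adult": {"xxx": 3, "explicit": 2, "adults only": 3},
}
DYNAMIC_THRESHOLD = 5


class TextExtractor(HTMLParser):
    """Collect visible text, image alt text and link targets; skip script/style bodies."""

    def __init__(self):
        super().__init__()
        self.chunks, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "img" and a.get("alt"):
            self.chunks.append(a["alt"])
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def url_lookup(url):
    """Static check: the category the URL database assigns, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for blocked, cat in BLOCKED_HOSTS.items():
        if host == blocked or host.endswith("." + blocked):
            return cat
    for prefix, cat in BLOCKED_PREFIXES.items():
        if url.startswith(prefix):
            return cat
    return None


def classify_html(html):
    """Dynamic check: weighted term counts per category; returns (best category, score)."""
    p = TextExtractor()
    p.feed(html)
    text = " ".join(p.chunks + p.links).lower()
    best, best_score = None, 0
    for cat, terms in CATEGORY_TERMS.items():
        s = sum(w * len(re.findall(r"\b" + re.escape(t) + r"\b", text))
                for t, w in terms.items())
        if s > best_score:
            best, best_score = cat, s
    return best, best_score


def decide(url, html=None):
    """("deny", category, reason) or ("allow", None, reason).  The URL check needs only
    the request; the dynamic check needs the response body, so it runs when html is given."""
    cat = url_lookup(url)
    if cat:
        return ("deny", cat, "url database")
    if html is not None:
        cat, s = classify_html(html)
        if s >= DYNAMIC_THRESHOLD:
            return ("deny", cat, f"dynamic score {s}")
    return ("allow", None, "no match")


# Constructed pages: an uncategorized gambling site, and a news page that uses
# one of the same words in passing and must stay below the threshold.
NEW_SITE_HTML = ('<html><head><title>Lucky Spins</title></head><body>'
                 '<h1>Jackpot poker tonight</h1><p>Place your bet on roulette or blackjack.</p>'
                 '<a href="/poker">Play</a><img src="x.gif" alt="jackpot">'
                 '<script>var poker = 1;</script></body></html>')
NEWS_HTML = '<html><body><p>The council will bet on a new transit plan.</p></body></html>'

if __name__ == "__main__":
    print(decide("http://www.adult.example/index.html"))
    print(decide("http://new.example/", NEW_SITE_HTML))
    print(decide("http://news.example/", NEWS_HTML))
```

The threshold is what keeps the dynamic method usable: a single occurrence of a loaded word in a news article scores 1 and is allowed, while a page built around the subject scores well past the cut-off even though its URL is in no database yet.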

As one can imagine, managing each of these elements separately is a daunting task that consumes a great deal of IT staff time, arguably the most expensive organizational resource. Centralizing their management reduces the labor required to address security threats. UTM systems also eliminate the cost of purchasing a separate machine for each job. Because Unified Threat Management brings all of these filters and security devices out to the gateway, threats are better managed and are stopped before they reach the internal network (Gosal and Solanki, 2006).

The disadvantages of Unified Threat Management are relatively few. There can be a performance issue on larger networks: the latency of inspecting traffic at the gateway can create a bottleneck in a high-bandwidth environment (Gosal and Solanki, 2006). How much latency depends on the throughput and on which inspection engines are enabled; for most organizations it is small, and it becomes a factor mainly at very large ones. The other disadvantage is that the appliance is a single point of failure on the network. A bug in the mail filtering software that exhausts the appliance’s resources could cut off network access completely.

The advantages of moving to UTM far outweigh the disadvantages. The initial cost of deploying UTM is offset by freeing up the IT staff to concentrate on more profitable activities. Many organizations also need to consider compliance regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act of 2002. Several of the technical controls these regulations call for, such as firewalling and intrusion detection, can be addressed by deploying a single UTM appliance.

Works Cited

Azoulay, O. (2005). How unified threat management vendors can ensure they provide comprehensive and flexible content filtering solution to users. Retrieved July 25, 2006, from Web site: www.securitypark.co.uk/article.asp?articleid=25087&CategoryID=33

Gosal, S. and Solanki, V. (2006). Unified threat management: preparing for a new generation of network security threats. Retrieved July 25, 2006, from Web site: www.itsecurity.com/security.htm?s=16856

Webopedia. (n.d.). Unified threat management. Retrieved July 25, 2006, from Web site: practicallynetworked.webopedia.com/TERM/U/Unified_Threat_Management.html

Probert, T. (2005). Unified threat management will make IT security easier. Retrieved July 25, 2006, from Web site: www.it-observer.com/articles.php?id=1010

Securing VoIP

Donovan Anderson

August 6, 2006

Few would doubt that Voice over IP (VoIP) has become a viable alternative to the traditional PSTN (Public Switched Telephone Network). Many companies have already moved at least a portion of their voice network to VoIP. Though attacks have not yet become widespread, VoIP security deserves attention now.

With the traditional PSTN, mounting an attack is fairly difficult. Physical access to the wire is required to intercept a call; tapping the wire just outside the building is possible but risky, and access to the internal workings of the telephone network for the purpose of call interception would be nearly impossible to gain (Lookabaugh and Sicker, 2004). The PSTN also has the advantages of ease of use and user familiarity: for most users the telephone just works, instantly, with no complicated steps. This presents a challenge when implementing security for VoIP networks. Anything that deviates from what users expect of a phone will be seen as a nuisance and an impediment to productivity (Lookabaugh and Sicker, 2004).

Three main aspects need to be addressed when securing a Voice over IP network. The first, and the easiest, is physical access to the phones. This may seem obvious, but physical security is one of the most often overlooked components of network defense. Phones should at the very least require password authentication; biometric authentication would be an improvement. The phones themselves also run other applications and services. Companies should analyze these, determine which ports they leave open, and check for exploitable vulnerabilities (Schwartz, 2006). Any service found to be vulnerable or unnecessary should be disabled, or the ports it uses blocked at the firewall.

The second element to secure is the communications channel. With the PSTN, the phone company maintained this security by strictly limiting access to the infrastructure. With calls travelling over the Internet, that guarantee is gone: voice traffic is exposed to the same threats as any other application running over TCP/IP. To regain the level of security the PSTN afforded, a secure connection must be established, but doing so can raise quality of service issues. “Methods that may work well for securing data packets would decrease call quality too drastically” (Parizo, 2004). To avoid this, companies should use UDP-based VPNs between sites. TCP is a “reliable” protocol, that is, it confirms delivery and retransmits lost packets, and that makes it unsuitable for carrying voice: a retransmitted voice packet arrives too late to be played, so the stream stalls and the conversation becomes unintelligible, whereas simply dropping the occasional lost packet costs only a barely audible gap (Pitz, 2006). OpenVPN, an open source VPN application, is one UDP-based solution (Clark and Wink, 2005).

A site-to-site VPN tunnel protects traffic between the offices it connects, but a call that leaves the tunnel for the wilderness of the Internet, or that terminates on a phone outside it, needs its own protection. This again poses a quality of service issue, since many encryption methods designed for data networks are unsuitable for voice. The Secure Real-time Transport Protocol (SRTP, RFC 3711) was developed to address this (Pitz, 2006). SRTP adds confidentiality and integrity to RTP, the standard VoIP media protocol, using AES in counter mode for encryption and HMAC-SHA1 for authentication. The per-packet overhead is small (a 10-byte authentication tag by default), and because the cipher is used as a stream cipher keyed by the packet index, a lost packet does not disturb the decryption of the packets that follow it. SRTP does not itself exchange keys; those are negotiated separately, typically in the call signaling.
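The integrity half of SRTP, as an added example that is not code from the essay or from any VoIP product. It shows the two things that make per-packet authentication work over an unreliable transport: the 32-bit rollover counter (ROC) that extends RTP's 16-bit sequence number into a 48-bit packet index, which the receiver must estimate for each packet because the ROC is never sent, and the HMAC-SHA1 tag (truncated to 80 bits) over header, payload and ROC, checked together with a 64-packet replay window. The AES counter-mode encryption that real SRTP applies to the payload is left out because the Python standard library has no AES, so the payload bytes below stand where the ciphertext would be; the authentication key, SSRC and packets are constructed.

```python
"""SRTP-style packet authentication and replay protection (RFC 3711).

Added example; not code from the essay or any VoIP product. Implements the ROC /
packet-index estimation, the truncated HMAC-SHA1 tag and the replay window.
The AES-CTR payload encryption of real SRTP is omitted (no AES in the standard
library); the key, SSRC and packets are constructed.
"""
import hashlib
import hmac
import struct

TAG_LEN = 10        # 80-bit tag, the RFC 3711 default
REPLAY_WINDOW = 64  # the smallest window the RFC allows
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed 160-bit key


def rtp_header(seq, timestamp, ssrc, pt=0):
    """Minimal 12-byte RTP header: version 2, no padding, extension or CSRCs."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)


def auth_tag(key, packet, roc):
    """HMAC-SHA1 over header||payload||ROC (ROC as 32-bit big-endian), truncated."""
    return hmac.new(key, packet + struct.pack("!I", roc), hashlib.sha1).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key, ssrc, first_seq=0):
        self.key, self.ssrc, self.seq, self.roc = key, ssrc, first_seq, 0

    def protect(self, payload, timestamp):
        pkt = rtp_header(self.seq, timestamp, self.ssrc) + payload   # ciphertext in real SRTP
        out = pkt + auth_tag(self.key, pkt, self.roc)
        self.seq += 1
        if self.seq == 0x10000:          # 16-bit sequence number wrapped: advance the ROC
            self.seq, self.roc = 0, self.roc + 1
        return out


class Receiver:
    def __init__(self, key):
        self.key = key
        self.s_l = None        # highest authenticated sequence number
        self.roc = 0           # receiver's estimate of the sender's ROC
        self.top = -1          # highest authenticated packet index
        self.seen = set()      # authenticated indices inside the replay window

    def estimate_index(self, seq):
        """RFC 3711 section 3.3.1: decide which ROC the sender used for this seq."""
        if self.s_l is None:
            return self.roc, (self.roc << 16) | seq
        if self.s_l < 0x8000:
            v = (self.roc - 1) & 0xFFFFFFFF if seq - self.s_l > 0x8000 else self.roc
        else:
            v = self.roc + 1 if self.s_l - 0x8000 > seq else self.roc
        return v, (v << 16) | seq

    def unprotect(self, data):
        """Return (payload, index); raise ValueError on a replay or a bad tag."""
        if len(data) < 12 + TAG_LEN:
            raise ValueError("packet too short")
        pkt, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        seq = struct.unpack("!H", pkt[2:4])[0]
        v, index = self.estimate_index(seq)
        # Replay check first (cheap), then the MAC in constant time.
        if index <= self.top - REPLAY_WINDOW or index in self.seen:
            raise ValueError(f"replayed packet, index {index}")
        if not hmac.compare_digest(tag, auth_tag(self.key, pkt, v)):
            raise ValueError(f"authentication failed, index {index}")
        # State moves only after authentication, so a forgery cannot shift the window.
        self.seen.add(index)
        if index > self.top:
            self.top = index
            self.seen = {i for i in self.seen if i > self.top - REPLAY_WINDOW}
        if self.s_l is None or v == self.roc + 1:
            self.s_l, self.roc = seq, v
        elif v == self.roc:
            self.s_l = max(self.s_l, seq)
        return pkt[12:], index


if __name__ == "__main__":
    tx = Sender(AUTH_KEY, ssrc=0x1234ABCD, first_seq=65533)     # start just before the wrap
    stream = [tx.protect(bytes([i]) * 160, 160 * i) for i in range(7)]
    rx = Receiver(AUTH_KEY)
    for n in (0, 1, 2, 4, 3, 5):            # the first packet after the wrap arrives late
        print("accepted index", rx.unprotect(stream[n])[1])
    forged = stream[6][:12] + bytes([stream[6][12] ^ 1]) + stream[6][13:]
    for label, bad in (("replay", stream[3]), ("forgery", forged)):
        try:
            rx.unprotect(bad)
        except ValueError as e:
            print(label, "->", e)
    print("genuine packet still accepted, index", rx.unprotect(stream[6])[1])
```

The ordering inside unprotect matters: the replay window is consulted before the MAC so that a flood of replayed packets costs no HMAC work, and the window, s_l and ROC are updated only after the MAC verifies, so that a packet with a forged sequence number cannot slide the window forward and cause the sender's genuine packets to be rejected as replays.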

Finally, a company must separate and protect the VoIP application server itself. As with all systems, IT departments must deploy these servers in accordance with established standards and best practices. This includes, but is not limited to, closing all unnecessary ports and services, limiting user access, and keeping operating system and application patch levels current. It is also a good idea to jail the VoIP application in a restricted environment, so that if the VoIP software is compromised the host itself remains intact. Traffic between the VoIP server and the phones should be confined to its own virtual LAN (Schwartz, 2006). This ensures that everything on that segment is VoIP traffic, which makes suspicious activity easier to spot.

With diligence, Voice over IP can be deployed securely. Done properly, switching to VoIP can save a company a great deal of money compared to the traditional phone company. If these guidelines are ignored, however, a company’s voice communications become every bit as vulnerable as unencrypted email: an industrial spy could capture phone conversations with an ordinary packet sniffer and recording software. This is a gamble most organizations cannot afford to lose.

Works Cited

Clark, C. & Wink, B. (2005). Installing & securing VoIP with Linux. Retrieved August 1, 2006, from Web site: www.softwink.com/papers/Installation_Securing_VoIP_With_Linux/

Lookabaugh, T. & Sicker, D. (2004). VoIP security: not an afterthought. Retrieved August 1, 2006, from Web site: www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=209&page=1

Schwartz, M. (2006). 5 tips for securing VoIP. Retrieved August 1, 2006, from Web site: esj.com/Security/article.aspx?EditorialsID=1971

Parizo, E. (2004). VoIP security daunting, but possible. Retrieved August 1, 2006, from Web site: searchvoip.techtarget.com/originalContent/0,289142,sid66_gci1028157,00.html