Monday, June 29, 2015

Social Engineering

Social Engineering, sometimes referred to as 'human hacking', is responsible for some of the most damaging attacks ever recorded.  Even aspects of Stuxnet were attributed to targeted social engineering operations.  Social engineering is dangerous because it revolves around the one factor in an organization that can't be predictably incorporated into a security program.

Or can it?

Just in case I've lost you, social engineering is the act of persuading a user to divulge information that may or may not be in their best interest.  For example, I could call, email, or simply approach someone in person and claim to be an IT professional.  I could tell them that their workstation has been infected, and that they'll likely get in trouble because this has occurred as a result of their 'abuse' of company network resources.  People might start thinking, 'oh no, I must have clicked on something on Facebook...', but will rejoice when I inform them that I can fix it before anyone has to find out.  All they have to do is give me the keys.

Most professionals and attackers will tell you that the easiest way to obtain someone's credentials is to ask for them.  If you ask the right way, you'll find that statement is surprisingly true.

I've recently become more interested and involved in social engineering assessments at the office.  Partly because I genuinely find it interesting, and also because we don't seem to have a resident expert.  We have a guy that's really smart on networking and program management, another guy that's a brilliant coder and pentester, but no one that seems to want to own the social aspect.  There's a lot to be said about finding a niche and becoming part of the team, at least enough to motivate growth.

So back to my original question; can the human factor be made predictable enough to secure an organization?  I think yes, but probably not the way you think.

Truth: just assume someone in your organization is going to be the victim of an attack.  Don't 'if' about it, and don't train as though you'll raise user awareness to a level that is immune to an attacker's charm and wit.  Someone is going to screw up and give someone bad the keys to the castle.

However, you can put other safeguards in place to detect, contain and remediate the effects of a compromised user.  In my opinion, the focus on awareness training should be less significant than the focus on mitigation efforts.  As I've said before, you put in sprinklers and do fire drills so that 'when' the fire occurs, you can react.  Information security should be no different.

Wednesday, June 24, 2015

Databases, Parsers, and Sprinklers

So, quick confessional: I've been so busy lately that I forgot about a deadline that I actually set in the first place.  That's the bad news.

The good news is I've made a lot of progress in the last week and a half.  Regarding my final project, I've created an Entity Relationship Diagram (ERD) that maps out all of the tables, their fields, primary and foreign keys, etc.  I used a tool called MySQL Workbench, which is written by Oracle for MySQL users.

https://www.mysql.com/products/workbench/

It's pretty great if you're going to develop databases to be used in production, but it's also just super-rad if you need to design the schema and then reverse-engineer some SQL.  I used it for the latter.  I'm now at a point where I think I can begin working on my Python parsers to put the raw XML data from our network discovery and vulnerability scans into a format more easily imported into a database (most likely .csv).
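As a worked illustration of the parser step described above, here is an added Python example (my own, not the author's code or any scanner vendor's format) that flattens a scan export into .csv files laid out like the ERD's tables. The XML structure (a `scan` root with `host`, `port` and `finding` elements) and the sample document are constructed for this example; a real tool's export will differ and the element names would need to be adjusted. The host address serves as the foreign key that ties port and finding rows back to their host row.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in a made-up export format; not the output of any real scanner.
SAMPLE_XML = """<?xml version="1.0"?>
<scan tool="example-scanner" started="2015-06-20T09:00:00">
  <host addr="10.0.0.5" hostname="web01.example.test">
    <port number="80" proto="tcp" service="http" banner="nginx/1.6.2"/>
    <port number="22" proto="tcp" service="ssh" banner="OpenSSH 6.7p1"/>
    <finding id="F-001" severity="high" port="80">Outdated nginx, see vendor advisory</finding>
  </host>
  <host addr="10.0.0.9" hostname="">
    <port number="445" proto="tcp" service="microsoft-ds" banner="Windows, &quot;SMBv1&quot;"/>
    <finding id="F-002" severity="medium" port="445">SMBv1 enabled</finding>
    <finding id="F-003" severity="low">ICMP timestamp request allowed</finding>
  </host>
</scan>
"""

# Column order for each output table; mirrors a hosts / ports / findings ERD layout.
HOST_FIELDS = ["addr", "hostname", "scan_started"]
PORT_FIELDS = ["addr", "port", "proto", "service", "banner"]
FINDING_FIELDS = ["finding_id", "addr", "port", "severity", "description"]


def parse_scan(xml_text):
    """Flatten one scan document into three row lists: (hosts, ports, findings).

    Scan output is untrusted input (banners are attacker-influenced strings), so
    it is parsed with the stdlib parser and only the expected elements are read.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "scan":
        raise ValueError("unexpected root element: %r" % root.tag)
    started = root.get("started", "")
    hosts, ports, findings = [], [], []
    for host in root.findall("host"):
        addr = host.get("addr")
        if not addr:
            continue  # no primary key, so the row (and its children) cannot be linked
        hosts.append({"addr": addr,
                      "hostname": host.get("hostname", ""),
                      "scan_started": started})
        for p in host.findall("port"):
            ports.append({"addr": addr,
                          "port": p.get("number", ""),
                          "proto": p.get("proto", ""),
                          "service": p.get("service", ""),
                          "banner": p.get("banner", "")})
        for f in host.findall("finding"):
            findings.append({"finding_id": f.get("id", ""),
                             "addr": addr,
                             "port": f.get("port", ""),  # empty when not port-specific
                             "severity": f.get("severity", "").lower(),
                             "description": (f.text or "").strip()})
    return hosts, ports, findings


def rows_to_csv(rows, fieldnames):
    """Render rows as CSV text. The csv module handles quoting, which matters
    because banners and descriptions routinely contain commas and quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    hosts, ports, findings = parse_scan(SAMPLE_XML)
    for name, rows, fields in (("hosts", hosts, HOST_FIELDS),
                               ("ports", ports, PORT_FIELDS),
                               ("findings", findings, FINDING_FIELDS)):
        with open(name + ".csv", "w", newline="") as fh:
            fh.write(rows_to_csv(rows, fields))
        print("%s: %d rows" % (name, len(rows)))
```

Keeping the address as the join key in every file means the three .csv files can be loaded into the ERD's tables in order (hosts first) without violating the foreign key constraints.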

Aside from that, we've been working on a new project at the office.  I don't think I can talk much about it publicly right now, but the guys that I work for are incredibly smart and are onto something big that will likely change the way people look at security in the area.

This brings me to an observation that I've made since starting with this security consulting company: there are a lot of people that probably don't care enough about security.  I understand that it's difficult to maintain perspective when you take on a specialization.  All of the network engineers probably say, 'we don't have enough people to manage these firewalls, and they buy us crap to work with!'.  The help desk specialists say, 'people don't care about the equipment or how to use it!  We need to spend more on training and better hardware!'.  Everyone probably thinks their specialization is a little more important than the rest.

That's how I've recently started to feel about security.  I don't understand why people aren't more concerned.  You install fire alarms and sprinklers to protect your physical assets (which are totally replaceable), but you won't lift a finger to protect your digital assets?  I use the general 'you' here, which really means 'some of the companies I've run across'.

Granted, there are many clients that are very involved in the development of their security program.  These clients are motivated to receive assessments and get better.  That's the attitude everyone should have.  Unfortunately, I think some people won't learn until it's too late.

In other news, the only other thing worth mentioning is that I've been doing a lot more lately with Social Engineering.  I think it's very interesting, and I enjoy it a ton, but I'll save that for next time!

Saturday, June 13, 2015

Hello, World!

Welcome to my University of Kentucky Information Communication Technology Internship blog!  The purpose of this site is to document my experience as an Information Communication Technology intern and discuss things I've learned through this experience.

While the grading period is technically June 11-August 6, I have been working as an intern since late March of 2015.  I was accepted for an internship with a Lexington-based technology company as a Security Analyst Intern.

My interview process was unorthodox.  I took a class with UK Computer Science Professor Dr. Ken Calvert in 2013, Network Security, and I met a guy in that course that was an intern at a technology security company.  I was intrigued by the many stories he would tell me during class of the fun things he got to do, and get paid to do!  Earlier this year my friend reached out to me and let me know that his company was looking for interns to join their security team.

I sent him a resume and was called for an interview.  My interview was a luncheon at a local pizza restaurant, where the entire security team and I sat at a table and discussed security related topics for an hour or so over lunch.  I was rather nervous, but my friend had prepared me beforehand by giving me a list of topics that would be discussed as part of the interview.  I answered their questions to the best of my ability, and within a week I had an offer!

Perhaps that isn't so unorthodox, after all.  Most jobs that I've had came about by knowing someone that could help me get a foot in the door.  I suppose you could say that this job had a lot to do with networking.

Networking.

That's a joke, but I digress.  I didn't have a tremendous amount of security knowledge going into the internship, but they reassured me that all they required of me was motivation and potential.  If I could learn, they could teach me.

Thus, since starting with this company I've learned a tremendous amount about the Information Security industry.  I've learned to use network discovery tools and vulnerability scanners, to write reports, and even some aspects of social engineering!

You may have noticed, but I've decided not to talk specifically about the company.  One thing I've learned about the corporate world is that they're not incredibly fond of unofficial mouthpieces.  That's not to say that I've been forbidden to discuss details of my internship as part of the ICT 596 course, but let's just suffice it to say the following (and then just move on):
  • I'm an intern for a company that offers technology solutions.
  • I work in a department that conducts information security assessments.  We consult clients on how to protect their information assets.
  • There is a steep learning curve for this industry, and a lot to learn.  Although I've already been here for a few months, I am still very much in training.
Instead of focusing on irrelevant specifics about the company for which I work, I will instead try to talk more about some topics, processes and tools that I encounter every day as part of my internship.  I look forward to documenting this learning experience so that others might be able to determine if security is something they, too, are interested in.