Securing a large, complicated network can be a daunting task with so many technologies and devices. You may be asking yourself where to start. What could I do to get the most out of the time I spend securing my network? There are three areas that you can start with that will significantly reduce your attack surface and make your network more secure in the process. It is such a simple list, yet overlooked by many: patching, maintaining passwords, and disabling unnecessary services.
Today’s NCSAM Tip is on recognizing and avoiding the most commonly used social engineering techniques. The root of the problem is simple enough: people are too trusting of content on the Internet. There is a long promoted perception of community, information sharing, free items, help, and friendliness on the Internet that has lulled many into a false sense of safety or security. Unfortunately, the reality is that just about every “con, scam, grift, hustle, bunko, swindle, flim flam, gaffle, sting or bamboozle” known is alive and well on the Internet. When you more closely examine the social engineering techniques that are used by criminals on the Internet, you see they are often the same or variations of con games and scams that go way back, and that many people are familiar with. This too gives people a false sense of security in that many believe they can identify these malicious attempts to exploit them. But, many tests of these beliefs have shown that most fail.
Instead of looking at the complicated technical details or various techniques themselves, it is easier to see the human factors they are attempting to exploit. Cisco SIO did some research of those human factors commonly exploited in 2010, and included the findings in the Cisco 2010 Annual Security Report. What we found was that regardless of the technical details or specific techniques and variations, the attackers commonly attempted to exploit a short list of human weaknesses:
Digital photography has certainly brought considerable joy into the lives of millions of people around the world, but there are also security implications and they may be somewhat different than what many people believe. Many images, including JPGs, can contain metadata, data about the data in the image. To illustrate, I took a picture of the Ike cutout in front of my cube.
Seems harmless enough, but let’s take a look at the EXIF data in this image.
I used http://regex.info/exif.cgi but there are other sites and apps that will let you view and/or manipulate EXIF data. Per regex.info here is some of the EXIF data:
Basic Image Information
Camera: Samsung GT-I9000
Lens: 3.5 mm (Max aperture f/2.6)
Exposure: Auto exposure, Program AE, 1/13 sec, f/2.6, ISO 100
Flash: Off, Did not fire
Date: September 15, 2011 9:26:08AM
Location: 37° 24′ 30″N, 121° 55′ 39″W
Altitude: 0 m
Timezone guess from earthtools.org: 8 hours behind GMT
File: 1,920 × 2,560 JPEG (4.9 megapixels)
1,542,855 bytes (1.5 megabytes) Image compression: 90%
Look, it put me correctly in Building 17.
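To show how the location shown above is actually encoded, here is an added example (not code from the original post) that builds a minimal constructed Exif/TIFF blob with only a GPS IFD, the same structure a camera writes into a JPEG's APP1 "Exif" segment, and then walks IFD0 to the GPS IFD and converts the degree/minute/second rationals to decimal coordinates. The byte layout offsets are fixed for this constructed sample; a real parser would locate the blob inside the JPEG first.

```python
import struct

GPS_INFO, GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x8825, 0x1, 0x2, 0x3, 0x4

def _entry(tag, typ, count, value):
    # One 12-byte IFD entry: tag, field type, count, then inline value or data offset
    return struct.pack(">HHII", tag, typ, count, value)

def build_exif_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed big-endian TIFF/Exif blob holding only a GPS IFD.
    Fixed layout: IFD0 at offset 8, GPS IFD at 26, latitude rationals at 80, longitude at 104."""
    def ascii_inline(s):                 # e.g. 'N' + NUL, left-justified in the 4-byte value field
        return int.from_bytes((s.encode() + b"\0\0\0")[:4], "big")
    header = b"MM\x00\x2a" + struct.pack(">I", 8)
    ifd0 = struct.pack(">H", 1) + _entry(GPS_INFO, 4, 1, 26) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += _entry(GPS_LAT_REF, 2, 2, ascii_inline(lat_ref)) + _entry(GPS_LAT, 5, 3, 80)
    gps += _entry(GPS_LON_REF, 2, 2, ascii_inline(lon_ref)) + _entry(GPS_LON, 5, 3, 104)
    gps += struct.pack(">I", 0)
    rationals = b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)
    return header + ifd0 + gps + rationals

def _read_ifd(data, off, e):
    """Return {tag: (type, count, value_or_offset, position_of_value_field)}."""
    n, = struct.unpack(e + "H", data[off:off + 2])
    out = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, cnt, val = struct.unpack(e + "HHII", data[p:p + 12])
        out[tag] = (typ, cnt, val, p + 8)
    return out

def extract_gps(data):
    """Walk IFD0 -> GPS IFD and return (lat, lon) in decimal degrees, or None if no GPS data."""
    e = ">" if data[:2] == b"MM" else "<"          # byte-order mark: 'MM' big-endian, 'II' little
    ifd0 = _read_ifd(data, struct.unpack(e + "I", data[4:8])[0], e)
    if GPS_INFO not in ifd0:
        return None
    gps = _read_ifd(data, ifd0[GPS_INFO][2], e)
    def ref(tag):                                   # ASCII hemisphere letter stored inline
        return chr(data[gps[tag][3]])
    def dms_to_decimal(tag):                        # three RATIONALs (num/den) at the data offset
        off = gps[tag][2]
        d, m, s = (n / dd for n, dd in struct.iter_unpack(e + "II", data[off:off + 24]))
        return d + m / 60 + s / 3600
    lat = dms_to_decimal(GPS_LAT) * (-1 if ref(GPS_LAT_REF) == "S" else 1)
    lon = dms_to_decimal(GPS_LON) * (-1 if ref(GPS_LON_REF) == "W" else 1)
    return round(lat, 6), round(lon, 6)

# Constructed sample matching the coordinates shown above: 37°24'30"N, 121°55'39"W
SAMPLE = build_exif_with_gps([(37, 1), (24, 1), (30, 1)], "N", [(121, 1), (55, 1), (39, 1)], "W")
```

Dropping the GPS IFD entry from IFD0 before an image is shared (what "strip metadata" tools do) is what prevents this lookup from succeeding.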
Lately we have seen various attacks against the various SSL/TLS usages that we have in the world. The attacks have not been technical per se, but instead use weaknesses in the procedures that are used to get a certificate. Let's first look at how trust is built up using SSL.
Passwords are the prevalent means of authentication. Even though there have been many complementary authentication mechanisms and schemes, passwords are used almost everywhere that a user wants to prove that he knows a secret that only he is supposed to know. On the other hand, if someone else can guess that password, along with the username (often easy to find), then he could pretend he is the user and do all sorts of things on his behalf. We have seen multiple examples of corporate executives having their personal email accounts hijacked. We have seen celebrities having their Twitter accounts stolen and posting things they would never post. We also have seen studies that show that a vast majority of users still use standard and pretty easy-to-guess passwords.
It is common knowledge that passwords need to be hard to guess; that is a requirement. Andy Balinsky's post describes some guidelines about choosing numeric passwords (e.g. for handheld devices). In the same context, David McGrew's post provides a script that can generate random keys that can be used for pre-shared key authentication. Electronic user passwords are a little different because they involve letters and depend completely on the user (system checks are usually also employed). Users need to be able to choose and remember them in order to use them when needed. But the "hard to guess" and the "easy to remember" requirements don't go well together, and that is the basic challenge.