Edith Turuka: Cyber-Security, An Eye Opener to the Society
1. Cyber-Security: An Eye Opener to the Society
Presented by
Ms. Edith Turuka
Telecommunications Engineer – Ministry of Communications, Science and Technology
11th June, 2012
3. Introduction – Cyber-Security
Before discussing cyber-security, let's take a quick glance at the following:
• Do we need to know about cyber crime?
• What exactly is cyber crime?
• Who can commit cyber crime?
• Why conduct cyber crime?
• Types of cyber crime
• Impacts of cyber crime
4. Introduction – Cyber-Security
• Protecting information from unauthorized access or destruction / abuse.
• 3 aspects under consideration (CIA triad):
• Confidentiality
• Integrity
• Availability
9. Reconnaissance techniques – low-tech methods: countermeasures
• User awareness
• Security badges / biometrics, e.g. iris scan, hand geometry, motion detectors, voice, blood vessels / tailgate detection systems
• Monitor devices taken in / out
• Use locks on cabinets containing sensitive information and on servers
• Use automatic password-protected screen savers
• Encrypt stored files, HDDs and databases
• Use a paper shredder; destroy devices (e.g. HDDs) before discarding them
10. Other Reconnaissance techniques
• General web searches
• The use of public databases, e.g. Whois and DNS
• Different reconnaissance tools are available: Wireshark, keyloggers, Nmap, SamSpade, etc.
Countermeasures
• Security policy
• Keep the information held in public databases to a minimum
11. Notable quotes…
Notorious hacker Kevin Mitnick said, "The weakest link in the security chain is the human element," according to a March 2000 article in the Washington Post. He went on to say that in more than half of his successful network exploits he gained information about the network, sometimes including access to the network, through social engineering.
“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
13. Social Engineering
Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week. Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you that you had better be on your toes, because rumors of layoffs are floating around.
14. Social Engineering
You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for yourself.
15. And so: The Game Is In Play – People Are The Easiest Target
You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone.
Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.
16. Let's Take A Step Back In Time
The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or by one of the security consulting firm's employees.
You see, a firm has been hired to perform a Network Security Assessment on your company.
In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.
17. Bingo – Gotcha
The spreadsheet you opened was not the only thing executing on your computer.
The moment you opened that file, you caused a script to execute which installed a few files on your computer.
Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer: tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, from which they can continue to hack the network. And they can do it from inside without even being there.
18. This is what we call a 180-degree attack.
Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet. You took care of that for us.
Many organizations give their employees unfettered access (or impose limited control) to the Internet.
Given this fact, the security firm devised a method for attacking the network from within, with the explicit purpose of gaining control of a computer on the private network.
All we had to do was get someone inside to do it for us.
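The call-home step described on these slides leaves a trace that does not depend on the firewall: the installed files contact one Internet host on a timer, so a workstation that talks to the same external address at near-identical intervals stands out in outbound proxy or firewall logs. The following is an added defender-side example, not code from the presentation; the log format, the addresses, the internal ranges and the thresholds are all constructed assumptions.

```python
# Added example (not from the slides): flag "call home" beaconing in
# outbound connection logs.  Log lines, hosts and thresholds are constructed.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample, one connection per line: "time src dst:port bytes".
# 10.1.5.23 polls 198.51.100.7 about once a minute (the implant);
# 10.1.5.40 browses 203.0.113.9 at irregular intervals (a person).
SAMPLE_LOG = """\
2012-06-11T08:02:10 10.1.5.23 198.51.100.7:443 612
2012-06-11T08:03:10 10.1.5.23 198.51.100.7:443 590
2012-06-11T08:04:11 10.1.5.23 198.51.100.7:443 601
2012-06-11T08:05:10 10.1.5.23 198.51.100.7:443 598
2012-06-11T08:06:10 10.1.5.23 198.51.100.7:443 603
2012-06-11T08:02:30 10.1.5.23 10.1.0.4:445 1200
2012-06-11T08:03:40 10.1.5.23 10.1.0.4:445 880
2012-06-11T08:02:05 10.1.5.40 203.0.113.9:443 3900
2012-06-11T08:02:40 10.1.5.40 203.0.113.9:443 21000
2012-06-11T08:09:13 10.1.5.40 203.0.113.9:443 1500
2012-06-11T08:17:44 10.1.5.40 203.0.113.9:443 7700
2012-06-11T08:31:02 10.1.5.40 203.0.113.9:443 2200
"""

# Assumed internal address space; anything outside it counts as Internet.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log_text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2].rsplit(":", 1)[0]

def find_beacons(log_text, min_hits=5, max_jitter=0.2):
    """Return (src, dst, count, mean_gap_seconds) for external destinations one
    internal host contacts at regular intervals.  Regularity is measured as the
    coefficient of variation of the gaps between connections: a timer-driven
    implant shows far lower jitter than a person clicking around."""
    times = defaultdict(list)
    for ts, src, dst in parse(log_text):
        if not any(ip_address(dst) in net for net in INTERNAL):
            times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, len(stamps), round(avg, 1)))
    return hits
```

Tune min_hits and max_jitter to the log window you scan; a real implant may add random sleep, so a looser jitter bound with a larger hit count is the usual trade-off.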
19. Welcome to Social Engineering
What would you have done if you found a CD with this type of information on it?
Yes, it is people who are the weakest link in any security system, and social engineering exploits that ---
21. IT Security Policy
Identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources.
22. A good IT Security Policy
Amongst other things:
• Provides sufficient guidance for the development of specific procedures;
• Balances protection with productivity;
• Identifies how incidents will be handled; and
• Should not impede an organization from meeting its mission and goals.
A good policy will provide the organization with assurance and an “acceptable” level of asset protection from external and internal threats.
It is enacted by a senior official (e.g., the CEO).
23. Components of a good security policy
• Security Definition
• Enforcement
• Physical Security of ICT Components
• Access Control to the System
• Security of specific components such as Servers
• Internet Use and Security
• Virus Protection
• Wide Area Network Issues
• Voice-related Services
• Backups and Recovery
A working IT Security Policy is one of the MUST-HAVE pillars in any organization!!!
24. EPOCA – Sections on ICT Security
The Electronic and Postal Communications Act, CAP 306 of the laws of Tanzania.
• Section 124 of EPOCA prohibits unauthorized access to or use of computer systems.
• Section 98 of EPOCA creates a duty of confidentiality for information received by virtue of the Communications laws.
• Section 99 of EPOCA states that disclosure of such information should be authorized by the person for official duties, such as the operation of the laws.
25. Conclusion and Recommendations
• Worth noting: initiatives towards a safe cyberspace in Tanzania, e.g. laws, the National CERT and SIM card registration.
• While the ICT infrastructure is protected by built-in state-of-the-art security technology and solutions, it is extremely important that national capacity to safeguard its ICT assets is built, as built-in protection is not sufficient or sustainable on its own.
• A security mindset (being cautious, being suspicious, not taking everything for granted) and awareness need to be created.
• It is important for every organization to have an IT Security Policy and for all employees to comply with its terms.