Edith Turuka: Cyber-Security, An Eye Opener to the Society
  1. Cyber-Security: An Eye Opener to the Society. Presented by Ms. Edith Turuka, Telecommunications Engineer – Ministry of Communications, Science and Technology. 11th June, 2012
  2. Agenda: Introduction; Reconnaissance and Countermeasures; Corporate IT Security Policy; Conclusion and Recommendations.
  3. Introduction – Cyber-Security. Before discussing cyber-security, let's take a quick glance at the following: Do we need to know about cyber crime? What exactly cyber crime is; who can commit cyber crime; why cyber crime is conducted; types of cyber crime; impacts of cyber crime.
  4. Introduction – Cyber-Security. Protecting information from unauthorized access or destruction / abuse. Three aspects under consideration (the CIA triad): Confidentiality, Integrity, Availability.
  5. How careless are we? How vulnerable are we?
  6. Reconnaissance techniques – Low tech methods: Social Engineering
  7. Reconnaissance techniques – Low tech methods cont…: Physical Break-In
  8. Reconnaissance techniques – Low tech methods cont…: Dumpster Diving
  9. Reconnaissance techniques – Low tech methods countermeasures: User awareness; Security badges / biometrics, e.g. iris scan, hand geometry, motion detectors, voice, blood vessels / tailgate detection system; Monitor devices taken in / out; Use locks on cabinets containing sensitive information and servers; Use automatic password-protected screen savers; Encrypt stored files, HDDs, DBs; Paper shredder; destroy devices (e.g. HDDs) before discarding.
  10. Other Reconnaissance techniques: General web searches; The use of databases, e.g. Whois, DNS. Different reconnaissance tools are available: Wireshark, keyloggers, Nmap, SamSpade, etc. Countermeasures: Security policy; Information on public databases – keep to a minimum.
  11. Notable quotes…. Notorious hacker Kevin Mitnick said, "The weakest link in the security chain is the human element," according to a March 2000 article in the Washington Post [6]. He went on to say that in more than half of his successful network exploits he gained information about the network, sometimes including access to the network, through social engineering [6]. "You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation." [6]
  12. Case study….
  13. Social Engineering. Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week. Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you you'd better be on your toes because rumors of layoffs are floating around.
  14. Social Engineering. You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoffs". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.
  15. And so The Game Is In Play: People Are The Easiest Target. You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone. Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.
  16. Let's Take A Step Back In Time. The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or one of the security consulting firm's employees. You see, a firm has been hired to perform a Network Security Assessment on your company. In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.
  17. Bingo – Gotcha. The spreadsheet you opened was not the only thing executing on your computer. The moment you opened that file you caused a script to execute which installed a few files on your computer. Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer, tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, from which they can continue to hack the network. And they can do it from inside without even being there.
  18. This is what we call a 180 degree attack. Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet. You took care of that for us. Many organizations give their employees unfettered access (or impose limited control) to the Internet. Given this fact, the security firm devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network. All we had to do was get someone inside to do it for us.
  19. Welcome to Social Engineering. What would you have done if you found a CD with this type of information on it? Yes, it is people who are the weakest link in any security system, and Social Engineering exploits that ---
  20. Corporate IT Security Policy
  21. IT Security Policy. Identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources.
  22. A good IT Security Policy. Amongst other things, it provides sufficient guidance for development of specific procedures; balances protection with productivity; identifies how incidents will be handled; and should not impede an organization from meeting its mission and goals. A good policy will provide the organization with the assurance and the "acceptable" level of asset protection from external and internal threats. It is enacted by a senior official (e.g., CEO).
  23. Components of a good security policy: Security Definition; Enforcement; Physical Security of ICT Components; Access Control to the System; Security of specific components such as Servers; Internet Use and Security; Virus Protection; Wide Area Network Issues; Voice-related Services; Backups and Recovery. A working IT Security Policy is one of the MUST-HAVE pillars in any organization!!!
  24. EPOCA – Sections on ICT Security. The Electronic and Postal Communications Act, CAP 306 of the laws of Tanzania. Section 124 of EPOCA prohibits unauthorized access or use of computer systems. Section 98 of EPOCA creates a duty of confidentiality for information received by virtue of the Communications laws. Section 99 of EPOCA states that disclosure of such information should be authorized by the person for official duties such as the operation of the laws.
  25. Conclusion and Recommendations. Noteworthy initiatives towards a safe cyberspace in Tanzania, e.g. laws, a National CERT and SIM card registration. While the ICT infrastructure is protected by built-in state-of-the-art security technology and solutions, it is extremely important that national capacity to safeguard its ICT assets is built, as built-in protection is not sufficient and sustainable. A security mindset / being cautious / suspicious / not taking everything for granted / awareness needs to be created. It is important for every organization to have an IT Security Policy and for all employees to comply with its terms.
  26. Thank you all very much for listening (ASANTENI SANA KWA KUSIKILIZA).
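The "call home" behaviour in the case study (slides 17 and 18) is what network defenders look for as beaconing: a workstation contacting the same external host again and again at a near-fixed interval, which ordinary browsing does not do. The Python script below is an added example and is not part of the presentation; it parses a web-proxy log whose format, host names and addresses are constructed for the example, and flags client/destination pairs whose connections are both frequent and regularly spaced. The thresholds (`min_connections`, `max_jitter`) are assumptions to be tuned per environment.

```python
"""Flag periodic outbound 'call home' connections in a web-proxy log.

Added example, not from the presentation. Beaconing malware tends to
contact its server at a near-constant interval; this script groups
proxy entries by (client, destination), measures the gaps between
successive connections, and reports pairs whose gaps are numerous and
regular. Log format, hosts and addresses are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Format: "<ISO timestamp> <client ip> <destination host> <bytes>"
# 10.0.5.23 reaches beacon.example-hosting.test roughly every 60 seconds (the beacon),
# while its intranet traffic and 10.0.5.40's browsing are irregular (normal noise).
SAMPLE_LOG = """\
2012-06-11T08:00:02 10.0.5.23 intranet.example.test 4212
2012-06-11T08:00:05 10.0.5.23 beacon.example-hosting.test 312
2012-06-11T08:00:41 10.0.5.40 news.example.test 18922
2012-06-11T08:00:50 10.0.5.23 intranet.example.test 9030
2012-06-11T08:01:04 10.0.5.23 beacon.example-hosting.test 310
2012-06-11T08:02:06 10.0.5.23 beacon.example-hosting.test 315
2012-06-11T08:02:30 10.0.5.40 news.example.test 22018
2012-06-11T08:03:05 10.0.5.23 beacon.example-hosting.test 311
2012-06-11T08:03:30 10.0.5.23 intranet.example.test 1287
2012-06-11T08:03:33 10.0.5.23 intranet.example.test 3390
2012-06-11T08:04:04 10.0.5.23 beacon.example-hosting.test 309
2012-06-11T08:05:06 10.0.5.23 beacon.example-hosting.test 314
2012-06-11T08:06:05 10.0.5.23 beacon.example-hosting.test 312
2012-06-11T08:06:10 10.0.5.23 intranet.example.test 50211
2012-06-11T08:06:12 10.0.5.23 intranet.example.test 640
2012-06-11T08:07:04 10.0.5.23 beacon.example-hosting.test 313
2012-06-11T08:07:45 10.0.5.40 news.example.test 17770
"""


def parse_log(text):
    """Parse log text into (timestamp, client, destination, bytes) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    records.sort(key=lambda r: r[0])
    return records


def find_beacons(records, min_connections=6, max_jitter=0.2):
    """Return (client, destination) pairs whose connection intervals look like a beacon.

    jitter = population standard deviation of the gaps divided by their mean;
    a machine-driven timer gives a small jitter, human browsing a large one.
    Thresholds are assumed starting points, not measured values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few connections to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "mean_interval": avg, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval']:.1f}s (jitter {hit['jitter']:.2f})")
```

On the sample log only the 10.0.5.23 to beacon.example-hosting.test pair is reported: eight connections about 60 seconds apart with a jitter near 0.02, while the six irregular intranet connections from the same client have a jitter near 1 and are ignored. Interval regularity is one signal among several; in practice it is combined with the destination's reputation, the size and constancy of the transfers, and which process on the workstation opened the connection.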