
Rajiv Gandhi Institute of Technology

February 24, 2009

Information Security: the profession; concepts, risks and more..

Presented by:

Dinesh O Bareja
CISA, CISM, ITIL

Open Security Alliance


(www.opensecurityalliance.org)
About Me (Warming Up)

Dinesh Bareja
BA, CISA, CISM, ITIL, BS 7799 (LA, Imp)

Engaged in continuous study and learning
Work in Information Security consulting, advisory and technical services; identifying emerging opportunities; strategic business planning; training, mentoring and awareness, and more
Past life (pre-.com) was spent in manufacturing, trading and exports.
Co-founder of the Indian Honeynet Project and Open Security Alliance, and actively involved with DSCI and other Information Security groups.

RGIT, Mumbai 02/24 www.opensecurityalliance.org


A Starting Thought (Warming Up)

"..... every human endeavour operates partly in light and partly in shadow; and, especially, in those fields that delve deeply into shadow, some succumb to temptation."
- Richard Power (Computerworld)


Covering your mistakes (Warming Up)


Some more (simpler) thoughts (Warming Up)

We have sidewalks but cannot walk on them!
In parks they say keep off the grass!
Cars at home, but driving is a killer
Using computers ... and there is the risk of everything going wrong
..
Rules, rules and more rules!!


My Rules (Warmed Up)

Don't be shy, ask questions (we have a lot of time)
Feel free to interrupt me
Nod intelligently even if you fall asleep
Correct me if I make a mistake (remember, I am in continuous learning mode)
Hijack this presentation and change it into a debate!
Don't take notes; this slide deck will be available on our website (or on the college file server)
There is no test at the end of this session. You get marks for being a good and interactive audience
Finally, please make sure your cellphones are in shivering (vibrate) mode! It is bad manners to make any odd sounds when people around you are trying to learn something


The What and Why of Information Security
Information Security Domains and Concepts
Standards, Guidelines and Frameworks
Proposition
Infosec Profession / Careers
Risks and Awareness


What

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide:

Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.
Availability: ensuring timely and reliable access to and use of information.


CIA in more detail

Confidentiality: Sensitive information must be available only to a set of predefined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
Integrity: Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
Availability: Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.
Continuity: Information should be continuously available to the business user, and this is ensured through appropriate business continuity and disaster preparedness.


The Need for IT Security, Governance

Security
Keeping IT Running
Aligning IT with Business
Managing Complexity
Regulatory Compliance
Value/Cost

Organizations require a structured approach for managing these and other challenges.
Source: ISACA
Why Information Security

Ensure availability of the business
Take care of the risk of loss of Confidentiality, Integrity and Availability of information assets
Protect data and information systems
Prevent brand and reputation loss
Increase productivity through best practices
Higher levels of assurance
Competitive advantage
Enable Business Continuity and Disaster Recovery
And for this we need Security Controls
Security Controls

Computer security is often divided into three distinct master categories, commonly referred to as controls:
Physical
Technical
Administrative

Physical controls are the implementation of security measures in a defined structure, used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:
Closed-circuit surveillance cameras
Motion or thermal alarm systems
Security guards
Picture IDs
Locked and dead-bolted steel doors
Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)

Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information, by such means as:
Training and awareness
Disaster preparedness and recovery plans
Personnel recruitment and separation strategies
Personnel registration and accounting

Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
Encryption
Smart cards
Network authentication
Access control lists (ACLs)
File integrity auditing software



Key Information Security Program Elements

The three elements are People, Process and Technology.

People
- Training
- Awareness
- HR Policies
- Background Checks
- Roles / responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt

Technology
- System Security
- UTM, Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assmt
- Penetration Testing
- Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services

Process
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak Prevention
- Access Management
- Change Management
- Patch Management
- Configuration Mgmt
- Incident Response
- Incident Management


Essential Information Security Practices

MANAGEMENT COMMITMENT
RISK MANAGEMENT
ASSET INVENTORY AND MANAGEMENT
CHANGE MANAGEMENT
INCIDENT RESPONSE AND MANAGEMENT
CONFIGURATION MANAGEMENT
TRAINING AND AWARENESS
CONTINUOUS AUDIT
METRICS AND MEASUREMENT
VULNERABILITY ASSESSMENT
PENETRATION TESTING
APPLICATION SECURITY TESTING
DEVICE MANAGEMENT
LOG MONITORING, ANALYSIS AND MANAGEMENT
SECURE DEVELOPMENT


Defining Information Assets

Tangible or intangible corporate assets

Hardware
Software
Data
Intellectual Property
Patents
Processes
Device Configurations
Plans
Designs / Blueprints



Risk Management

Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative).
Risk management : the identification, assessment, and prioritization of
risks followed by coordinated and economical application of resources
to minimize, monitor, and control the probability and/or impact of
unfortunate events or to maximize the realization of opportunities.
Risks can come from uncertainty in financial markets, project failures,
legal liabilities, credit risk, accidents, natural causes and disasters as
well as deliberate attacks from an adversary.
Strategies to manage risk :
Avoidance (eliminate, withdraw from or not become involved)
Reduction (optimise - mitigate)
Sharing (transfer - outsource or insure)
Retention (accept and budget)



Information Risks, Threats, Vulnerabilities

Web Application Vulnerabilities
Malware / Virus
DDoS attacks (Denial of Service)
Phishing, Vishing, Spear-Phishing
Social Engineering
Insider Threat
Software Vulnerabilities
Wireless
Botnets
Spam / Targeted mails
Social Networks
Murder
Reputation Loss
Scams
Identity Theft
Privacy Violation
The driver: Malicious Motivation

Criminal Intent
Coercion
Greed
Show Off
Revenge
Curiosity
... each of which leads to an Attack


Hackers n Crackers

During the 1960s, the word "hacker" grew to prominence describing a person with strong computer skills, an extensive understanding of how computer programs worked, and a driving curiosity about computer systems.
True hackers are computer programming enthusiasts who pushed computer systems to their limits without malicious intent and followed a hacker code of ethics.
They believed technical information should be freely available to any person, and they abided by a code of ethics that looked down upon destroying, moving, or altering information in a way that could cause injury or expense.
Hacking, however, soon became nearly synonymous with illegal activity. Negative publicity surrounding hackers continued to grow.


Hackers n Crackers

While the first incidents of hacking dealt with breaking into phone systems, hackers also began diving into computer systems as technology advanced.
Hacking became increasingly problematic during the 1980s and as a result, in the US, the Computer Fraud and Abuse Act was created, imposing more severe punishments for those caught abusing computer systems. In the early 1980s, the FBI made one of its first arrests related to hacking.
As a result, several hacker groups coined the term 'cracker' in 1985 to define a person who broke into computer systems and ignored hacker ethics; however, the media continued to use the word hacker.


Profiling ... the color of your hat!

White Hat
Also known as friendly hackers, they are always using their knowledge for good reasons.

Black Hat
Also known as crackers, these are the ones to watch out for: they send and make viruses, destroy data, deface websites and break into people's machines, along with other illegal activity. This type of hacker has a bad reputation.

Grey Hat
Borderline white/black hats. They sometimes prank unsuspecting users and cause general mayhem. While they think this kind of activity is harmless, they may face long periods of jail time if they ever get found out.

Not to forget the hatless..
- Script Kiddies
- The Hobbyist
- Insider
- Countries


Information Security is implemented in organizations based on Standards, Guidelines and Frameworks.
Other factors are Laws and Regulations, customer requirements, contractual standards etc.
All require the adoption of best practices.


Common Standards / Frameworks / Guidelines / Regulatory

ISO 27001:2005
PCI-DSS
CobiT
BS 25999
ISO 20000
ITIL
Clause 49 (SEBI Guideline, Government of India)
CTCL
NERC-CIP
Data Protection Act
IT Act and applicable Criminal / Civil legislation
HIPAA
GLBA
Sarbanes Oxley
Basel II
PCAOB
SAS 70
Privacy Laws (e.g. PIPEDA)
many more..


ISO 27001, BS 25999, CobiT, ITIL or ISO 20000

These are the most widely used and recognized standards for Information Security globally.
ISO 27001, CobiT etc. form the foundation of security for various other frameworks and regulatory requirements.


ISO 27001: 2005

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.


ISO 27001 Fundamental Principles

The ISMS follows the Plan-Do-Check-Act development, improvement and maintenance cycle:
Plan: Establish the ISMS (context and risk assessment)
Do: Design and implement the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
ITIL

The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing Information Technology (IT) services (ITSM), IT development and IT operations.
ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL is published in a series of books, each of which covers an IT management topic:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement


CobiT : Control Objectives for Information and related Technology

IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.
Business-focused
Process-oriented
Controls-based
Measurement-driven

Source: IT Governance Institute


CobiT Framework

BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES drive the framework: IT resources (Applications, Information, Infrastructure, People) are managed by IT processes to deliver information that meets the criteria of Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability. The processes fall into four domains.

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

Source: IT Governance Institute


BS 25999

The standard for Business Continuity Management.

Part 1 : Code of Practice
Section 1 - Scope and Applicability.
Section 2 - Terms and Definitions.
Section 3 - Overview of Business Continuity Management.
Section 4 - The Business Continuity Management Policy.
Section 5 - BCM Programme Management.
Section 6 - Understanding the organization.
Section 7 - Determining BCM Strategies.
Section 8 - Developing and implementing a BCM response.
Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture.
Section 10 - Embedding BCM into the organization's culture.
Part 2 : Specification
Section 1 - Scope.
Section 2 - Terms and Definitions.
Section 3 - Planning the Business Continuity Management System (PLAN).
Section 4 - Implementing and Operating the BCMS (DO).
Section 5 - Monitoring and Reviewing the BCMS (CHECK).
Section 6 - Maintaining and Improving the BCMS (ACT).




General information about data loss and breaches

Snapshot of security incidents reported to CERT/CC per year:
2003 - 137,529
2002 - 82,094
2001 - 52,658


Internet Users: Internet User Growth (chart)

http://www.bankinfosecurity.com/articles.php?art_id=1766

Data Breach Timeline (chart)


Size / Business Does Not Matter

Data Breach by industry type (chart)
Number of Employees by Percent of Breaches (chart)
13 percent of organizations had recently been merged or acquired

Source: Verizon 2009 Data Breach Investigations Report
Profession and Career

Statistics for online habits
Some common risks
What can you do for yourself, the college and the community


Information Security Certifications

ISACA - Information Systems Audit and Control Association
CISA - Certified Information Systems Auditor
CISM - Certified Information Security Manager
CGEIT - Certified in the Governance of Enterprise IT
CRISC - Certified in Risk and Information Systems Control
(ISC)²
CISSP - Certified Information Systems Security Professional
SSCP - Systems Security Certified Practitioner
Institute of Internal Auditors
CIA - Certified Internal Auditor
CGAP - Certified Government Auditing Professional
CFSA - Certified Financial Services Auditor
CCSA - Certification in Control Self-Assessment
PMI
PMP - Project Management Professional
The Security Industry Association (SIA)
CSPM - Certified Security Project Manager


Information Security Certifications

ITIL
ITIL Service Management Foundations Certificate
ITIL Service Manager
ITIL Practitioner
DRI - Institute for Continuity Management
ABCP - Associate Business Continuity Professional
CBCP - Certified Business Continuity Professional
CFCP - Certified Functional Continuity Professional
MBCP - Master Business Continuity Professional
Association of Certified Fraud Examiners (ACFE)
CFE - Certified Fraud Examiner
Forensics - EnCase
EnCE - EnCase Certified Examiner
Cisco
CCSP - Cisco Certified Security Professional


Career Specializations

1. Computer forensics - Learn forensic investigation tools and techniques to investigate cyber crimes and financial crimes.

2. IT security auditor - Focus on auditing capabilities. As part of this, you must explore platforms like mainframes, SAP, and core banking platforms as your areas of expertise.

3. Application security specialist - Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modelling.

4. Compliance specialist - Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley.

5. Security solutions architect - Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure.

6. Security trainer - Focus on spreading knowledge about information security, and create awareness at all levels.

7. Cyber law expert - Combine knowledge of the Indian IT Act (as amended in 2008) with IT knowledge and forensics know-how.


Some Required Skills or Traits

1. High level of passion - Security changes on an almost daily basis; there are new tools, attack vectors, and vulnerabilities being discovered almost hourly. A security professional can remain ahead of the game only by constantly updating himself, and this requires a high amount of passion for the field.

2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional.

3. A never-say-die attitude - Security issues are typically complex, and often there are no easy solutions. Quite often, the situations are also very high-pressure: the client's been hacked, or someone inside leaked out critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem, and is willing to do what it takes to be resourceful in finding the right one.

4. Grasp of a wide range of subjects - Security is not just about policies and procedures or buffer overflows or SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed with a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance, and physical security.


Technology Skills

Application Development
Secure SDLC
Networking
Vulnerability Assessment
Penetration Testing
System Hardening
Device Support
Wireless Security

On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.


Risks and Awareness

Common and uncommon Risks
Statistics about online habits
What can you do for yourself, the college and the community


What Can You Do

Cyber Security (virus, online habits, filesharing etc.)
Cyberethics (copying and use of IP)
Cybersafety (identity protection, cyber bullying etc.)
Educate your friends and family (trojans, keyloggers, phishing, scams)
Secure home computers, your own and those of family/friends (wireless, backup etc.)
Take care of your Social Networking risks


Securing Yourself

Common Sense
Awareness
Regularly update patches
Anti-virus, anti-spyware
Be careful on P2P filesharing .. what you download
Read the computer message(s)
Don't blindly click next > next > next
Be careful when you read email, especially if it belongs to someone else
Don't try to open every attachment
Keep your password to yourself
Cybersecurity, Cyberethics, Cybersafety
In Simple Words
(image: Noticebored)

Refer TOI today
(image: Noticebored)

How many friends are online and in real life

So what have you done online lately

I have connected with old friends online
Rekindled a relationship online
Shared a secret or two or some personal stuff online

Some online habits
(images: Noticebored)




What Can You Do (2)

Think out of the box


Evaluate tools and technologies as part of your projects
Develop tools and scripts
Share findings with industry, government and law
enforcement
Research and study malware trends, defense methods
Create a virtual library of your work so your peers and
followers will also benefit
Institutional security policies and procedures
Conduct network assessments in the college from time to
time and share the findings with all



Future trends / opportunities

Social networking compliance assurance


Unified communication
Microblogging
Intelligent search
Mobile apps



Case Study

Factual Facebook Hack Case Study
http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html
Twitter Hack
Hotmail Outage leads to malware offering sites
Clicking Blindly


About Us
Some information about Open Security Alliance


Open Security Alliance

A small group of professionals working in Information Security got together to discuss life beyond the technical stuff which non-techies find difficult to understand.
So these guys got together to work under the OSA banner to present risks, threats and vulnerabilities in an easy and understandable language, just to make sure the non-geek understands the problems as well and gets as scared as the IS guy.

OSA - an open community of individuals who are committed to providing the benefit of their knowledge and expertise to the community.
OSA - individual initiatives to undertake research and studies in Information Security (India centric), then provide learning to the community.
The underlying thought is to Be The Change.


Contact Information

Dinesh O Bareja
M: +91.9769890505
E: dineshbareja AT gmail DOT com
E: dinesh AT opensecurityalliance DOT org
Twitter: @bizsprite
Linked In (India Information Security Community)



Conclusion

Questions and Discussion

Thank You !



Disclaimer & Copyright

All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them.
Use of any materials by virtue of relationships and associations, if any, is mentioned explicitly.
We have taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials, kindly communicate the same to us at issues AT opensecurityalliance DOT org
Any omissions, in terms of attribution, may be due to an error on our part and not intentional.

This document is a creation of Dinesh Bareja (securians.com) and is released under the Creative Commons License (Attribution-Noncommercial-ShareAlike 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/.
Disclaimer: The practices listed in the document are provided as is and as guidance, and the authors do not claim that these comprise the only practices to be followed. Readers are urged to make informed decisions in their usage. Feedback is solicited and you can access other topics at our website www.opensecurityalliance.org
Contributors: Dinesh O Bareja. Reviewers: Vicky Shah
Title: Information Security: the profession; concepts, risks and more..
Version: 1.0 / February 2010


References

Educause Video Contest: http://www.educause.edu/SecurityVideoContest
CERT
India CERT
NIST
OWASP
SANS


Social Networking Case Study : Facebook Hack

The threat from social networks comes from social engineering: employees post company information, the attacker collects it during reconnaissance, then infiltrates the social network that exists between the employees and uses that trust to phish for VPN passwords or any other information.

The Facebook hack case study is from an assignment carried out by SnoSoft and presents a unique insight into the threats and risks exposed on such sites.


Facebook Hack Step 1 : Reconnaissance

Conduct Social and Technical Reconnaissance

Social
1400 employees identified through the internet, of which 900 used social networking sites like Facebook, Orkut, LinkedIn, MySpace etc.
Studied about 200 profiles and created a false identity
Technical
Probed the corporate website and identified Cross-Site Scripting vulnerabilities (which the researchers expected and hoped to find)

A Cross-site scripting ("XSS") vulnerability is most frequently discovered in websites that do not have sufficient input validation or output encoding of user-supplied data. XSS vulnerabilities allow an attacker to inject code into a website that is viewed by other users. This injection can be done server side, by saving the injected code on the server (in a forum, blog, etc.; "stored" XSS), or client side, by injecting the code into a specially crafted URL that can be delivered to a victim ("reflected" XSS).


Facebook Hack Step 2: Setup

Used a client side attack as opposed to a server side attack because it enabled the selection of only those users that we are interested in attacking. Server side attacks are not as surgical and usually affect any user who views the compromised server page.
A payload is created and was designed to render a legitimate looking https secured web page that appeared to be a component of the customer's web site. When a victim clicks on the specially crafted link the payload is executed and the fake web page is rendered.
In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided.
When the user's credentials are entered the form submitted them to http://www.netragard.com and they were extracted by an automated tool that had been created.



Facebook Hack Step 3: Create Profile

After the payload was created and tested we started the process of building an easy to trust Facebook profile.
Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female.
A fitting photograph was found by searching Google Images and used for the fake Facebook profile.
The profile was populated with information about our experiences at work by using combined stories that were collected from real employee Facebook profiles.




Facebook Hack Step 4: Attack Launch

Upon completion we joined the company Facebook group.
The joining request was approved in a matter of hours, and within twenty minutes of being accepted as group members, legitimate customer employees began sending friendship requests.
In addition we made hundreds of outbound requests.
The friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.
Having collected a few hundred friends, we began chatting.


Facebook Hack Step 5: Attack On

Conversations were based on work related issues that we were able to collect from legitimate employee profiles.
After a period of three days of conversing and sharing links, we posted our specially crafted link to our Facebook profile.
The title of the link was "Omigawd have you seen this I think we got hacked!"
... and people started clicking on the link and verifying their credentials.
Ironically, the first set of credentials that we got belonged to the hiring manager.


Facebook Hack Step 6: Success

Using those credentials one had access to the web VPN, which in turn gave access to the network.
Those credentials also allowed access to a majority of systems on the network, including the Active Directory server, the mainframe, pump control systems, the Check Point firewall console, etc.

The Facebook hack has worked.


Hotmail Outage

Tuesday, February 16, 2010
Hotmail Users Look for Answers in Dangerous Places

An outage of the Windows Live ID service affected a large number of MSN users today, including users of the popular Hotmail email service. Hotmail is one of the largest web based email outlets and, not surprisingly, news of the outage spread quickly as users were not able to access their email.

Those hoping to find more information on Google may have ended up with more than they bargained for. Blackhats have once again worked their magic to infect users looking for news related to the outage. In fact, 8 out of the top 10 results for "hotmail service unavailable" returned dangerous URLs.


Le Twitter Hack
(From lalawaq.com)


Clicking Blindly
Case Study : Clicking blindly!

Settled in for a nice bit of surfing in the library!
Study! Ah hah! Just don't click the link blindly!
Whoops! That's a big load of malware you just got
From EDUCAUSE, with sound effects!
You don't want to look like this!