
Tuesday, 1 September 2015

Social engineering - a fundamental threat to information security


What exactly is social engineering?

August 26, 2015 by Rebecca Moran  
© 2003-2015 IT Governance Ltd 

This blog entry was submitted by one of our guest bloggers. The author’s views are entirely her own and may not reflect the views of IT Governance.

Human beings, as we well know, are flawed. Our brains are governed by a complex mix of emotions and (hopefully) rational thought processes; this makes us vulnerable to those who wish to exploit us – it means that we can be hacked.

How do you hack a human brain?
It’s simple if you understand human behaviour. Bugs in our “human hardware” can be exploited using technical and non-technical techniques; these techniques can inspire fear or curiosity, but almost always aim to have the target do something they probably shouldn’t.
It’s often said that the simplest way to get your password or hack your computer is just to ask. It could be in normal conversation, via a social media site, for example. I could send you a friend request on Facebook and quickly enter into a conversation with you about friends and family. This is a fairly normal introductory conversation, one that you will expect, and in that conversation you may tell me about your children’s names or your football team – you may even mention your partner’s birthday coming up at the weekend. If you happen to use any of this information as a memorable password or recovery question, then you’re now in trouble.
After one conversation I have a lot of information about you – and that information can be used to steal from you, to commit fraud in your name, to break into your social networking profiles and much, much more. It was easy because you made it easy. I’ll keep talking to you until I have what I want.

Social engineering comes in many forms
There are other forms of social engineering that can be harder to spot. Phishing emails are a good example. It’s quite easy to design an email that looks like it came from your bank; the script may go something like this: “We have detected fraudulent activity on your online banking account. Please click the following link to change your password.” Then a link is provided. The email looks legitimate, it has the bank’s logo on it, and the email sender looks correct so you follow the link to a website that looks just like your bank’s website and enter your details in order to change your password.
The problem is… that email wasn’t from your bank, and the link did not take you to your banking page. It took you to a fake website mimicking the real website’s look and feel, and you just gave the fraudsters the login details for your online banking. You did it because it looked real and you were scared that someone was going to take your money – but instead you walked straight into a trap. Sometimes the emails come with a phone number to call that leads you to an interactive voice system, just like your bank’s. You are asked to enter your bank account number and your sort code, and to divulge digits of your access code – little realising that you are giving this information straight to the criminals.

Quid pro quo is another favourite
Get something, give something. Often referred to as ‘vishing’ or ‘phone spoofing’, this involves criminal hackers telephoning your company and asking to be put through to various members of staff. The recipient of the call will be told “this is IT support” or similar, and eventually the criminals get through to someone who actually has a technical issue. This person will be grateful for the call because they believe someone is there to help them. At this point, they can be asked to do ANYTHING on their computer. They can be guided to a website that’s been designed to steal access information and could even infect your company’s systems with malicious code. The user won’t have a clue because they believe that they are being helped.
The bottom line is that your organisation could spend a small fortune purchasing technology to mitigate cyber risk, yet you remain completely vulnerable because you haven’t educated your staff or addressed and altered common behaviours.

So, who are these human hackers?
They could be anyone: black-hat hackers, spies, disgruntled employees, scam artists, information brokers and everyday people, and they’re good at what they do. They have mastered the art of gathering information and they’re fully aware that their victims are not as educated as they should be. They know that this is an easy job and it pays well.

How do we defend ourselves against this daily threat? How do we prevent ourselves from becoming another cyber victim? 
Quite simply: be aware.
Understanding social engineering is the first step; questioning everything is the second. Organisations should implement continuous training and awareness programmes, and should recognise and address their biggest risk: their own employees. All staff should be made aware of how they can be targeted by hackers and they should be shown how easy it is to extract information. People who understand the risks and methods used to exploit human vulnerabilities are better equipped to fight them. Don’t let your organisation fall foul of social engineering; instead, ensure that your staff know exactly what they are up against.
Use email certificates to prevent phishing, install antivirus software and keep it up to date, teach your staff how to verify that callers and emails are legitimate. Ensure that your network prevents the use of unauthorised websites. Above all – educate your staff.

Monday, 31 August 2015

Cyber security and ISO 27001



CYBER SECURITY & ISO 27001

A SHORT INTRODUCTION 

August 2015
IT Governance Green Paper
© IT Governance Ltd 2015

Don’t risk it – cyber secure it with ISO 27001!

Introduction 
Automated cyber attacks are increasing in frequency and severity at an alarming rate, jeopardising the success of businesses of all sizes and sectors. According to the Department of Business, Innovation & Skills’ 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small businesses suffered a security breach last year. The urgent need to protect their information – and, moreover, to be seen to be protecting it – is therefore motivating more and more companies to achieve accredited certification to the international standard for cyber security, ISO 27001. ISO 27001 certification enables organisations to demonstrate an accredited level of cyber security that will assure their boards, customers, stakeholders and staff that they are following international best practice, and thereby preventing devastating cyber attacks.

The cyber threat landscape 
Automated attacks are indiscriminate and easy to instigate, meaning every website – and every business – is equally at risk. Even if you don’t store financial information such as customer payment details, the data you do hold – such as username and login credentials, employee payroll details, proprietary data or client information – has a value to cyber criminals. Your website could also be used as a means of attacking a larger organisation in the supply chain: many massive hacks on big companies are known to have been perpetrated as a direct result of initial attacks on smaller third-party suppliers. Most alarmingly, it’s statistically likely that you’ve already been successfully attacked but don’t know about it: the 2015 Trustwave Global Security Report found that 81% of breached companies did not detect the breach themselves.

Vulnerabilities 
Many SME websites use common, off-the-shelf content management system (CMS) platforms, software, applications and plugins, which often contain vulnerabilities that can be exploited by criminal hackers. If another website has been compromised and login details have been stolen, criminals will also automate attacks using the username/password combinations they have gained to see what else they can gain access to. Password reuse is rife, so the statistical chances of criminals gaining access to multiple sites with a single set of stolen credentials are vast. The threat you face as a direct result of the malicious or unwitting conduct of your own staff or suppliers is also regularly cited as one of the main security risks to companies: the IBM X-Force Threat Intelligence Quarterly report for 2Q 2015 found that 95% of insider breaches were the result of human error, such as clicking on malicious links in phishing emails.

ISO 27001 
ISO 27001 is a technology-neutral and vendor-agnostic international standard that sets out the specifications of a best-practice information security management system (ISMS) – a risk-based approach to security specific to the organisation that implements and maintains it. An ISMS addresses people, processes and technology, reflecting the fact that cyber security threats are not solely technological in nature, but affect the whole organisation. By dint of this enterprise-wide approach, an ISO 27001-compliant ISMS will enable an organisation to mitigate the cyber security risks it faces with appropriate controls, limiting the threats posed by untrained staff, inadequate procedures, uncontrolled access rights, and out-of-date software solutions. Not only does every organisation have its own specific business model, objectives, unique selling points and culture, it also has its own appetite for risk. ISO 27001 therefore stipulates that every ISMS must be based on the outcome of a risk assessment, ensuring that each ISMS meets the individual requirements of the organisation that implements and maintains it.

Business value of ISO 27001 certification 
In the UK, ISO 27001 certification is already a requirement of many business relationships: certain government contracts require tendering organisations to be ISO 27001-certified; ISO 27001 is the basis of G-Cloud accreditation; the NHS's Information Governance Toolkit is based on ISO 27001; and the Gambling Commission's remote gambling and software technical standards reflect ISO 27001. ISO 27001 supports compliance with international standards such as the PCI DSS, laws including the UK’s Data Protection Act 1998 (DPA) and the EU’s forthcoming General Data Protection Regulation (GDPR), and, in the US, state data breach notification laws and industry-specific federal regulations such as FISMA, the GLBA, HIPAA and SOX.

The market value of certification 
As well as helping you to protect your information and comply with data handling laws, there is a distinct market value to ISO 27001 certification. Certification provides a valuable and visible proof of your organisation’s willingness to meet internationally accepted data security standards. Achieving certification to ISO 27001 is not simply marketing: as nations implement their own data protection, your organisation’s ability to prove that it complies with ISO 27001 is likely to open business opportunities across the globe. 

International recognition 
Certification to ISO 27001 is achieved through auditing by an accredited third party. In the UK, the accreditation of certification bodies is handled by the United Kingdom Accreditation Service (UKAS), which maintains a list of all organisations qualified to certify ISO 27001. Through a number of agreements with other international bodies, a certification in the UK is recognised across the globe. The International Accreditation Forum (IAF) ensures that ISO 27001 certification is recognised across the world through a mutual recognition arrangement, agreed by more than 60 national accreditation bodies. Many markets have already shown a desire for ISO 27001 certification: according to the latest ISO survey, nearly 23,000 organisations worldwide have achieved certification to ISO 27001.

ISO 27001 implementation 
Although implementing an ISO 27001-compliant ISMS necessarily involves the whole organisation, it needn't be a complicated process; indeed, for some organisations it could be as straightforward as organising documentation and bringing policies and processes into line with the Standard’s requirements. The right route to certification for you depends on your budget, experience and available resources. Take advantage of our free, no-obligation 15-minute consultation to talk about what is right for you.
