Friday, March 21, 2014

[Quote] The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick


“… because the human factor is truly security’s weakest link.”
“Anyone who thinks that security products alone offer true security is settling for the illusion of security.”
“Security is not a product. It’s a process. Moreover, security is not a technology problem. It’s a people and management problem.”
--Bruce Schneier
“Many people look around until they find a better deal; social engineers don’t look for a better deal, they find a way to make a deal better.”

Tuesday, March 18, 2014

Part V-2: Security Awareness Training


     Security awareness training needs to be customized to fit its target groups. These groups include, but are not limited to, managers, IT personnel, computer users, non-technical personnel, administrative assistants, receptionists, and security guards.

     Unfortunately, security awareness training is usually quite boring. So you need to focus on the most important thing, which is to motivate employees to enforce security measures. You may assign role plays during the training to keep the class engaged. In the end, you might let the class help each other figure out the security measures that would counter a given attack.

Friday, March 14, 2014

Part V-1: Corporate Information Security Policy


Attacks Seem Less Frequent Than They Are Because ….

Nine out of ten companies have been attacked, but only one out of three reports security incidents. There are several reasons for this. Here are a few:
  • The company might not know about the incidents.
  • The incidents tarnish the company’s reputation.
  • Reporting the incidents may attract more attackers.

Tuesday, March 11, 2014

Part IV: Miscellaneous Security Tips


The Irony of High Security

Is having sophisticated equipment to secure the company a good thing? Maybe. Maybe not. If you think about it, serial killers cannot resist the urge to kill someone. Hackers cannot resist breaking into a highly secured place. The higher the security, the more exciting and challenging it is. If hackers were bees, your highly secured system would smell like honey to them.

Using Credit Cards

     In the US, you are liable for at most the first $50 if someone steals your credit card and uses it at their leisure. Yet a lot of people still don’t feel comfortable using their credit cards online. On the other hand, they feel safer using credit cards offline. They hand their credit cards to waiters or waitresses when they pay the bill, and never worry whether the waiter or waitress might write down the card number for their own use.

Friday, March 7, 2014

Part III-3: Security Software


Name                                    Description
Default passwords for common hardware   Available at
Anti-Trojan software                    The Cleaner, available at
                                        Trojan Defense Sweep, available at
ClearLogs                               Erases audit logs, available at
Enumeration                             Reveals open ports and services, available at
pwdump3                                 Downloads unprotected password hashes from computers
L0phtcrack3 (‘loft-crack’)*             Brute-force password guessing, available at
Elcomsoft*                              Brute-force password guessing, available at

*Capable of 2.8 million guesses per second on a 1 GHz machine

Tuesday, March 4, 2014

Part III-2: Security Best Practice


Context of Innocuous Information

Again, the sensitivity of information depends on the context. Social engineers usually create a context in which information is likely to be disclosed (e.g., claiming to be an employee working in the field).
It is very difficult to verify the context over the phone. So do not give out information over the phone, whether it seems sensitive or innocuous, unless you recognize the voice on the other end AND the other party has a need to know.