Saturday, September 14, 2019
Social Engineering
Identity Theft: Social Engineering
December 5, 2011
Daniel Sama & Stacey Smith Sr
Computer Ethics CIS-324, Fall 2011
Strayer University

Abstract

Social Engineering from the outset may seem like a topic one might hear when talking about sociology or psychology, when in fact it is a form of identity theft. To an information technology (IT) professional, Social Engineering is a form of voluntary, unintentional identity theft. Many victims fail to realize they are being victimized until it is too late, while many others may never know. This paper will provide a definition of social engineering as it applies to information technology while introducing some of the pioneers of social engineering; those who have, essentially, written the book on social engineering. We will provide real-world examples of how social engineers apply their trade and provide important points to consider with regard to social engineering attacks. In conclusion we will propose countermeasures which individuals and organizations should take in order to guard against social engineering.

Social Engineering as defined by IT professionals is the practice of deceiving someone, either in person, over the phone or using a computer, with the express intent of breaching some level of security, either personal or professional (Ledford, 2011). Implementing quality risk analysis solutions while maintaining data integrity is a crucial element of successful system modeling; within the context of social engineering in the workplace, there are several factors that can make implementing those solutions rather challenging. Social engineering is a type of intrusion which relies heavily on human interaction and usually involves tricking other people into breaking normal, everyday security policies. Social engineers (SEs) often prey on the natural helpfulness of other people.
When analyzing and attempting to conduct a particular attack, an SE will commonly appeal to vanity or authority as well as simple eavesdropping to acquire the desired information. Social engineering, in a nutshell, is a hacker’s clever manipulation of the natural human tendency to trust. This will provide the unauthorized access to the valued information, system or machine. “Never interrupt your enemy when he is making a mistake” (Bonaparte, n.d.). This is a mantra for all successful SEs, as they take any and all information about and from a target for later use against said target. The SE will gather as much information as possible about their target in advance, most of which is readily available online, usually with just a few keystrokes; anything from hobbies to their favorite lunchtime meal. This information helps build a connection and instills trust with the target. With this trust, seemingly innocuous information will come flooding out of the target. Akin to fictional spies like James Bond and Michael Westen, SEs assume a persona that is not their own and attempt to establish with their target a reasonable justification to fulfill a request. The aforementioned tactics allow the SE to maintain the facade and leave an out to avoid burning his or her information source. Bottom line: a good SE is a good actor.

“All of the firewalls and encryption in the world will never stop a gifted social engineer from rifling a corporate database or an irate employee from crashing the system,” says pioneer Kevin Mitnick, the world’s most celebrated hacker who popularized the term. Mitnick firmly states in his two books The Art of Deception and The Art of Intrusion that it’s much easier to trick someone into giving a password for a system than spending the time using a brute force hack or other more traditional means to compromise the integrity of sensitive data.
Mitnick, who was a world-famous, controversial computer hacker in the late 1980s, was sentenced to 46 months in prison for hacking into the Pacific Bell telephone systems while evading the Federal Bureau of Investigation (FBI). The notorious hacker also allegedly wiretapped the California Department of Motor Vehicles (DMV) and compromised the FBI’s and Pentagon’s systems. This led Mitnick to spend the majority of his time incarcerated in solitary confinement due to the government’s fear of him attempting to gain control of more sensitive information. Mitnick states in both of his aforementioned books that he compromised computers solely by using passwords and codes acquired as a result of social engineering. As a result, Mitnick was restricted from using any forms of technology upon his release from prison until approximately 5 years ago. Kevin Mitnick is now the CEO of Mitnick Security Consulting, a computer security consultancy.

Social engineering awareness is being addressed at the enterprise level as a vital corporate security initiative. Security experts advise that a properly trained staff, not technology, is the best asset against social engineering attacks on sensitive information. The importance placed upon security policies is imperative when attempting to combat this type of attack. Combat strategies require action on both physical and psychological levels. This form appeals to hackers because the Internet is so widely used and it evades all intrusion detection systems. Social engineering is also a desirable method for hackers because of the low risk and low cost involved. There are no compatibility issues with social engineering; it works on every operating system. There’s no audit trail, and if executed properly its effects can be completely devastating to the target. These attacks are real and staggering to any company, which is why strong corporate policies should be measured by access control and implementing specific procedures.
One of the advantages of having such policies in place is that it negates the responsibility of an employee having to make a judgment call or use discretion regarding a social engineer’s request. Companies and their staffs have become much too relaxed as it pertains to corporate security initiatives. These attacks can potentially be costly and unnerving to management as well as the IT department.

Social engineering attacks commonly take place on two different levels: physical and psychological. Physical settings for these attacks can be anything from your office, your trash, over the telephone and even online. A rudimentary, common form of a social engineering attack is social engineering by telephone. Clever social engineers will attempt to target the company’s help desk while fooling the help desk representative into believing they are calling from inside the company. Help desks are specifically the most vulnerable to social engineering attacks since these employees are trained to be accommodating, be friendly and give out information. Help desk employees are minimally educated and get paid a below-average salary, so it is common for these individuals to answer one question and move right along to the next. This can potentially create an alarming security hole when the proper security initiative is not properly set into place. A classic example of this would be an SE calling the company operator and saying something like “Hi, I’m your AT&T rep; I’m stuck on a pole. I need you to punch a few buttons for me.” This type of attack is directed at the company’s help desk environment and is nearly always successful.

Other forms of attack target those in charge of making multi-million dollar decisions for corporations, namely the CEOs and CFOs. A clever SE can get either one of these individuals to willingly offer information pertinent to hacking into a corporation’s network infrastructure.
Though cases such as these are rarely documented, they still occur. Corporations spend millions of dollars to test for these kinds of attacks. Individuals who perform this specialized testing are referred to as Social Engineering Auditors. One of the premier SE Auditors in the industry today is Chris Hadnagy. Hadnagy states that on any given assignment, all he has to do is perform a bit of research on the key players in the company before he is ready to strike. In most cases he will play a sympathy card, pretending to be a member of a charity the CEO or CFO may belong to and make regular donations to.

In one case, he called a CEO of a corporation pretending to be a fundraiser for a charity the CEO contributed to in the past. He stated they were having a raffle drawing and named off prizes such as major league game tickets and gift cards to a few restaurants, one of which happened to be a favorite of the CEO. When he was finished explaining all the prizes available he asked if it would be alright to email a flier outlining all the prizes up for grabs in a PDF. The CEO agreed and willingly gave Hadnagy his corporate email address. Hadnagy further asked for the version of Adobe Reader the company used, under the guise that he wanted to make sure he was sending a PDF the CEO could read. The CEO willingly gave this information up. With this information he was able to send a PDF with malicious code embedded that gave him unfettered access to the CEO’s machine and in essence the company’s servers (Goodchild, 2011).

Not all SE attacks occur completely over the phone. Another case that Hadnagy reports on occurred at a theme park. The back story on this case is that he was hired by a major theme park concerned about software security, as their guest check-in computers were linked with corporate servers, and if the check-in computers were compromised a serious data breach might occur (Goodchild, 2011).
Hadnagy started this attack by first calling the park posing as a software salesman, peddling newer PDF-reading software which he was offering free on a trial basis. From this phone call he was able to obtain the version of PDF reader the park utilized and put the rest of his plan in action. He next headed to the park with his family, walking up to one of the employees at guest services and asking if he could use one of their terminals to access his email. He was allowed to access his email to print off a coupon for admission to the park that day. This email also allowed him to embed malicious code onto the servers, and he once again gained unfettered access to the park’s servers.

Hadnagy proposes six points to ponder in regard to social engineering attacks:

* No information, regardless of its personal or emotional nature, is off limits for an SE seeking to do harm.
* It is often the person who thinks he is most secure who poses the biggest vulnerability to an organization. Executives are the easiest SE marks.
* An organization’s security policy is only as good as its enforcement.
* SEs will often play to the employees’ good nature and desire to be helpful.
* Social Engineering should be a part of an organization’s defense strategy.
* SEs will often go for the low-hanging fruit. Everyone is a target if security is low.

The first countermeasure of social engineering prevention begins with security policies. Employee training is essential in combating even the most cunning and sly social engineers. Just like social engineering itself, training on a psychological and physical basis is required to alleviate these attacks. Training must begin at the top with management. All management must understand that social engineering attacks stem from both a psychological and physical angle; therefore they must implement adequate policies that can mitigate the damage from an attacker while having a robust, enforceable penalty process for those that violate those policies.
Access control is a good place to start when applying these policies. A competent system administrator and his IT department should work cooperatively with management in hashing out policies that control and limit users’ permission to sensitive data. This will negate the responsibility on the part of an average employee from having to exercise personal judgment and discretion when a potential attack may occur. When suspicious calls for information occur within the company, the employee should keep three questions in mind:

1. Does the person asking deserve this information?
2. Why is she/he asking for it?
3. What are the possible repercussions of giving up the requested information?

If there is a strong policy in place with enforceable penalties, these questions will help to reduce the potential for an SE attack (Scher, 2011).

Another countermeasure against a social engineering attack is to limit the amount of information easily available online. With Facebook, Twitter, Foursquare and the like, there is an overabundance of information readily available at any given moment online. Drastically limiting the amount of information available online makes the SE’s task of information gathering that much more difficult.

Throughout all of the tactics and strategies utilized when cultivating social engineering expertise, it’s extremely difficult to combat human error. So when implementing employee access control and information security, it is important to remember that everyone is human. This type of awareness can also be costly, so it’s important to adopt a practical approach to fighting social engineering. Balancing company morale and a pleasant work environment is a common difficulty when dealing with social engineering prevention and awareness. It is vital to keep in perspective that the threat of social engineering is very real and everyone is a potential target.

References

Bonaparte, N. (n.d.). BrainyQuote.com. Retrieved December 6, 2011, from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/authors/n/napoleon_bonaparte_3.html

Goodchild, J. (2011). Social Engineering: 3 Examples of Human Hacking. Retrieved November 28, 2011, from www.csoonline.com Web site: http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking

Fadia, A. and Manu, Z. (2008). Networking Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection. Boston, Massachusetts: Thompson Course Technology.

Ledford, J. (2011). Identity Theft 101, Social Engineering. Retrieved from About.com on December 1, 2011. Retrieved from: http://www.idtheft.about.com/od/glossary/g/Social_Enginneering.htm

Long, J. and Mitnick, K. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Burlington, Massachusetts: Syngress Publishing Inc.

Mann, I. Hacking the Human. Burlington, Vermont: Gower Publishing, 2008.

Mitnick, K. and Simon, W. The Art of Deception. Indianapolis, Indiana: Wiley Publishing Inc. 2002.

Mitnick, K. and Simon, W. (2006). The Art of Intrusion. Indianapolis, Indiana: Wiley Publishing Inc.

Scher, R. (2011). Is This the Most Dangerous Man in America? Security Specialist Breaches Networks for Fun & Profit. Retrieved from ComputerPowerUser.com on November 29, 2011. Retrieved from: http://www.social-engineer.org/resources/CPU-MostDangerousMan.pdf
Friday, September 13, 2019
HIST - American History Since 1865 Research Paper
It is the legacy of that decision which since 1945 has come to have a variety of interpretations among both laymen and scholars alike. Despite the ensuing controversy, the bombing of Nagasaki was both necessary and militarily expedient. Shortly after the Hiroshima bombing President Truman addressed the American people regarding his decision and the implications it and nuclear weapons would have for the future of the country and the world. …It was to spare the Japanese people from utter destruction that the ultimatum of July 26 was issued at Potsdam. Their leaders promptly rejected that ultimatum. If they do not now accept our terms they may expect a rain of ruin from the air, the like of which has never been seen on this earth.2 The President in no uncertain terms sought to justify his decision as one that would prevent the costly use of manpower needed to carry out an amphibious invasion of Japan. This comes as little surprise given that by 1945 some “7,000 American families had already sacrificed two or more of their boys for freedom.”3 Many Americans had grown tired of the war, then in its fourth year. Truman made it clear that his decision stemmed from the sole desire to utterly destroy and annihilate Japan’s war-making capacity and shock that country into surrender. The decision to bomb Nagasaki therefore was a pragmatic one. Secretary of War at the time, Henry L. Stimson, played a major role in the decision to use the bomb on both Hiroshima and Nagasaki. A recent biography of Stimson by Prof. Sean L. Malloy has claimed that Stimson took part in the most significant foreign policy decision of the twentieth century: “to use nuclear weapons against Japan and as a diplomatic tool against the Soviet Union.”4 Revisionist historians have long sought to claim that the use of the bomb was to intimidate the USSR and not due to real military needs.
Many historians today look to Truman and Stimson as being the two biggest factors in the decision to use the bomb. They assert the president’s role by virtue of his office and Stimson’s role by virtue of his political influence with the president. Stimson supported both Truman’s reasoning and his decision. The fact that he saw the practical effects of the bomb for diplomatic and political ends after the war is not surprising. Given that the post-war world was shaping up to be one dominated by the US, a weakened Britain, and a war-ready and war-ravaged Soviet Union, men like Stimson (who had far more foreign policy experience than Truman) were well aware of the implications of atomic weaponry. And yet the war in the Pacific Theatre had been an especially sanguine one. This is not to say that the European Theatre was nothing to fret about; after all, death and mayhem are, in the end, death and mayhem. Many accounts of American soldiers who fought in both Europe and the Pacific often detail the outright perseverance, refusal to surrender, fight-til-death mentality of the Japanese as being somehow more pronounced than in other armies’ soldiers. Japanese tenacity was well demonstrated, and DOWNFALL (the code name for an invasion of Japan) assumed a death toll of at least 500,000 and as much as 1 million.5 The unanimity of Japanese defense commanders is striking. Navy and air commanders presided over mere remnants of their forces, but the Japanese spirit, and their suicide devices, still gave them hope. The army, short as it was of fuel, was almost manic because of its powerful defense of
Thursday, September 12, 2019
Jet Blue Essay Example | Topics and Well Written Essays - 1250 words
The resources are many in the JetBlue atmosphere, including the opportunities brought on by the shareholders invested in JetBlue, JP Morgan or LiveTV, the wholly owned JetBlue subsidiary. It seems as though JetBlue has access to many perks based on affiliated companies and partnerships, and works hard to make new partnerships available to learn about and, for those who own a company, to participate in. This directly reflects the internal environment of JetBlue, which is based on the strengths of the business being interconnected and in touch with the consumer and corporate strata. At the same time, the website isn’t wholly specific about what resources are directly used in forming the company or its core values, but JetBlue places a lot of emphasis on confidentiality, so it isn’t a huge surprise that this information isn’t readily volunteered. The capabilities of JetBlue seem staggering, as the company has only been around ten years and already they’ve become a leading provider of commercial aviation services. Along with being capable of making more corporate alliances and growing as a business, JetBlue also has the capability to serve as an example of a progressive company environment, as shown in the company’s “Code of Ethics,” community relations and “Code of Business Conduct.” These points of reference on the website emphasize diversity, company loyalty and a charitableness to the human condition that goes far beyond expectation. For example, there is a specific page on the JetBlue website where you can apply to be a part of the “we care” program, an opportunity for charities to submit to be on the website and to have customers donate to their causes, if the causes are in alignment with JetBlue’s core values. The core competencies of JetBlue seem to be in order, as well. The JetBlue Airways “Customer Bill of Rights” outlines the
Wednesday, September 11, 2019
Out-of Control Interview Assignment Example | Topics and Well Written Essays - 1000 words
Maria’s being able to take a job as a waitress in a hotel, even though she is such an intelligent person, just shows how non-selective she is when it comes to doing anything to survive. She is therefore depicted as one who is driven by her goals and will do anything to achieve them. She can be useful to the organization in case she is employed there, since she will ensure she does what it takes in order to achieve what they want. As for the carelessness of the firm’s management with their questions, it actually reflected a well-thought-out interview. Most interviews are known for just touching on what people expect out of the interview, such as questions about one’s career, skills, and experience. A person is always fully prepared, even to tell a lie, when it comes to being tested on the usual aspects they expect out of an interview. Therefore, for the management to really realize your real character, thought and skills of critical thinking, it is very important that they make the interview appear as though they are not even serious about it, or have careless questions in between. In this way, one will be taken out of their already thought-out answers, which might not be true, to show the panel exactly what you are. As you try to respond to the careless questions they throw at you, they also get the chance to study your reaction, which gives them a chance to make their informed decision about you. Maria must have regarded the carelessness of the management seriously and decided to be herself in responding to such questions.
Tuesday, September 10, 2019
Role of HR in developing talent at work in the banking sector (UK and Literature review
Human resource managers include various tools in recognizing and developing talent in the organization. According to Berger & Berger (2010), the talent assessing tools may include 360-degree feedback; however, the appropriateness and effectiveness of the tools used is what matters the most. In addition, coaching plays an important role in the development of an employee’s talent; it can be conducted by a manager or a fellow colleague. Moreover, Morgan & Jardin (2010, p.23) argue that “it is vitally important to run talent management like a business in order to drive maximum return on investment in people.” The role of HR has been significant to the organization and to the individual as well. In talent development and management, the human resources department ensures that appropriate measures are put in place to ensure the presence of the right personnel needed for an organization to succeed (Catalyst, N.d., p. 21). This paper’s aim is to focus on the human resources role in developing talent in the banking sector, mainly in the United States and the United Kingdom.

2) Human Resource Role

The human resource role concerning talent development begins with the creation of that talent, hence nurturing and developing it. In this talent-driven economy, talent-powered organizations are essential; indeed, such talents must be developed and further sustained (Cheese, Thomas, & Craig, 2007, p.46). Talent is normally referred to as a special gift, in this case involving the experience, knowledge, and skills of an individual (Shavininna, 2007, p.159). Therefore, each organization aims at acquiring, retaining, and sustaining such talent, with the aim of achieving organizational goals. According to Collins (2011, p.35), a global war for talent is evident, with global graduates seeking opportunities to develop their skills and experience in overseas countries.
In addition, the United Nations data revealed that over 214 million people live away from their home countries. In countries like the United Kingdom and the United States, the arrival of highly skilled migrants contributes to higher education through fees. The talent war is aimed at accessing the best talent, with companies offering a favorable working environment with the aim of attracting the best talent. The banking sector of any country is a vital field; almost all banks in the United States and in the United Kingdom have incorporated human resources in their operations, especially as this department deals with a number of duties concerning the employees, such as training and development. One such bank is Deutsche Bank, which is based in various countries, among them the United States, and attests to the importance of human resources in its organization, whereby human resources contribute to developing and retaining the best talent (Deutsche Bank, 2011). In addition, Standard Chartered Bank in the United Kingdom has incorporated talent development programmes, whereby attracting the best talent and further developing it is their main aim, as they believe in building their employees (Standard Chartered Bank, 2009). Success is determined when a company’
Monday, September 9, 2019
The Regal Marine Case Study Example | Topics and Well Written Essays - 500 words
According to the research findings, it can therefore be said that the strengths of the firm are that it concentrates on innovation, which can attract high-class customers. The concentration on quality service can maintain customer loyalty and brand identity. The connection with a large number of suppliers is an advantage which can provide them with products at a cheaper price. This can also increase their profitability. All these factors make the strategy perfect for brand positioning. They can target middle-class customers by making a cheaper boat and look out for a wide range of customers. They can also opt for materials which are cheaper and take less production and design time. The firm has chosen the differentiation strategy, which provides unique service different from that of their competitors. They want to provide value for what the customer is paying for, and the quality expected is the best. The firm is located in Orlando, Florida, which is in the United States. The country has a high market for the service provided by the company. The United States, the richest country, has a high concentration of wealthy people. Also, the country is a tourist destination, which gives many opportunities for the luxury boat service. The firm provides luxury boats to its customers. People always look for quality service and products when it comes to leisure and tourism. So it is a high priority among customers who look for a luxurious experience.
Sunday, September 8, 2019
John Steinbeck's Life Essay Example | Topics and Well Written Essays - 1250 words
Published in the Stanford Spectator, a student enterprise, "Fingers of Cloud" seems out of place within its own deceptively-titled context, and, indeed, has been out of place, beyond the pens of Steinbeck critics, for over eighty years. Only Hughes and Timmerman have ventured more than the obligatory sentence or two that Steinbeck's biographers have deigned to scribe and share. Hughes's most helpful contribution is re-stating Thomas Kiernan's biographical information concerning Steinbeck's job as straw-boss on the Spreckels sugar-beet ranch in January 1921 (Hughes 4-5), which is likely the basis for some of the content in "Fingers of Cloud"; Timmerman's is noting the "mysterious pull of the mountains upon the human spirit" in the story, which "would surface in later works of Steinbeck's," and insisting, incorrectly, that Steinbeck's initial offering is "clearly inferior" when compared with "the later Steinbeck canon" (Timmerman 11, 22). Regardless of the opinions regarding the source and worth of "Fingers of Cloud," ecocriticism of Steinbeck's first story, as well as its place within Steinbeck's overall environmental context, has never been attempted. "Fingers of Cloud" is brief, only five pages long. In the story a young orphaned woman named Gertie appears, sweeping the floors of her house, singing gaily to herself. Steinbeck describes Gertie's "flat, pink face," her "benign smile," her "hair, as white as a washed sheep's wool and nearly as curly," and her "pink eyes" (160). In the span of only a few pages, Gertie ascends a mountain; gets caught in a rainstorm; barges into a Filipino labor camp; meets, seduces, and is seduced by Pedro, the boss; is married to him the following day; sets up house within the labor camp; gets beaten for days after; realizes and makes realized her whiteness and her new husband's blackness; and then, finally, re-ascends the mountain after apparently leaving Pedro, for good, behind.
In terms of characterization, setting, and dialogue, "Fingers of Cloud" offers tantalizing tastes of Steinbeck's style--a style that would allow Steinbeck to begin realizing his deepest wish, and a style that would cement his status as America's finest twentieth-century writer. Steinbeck's first character, Gertie, disregards her worldly duties, embracing instead the brilliant mystery of tall mountains and bright skies. At the story's opening, Gertie chants to herself, "Don't have to sweep no more--don't have to wash no more--don't have to do absolutely nothin'--no more" (160), repeating the last two words for extra effect. With her parents absent, and the family home now her own, the naive Gertie is well aware of her newfound freedom but does not yet realize how an absence of human connections will negatively impact her life, which comes into play later in Steinbeck's story. It is as if, with her mother and father gone, Gertie's purpose departs; and though her life may now be carefree, an emptiness still remains. Thus, Gertie decides to leave behind her neighborhood--which is a monotonous collection of "houses and fences and grass plots" followed immediately by "new houses and fences and grass plots" (160)--and instead succumbs to the pull of the wild from the top of a mountain. Interestingly enough, upon