INFORMATION SECURITY TRAINING

MCI maintains a highly visible security program that provides for the safety of the Company and its employees. However, no one can be entirely free of risk in today's society. To lessen the chance of security incidents occurring, everyone's cooperation and vigilance are needed. All members of the MCI community (employees, contractors, vendors and other business partners) are encouraged to report all suspected crimes, unusual or suspicious activities, and emergencies to the security department immediately. The purpose of this presentation is to give MCI employees the basic security information that prepares them to protect resources, detect security breaches and react to a potential or actual security incident.

The MCI security awareness program will broadly cover the following elements of information security:

  1. What is Information Security?
  2. Social Engineering
  3. E-Mail Security
  4. E-Mail Etiquette
  5. Top Tips
  6. Information Security Policy and Incident Response (IT Personnel)
  7. Incident Response (IT Personnel)

WHAT IS INFORMATION SECURITY

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

WHAT IS SOCIAL ENGINEERING

Social engineering is the practice of obtaining confidential information by manipulating legitimate users. A social engineer will commonly use the telephone or Internet to trick a person into revealing sensitive information or into doing something that is against normal policy. Social engineers exploit a person's natural tendency to trust what they are told, rather than exploiting holes in computer security. It is generally agreed that "users are the weak link" in security, and this is what makes social engineering possible.

Social Engineering Cycle

  1. Information Gathering: a variety of techniques can be used by an aggressor to gather information about the target(s). Once gathered, this information can be used to build a relationship with either the target or someone important to the success of the attack. Information that might be gathered includes, but is not limited to:

     • a phone list
     • birth dates
     • an organization chart

  2. Developing a Relationship: an aggressor may freely exploit a target's willingness to trust in order to develop rapport. While developing this relationship, the aggressor maneuvers into a position of trust which he will then exploit.

  3. Exploitation: the target may then be manipulated by the 'trusted' aggressor to reveal information (e.g. passwords) or perform an action (e.g. creating an account or reversing telephone charges) that would not normally occur. This action could be the end of the attack or the beginning of the next stage.

  4. Execution: once the target has completed the task requested by the aggressor, the cycle is complete.

Human Behavior

What motivates an individual to perform a Social Engineering attack? What techniques might they employ? Are there any common traits to watch out for? These questions are answered in the following sections.

Motivation

What motivates an individual to carry out a Social Engineering attack? Motivations vary and include, but are not limited to:

  • Financial gain: for a variety of reasons, an individual might become fixated on monetary gain. For example, he may believe he deserves more money than he earns, or he may need to feed an out-of-control gambling habit.
  • Self-interest: an individual might, for example, want to access and/or modify information that is associated with a family member, friend or even a neighbor.
  • Revenge: for reasons only truly known by an individual, he might look to target a friend, colleague, organization or even a total stranger to satisfy the emotional desire for vengeance.
  • External pressure: an individual may be receiving pressure from friends, family or organized crime syndicates for reasons such as financial gain, self-interest and/or revenge.

Techniques

What techniques might be employed? The techniques used depend largely on the strength, skill and ability of the individual employing them.

Examples of information-gathering techniques include:

  • Shoulder surfing: looking over the shoulder of an individual as he types in his access code and password/PIN on a keypad for the purpose of committing this to memory so it can be reproduced.
  • Checking the rubbish (commonly referred to as ‘Dumpster Diving’): searching through rubbish thrown away to obtain potentially useful information that should have been disposed of more securely (e.g. shredding).
  • Mail-outs: information is gathered about an individual or organization by enticing the individual, or the organization's staff, to take part in a survey that offers enticements such as prizes for completing it.
  • Forensic analysis: obtaining old computer equipment such as hard-drives, memory sticks, DVD/CDs, floppy disks and attempting to extract information that might be of use about an individual/organization.

 

No matter which technique is used, an aggressor is likely to favor simplicity to ensure success. Common techniques include the following:

Direct approach: an aggressor may directly ask a target to complete a task (e.g. a phone call to a receptionist asking for their username and password). While this is the easiest and most straightforward approach, it will most likely be unsuccessful, since any security-conscious individual will be wary of giving out such information.

Important user: by pretending to be a senior manager of an organization with an important deadline, the aggressor could pressure the Helpdesk operator into disclosing useful information, such as:

  • the type of remote access software used
  • how to configure it
  • the telephone numbers to the remote access server to dial
  • the appropriate credentials to log in to the server

 

Helpless user: an aggressor may pretend to be a user who requires assistance to gain access to the organization's systems. This is a simple approach for an aggressor, particularly if he has been unable to obtain or research enough information about the organization. For example, the aggressor might call a secretary within the organization pretending to be a new temp who is having trouble accessing the organization's system. Not wishing to offend the person or appear incompetent, the secretary may be inclined to help out by supplying the username and password of an active account.

Technical support personnel: by pretending to belong to an organization's technical support team, an aggressor could extract useful information from an unsuspecting user. For example, the aggressor may pretend to be a system administrator who is trying to help with a system problem and requires the user's username and password to resolve it.

 

Reverse Social Engineering (RSE): a legitimate user is enticed to ask the aggressor questions to obtain information. With this approach, the aggressor is perceived as being of higher seniority than the legitimate user who is actually the target.

A typical RSE attack involves three parts:

  • Sabotage: after gaining simple access, the aggressor either corrupts the workstation or gives it an appearance of being corrupted. The user of the system discovers the problem and tries to seek help.
  • Marketing: in order to ensure the user calls the aggressor, the aggressor must advertise. The aggressor can do this either by leaving his business cards around the target's office and/or by placing his contact number in the error message itself.
  • Support: finally, the aggressor would assist with the problem, ensuring that the user remains unsuspicious while the aggressor obtains the required information.

 
E-mail: the use of a topical subject to trigger an emotion that leads to unwitting participation by the target. There are two common forms. The first involves malicious code, such as a virus, usually hidden in a file attached to the e-mail; the intention is that an unsuspecting user will open the file (for example, the 'ILoveYou' virus and the 'Anna Kournikova' worm). The second, equally effective, form involves scams, chain mail and virus hoaxes. These are designed to clog mail systems by reporting a non-existent

 

Website: a ruse used to get an unwitting user to disclose potentially sensitive data, such as the password he/she uses at work. For example, a website may promote a fictitious competition or promotion that requires the user to enter a contact email address and a password. The password entered may very well be the same as, or similar to, the one the individual uses at work.

 

Phishing: specially crafted emails entice recipients to visit a counterfeit website. The website is likely to have been designed around well-known and trusted brands to convince the individual to provide financial and/or personal information, which is then used for fraud. In some instances, simply visiting the website installs malicious code, such as a Trojan key logger, on the unsuspecting user's computer in an attempt to gain further sensitive information about or from the individual.

 

Common traits

Are there any common traits to watch out for? Whatever the motivation or technique used, certain traits usually entice the target to comply with the request(s). These traits include:

  • The movement of responsibility away from the target, so that the target does not consider himself/herself solely responsible for his/her actions.
  • The perception by the target that, by conforming with the request, the target will get on the 'right side' of somebody who could award future benefits, more commonly known as "getting in with the boss".
  • The target's instinct to act morally in helping someone out, thus avoiding the feeling of guilt.
  • Communication on a personal level, resulting in the target voluntarily complying with the request without realizing the pressure being applied.
  • The target's belief that he/she is making a reasoned decision in exchange for a small loss of time and energy.

 

The likelihood of the target's compliance is further increased if:

  • The aggressor is able to avoid conflict by using a consultative approach rather than an aggressive one.
  • The aggressor is able to develop and build a relationship through previous dealings. The target will probably comply with a large request having previously complied with a smaller one.
  • The aggressor is able to appeal to the target's senses, such as sight and sound. By appealing to such senses, the aggressor is able to build a better relationship with the target by appearing 'human' rather than just a voice or an email message.

 

 

Counter-measures

Is there an effective way to fully protect against a Social Engineering attack? The answer is 'No', for the simple reason that no matter what controls are implemented, there will always be the possibility of the 'human factor' being influenced by a social, political and/or cultural event. Nevertheless, as with any threat, there are ways to reduce the likelihood of success. This can be achieved by having an appreciation of the threat, and knowledge of both the techniques that could be used and the counter-measures that can be implemented.


 

 

Controls

Below is a list of core controls that can be implemented to protect against such an attack. However, when considering which of these controls to implement, it is important to ensure that they:

  • do not disrupt normal day-to-day operations;
  • are robust enough to block a variety of malicious actions occurring concurrently;
  • can establish the difference between an attack and normal day-to-day activity.

 

 

Core controls that can be implemented:

  • Management buy-in: managers require an understanding of their role to be able to define what requires protection, and why. This understanding should ensure that appropriate protective measures are taken to protect against associated risks.
  • Security policy: a sound security policy will ensure a clear direction on what is expected of staff within an organization. For example, support teams should only offer assistance for a defined range of activities.
  • Physical security: a key control that involves restricting physical access to computer facilities and systems for staff, contractors and visitors. For example, in order to remove the possibility of people overstating their authority, the use of access badges indicating an individual's status (e.g. employee, contractor, visitor) is recommended. In addition, employees should be encouraged to check the badges of people they encounter.
  • Education/Awareness: a simple measure that helps prevent these types of attacks. For example, a knowledgeable user can be advised that he/she should never give out any information without the appropriate authorization and that he/she should report any suspicious behavior. A good training and awareness program focusing on the required behavior is likely to pay for itself. Such a program might also provide users with a checklist on how to recognize a possible 'Social Engineering' attack.
  • Good security architecture: smart infrastructure architecture will allow personnel to concentrate on more important duties. For example, by ensuring outbound firewall access controls are configured just as carefully as inbound controls, an administrator will know exactly how the networked environment will respond under certain events. This understanding will ensure that the administrator is able to avoid spending time following up on 'false positives'.
  • Limit data leakage: reducing the amount of specific data available ensures that the attack is not an effortless exercise. For example, websites, public databases, Internet registries, and other publicly accessible data sources should only list generic information, such as the main organization phone number and job titles instead of employee names (for example, 'site administrator' instead of 'Joe Bloggs').
  • Incident response strategy: a documented response strategy ensures that, when under pressure, a user knows exactly what procedures to follow. For example, if a user receives a request, he/she should verify its authenticity before acting on the instructions received. If he/she has already acted on the request, he/she should alert the administrator. It is then the administrator's responsibility to check with other users to ensure that no one else has followed the instructions in the request.
  • Security culture: building an information security culture within an organization starts with making people aware of security issues, providing them with tools to react, and encouraging two-way communication between security personnel, managers and employees. The creation of a security culture should be considered a long-term investment, which requires a constant effort to maintain and grow.

EMAIL SECURITY

What does e-mail security involve?

The three main principles of Information Security involve maintaining the confidentiality, integrity, and availability of information resources. These three principles can be directly applied to the area of email security as well.

Confidentiality of email involves making sure it is protected from unauthorized access. Integrity of email involves a guarantee that it has not been modified or destroyed by an unauthorized individual. Availability of email involves ensuring that mail servers remain online and able to service the user community. A weakness in any one of these three key areas undermines the security posture of an email system and opens the door to exploitation.

 

E-Mail Security Threats

Viruses

Email security is threatened by a range of issues. One of the most publicized and highest-risk of these is viruses. Viruses are so dangerous because they often deliver extremely destructive payloads, destroying data and bringing down entire mail systems. As a result they are a major drain on corporate IT departments and users.

SPAM

Another major threat to email security today is SPAM, often cited by organizations as their number one concern. Otherwise known as junk email, SPAM is considered a security threat not only because its volume can affect system availability, but also because it can carry viruses, malicious code, and fraudulent solicitations for private information.

Phishing

Phishing, a common route to identity theft, is a newer threat to email security that was relatively unheard of a short time ago. Phishing is the process whereby identity thieves target customers of financial institutions and high-profile online retailers, using common spamming techniques to generate large numbers of emails intended to lure customers to spoofed web sites and trick them into giving up personal information such as passwords and credit card numbers.
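As an added example (not part of the original training material, and not MCI's own tooling), the following Python script applies the indicators described above to a raw e-mail message: a display name or lookalike sender domain that borrows a trusted brand, a Reply-To that steers answers to a different domain, and links whose visible text names one site while the href points to another. The brand allow-list, the lookalike-character table and both sample messages are constructed for illustration.

```python
"""Heuristic phishing indicators for a raw e-mail message.

Added example for this training page, not code from MCI or any vendor.
The brand-to-domain table, the lookalike-character table and both sample
messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains the brand really sends from.
BRAND_DOMAINS = {"examplebank": {"examplebank.com"}}

# Digit-for-letter swaps attackers use to build lookalike names (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def strip_www(domain):
    d = (domain or "").lower()
    return d[4:] if d.startswith("www.") else d


def normalize(name):
    """Fold the visual tricks: case, leading www., digit swaps, and rn -> m."""
    return strip_www(name).translate(CONFUSABLES).replace("rn", "m")


def imitated_brand(domain):
    """Brand that a domain outside the allow-list appears to imitate, else None."""
    domain = strip_www(domain)
    for brand, legit in BRAND_DOMAINS.items():
        if domain not in legit and brand in normalize(domain):
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return human-readable indicators; an empty list means none fired."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = strip_www(sender.rpartition("@")[2])

    # 1. The sender claims a brand (lookalike domain or display name) but the
    #    address is not one of that brand's real domains.
    brand = imitated_brand(sender_domain)
    if brand is None:
        for b, legit in BRAND_DOMAINS.items():
            if b in normalize(display_name) and sender_domain not in legit:
                brand = b
    if brand:
        findings.append(f"sender {sender!r} imitates {brand}")

    # 2. Replies are steered to a domain other than the one that "sent" the mail.
    reply_domain = strip_www(parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 3. Link text names one site while the href goes elsewhere, or the real
    #    target is a lookalike of a known brand. Only single-part bodies are read.
    body = msg.get_payload(decode=True) or b""
    parser = LinkCollector()
    parser.feed(body.decode("utf-8", errors="replace"))
    for href, text in parser.links:
        target = strip_www(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown:
            shown_domain = shown.group(1).lower()
            if target != shown_domain and not target.endswith("." + shown_domain):
                findings.append(f"link text shows {shown_domain} but points to {target}")
        brand = imitated_brand(target)
        if brand:
            findings.append(f"link target {target} imitates {brand}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """From: ExampleBank Security <alerts@examp1ebank-login.com>
Reply-To: verify@mail-collector.example
To: employee@mci.com
Subject: Urgent: confirm your account
Content-Type: text/html

<p>Your account is locked. Sign in at
<a href="http://examplebank.com.evil.example/login">https://www.examplebank.com/login</a></p>
"""

LEGIT = """From: ExampleBank <alerts@examplebank.com>
To: employee@mci.com
Subject: Your statement is ready
Content-Type: text/html

<p><a href="https://www.examplebank.com/statements">View your statement</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or ["no indicators"])
```

Heuristics like these belong in a mail gateway or a help-desk triage script, not as the only control: a message that fires none of them can still be phishing, and a legitimate mailing sent through a third-party provider will trip the Reply-To check, so keep the allow-list current with the domains each brand really uses.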

EMAIL ETIQUETTE

  • SPECIFY A SUBJECT FOR EACH MESSAGE. Use descriptive subject titles like "Study Group at 4PM" or "Apartment Available." Don't force your recipients to guess why you are sending them a message.
  • Be brief. Add blank lines and other formatting so the structure of your message is clear.
  • Do not use attachments unless you know your recipient's system is able to decode them. Many systems will not handle attached documents correctly. It is often much better to cut and paste text from a word processor directly into the body of your message. This ensures that it will be readable when it reaches its destination.
  • SIGN YOUR MESSAGES with your name and your return email address if you expect a reply. Many systems cannot handle automatic return addresses. This is especially important when sending email from a public workstation or World Wide Web browser such as Internet Explorer, Firefox, etc.
  • THINK BEFORE YOU SEND EMAIL TO MORE THAN ONE PERSON. Do the additional people really want or need to see this message? Will everyone know the context for this message? If you can't answer "yes" to these questions you probably shouldn't send it to the larger group. Other people are seldom interested in email "chat" between two parties. Never send personal email to a mailing list such as "All First Year Students."
  • Be careful when you reply to email from a mailing list. If you really intend to respond to the PERSON who wrote the original message, use a PERSONAL address. You may need to go to an address book and look it up if the reply has been automatically addressed to the list.
  • When you quote a message from someone else, be sure it is clear who said what and when. Be especially careful when you forward an entire message. Will the recipient understand why you are sending it? Did the original author intend for the information to be passed on? If in doubt, ask!
  • BE CAREFUL WITH PERSONAL INFORMATION and what you say about others. Remember that once you send a message you cannot control who will ultimately read it. If you are quoted out of context, someone may become offended or angry even though this is not what you intended.
  • Be careful with humor and sarcasm. Some jokes fall short in the absence of facial expression and tone of voice. Humorous remarks may be taken seriously when they are quoted out of context.
  • DO NOT SEND CONFIDENTIAL PATIENT INFORMATION VIA EMAIL unless it is encrypted. Email is copied, archived, and retransmitted continuously as part of normal processing. Plain text messages might be read by someone along the way. Do not place your patients' confidentiality at risk.

PASSWORDS

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of your organization's entire corporate network. As such, all corporate employees (including contractors and vendors with access to the organization's systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. A good password is one that cannot be guessed, searched for or predicted by others. Only you can protect your organization's sensitive information; in many instances confidential information is only as safe and secure as the strength of your password. Do not use family names, nicknames, anniversaries, birthdays or pet names. Don't use sports teams either: if someone at your desk sees a Detroit Lions poster, guessing a password like 'GoLions' or something similar is quite easy. Finally, do not use the word "password" for any of your personal password selections. It is important that you select a password that is long, strong and not a dictionary word. Use a minimum of 8 characters with both upper and lower case letters and a mix of numbers and special characters or symbols.

 

To help you remember your password, use the first letter of each word in a phrase that means something to you, such as a song title, an affirmation, or another phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R@" or "Tmb1W#r$" or some other variation.

 

Keeping your password to yourself is critical to your company's security. Only you can protect your organization's sensitive information. Never change your password to something known to anyone else, not even for a moment. Never share your password with anyone, including your manager, IT Security, the IT Help Desk, family, friends or coworkers. Even if someone calls and says they are from IT Security or the IT Help Desk and need your password to check something, do not give it out. This could very well be an attempt by an unauthorized person to "social engineer" you into giving up your password. No one in IT should ever ask for your password over the phone for ANY reason. If this happens, get their name and number and call your manager and IT Security to report a possible security incident.

Never write your password down anywhere, especially on a post-it note near your computer or under your keyboard, as we have seen so many times. Never use the same password for both your work and personal accounts. Be accountable and take responsibility for the use of your password(s). Only you can prevent a security incident from happening. Remember to do your part to help keep company confidential information secure.

TOP INFORMATION SECURITY TIPS

VIRUSES

Viruses are frequently transmitted by e-mail. Some telltale signs are:

  • Expressions of love
  • Here's that file you wanted
  • Pornography
  • Games or screensavers

Some virus messages are actually hoaxes, advising you to delete critical files or download infected software from a web site.  Viruses can send e-mail using a friend or coworker's system, effectively impersonating them.

Delete suspicious e-mail. When in doubt, consider whether the message has a legitimate business use. Do not open an attachment unless you are comfortable with the content of the rest of the message.

Anti-virus software uses stored virus definitions to detect and quarantine viruses. Virus definitions must be updated to defend against new viruses.

WORKSTATION SECURITY

An unlocked workstation is a violation of security policy and leaves the system open to compromise.

You should always lock your workstation before leaving your desk, using either of these methods:

  1. Press Ctrl + Alt + Del and click "Lock Computer"
  2. Press the Windows key and the letter L

Both methods eliminate the period of vulnerability while the system is left unattended. The system can be unlocked by supplying your login ID and password.


TRUST YOUR INSTINCTS

When investigating a security incident, it is often discovered that people knew or suspected that something was going on before the incident occurred.

From time to time people may raise a false alarm and that's OK. It happens to security professionals occasionally and is to be expected.

Trust your instincts and use your best judgment. When you call to report an incident, provide as much detail as possible. The security group does not bite. ;-)


PASSWORDS

Hackers use software and word lists to automate password guessing. Source materials include dictionary files and lists of common names, characters, movies, etc. Using these methods, hackers can compromise weak passwords in under an hour.

Per company policy, passwords must be at least 8 characters long and contain at least 3 of the following 4 elements:

  • Upper case
  • Lower case
  • Numeric characters
  • Special characters (e.g. * ! @ & )

The following password elements are prohibited:

  • Common elements (e.g. words, names, sports teams, movies and shows, groups, songs, etc.)
  • Elements relating to the user (e.g. user ID, graduation year, birthdays, phone numbers, SSN, pets, etc.)
  • Keyboard patterns (e.g. 1q2w3e4r)
  • Repeating patterns, such as reusing a previous password with only the final character changed (e.g. ah*fJDS1, then ah*fJDS2)
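As an added example (not MCI's own tooling and not part of the original page), this Python check enforces the policy above: the 8-character minimum, three of four character classes, and the prohibited elements. It undoes the same case, digit-for-letter and trailing-number mangling that cracking word lists apply, so that GoLions1! and P@ssw0rd are caught as well as the plain words. The mini word list, keyboard rows and user record are constructed; a real check would load full dictionaries and the user's directory entry.

```python
"""Check a candidate password against the policy stated in this section.

Added example for this training page, not MCI's own tooling. The mini word
list, keyboard rows and sample user record are constructed; a real check
would use full dictionaries and the user's directory entry.
"""
import re

MIN_LENGTH = 8
MIN_CLASSES = 3
# Constructed stand-in for the dictionary, name, team and title lists crackers use.
WORDLIST = {"password", "welcome", "summer", "detroit", "lions", "tigers"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Undo the substitutions that cracking rules also undo (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
# Constructed user record; the policy forbids anything tied to the user.
USER = {"user id": "jbloggs", "birth year": "1985", "phone": "5550123", "pet": "rex"}


def character_classes(pw):
    """Number of distinct classes present: upper, lower, digit, special."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def deleet(pw):
    return pw.lower().translate(LEET)


def has_keyboard_pattern(pw, run=4):
    """A run of `run` adjacent keys along a row, forwards or backwards, either
    contiguous (qwerty) or interleaved with a second row (1q2w3e4r)."""
    low = pw.lower()
    candidates = [low, low[0::2], low[1::2]]
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if any(piece in c or piece[::-1] in c for c in candidates):
                return True
    return False


def is_increment_of(new, previous):
    """ah*fJDS1 -> ah*fJDS2: the same password with only trailing digits changed."""
    if not previous:
        return False
    strip = lambda s: re.sub(r"\d+$", "", s)
    return new != previous and strip(new) == strip(previous) and strip(new) != new


def check_password(pw, user=USER, previous=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of upper/lower/digit/special")
    plain = deleet(pw)
    for word in WORDLIST:
        if len(word) >= 4 and word in plain:
            problems.append(f"contains common word {word!r}")
    for label, value in user.items():
        if value.lower() in plain or value.lower() in pw.lower():
            problems.append(f"contains the user's {label}")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if previous and (pw == previous or is_increment_of(pw, previous)):
        problems.append("repeats the previous password with a changed number")
    return problems


if __name__ == "__main__":
    for candidate, prev in (("GoLions1!", None), ("1q2w3e4r", None), ("P@ssw0rd", None),
                            ("ah*fJDS2", "ah*fJDS1"), ("Tmb1W#r$", None)):
        print(f"{candidate:12} -> {check_password(candidate, previous=prev) or 'OK'}")
```

The de-leeting step is what makes the word-list check meaningful: a cracker's rules generate P@ssw0rd from password in the first few seconds, so a policy check that only compares the literal string against the dictionary rejects nothing an attacker would not try anyway. The check passes the page's own example, Tmb1W#r$, because it is built from a phrase rather than a word.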

The following practices are prohibited:

  • Recording user ids or passwords on paper
  • Group accounts or shared passwords (passwords provide accountability, user to system)
  • Distribution of passwords by e-mail or other insecure methods (e.g. fax)
  • Use of the same password on multiple systems

Before distributing a password, positively identify the person and their need-to-know. Examples include:

  • Confirmation by employee ID
  • Checking driver’s license against the company directory
  • Calling back at the number listed in the directory
  • Confirmation with a supervisor
  • Confirmation with human resources

Passwords should be stored in password management software (e.g. eWallet or Password Safe).

Change your password at least every 6 months and whenever you suspect it has been compromised.

The help desk will not ask for your password. Report any attempts to obtain it to the security group.


CONTINUITY

Continuity is a key component to the success of any business. Single points of failure are a threat to continuity. Business depends on its employees to complete their duties. It also needs a reliable supply of goods and services. Its phone and IT systems must be highly available. Each employee must address continuity.

PERSONNEL CONTINUITY
Each critical function must have a primary and alternate formally assigned. Document mission essential procedures thoroughly. Documentation should be routinely updated and marked with the date of last revision.

RESOURCE CONTINUITY
Each department should consider the goods and services required to fulfill its mission. Verify that external organizations have methods to ensure reliable service/delivery in the event of equipment failure, supply chain issues, and emergencies such as natural disasters, terrorism, etc. If necessary, make legally binding backup agreements with separate providers.

PLANNING
Business continuity and disaster recovery should be addressed with comprehensive plans. Each department must contribute. Off-site storage and alternate work sites with phones and IT systems are also required. Verify your organization's state of preparedness by testing the plans at least annually.

CLEAN DESK POLICY

It is crucial to protect sensitive information from disclosure. Office space is frequented by visitors, consultants, vendors, cleaning crews, maintenance and fellow employees.

Please keep your workspace neat. If it is messy, you may not notice when something is missing. Throughout the day:

  • Lock sensitive documents and computer media in drawers or filing cabinets
  • Physically secure laptops with security cables
  • Secure your workstation before walking away (Ctrl+Alt+Delete or windows key + L)

 

At the end of the day, take a moment to:

  • Tidy up and secure sensitive material
  • Lock drawers, file cabinets and offices
  • Secure expensive equipment (laptops, PDAs, etc.)


DESTRUCTION OF SENSITIVE MATERIALS

Hackers and industrial spies have long used "dumpster diving" as a method for gathering sensitive information. Sensitive materials must be thoroughly sanitized before being discarded.

PAPER
Paper containing sensitive information must be shredded. Use high-quality cross-cut shredders that cut paper into small pieces. Place shredders in common areas, and purchase personal shredders for employees who work daily with sensitive information. Some clients impose a "no paper, no writing instruments" rule: this means there should be absolutely no paper, pens, markers, etc. on the production floor. Violation could result in a written warning up to termination of employment.

CD-ROMS
CD-ROMs should be fed through a CD-ROM shredder. An alternative would be to snap CD-ROMs in half. The process of breaking a CD-ROM can send shards of plastic flying. The sharp edges of a broken CD-ROM can cut. A shredder is a better solution.

MAGNETIC MEDIA
Floppy disks and backup tapes should be opened and the media cut into small pieces. Hard drives should be overwritten three times with zeros and ones. Magnetic media containing extremely sensitive material should be sanitized with the magnetic field of a degaussing device. Degaussers can be expensive; as an alternative, disassemble each hard drive and sand the surface of its platters.
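As an added example (not MCI's procedure, and not code from the original page), the Python below spells out the three-pass overwrite for a file or block-device path: zeros, ones, zeros, with a forced flush after each pass and a read-back check of the final pass. This is what a tool such as GNU shred does, written out so the steps are visible; the "sensitive" sample file is constructed. Caveat: an overwrite reaches only the blocks the operating system maps to that path today; remapped sectors, the spare area of flash/SSD media and file-system copies are untouched, which is why degaussing or physical destruction remains the safer choice for extremely sensitive material.

```python
"""Three-pass overwrite of a file (or block-device path) with a read-back check.

Added example for this training page, not MCI tooling. It spells out what a
tool such as GNU shred does for the "overwrite three times with zeros and ones"
guidance. Caveat: only the blocks currently mapped to the path are touched;
remapped sectors, SSD spare area and file-system copies are not.
"""
import os
import tempfile

CHUNK = 1 << 20  # bytes handed to each write call
PASSES = (b"\x00", b"\xff", b"\x00")  # zeros, ones, zeros: the last pass is checkable


def _fill(fd, size, byte):
    """Write `size` copies of `byte` from the start of fd and force them to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        buf = byte * min(CHUNK, remaining)
        view = memoryview(buf)
        while view:                      # handle short writes
            n = os.write(fd, view)
            view = view[n:]
        remaining -= len(buf)
    os.fsync(fd)                         # do not trust the page cache


def overwrite(path, passes=PASSES):
    """Overwrite every byte of `path` once per pass; return the byte count."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for regular files and block devices
        for byte in passes:
            _fill(fd, size, byte)
    finally:
        os.close(fd)
    return size


def verify_filled(path, byte=b"\x00"):
    """Read the whole path back and confirm every byte matches the final pass."""
    expected = byte * CHUNK
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != expected[:len(chunk)]:
                return False


def sanitize_demo():
    """Create a file holding constructed 'sensitive' data, sanitize it, and
    return (bytes_overwritten, all_zero_afterwards, secret_still_present)."""
    secret = b"Account 4111-1111-1111-1111 PIN 1234\n" * 4096  # constructed sample
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    try:
        written = overwrite(path)
        with open(path, "rb") as f:
            leftover = b"4111-1111" in f.read()
        return written, verify_filled(path), leftover
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("bytes overwritten, all zero afterwards, secret still present:", sanitize_demo())
```

For a whole drive you would pass the device node (for example /dev/sdX on Linux, run as root, with the device unmounted) instead of a file path; the size comes from seeking to the end of the device, and the same three passes and read-back apply.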


PHOTOGRAPHY

Photography has always been a threat to information security. Spy films highlight how easy it is to use a small camera to swipe confidential information. In just a moment of opportunity, a camera can be used to take information with no one the wiser. With digital cameras the size of a pack of cigarettes and cell phone camera combos, it is easier than ever to slip in a camera unnoticed.

In some cases visitors have stolen intellectual property by taking pictures on escorted tours. Visitors must never be permitted to take photographs. Do not leave visitors alone with sensitive materials, even for a moment.

Challenge anyone taking pictures in an unusual situation by asking "May I help you?" and following up with something like "What are the pictures for?". Immediately report any suspicious activity to the security group.


BACKUP YOUR DATA

Any files stored locally on your workstation will be lost in the event of a hardware failure. This includes your entire C drive and your workstation's desktop.

Store files on your personal network drive (X drive). It is backed up nightly. Use of your X drive also makes it possible to quickly replace your workstation for hardware and operating system upgrades.

PERSONAL TELEPHONE CALLS/CELL PHONES

The Company's primary method of communication with its customers and business associates is its telephone system. Because of this, it is necessary to limit use of the telephone system to Company business only. Accordingly, Company telephones should not be used for employees' personal telephone calls. In addition, except in an emergency, employees are asked to discourage friends and relatives from calling them at work. Personal phone calls should only be made during lunch or break periods. Personal long-distance calls should be made collect or charged to the employee's personal credit card.

The Company is aware that employees use their personal or company-supplied cellular phones for business purposes. At the same time, cell phones are a distraction and a security risk in the workplace. Camera phones in particular can present risks to the Company, including violations of client contracts and potential compromise of customer information, trade secrets, or the privacy of other employees.

To ensure workplace effectiveness employees are asked to leave personal cell phones in vibrate or silent mode while in the facility. Personal cell phones may only be answered in designated areas within the building, such as facility break rooms. Agents should check with their supervisor prior to leaving the calling floor to answer a personal cell phone. Use of personal cell phones, including texting, or charging the device, on the calling floor is subject to corrective action up to and including termination.