1. A Security Perspective on “Phishing” and “Social Networks”
Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
2. Session Guide
Erwin “Chris” Louis Carrow
IT Auditor, M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA,
LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who
cares?!)
Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: erwin.carrow@usg.edu http://www.linkedin.com/in/thebishop
http://twitter.com/ecarrow
What Do I Do? Just a “Glorified Geek”
High level – IT evaluations system wide
General focus – Lack granularity of detail regarding day-to-day operations
Bottom line: “It’s all about ME” (joke)!
3. Session Agenda
Key Takeaways and Introductions
Basic Terminology, Context, & Methodology
Strategic Use of YOUR and Others’ Personal Information
What to Do to Be Safe / Limit Risk
Q&A
4. Key Takeaways
At the end of this session you should be able to:
Understand the RISK with Phishing & Social Networks;
Understand the Motivation for Exploitation of YOUR or OTHERS’ PERSONAL INFORMATION;
Identify & Assess Resources to Mitigate Associated RISK;
Apply Basic Precautions to Mitigate Potential LOSSES.
5. Gone Phishing and Not Just Wishing – Videos
Safe-guarding the Process: http://www.youtube.com/watch?v=UNanKfY5T9A
Types of Phishing: http://www.onguardonline.gov/videos/overview.aspx
6. Threats and the Facts
Recent Email, Browser, & Web Site Exploits (this month!)
Yahoo, Hotmail, & Gmail – Oct 7, self-propagating phishing scam; Oct 6, account usernames / passwords illegally leaked
Google – Oct 13, Web Masters of compromised sites warned, with detailed code samples found
Microsoft – Oct 14, Phishing attacks with Zeus Trojan targeting Outlook Webmail
Mozilla – Oct 16, disabled a Microsoft plug-in for Firefox
Facebook, MySpace, etc. – Oct 16, Twitter phishing login scams
Browsers – Oct 1-5, IE, Chrome, Safari duped by bogus PayPal SSL certificate
Peer to Peer downloads – Oct 12, Software piracy embeds malware
Puppet Nets / Bot Nets: Trusted major brand’s Web site – instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site
Cyber Terrorism – Oct 9, Research points to new cyber terror tactics; Oct 13, Polish Government attack blamed on Russia (duh)!
Click fraud – Oct 23, Botnet click fraud at record high
7. More of the Same “Threats and the Facts” – But, What are the Results?
Privacy Rights Clearinghouse
Chronology of Data Breaches: 2,500,000 reported since January 2005
[www.privacyrights.org/ar/ChronDataBreaches.htm]
Ponemon – HRH 2008 Privacy Breach Index Survey (Sept 2008)
Self-evaluation of overall performance of organization: 9% gave an “A”, 31% gave a “B”, 26% gave a “C”, 29% gave a “D”, 5% gave an “F” [www.HRH.com/privacy]
80% believed their organizations experienced information system data breaches and loss of customer and personal information
Cause: 50% Negligence, 29% Third-Party, 3% Hacker, 1% other criminal activity
36% had 1 to 4 breaches involving 100 or more records; 32% had 5 to 8; 31% had 9 or more
8. Terminology, Context, & Who are the Key Players
People – Good (solution oriented), Bad (problem producers), and Indifferent (folks who don’t care about / understand the problem)
Technology – Good (well managed), Bad (poorly managed), and Indifferent (don’t care about or understand the problem)
Services – The Internet (Home, Work, or Public environment), and associated resources, e.g., ISP, FaceBook, Games, email, etc.
YOU – “Part of the Solution” or “Part of the Problem,” e.g., a Recipient (“Poor Slob” that GOT HIT), Participant (inadvertently contributed either “for” or “against”), or Initiator (Johnny or Jill Hacker)?
Specific or Potential Risks – Phishing attempts, Social Network exploits, etc.
9. Basic Methodology for all – Terrorist or Criminal Exploitations
Identify Social / Cultural “Normalcy” and associated “Common Denominators” where potential gain or benefit may exist on the Internet
Email has become the primary “Means of Communication”
Browser Based Culture and Community, e.g., On-line Gaming (Entertainment), Banking (financial), Social Networks (Socialization)
Exploit “Common Denominators” by …
Making it look like normal, expected activity
Browser based exploits – Social networks, social engineering, harvesting information, or capitalizing on browser technology vulnerabilities
Email based exploits – Phishing
Browser, Email, and Web Site exploitation are all used in conjunction
Obscure and confuse the real with the Counterfeit!
Their Objective is to recreate a Counterfeit “Normalcy” that attracts and is utilized by YOU!!!!
FOR ORGANIZATIONAL (Terrorist) or PERSONAL (Theft, Malice, or Vendetta) GAIN
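The methodology above comes down to one thing: a link that looks like the “normal” destination but actually goes somewhere else. The following is an added example (my own code, not part of the slides or any referenced resource) of a defender-side check a mail gateway or awareness tool can run over the links in an HTML e-mail. It extracts every anchor and flags the usual tells of a counterfeit: the visible text shows one domain while the href points at another, a raw IP address in place of a hostname, a user-info part before “@” that hides the real host, or a non-web / unencrypted scheme. The sample message is constructed for the demonstration using reserved documentation domains, and the registrable_domain helper is a simplification (real code would consult the public suffix list).

```python
# Added example (not from the slides): flag common phishing indicators in the
# links of an HTML e-mail, i.e. places where the "counterfeit" differs from
# the "normal" the message pretends to be.  Standard library only.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'owner' domain: the last two labels.  Assumption / simplification;
    real code should consult the public suffix list so that e.g. co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#:]|$)", re.I
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def assess_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{parsed.scheme}'")
    elif parsed.scheme == "http":
        findings.append("unencrypted http link")
    if "@" in parsed.netloc:
        findings.append("userinfo before '@' hides the real host")
    if IPV4.fullmatch(host):
        findings.append(f"raw IP address host {host}")
    shown = URL_LIKE.match(text)
    if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(
            f"displayed domain {shown.group(1)} differs from actual host {host}"
        )
    return findings


def assess_html(html):
    """Map each href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample message (not a real phishing e-mail); the .example TLD
# and 192.0.2.0/24 are reserved for documentation.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account:</p>
<a href="https://www.example.com/login">https://www.example.com/login</a><br>
<a href="http://192.0.2.10/account/">https://bank.example/login</a><br>
<a href="https://bank.example@login.example.net/">bank.example</a><br>
<a href="https://www.example.com/help">Click here for help</a>
"""

if __name__ == "__main__":
    for href, findings in assess_html(SAMPLE_EMAIL).items():
        print(href)
        print("    " + ("; ".join(findings) if findings else "no indicators"))
```

Only the first and last links in the sample come back clean; the second and third are flagged for the displayed/actual domain mismatch plus the IP host or the hidden-host “@” trick respectively. The check deliberately reports indicators rather than a verdict, because a legitimate newsletter can also link through a tracking host; the point for users is the same one the slide makes: the text you see is not the place you go.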
10. Response?
Know Yourself – Know Your Enemy!
The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.
Two Possible (Not Recommended) Responses to the Challenge
Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer Games until the Inevitable Occurs
Idealistic and Unrealistic: Do the “Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight)” – Wear yourself out Fighting Windmills by shooting at whatever pops its head out!
Third Approach: “How do you Eat the Elephant standing in the corner, Instead of Avoiding it?” Take ONE BITE at a time by…
Assessing the level of risk you are willing to incur
Strategizing a response
Being deliberate and not apathetic or indifferent
Being practical / understanding it is not just about you (or ME)
Being an advocate or part of a culture that supports secure practices
Testing and monitoring the process with identifiable outcomes
11. Know Yourself
Profile – Who are YOU?
Habits & Preferences
Vocation or Avocation
Social Outlets, What you do, & Who you Know
Financial Resources
Education & Military Duty
Government Affiliation
YOUR PERSONAL IDENTITY is based on what you share in your “Click!”
12. Know Your Enemy
Profile – Who are They?
Terrorists
Foreign Governments
Organized Crime
Petty Thieves
People trying to have fun at your expense?
People who don’t Like you!
All motivated by what you have or what you can provide them, e.g., “Click”
13. The Internet is Bigger than Any Person or Government!
No Boundaries, Constantly Changing, & High Complexity
Political Alliances w/ Limitations
Government-Sponsored Terrorism and Hacking
Electronic Relationships w/ No Commitment
Values vary with Social / Cultural Norms
Fallacy / Pitfall – YOU will evaluate acceptability by your own standards!
14. Risk Profile, Probability, & Impact
Risk “reality” is just a “Click” away!
Am I important, and if so why?
Why would someone want me to “Click?”
If I commit to “Clicking,” what could be the outcome?
Is the “Click” cost too high?
How will the “Click” possibly impact others?
15. Campus “Life Cycle” of Security & Process Provisioning – Are YOU the Weakest Link?
16. What to Do to Be Safe…?
Protect Yourself and Others?
Hardware – OS updates; latest version of Browser / Email Clients and ensure they are patched; dedicated systems per functional risk
Software – Anti-virus / Anti-Malware, Host-level IDS / IPS, Security Browser Apps, Plug-in filters, etc. (buy from a reputable vendor)
Head-ware, e.g., “Common Sense” that is not too common
Don’t “Bank Online” (personal opinion and choice), limit on-line purchases, etc. – every transaction has an associated risk!
Don’t share personally identifiable information of any type or form online without assessing the risk!
Have fun, be cautious, and educate yourself regarding the risk
Remember, once it is on the Internet “it belongs to everyone.” Is it something you really wanted to share?
17. Thank You for Your Participation – Any Questions?
Understand the “browser-based” Risk and potential Phishing and Social Networking Scams that dominate “normalcy!”
Profile Your and Others’ Risk per the “Click” you take!
Take the necessary Precautions, Preventive measures, and Practice safe browsing!
19. Helpful Resources
USGBOR Information Security Reporting Process: http://www.usg.edu/infosec/incident_management/ Twitter: http://twitter.com/usginfosec/
Internet Alert Dashboard: To report cyber infrastructure incidents or to request information, please contact US-CERT at sos@us-cert.gov or visit their Website: http://www.us-cert.gov. Information on IT information sharing and analysis can be found at the IT ISAC (Information Sharing and Analysis Center) Website: https://www.it-isac.org/
US-CERT: us-cert.gov/cas/tips/st06-003.html
StaySafeOnline: staysafeonline.info/practices/index.html
CyberSmart.org: www.ccybersmart.org/downloads/pdf/SocialNetworkGuide.pdf
GetNetWise: www.getnetwise.org
OnGuard Online: onguardonline.gov/socialnetworking_youth.html
TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php
Join my FaceBook “Mafia War” Family (beware, it is a social networking experiment): http://www.facebook.com/TheBishopOfOZ