Cyber-Security: An Eye Opener to the Society

Presented by Ms. Edith Turuka
Telecommunications Engineer – Ministry of Communications Science and Technology
11th June, 2012
Agenda
• Introduction;
• Reconnaissance and Countermeasures;
• Corporate IT Security policy;
• Conclusion and Recommendations.
Introduction – Cyber-Security
Before discussing cyber-security, let's take a quick glance at the following:

• Do we need to know about cyber crime?
• What exactly is cybercrime?
• Who can commit cyber crime?
• Why commit cyber crime?
• Types of cyber crime
• Impacts of cyber crime
Introduction – Cyber-Security

• Protecting information from unauthorized access or destruction / abuse.

• Three aspects under consideration (the CIA triad):
  • Confidentiality
  • Integrity
  • Availability
How careless are we?
How vulnerable are we?
Reconnaissance techniques – Low tech methods
• Social Engineering
Reconnaissance techniques – Low tech methods cont…
• Physical Break-In
Reconnaissance techniques – Low tech methods cont…
• Dumpster Diving
Reconnaissance techniques – Low tech methods countermeasures
• User awareness
• Security badges / biometrics, e.g. iris scan, hand geometry, motion detectors, voice, blood vessels / tailgate detection system
• Monitor devices taken in / out
• Use locks on cabinets containing sensitive information, servers
• Use automatic password-protected screen savers
• Encrypt stored files, HDD, DB
• Paper shredder; destroy devices (e.g. HDD) before discarding
Other Reconnaissance techniques
• General web searches
• The use of databases, e.g. Whois, DNS
• Different reconnaissance tools are available! Wireshark, keyloggers, Nmap, SamSpade, etc.

Countermeasures
• Security policy
• Information on public databases – keep to a minimum
Notable quotes….
• Notorious hacker Kevin Mitnick said, "The weakest link in the security chain is the human element," according to a March 2000 article in the Washington Post. [6] He went on to say that in more than half of his successful network exploits he gained information about the network, sometimes including access to the network, through social engineering. [6]
• "You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation." [6]
Case study….
Social Engineering
• Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week.

• Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you you'd better be on your toes because rumors of layoffs are floating around.
Social Engineering
• You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.
And so
• The Game Is In Play: People Are The Easiest Target
  You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet, which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone.
  Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.
Let's Take A Step Back In Time
• The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or one of the security consulting firm's employees.

• You see, a firm has been hired to perform a Network Security Assessment on your company.

• In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.
Bingo – Gotcha
• The spreadsheet you opened was not the only thing executing on your computer.
• The moment you opened that file you caused a script to execute which installed a few files on your computer.
• Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer.
• Tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, where they can continue to hack the network. And they can do it from inside without even being there.
This is what we call a 180 degree attack.
• Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet.
• You took care of that for us.
• Many organizations give their employees unfettered access (or impose limited control) to the Internet.
• Given this fact, the security firm devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network.
• All we had to do was get someone inside to do it for us.
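As an added example (not part of the original deck), the detection logic a defender could run over endpoint telemetry to catch the chain the case study describes: a document opened from removable media spawns a script host, which then calls home. The event record shape, the application and script-host names, the removable drive letters and the sample events are all constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed shape, not from the deck)."""
    ts: datetime
    kind: str    # "process" = process created, "network" = process opened an outbound connection
    pid: int
    ppid: int
    image: str   # executable file name
    detail: str  # command line for "process" events, "ip:port" destination for "network" events


# Assumed application and script-host names; extend to match your environment.
DOCUMENT_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Drive letters the sample host assigns to CD/USB media (an assumption for the sample).
REMOVABLE_DRIVE_RE = re.compile(r"(?<![A-Za-z])[DE]:\\", re.IGNORECASE)


def detect_document_callbacks(events: Iterable[Event],
                              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag the chain: document app -> spawns script host -> script host connects out.

    Process creations are replayed in time order so each network event can be tied back to
    its creating process and that process's parent. One alert per matching network event.
    """
    procs: dict[int, Event] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            procs[ev.pid] = ev
            continue
        if ev.kind != "network":
            continue
        child = procs.get(ev.pid)
        if child is None or child.image.lower() not in SCRIPT_HOSTS:
            continue
        parent = procs.get(child.ppid)
        if parent is None or parent.image.lower() not in DOCUMENT_APPS:
            continue
        if ev.ts - parent.ts > window:
            continue  # too far apart in time to treat as one chain
        alerts.append({
            "time": ev.ts.isoformat(),
            "document_app": parent.image,
            "document_cmdline": parent.detail,
            "script_host": child.image,
            "script_cmdline": child.detail,
            "destination": ev.detail,
            "from_removable_media": bool(REMOVABLE_DRIVE_RE.search(parent.detail)),
        })
    return alerts


# Constructed sample telemetry mirroring the deck's scenario (times and paths are illustrative).
T0 = datetime(2012, 6, 11, 7, 58, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", 1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    # The found CD: Excel opens the spreadsheet from drive E:
    Event(T0 + timedelta(seconds=10), "process", 2000, 1000, "EXCEL.EXE",
          '"C:\\Program Files\\Microsoft Office\\EXCEL.EXE" "E:\\2005 Financials.xls"'),
    # The spreadsheet's script drops a file and runs it through the script host...
    Event(T0 + timedelta(seconds=12), "process", 3000, 2000, "wscript.exe",
          'wscript.exe "C:\\Users\\you\\AppData\\Local\\Temp\\update.vbs"'),
    # ...which calls home (destination is a constructed documentation-range address)
    Event(T0 + timedelta(seconds=15), "network", 3000, 2000, "wscript.exe", "203.0.113.10:443"),
    # Benign: Excel opened from the file server talks to it directly, no script host in between
    Event(T0 + timedelta(minutes=1), "process", 4000, 1000, "EXCEL.EXE",
          '"C:\\Program Files\\Microsoft Office\\EXCEL.EXE" "\\\\fileserver\\finance\\budget.xlsx"'),
    Event(T0 + timedelta(minutes=1, seconds=5), "network", 4000, 1000, "EXCEL.EXE", "10.0.0.5:445"),
    # Benign: an admin runs a script by hand; its parent is explorer, not a document app
    Event(T0 + timedelta(minutes=2), "process", 5000, 1000, "cscript.exe", "cscript.exe C:\\Scripts\\logon.vbs"),
    Event(T0 + timedelta(minutes=2, seconds=1), "network", 5000, 1000, "cscript.exe", "10.0.0.9:389"),
]


def run_sample() -> list[dict]:
    """Run the detector over the constructed events; only the CD chain should be flagged."""
    return detect_document_callbacks(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['time']}: {alert['document_app']} -> {alert['script_host']} -> "
              f"{alert['destination']} (from removable media: {alert['from_removable_media']})")
```

The same walk up the process tree works over real endpoint logs once the `Event` fields are mapped from whatever the sensor emits; the time window keeps an old, still-running Excel from being blamed for an unrelated script.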
Welcome to Social Engineering

• What would you have done if you found a CD with this type of information on it?

• Yes, it is people who are the weakest link in any security system, and Social Engineering Exploits that ---
Corporate IT Security Policy
IT Security Policy

Identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources.
A good IT Security Policy
Amongst other things:
• Provides sufficient guidance for the development of specific procedures;
• Balances protection with productivity;
• Identifies how incidents will be handled; and
• Should not impede an organization from meeting its mission and goals.
• A good policy will provide the organization with the assurance and the "acceptable" level of asset protection from external and internal threats.
• Is enacted by a senior official (e.g., CEO).
Components of a good security policy
• Security Definition
• Enforcement
• Physical Security of ICT Components
• Access Control to the System
• Security of specific components such as Servers
• Internet Use and Security
• Virus Protection
• Wide Area Network Issues
• Voice related Services
• Back Ups and Recovery

A working IT Security Policy is one of the MUST HAVE pillars in any organization!!!
EPOCA – Sections on ICT Security
• The Electronic and Postal Communications Act, CAP 306 of the laws of Tanzania
• Section 124 of EPOCA prohibits unauthorized access or use of computer systems.
• Section 98 of EPOCA creates a duty of confidentiality for information received by virtue of the Communications laws.
• Section 99 of EPOCA states that disclosure of such information should be authorized by the person for official duties such as operation of the laws.
Conclusion and Recommendations
• Worth noting initiatives towards a safe cyberspace in Tanzania, e.g. laws, National CERT & SIM card registration

• While the ICT infrastructure is protected by built-in state-of-the-art security technology and solutions, it is extremely important that national capacity to safeguard its ICT assets is built, as built-in protection is not sufficient and sustainable.

• Security mindset / being cautious / suspicious / not taking everything for granted / awareness needs to be created

• Important for every organization to have an IT Security Policy and for all employees to comply with the terms in it.
Thank you very much for listening
