
Prepared by: Aymard

 Awareness
 Importance of Information Security in today’s world
 Social engineering
 Hacking
 Security controls [risk mitigation lattice]

 Hands-on practices
 Managing passwords (Office applications)
 PDF conversion
 Encryption
Importance of Information Security in today’s world

 Why Security?
 Technology evolves with ease of use, not security, as the priority
 More networked environments and more network-based applications
 Decreasing skill level needed to exploit a system
 Direct impact of a security breach on the corporate asset base and goodwill
 Increasing complexity of computer infrastructure administration and management
Essential Terminologies
 Risk - The quantifiable likelihood of a threat taking advantage of a vulnerability in a system, i.e. the probability that a threat will exploit a vulnerability
 Threat - An action or event that might compromise security; a potential violation of security. Equivalently, something that is a source of danger: the capabilities, intentions, and attack methods of adversaries that can exploit or cause harm to a system
 Vulnerability - The existence of a weakness, design flaw, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system
 Attack - An assault on system security that is derived from an intelligent threat
 Exploit - A defined way to breach the security of an IT system via a vulnerability
Essential Terminologies (Cont’d)
 Exposure - The potential compromise associated with an attack exploiting a corresponding vulnerability
 Countermeasure - An action that reduces the impact of an attack, detects the occurrence of an attack, and/or assists in the recovery from an attack
 Subject - Generally a person, process, or device that causes information to flow among objects
 Object - A passive entity containing or receiving information; access to an object usually implies access to the information that it contains
Essential Terminologies (Cont’d)
The DIKW Hierarchy (Data, Information, Knowledge, Wisdom) helps define the jobs of security professionals:

 Gathering data - log files, visual inspections, asking questions, reading RSS feeds
 Turning that data into information - figuring out what is happening to whom, and where and when it is happening
 Applying information to create knowledge - "How is this happening?"
 Synthesizing knowledge into wisdom - "What can we do to make sure we're safer? What are best practices?"
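The first three DIKW steps applied to a handful of authentication log lines, as an added example that is not part of the original slides: the raw lines are the data, the per-source counts are the information (who, from where, how often), and the rule that spots a run of failures followed by a success is the knowledge ("how is this happening?"). The log lines are constructed for the example and the sshd-style syslog format is an assumption.

```python
"""Added example (not from the original slides): walking constructed
auth-log lines up the DIKW hierarchy.  Data = raw lines; information =
who/where/when/how-often; knowledge = a password-guessing pattern that
ends in a successful login.  The sshd syslog format is assumed."""
import re
from collections import defaultdict

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Mar 12 09:01:02 host1 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 09:01:04 host1 sshd[2110]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 12 09:01:06 host1 sshd[2111]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 09:01:08 host1 sshd[2112]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 09:01:11 host1 sshd[2113]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 12 09:15:40 host1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 12 09:15:45 host1 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Data -> structured events.  Lines that do not match the format are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Information: per source IP, how many failures/successes and which users."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for e in events:
        bucket = per_ip[e["ip"]]
        bucket["failed" if e["result"] == "Failed" else "accepted"] += 1
        bucket["users"].add(e["user"])
    return per_ip


def find_guessing_then_success(events, threshold=3):
    """Knowledge: a source that fails >= threshold times for a user and is
    then Accepted for that same user is a likely password-guessing success."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    findings = []
    for e in events:  # events are in log order, so the counts are time-ordered
        if e["result"] == "Failed":
            failures[e["ip"]][e["user"]] += 1
        elif failures[e["ip"]][e["user"]] >= threshold:
            findings.append({"ip": e["ip"], "user": e["user"],
                             "failed_before": failures[e["ip"]][e["user"]],
                             "time": e["ts"]})
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, s in summarize(evs).items():
        print(f"{ip}: failed={s['failed']} accepted={s['accepted']} users={sorted(s['users'])}")
    for f in find_guessing_then_success(evs):
        print(f"Guessing succeeded: {f['user']} from {f['ip']} at {f['time']} "
              f"after {f['failed_before']} failures")
```

On the sample data the single finding is root from 203.0.113.7, accepted after three failed passwords; alice's one failure followed by a public-key login stays below the threshold. The wisdom step (what to change so this cannot recur: key-only logins, lockout, rate limiting) is a policy decision that no script makes for you.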
Security Elements
 Commonly based on the CIA triad (Confidentiality, Integrity and Availability)
 Extended models add further elements: Identity, Privacy, Authentication, Authorization, Accounting
Security, Functionality, Ease of use Triangle
 Fewer weaknesses means fewer possible exploits: reducing weaknesses is what gives great security
 The more security, the less functionality and ease of use
 Moving the ball toward security therefore means giving up some of the other two

[Figure: triangle with vertices Functionality, Security and Ease of use; the ball marks where a given system sits between them]

Attack Phases (IT Systems)
 Reconnaissance
 Passive: acquire information without directly interacting with the target
 Active: involves interacting with the target directly by any means
Social Engineering – Concept:
 Social engineering is the tactic or trick of gaining sensitive information by exploiting basic human nature, such as:
 Trust
 Fear
 Desire to help

 Social engineers attempt to gather information such as:
 Sensitive information
 Authorization details
 Access details
Social Engineering (Cont’d) – Categories:
 Human-based:
 Gathers sensitive information by interaction
 Exploits trust, fear, helping nature of humans

 Computer-based:
 Social engineering is carried out with the aid of
computers
More on Human-based Social Engineering
 Eavesdropping: unauthorized listening to conversations or reading of messages
 Interception of any form, such as audio, video, or written
 Shoulder surfing
 Dumpster diving:
 Trash bins
 Printer trash bins
 User desks, for sticky notes
Dumpster diving targets:
 Phone bills
 Contact information
 Financial information, etc.
More on Human-based Social Engineering
 Tailgating
 An unauthorized person, often wearing a fake ID badge, follows an authorized person through a secured door
 Piggybacking
 An authorized person provides access to an unauthorized person by holding the secured door open for them
 Reverse social engineering
 The attacker creates a persona that appears to be in a position of authority, so that employees ask the attacker for information (and hand over details) rather than the other way around
 A reverse social engineering attack involves three steps:
 Sabotage: the attacker causes a problem
 Marketing: the attacker advertises themselves as the person who can fix it
 Providing support: while "helping", the attacker obtains the credentials or information they wanted
