Cs PPT CHP 2 Part 2

Uploaded by SAKSHI SHINDE

SECURITY POLICIES, STANDARDS, PROCEDURES AND GUIDELINES, AND SOCIAL ENGINEERING

Chapter 2 part 2
SECURITY POLICIES, STANDARDS, PROCEDURES AND GUIDELINES
• Policies – high-level, broad statements
• Standards – mandatory elements regarding the implementation of policy
• Guidelines – recommendations relating to policies
• Procedures – step-by-step instructions on how to implement policies

POLICY LIFE CYCLE
• Plan (Adjust) – develop the policy, procedures and guidelines, and design the security components
• Implement – implementation of the policy, with an instruction period
• Monitor – ensuring that hardware, software, policy, procedures and guidelines are effective in securing your systems
• Evaluate – evaluating the effectiveness of the security measures you have in place; includes vulnerability assessments, penetration tests, etc.
SECURITY POLICIES, STANDARDS, PROCEDURES AND GUIDELINES
• DETAILED EXPLANATION (IF NEEDED)

KNOW HOW TO SET POLICIES
• Part of information security management is determining how security will be maintained in the organization.
• Management defines information security policies to describe how the organization wants to protect its information assets.
• After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies.
• Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented.
• Finally, information security management, administrators, and engineers create procedures from the standards and guidelines that follow the policies.
INFORMATION SECURITY POLICIES
• Information security policies are high-level plans that describe the goals of the procedures.
• Policies are not guidelines or standards, nor are they procedures or controls.
• Policies describe security in general terms, not specifics.
• They provide the blueprints for an overall security program, just as a specification defines your next product.
HOW POLICIES SHOULD BE DEVELOPED
• Before policy documents can be written, the overall goal of the policies must be determined. Is the goal to protect the company and its interactions with its customers?
• Or will you protect the flow of data for the system? In any case, the first step is to determine what is being protected and why it is being protected.
• Policies can be written to affect hardware, software, access, people, connections, networks, telecommunications, enforcement, and so on.
• Before you begin the writing process, determine which systems and processes are important to your company's mission.
• This will help you determine what and how many policies are necessary to complete your mission.
DEFINE WHAT POLICIES NEED TO BE WRITTEN
• Information security policies do not have to be a single document. To make it easier, policies can be made up of many documents, just like the organization of a book.
• So, rather than trying to write one policy document, write individual documents and call them chapters of your information security policy.
• By doing so, they are easier to understand, easier to distribute, and easier to provide individual training with, because each policy has its own section.
• Smaller sections are also easier to modify and update.
IDENTIFY WHAT IS TO BE PROTECTED
• Remember that computers are the tools for processing the company's intellectual property, that the disks are for storing that property, and that the networks are for allowing that information to flow through the various business processes.
• The following is an example of what can be inventoried:
  • Hardware
  • Software
  • Network equipment
  • Diagnostic equipment
  • Documentation
  • Information assets
  • Preprinted forms
  • Human resource assets
IDENTIFY FROM WHOM IT IS BEING PROTECTED
• Defining access is understanding how each system and network component is accessed.
• Your network might have a system to support network-based authentication and another supporting intranet-like services, but are all the systems accessed like this?
• How is data accessed amongst systems? By understanding how information resources are accessed, you should be able to identify on whom your policies should concentrate. Some considerations for data access are:
  • Authorized and unauthorized access to resources and information
  • Unintended or unauthorized disclosure of information
  • Enforcement procedures
  • Bugs and user errors
SETTING STANDARDS
• When creating policies for an established organization, there is an existing process for maintaining the security of the assets.
• These existing processes are used as drivers for the policies.

CREATING BASELINES
• Baselines are used to create a minimum level of security necessary to meet policy requirements.
• Baselines can be configurations, architectures, or procedures that might or might not reflect the business process but that can be adapted to meet those requirements.
• You can use these baselines as an abstraction to develop standards.
GUIDELINES
• Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems.
• Sometimes security cannot be described as a standard or set as a baseline, but some guidance is necessary.
• These are areas where recommendations are created as guidelines to the user community as a reference to proper security.
• For example, your policy might require a risk analysis every year.
• Rather than requiring specific procedures to perform this audit, a guideline can specify the methodology that is to be used, leaving the audit team to work with management to fill in the details.
SETTING AND IMPLEMENTING PROCEDURES
• Procedures are written to support the implementation of the policies.
• Because policies differ between organizations, defining which procedures must be written is impossible.
• For example, if your organization does not perform software development, procedures for testing and quality assurance are unnecessary.
• However, some types of procedures might be common amongst networked systems, including:
  • Auditing – These procedures can include what to audit, how to maintain audit logs, and the goals of what is being audited.
  • Administrative – These procedures can be used to have a separation of duties among the people charged with operating and monitoring the systems.
  • Access control – These procedures are an extension of administrative procedures that tell administrators how to configure authentication and other access control features of the various components.
  • Configuration – These procedures cover the firewalls, routers, switches, and operating systems.
  • Incident response – These procedures cover everything from detection to how to respond to the incident. They should discuss how to involve management in the response as well as when to involve law enforcement.
  • Physical and environmental – These procedures cover not only the air conditioning and other environmental controls in rooms where servers and other equipment are stored, but also the shielding of Ethernet cables to prevent them from being tapped.
WHAT IS SOCIAL ENGINEERING
• Social engineering is the term used for a broad range of malicious activities accomplished through human interactions.
• It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

SOCIAL ENGINEERING ATTACKS HAPPEN IN ONE OR MORE STEPS
• A perpetrator first investigates the intended victim to gather the necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack.
• Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

SOCIAL ENGINEERING LIFE CYCLE

WHAT MAKES SOCIAL ENGINEERING DANGEROUS
• What makes social engineering especially dangerous is that it relies on human error, rather than on vulnerabilities in software and operating systems.
• Mistakes made by legitimate users are much less predictable, making them harder to identify and stop than a malware-based intrusion.

SOCIAL ENGINEERING ATTACK TECHNIQUES
• Social engineering attacks come in many different forms and can be performed anywhere human interaction is involved.
• The following are the five most common forms of digital social engineering assaults.
BAITING
• As its name implies, baiting attacks use a false promise to attract a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
• The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait (typically malware-infected flash drives) in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.
• Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.
• Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.

SCAREWARE
• Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself.
• Scareware is also referred to as deception software, rogue scanner software and fraudware.
• A common scareware example is the legitimate-looking popup banners appearing in your browser while surfing the web, displaying text such as “Your computer may be infected with harmful spyware programs.”
• It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious site where your computer becomes infected.
• Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless or harmful services.
PRETEXTING
• Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.
• The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority.
• The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.
• All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.

PHISHING
• As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. They then prod the victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
• An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website, nearly identical in appearance to its legitimate version, prompting the unsuspecting user to enter their current credentials and new password. Upon form submission the information is sent to the attacker.
• Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and blocking them is much easier for mail servers that have access to threat sharing platforms.
SPEAR PHISHING
• This is a more targeted version of the phishing scam, whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks or months to pull off. These attacks are much harder to detect and have better success rates if done skillfully.
• A spear phishing scenario might involve an attacker who, impersonating an organization’s IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it is an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker captures their credentials.
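The phishing and spear phishing lures described above share traits that a mail gateway or an analyst can check mechanically. The following is an added example, not code from the slides: it scores one constructed message for three such indicators, a Reply-To domain that differs from the From domain, urgency wording in the subject or body, and a link whose visible text names a different host than its href. The sample message, the keyword list and the indicator names are all assumptions made up for illustration.

```python
# Added example (not from the slides): heuristic phishing indicators for a single email.
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed keyword list; a real deployment would tune this from observed lures.
URGENCY = ("immediate action", "policy violation", "password change", "account suspended")

# Constructed sample message of the kind the slides describe: urgent password-change
# pretext, mismatched Reply-To, and a link whose label shows a different host than its target.
SAMPLE = """\
From: IT Support <support@example-corp.com>
Reply-To: helpdesk@example-corp-login.net
Subject: Policy violation - immediate action required
Content-Type: text/html

<p>Your account requires a password change.</p>
<a href="http://example-corp-login.net/reset">https://portal.example-corp.com/reset</a>
"""

def _domain(addr: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw: str) -> list:
    """Return the list of indicator names found in the raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    found = []
    sender, reply_to = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        found.append("reply-to-domain-mismatch")
    payload = msg.get_payload(decode=True) or b""   # None for multipart; treat as empty
    body = payload.decode(errors="replace")
    text = (msg.get("Subject") or "").lower() + " " + body.lower()
    if any(k in text for k in URGENCY):
        found.append("urgency-language")
    # Anchor text that looks like a URL but names a different host than the href.
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        label_host = _host(label.strip()) if "://" in label else ""
        if label_host and label_host != _host(href) and "link-text-host-mismatch" not in found:
            found.append("link-text-host-mismatch")
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))  # lists all three indicators for the sample
```

The three checks are heuristics for triage, not a verdict; a legitimate reset notice can trip the urgency test, so the result is best used to route a message for review or to feed a larger score.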
SOCIAL ENGINEERING PREVENTION
• Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps.
• Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about.
• Being alert can help you protect yourself against most social engineering attacks taking place in the digital realm.

MOREOVER, THE FOLLOWING TIPS CAN HELP IMPROVE YOUR VIGILANCE IN RELATION TO SOCIAL ENGINEERING HACKS
• Don’t open emails and attachments from suspicious sources – If you don’t know the sender in question, you don’t need to answer the email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site.
• Remember that email addresses are spoofed all of the time; even an email supposedly coming from a trusted source may actually have been initiated by an attacker.

CONTD.
• Use multifactor authentication – One of the most valuable pieces of information attackers seek is user credentials.
• Using multifactor authentication helps ensure your account’s protection in the event of a system compromise.
• Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.

CONTD.
• Keep your antivirus/antimalware software updated – Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.