1.  Continue my education.  As mentioned in other blog entries I miss the management arena.  I have many skills that are now not being used.  To build on these skills and to better form my professional life I have decided to return to college for my masters in Business Administration.  I expect to return to college Fall 2010.  My goal is to use my technical skills in combination with my management skills to either start my own technology based business or become a vital part of an established organization’s employee infrastructure.   This employment transition will not take place anytime soon – current employer can relax.

2.  Compliance is who I am.  My goal is to build my systems-compliance knowledge.   They are many compliance standards I would like to learn.  My goal is to attempt to become knowledgeable on at least one new compliance standard per week.  A few of the future compliance standards I would like to learn include PCI DSS, FISMA, and HIPAA.  Follow my twitter to keep updated on what I am learning.

3.  Certifications.  I need certifications.  I need to complete my A+.  I need to get as many supporting certifications as financially and logically possible.

4.  I need to regularly update my blog.  Keep on me – I need to do this.

Several years ago I was a miserable hourly worker who faced daily the challenges of the grocery-retail environment.  The entire event of working in grocery-retail was not a lost cause.  I successfully developed my interpersonal and management skills.  I learned conflict resolution.  I learned to manage my time and to work with others to reach a common cause.  I learned to enforce and support company and governmental compliance and regulatory standards.  Later in life I learned the latter to be my lost and then undetermined ultimate interest.

As years progressed in my grocery-retail reality, I progressed to lower levels of management by putting my higher education off.  Often employees expressed their satisfaction on my management skills.  In most cases I was their favorite.  It was not that I excelled with charm, it was not that I was easy or negligent, it was that I understood how to work with people – I reflected the respect onto my associates that they conveyed to me.  My goal was not to be their friends but to gain their respect as a colleague.  The stress of the fast-paced high-stress environment began to take its toll on my strength and will-power.  Something had to change – I was still missing something.

I decided to transition into loss prevention.  This was an interesting experience.  I learned additional company compliance standards.  I became the auditor, the enforcer, the regulator.  Something about this position filled a gap in my life that I have since not been able to fill successfully.  I often had considered joining the ranks of law enforcement.  I had applied to several different law enforcement agencies and even had tested at a few of these.  I came very close to being accepted to the “list” in Orlando, FL but was later knocked out due to a lack of higher education.  A high school diploma did not cut it.  They preferred college – a proof of learning power.  Something was still missing.  Criminals kept trying to kill me over cheap merchandise.  This was not worth the risk.

I returned to my management duties reassuming my previous position with the company.  To be management again was bitter-sweet.  I again quickly returned to “the best” – my yearly reviews reflected this.  The stress was back but I again had the ability to influence my department and make a difference.  I went back to school.  First re-joining as a Criminal Justice Major, then Business Management, and then Systems Programming.  I eventually did get my degree – it took time, it took dedication.  I worked full time and took a full time class load.  The wait was worth it.  I finally progressed past the retail environment.  No more high-stress environment, no more unappreciated slave labor, no more unskilled labor.  I was ready to join the real world.

New job, new responsibilities… something is STILL missing…

I joined my current employer to assist in compliance documentation (among other things).  I am compliance, I live compliance.  I will admit that it hurts not being management – I miss it every day and feel that I am capable of so much more.  I do not find it appropriate to comment on the experiences and events of my current employment.  I respect my employer.  I do enjoy MOST aspects of my job.  I have learned many new things in my newly assumed environment.   Based on the knowledge and experience I have gained in the field I now have a strong understanding on what I desire in my professional life.  These goals will be posted in subsequent blog posts.

To those who may follow my post do not get me wrong – life is good.  This post is not intended as a bash and should not be taken personally.  I post this only to document the process of my decisions.  To show that I am capable of rational thought.  I will achieve my goals.

21st Birthday Gift Basket

This gift basket contains:
1 qty 11.2 fl oz Captain Morgan Parrot Bay Wave Runner Passion Fruit and Mango
1 qty 11.2 fl oz Mike’s Hard Lemonade
1 qty 50 ml Jagermeister
1 qty 50 ml Hipnotiq
1 qty 50 ml Southern Comfort
1 qty 50 ml Voyant Chai Creme
1 qty 50 ml Jack Daniels
1 qty 50 ml Smirnoff Pomegranate
1 qty 50 ml DeKuyper Washington Apple Burst
1 qty 50 ml Absolut Vodka
1 qty 50 ml Mezcal Con Gusano Monte Alban
1 qty 50 ml Skyy Vodka
1 qty 50 ml Smirnoff Melon
1 qty 50 ml Goldschlager
1 qty 50 ml Jim Beam
1 qty 50 ml Captain Morgan Original Spiced Rum
1 qty 50 ml DeKyuper Peachtree Schnapps
2 qty 50 ml Twistee Vanilla/Blueberry Shots
2 ct. Bayer Aspirin
2 ct. Alka-Seltzer

Total Value: $43.59

Enjoy!

Thank you.

Website/Blog Disclaimer

August 27, 2008

The data and information provided by this site (releeh.com/dawheeler.com/netz2.com) is for informational, reference and portfolio purposes only. The data contained on this site has no guarantee of accuracy, validity, or completeness and is provided “AS IS” with no warranties or guarantees. The information contained on this Website/Blog will not be held liable for errors, losses, injuries or damages arising from its display or use. The information provided on this Website/Blog is for information, reference, and portfolio purposes only and it remains the responsibility of the user to make proper citation of its use. The owner of this Website/Blog does not permit or condone dishonesty, piracy or plagiarism in any form. This is a personal Website/Blog and the opinions expressed here represent my own thoughts and not the thoughts of other agencies. By using/viewing the information contained on this Website/Blog you are acknowledging the terms of their use.

]]> http://releeh.com/?feed=rss2&p=466 0 http://releeh.com/?p=465 http://releeh.com/?p=465#comments Mon, 25 Aug 2008 17:41:37 +0000 David http://releeh.com/?p=465 I have created a new Photo/Slide Show page to put pictures of family events, vacations, and other fun stuff.

Check it out at the following link:

http://releeh.com/?page_id=354

http://www.rickyoder.com

Please note that we are not affiliated with Century 21 Pace Four Seasons or Rick Yoder in any way (well, with the exception of using them to hopefully sell our home.)

With the convenience of technology and the advantages in increasing productivity and simplicity it has delivered, a deviant world has emerged. This deviance is in the form of multiple variations of attacks on computer technology and the data contained within.

SYSTEMS ASSURANCE

Summary of Security Techniques

David Wheeler

Purdue University Calumet

ITS 454, Section 1

Due: February 12, 2008

Abstract

With the convenience of technology and the advantages in increasing productivity and simplicity it has delivered, a deviant world has emerged. This deviance is in the form of multiple variations of attacks on computer technology and the data contained within. Various tools and protocols exist in networking technology to authenticate networked data to ensure security and the identity of both parties involved in the transmission. Additional tools and techniques exist to prevent, detect, and deter unauthorized access to systems. Using these tools in layers will help ensure a more secure, stable networking system. Implementation of these techniques is necessary to not only prevent unauthorized access but to ensure the authenticity of data transmissions.

Summary of Security Techniques

This essay will discuss various tools and techniques used to develop and implement a more secure computer networking system. This essay will begin with an introduction of the need for computer security. In the introduction, the need for security, I intend to summarize the need for security techniques and the losses which may occur due to attacks or misuse. Once a solid ground of the need for systems security has been established, the essay will shift to a brief introduction of various security techniques. For each technique I intend to list the associated advantages and disadvantages. The essay will conclude with a summary on the need to layer the techniques in order to provide multiple layers of security.

The Need for Security

It is obvious that individuals, companies, and organizations depend on their networking systems. Organizations insist on the need for reliable, accurate transmission and storage of computer data. Lost, corrupt, or inaccurate data could lead to lost revenue, increased man-hours, and even legal actions depending on the intensity and necessity of the data. Various forms of attack techniques exist which put computer networks and their data at risk each day. In addition to these attack techniques, operator error and misuse are also vital sources of information loss and unauthorized access. Defense mechanisms exist to block unauthorized access and to prevent data corruption or loss.

Security Policies

Organizations should have security policies in place specifically outlining how an organization should defend against unauthorized traffic and how the organization’s employees should use the computer systems. A security policy is a statement that exactly defines what defenses will be configured to block unauthorized access, what constitutes acceptable use of network resources, how the organization will respond to attacks, and how employees should use the organizations resources to prevent and discourage the loss or damage to data (Weaver, 2007). For a security policy to work effectively, employees of an organization must be trained and understand the security policies. A security policy will only be advantageous if, and only if it is enforced and maintained. Security policies must be updated with changes in business configurations and the introduction of new technology.

Determining Security Needs

The security needs of an organization’s network are dependant on the organization’s operations. The security required of a system depends on what information it processes, for what purposes, the sensitivity of transmitted data, and the availability necessity of data (Boran, 2000). Security is based on three elements: confidentiality, integrity, and availability (Convery, 2004). Security needs of a system concentrate on the triad of these three elements. For example, a system may not contain highly confidential data, but must have a six-sigma uptime rating. In this example, the system described has high availability requirements and low confidentiality of data. However, the system does have a high confidentiality rating in order to defend against DoS, denial-of-service, attacks. In another example, a system may contain highly classified data and need to be available 100% of the time. In this example not only does the organization have an extremely high need for confidentiality, it also has an increased need for integrity and availability. Using various tools, techniques, and policies will help an organization achieve the levels of the triad it requires.

Cryptography

Encrypting data transmissions will help prevent and deter unauthorized access to information. Cryptography is the technique of writing of converting information into a secret, encrypted code. Cryptography can be used to protect data from theft, unauthorized modification, and authentication purposes (Kessler, 2007). These goals are achieved through the use of symmetric cryptography, asymmetric cryptography and hash functions. Hash functions use a mathematical transformation to irreversibly “encrypt” information (Kessler, 2007).

Symmetric (Secret Key) Cryptography

Symmetric cryptography, secret key encryption, uses a single key for both encryption and decryption activities. Secret key cryptography can be categorized as being either stream ciphers or block ciphers. Stream ciphers operate on a single bit at a time and implement a feedback mechanism so that the key constantly changes. A block cipher encrypts one block of data at a time using the same key on each block (Kessler, 2007).

Asymmetric (Public Key) Cryptography

Asymmetric cryptography, public key encryption, uses a key for the encryption process and a different key for the decryption process. As stated, public key encryption requires a different key for encryption and decryption. One of the keys is designated as a public key and the other is designated as a private key. The public key, used for encoding information, may be prescribed to others as necessary while the private key is kept privately by the decoder. When the decoder receives the encoded message it uses the private key to decode the information. In contrast, a sender may encode information using their private key and the receiver may decode the information using their public key. This contrasting scenario is an example of non-repudiation. Non-repudiation ensures that the send can’t deny sending the message since their private key was used to encrypt the information (Weaver, 2007).

Firewall

A firewall is a network device that has the capability to implement access control or other security techniques to enforce a particular traffic policy at a given point in a network (Convery, 2004). This capability to restrict traffic is possible using rules set in the firewall’s configuration. A firewall is the first level of defense for a network. The firewall, acting as a perimeter defense, blocks unwanted traffic from entering the network similar to a wall or mote surrounding a medieval castle. The perimeter defense mechanism acts as a choke point such as a castle’s perimeter doors and mote bridges (Sheldon, 2001). The organizational structure of the castle allows traffic, i.e. people, to leave and enter the castle structure using these choke points. External traffic is not allowed to enter the castle unless the doors and bridges are opened, similar to authorized, open ports in a network firewall. A firewall uses one or more of three methods to control traffic flowing in and out of a network. These three primary methods include Packet Filtering, Proxy Services, and Stateful Inspection (Tyson, 1999).

Packet filtering is where packets are analyzed against a set of filtering rules. Packets matching these filter rules are allowed to pass through the network while packets not meeting the rules are discarded (Tyson, 1999). Packet filtering works similar to a coffee filter. For example, a coffee filter is designed to let water flow through (i.e. approved packets) while the coffee grounds (i.e. unapproved packets) are kept out.

According to Indiana University’s Information Technology Knowledge Base, a proxy, or application level gateway, is a computer that acts as a gateway between a local network and a larger-scale network (such as the Internet (Indiana Univeristy, 2007).) A proxy server works by taking all incoming data entering on one port and forwarding that data to the rest of the network using another port. Blocking direct access between two networks provides additional security by preventing malicious mapping of the internal network.

The Stateful Inspection technique works similar to the Packet Filtering technique. In a Stateful Inspection, key parts of incoming packets are compared to a database of trusted information which is obtained by monitoring outgoing traffic for defining characteristics (Tyson, 1999). Incoming information is compared to the characteristics of the outgoing information. If the comparison provides a reasonable match, the information is allowed to pass through. If the comparison is not an appropriate match, the packets are discarded.

The safest firewall would block all traffic, but that defeats the purpose of making the connection, so you need to strictly control traffic in a secure way (Sheldon, 2001). It is important to control traffic coming in and out of a network. There are various attack methods a properly configured firewall may help prevent against. These attack methods include remote login, application backdoors, SMTP session hijacking, operating system bugs, and source routing (Tyson, 1999). Accessing a system is possible using open ports. If the firewall is blocking all unnecessary ports, many of these techniques will not work.

Operating System Security

An operating system provides two main functions: managing the resources available to the computer system and providing a reliable, stable, secure and consistent interface for applications to access the computer’s resources (Peikari & Fogie, 2004). An operating system is the primary software allowing a user to interface and take advantage of a computer’s power. User interaction with the operating system, whether through direct access or software, exposes the operating system to threats. Many operating system security techniques exist to prevent malicious attacks. It is important to use user accounts with passwords enabled. The use of password protection will prevent unauthorized users access. In addition to password protection it is also important to use firewalls, ant-virus software and ant-spyware software.

Implementing a Firewall is necessary to secure the perimeter of a computer system. As mentioned previously, a firewall is a network device that has the capability to implement access control or other security techniques to enforce a particular traffic policy at a given point in a network (Convery, 2004). Different forms of firewalls exist ranging from hardware to software based. Microsoft Windows XP Service Pack 2 and Microsoft Vista both come with a software based firewall implemented by default.

In addition to securing the perimeter of the computer system it is also necessary to use virus prevention and spyware detection software for passive and active monitoring of applications and the overall state of the computer system. Anti-virus software is software that is designed to detect viruses and prevent them from infecting the computer system. Anti-spyware programs are programs which protect a computer system against spyware.

Virus scanning refers to the process of examining files or e-mail messages for file names, file extensions, or other indications that viruses are present (Weaver, 2007). Anti-virus software works by comparing executable code of applications to patterns contained in the Anti-virus application’s signature file. If the pattern of the signature file matches the pattern in the application, the file is determined to contain a virus. Many anti-virus applications provide options to quarantine, clean, or delete the infected file. These options vary by anti-virus applications and the specific infection present.

Spyware is a form of Malware that is often associated with Browser Hijacking, Key loggers, and sending Web browsing habits to 3^rd parties (University at Albany, n.d.). Anti-spyware applications work similar to anti-virus software in that that compare applications, filenames, and operating system characteristics to a database of known malware applications. In the event the criteria of a specimen matches the database, the specimen is determined to be spyware. Most Anti-spyware applications provide options to remove the applications (when possible).

Virtual Private Networks (VPN)

A virtual private network provides a way for computers or computer networks to connect and communicate securely by using the same public communication channels available on the Internet (Weaver, 2007). The technique of VPN routing is “virtual” since the path taken between connections, the tunnel, is not static in that it may change based on performance requirements and server loads on the external network. Only specified computers or networks may connect to the communication tunnel. Information transmitted in a VPN is encrypted. Outsiders to the VPN tunnel cannot decrypt the information without the appropriate decipher algorithm. VPNs can use public Internet connections and still provide a high level of security because they perform a core set of activities: encapsulation, encryption, and authentication (Weaver, 2007). Various tunneling protocols exist to handle communication with various operating system platforms.

Network Address Translation (NAT)

Network address translation (NAT) translates internal network addresses into external interface addresses (Weaver, 2007). This translation hides the internal network addressing scheme from outside sources. In the event an attacker determines IP Addresses of the internal network it becomes possible for port scans to be run on the specific addresses to determine the location of open ports. Using NAT hides these internal networking addresses making it less possible to run port scans on internal network addresses. By lessening the possibility of finding open ports it limits the vulnerability of the system.

Intrusion Detection Systems

Intrusion detection systems are used to detect behaviors that may compromise the security of a computer system. These attacks include network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (Wikipedia, 2008). An intrusion detection system consists of sensors to monitor activities and to determine security events, consoles to monitor events and alerts, and a centralized engine which logs event records in a database and uses system rules to generate alerts in the event an intrusion has occurred.

Access Control

Access control involves the use of using authentication, authorization and audits to control physical access to a system. Access control systems provide the services of identification, authentication, authorization and accountability (Wikipedia, 2008). Identification and authentication commonly uses one of four authentication factors: something you know such as a PIN number, something you have such as a token, something you are such as a biometric, or where you are located (Wikipedia, 2008). Authorization determines the access restrictions a user possesses. These access restrictions may restrict or grant access to read, write, and execute capabilities on a system. Audits are conducted to ensure accountability. For instance, a user logged on used various authentication techniques can be held liable for activity taking place through their account.

Password Security

All of the system protection tools and techniques can easily be defeated if an account password is broken by a malicious entity. Strong passwords exist in order to minimize the possibility of someone guessing or breaking the password. There are several guidelines intended to strengthen passwords. The use of strong passwords acts as a firm deterrent against password guessing attacks, and buys additional time against other attacks (Security Stats, 2000). It is recommended to create passwords using upper and lower case letters and include numeric characters. Best practices indicate that a strong password should be at least 8 alpha-numeric characters. Additionally, it is not recommended to use any dictionary word, birth date, or location as a password.

Conclusions

Each of the security techniques discussed possesses their own advantages and disadvantages. No security system should be based off of one single security technique. In a networking system or local system it is advised to develop multiple levels of security techniques arranged in a layered boundary of defense. Each layer is responsible for its own security technique while providing a failsafe to preceding techniques that may have failed or been compromised. When developing a secure system, it is also necessary to consider system resources and organizational requirements. Often the more levels of security the more resource intensive the security system. When establishing security techniques it is important to consider the needs of the business or organization. The security techniques should establish security protocols without inhibiting business. Additionally, all of the security techniques in the world will not be effective if proper policies and enforcement guidelines are not developed and maintained by the organization. Security tools and techniques are useless without proper enforcement and education of the system’s users.

References

Boran, S. (2000). IT Security Cookbook. Retrieved February 11, 2008, from the Boran

Consulting Website: http://www.boran.com/security/IT1x-5.html

Convery, S. (2004). Network Security Architectures. Indiana: Cisco Press.

Kessler, G. (2007). An Overview of Cryptography. Retrieved February 11, 2008 from the

GaryKessler.net Website: http://www.garykessler.net/library/crypto.html

Peikari, C. & Fogie, S. (2004). Operating System Overview. Retrieved February 11, 2008

from the informIT Website:

http://www.informit.com/guides/content.aspx?g=security&seqNum=15

Sheldon, T. (2001). Firewall. Retrieved February 11, 2008 from the Linktionary Website:

http://www.linktionary.com/f/firewall.html

Tyson, J. (1999). How Firewalls Work. Retrieved February 11, 2008 from the

Howstuffworks Website: http://computer.howstuffworks.com/firewall1.htm

Unknown. (2007). Intrusion detection system. Retrieved February 11, 2008 from the

Wikipedia Website: http://en.wikipedia.org/wiki/Intrusion_detection_system

Unknown (2007). What is a proxy server. Retrieved February 11, 2008 from the Indiana

University Knowledge Base Website: http://kb.iu.edu/data/ahoo.html

Unknown (2008). Access control. Retrived February 11, 2008 from the Wikipedia

Website: http://en.wikipedia.org/wiki/Access_control

Unknown (2008). Tips for choosing a good password. Retrieved February 11, 2008 from

the SecruityStats.com Website:

http://www.securitystats.com/tools/password2.html

Unknown. (n.d.). Information Security Glossary. Retrieved February 11, 2008 from the

Office of the CIO University at Albany Website:

http://www.albany.edu/its/glossary.htm

Weaver, R. (2007). Guide to Network Defense and Countermeasures. Massachusetts:

Thomson Course Technology.

Running head: Social Engineering

Social Engineering

David Wheeler

Purdue University Calumet

ITS 350, Section 1

April 27, 2008

Abstract

Protection of personal information is “key” to preventing identity theft. With advancements in technology, tools and techniques have been created to protect information and resources. While these tools may prove to be an expensive semi-successful solution, human nature may be the true downfall. The use of social engineering techniques can destroy networks, cripple identities, and result in significant monetary loss. Using social engineering techniques can defeat intrusion detection systems and bypass well-planned network security techniques. Additionally, social engineering techniques may cause individuals to leak private information which in turn can be used to acquire the victim’s “identity.” In this research paper, I intend to portray what downfalls of human nature make social engineering techniques successful. I intend to cover, in-depth, common social engineering techniques citing real-world and probable examples. In addition to social engineering tools, other methods exist to assist in acquiring information. This research paper will cover personal and physical techniques capable of acquiring information. A conclusion will be provided summarizing the information covered and will offer a solution to the scenarios discussed. The topics discussed in this research paper are meant to act as a guide assisting in the security of private information.

Social Engineering

Human nature dictates that humans rarely question acts that are considered normal. The concept of social engineering can cause destruction to networks and cost companies millions of dollars (Miller, 2000). Using social engineering techniques can defeat intrusion detection systems and bypass well-planned networking security techniques. Social engineering may take place on a personal, physical or electronic level. Before going into depth about social engineering tools and techniques, it is necessary to define common terminology of this technique and the psychology involved.

An Introduction to Social Engineering and the Human Psyche

Social engineering is defined as a normally non-technical kind of intrusion that relies heavily on human interaction and often involves trickery to gain the trust of individuals in order to obtain non-obvious information (Shinder, 2004). Social engineering techniques are commonly based on four qualities of human nature including the desire to be helpful, the tendency to trust people, the fear of getting into trouble, and the willingness to take “short cuts” (Peltier, 2006). Three key aspects of social psychology summarize the psychological ploy involved in social engineering attacks. These three methods include alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion and influence (Peltier, 2006).

Personal Social Engineering

Common alternative routes of persuasion encompass two routes: direct and secondary (Peltier, 2006). Direct routes involve specifically asking an individual for information. For instance, “Susan, I need to log into the company Web site to check stock information and I forgot my password. What is your login information?” In the indirect method of persuasion, a social engineer will increase the susceptibility of the victim by influencing an emotional response. Social engineers may spend significant amounts of time learning their victims and developing a situation that plays on the background of a victim (Peltier, 2006). The targeted person must feel compelled to disclose the requested information. Additionally, the attacker must create a strong enough emotional attachment that the victim is willing to ignore policies and procedures of their personal beliefs or organizational policies (Thornburgh, 2004). The victim makes the decision to disclose the information to the other party since they feel the reason has been justified. Many factors are used to cause these strong emotions. Most commonly, authority and empathy are the leading cause of disclosure by this method (Thornburgh, 2004). Authority represents leadership by power. This power often appears in the capability of one person to award or punish another. Emotions evoked by this form of authoritarianism include pride, fear, or greed (Thornburgh, 2004).

In the event social engineering is used on a personal level, friendship and trust may be taken advantage of to obtain information. In the above scenario, Frank uses direct persuasion by asking Susan for her user name and password since he “forgot” his. It is possible this scenario is true; Frank may have in-fact lost his account information. Let’s suppose Frank is not being entirely truthful. Using Susan’s account information, Frank is electronically enabled to acquire Susan’s digital identity. While logged onto the organization’s network as Susan, Frank decides to view prohibited content. System logs reveal that this violation occurred on Susan’s account. Susan is held liable and terminated for violation of company policy. Obviously the only thing Susan did wrong was disclose her account information to Frank. It is important to keep confidential information confidential by not disclosing information to other parties. The personal level of social engineering is not a new topic; it has been around for years and continues to be a vulnerability to personal information.

Physical Social Engineering

Physical tools of social engineering include dumpster diving and office snooping. In the event physical tools are used, discarded information may be acquired from the trash and information may be heard without any active intervention.

Dumpster Diving

While Mary is cleaning out her file cabinet containing her bills from the past year, she discards past credit card bills, utility bills, and bank statements into the trash. The night before garbage day, Mary hauls all of her garbage to the curb, including the past bills. Mary sleeps soundly knowing her bills from the past year have been discarded. While Mary is sleeping, Sam, an identity attacker, is going through Mary’s garbage looking for personal information. Sam discovers the discarded billing information. From the credit card statements he acquires Mary’s credit card numbers. From the bank statements he acquires bank account information including balances, Mary’s social security number and account numbers. Sam uses this information to start electrical service in Mary’s name at his home in Cleveland, Ohio. Sam took part in the act known as dumpster diving and identity theft. Dumpster divers, also known as thrawlers or garbologists, find sensitive information in garbage cans and dumpsters (Peltier, 2006).

Dumpster diving techniques can be analogized into the corporate world. Company ABC discarded information from their research department. A member of Company ZZZ looks through Company ABC’s trash and locates this information. Using this information, Company ZZZ patents a new invention and earns additional revenue. Company ABC’s carelessness resulted in the loss of credit for the invention and the revenue acquired by the invention.

Shoulder Surfing

The shoulder surfer look’s over someone’s shoulder to gain information such as passwords and pin numbers (Peltier, 2006). A news report from several years ago showed the significance of protecting personal information from shoulder surfers. In their report, a reporter was given a phone card and told to use it in Grand Central Station in New York. While the reporter was making the call, police counted at least five people “shoulder surfing” her pin number. Within minutes the stolen card numbers were used to make international phone calls (Peltier, 2006). It is important to obscure any information from near-by onlookers.

Electronic Social Engineering

The electronic level of social engineering includes any electronic means of gathering information. Examples of the electronic level of social engineering include phishing, spear phishing, and e-mail hoaxes. These forms of social engineering are dependent on technology in the form of Pop-up windows, mail attachments, and Web sites (Peltier, 2006).

Phishing

Phishing is defined as the act of imitating a legitimate company in e-mails to entice people to share personal information such as credit card numbers or passwords (McFedries, 2008).

Figure 1 – Example Phishing email (Credibles, 2006).

The above screenshot is an example of a phishing email. This phishing email, an email hoax, attempts to entice the user into visiting the Web site which asks for personal, contact information. In actuality, the Web site is harvesting the user’s information which may then be used to commit the act of identity theft.

Spear Phishing

Spear phishing is any highly targeted phishing attack (Microsoft, 2006). Spear phishing attacks are unleashed with the intent of gaining access to an organization’s computer system (Microsoft, 2006). Additionally, spear phishing attacks may specifically target individuals who use a particular Web site. Spear phishing may take place on an electronic or physical level. For example, an attacker sends an email to every account of an organization claiming that it is necessary to respond back with user names and passwords so that the database can be updated. The attacker will commonly alter who the email is from in attempt to make the message appear legitimate. The users who respond back with the information gives the attacker their personal information. Using this information, the attacker now has the resources to access the organization’s network.

Defending Against Social Engineering Attacks

Tools and techniques exist to prevent social engineering attacks. Using these tools creates a lesser vulnerability to the organization or person(s) involved in a potential attack. Many of the concepts discussed pertaining to organizational security may also be used in personal security.

According to Douglas Twitchell, there are currently three ways commonly suggested to defend against social engineering attacks: education, training and awareness; policies; and enforcement through auditing (Twitchell, 2006). Educated users through training and awareness may be more reluctant to disclose personal information in turn creating less of a vulnerability to themselves or their organization. Policies should be in effect instructing users on the proper handling of company information and user data. Audits must be conducted to ensure the users of the organization are compliant with policies and procedures. Hard copies of organizational data, records, or personal information must be destroyed before being discarded. Common effective methods for destroying hard copy information include shredders and incinerators. Destroying the data cuts off the dumpster diver’s sole method of data snooping.

Conclusions

Social engineering is not a new technique of acquiring data; it has been around for years. Social engineering may take place on a physical, social, and electronic level. Common social engineering attack techniques include dumpster diving, the physical act of acquiring data from personal or organizational garbage; shoulder surfing, the act of acquiring data by looking at the information as it is being used by the owner; phishing, the act of sending a fictitious email or hosting a fictitious Web site constructed to mimic a legitimate site with the sole purpose of acquiring personal information; and spear phishing, a more specific, broad-area phishing attack. Tools and techniques exist which, if used and enforced, will prevent most of these social engineering attack techniques. The main concept to consider when actively protecting confidential information is the art of “using common sense.” If something seems too good to be true, it probably is. Do not release any information to anyone unless you are sure they are legitimate. If there is any doubt of the legitimacy of a situation, do not disclose any information. Once your information is disclosed, you or your organization may have been put at risk for identity theft.

References

McFedries, P. (2008). Phishing. Retrieved April 24, 2008 from the Word Spy Website: http://www.wordspy.com/words/phishing.asp

Microsoft (2006). Spear phishing: Highly targeted scams. Retrieved April 24, 2008 from the Microsoft Website: http://www.microsoft.com/protect/yourself/phishing/spear.mspx

Miller, T. (2000). Social Engineering: Techniques that can bypass intrusion detection  systems. Retrieved April 24, 2008 from the StillHq Website:  http://www.stillhq.com/pdfdb/000186/data.pdf

Peltier, T. (2006). Social Engineering: Concepts and Solutions. Information Systems  Security, 15(Thornburgh, 2004), 13-21. Retrieved April 10, 2008, from Corporate  ResourceNet database.

Shinder, D. (2004). How to defend your network again social engineers. Retrieved April 21, 2008 from the Window’s Security Website: http://www.windowsecurity.com/articles/Social_Engineering.htm

The Credibles (2006). Phishing: The art behind the crime. Retrieved April 24, 2008 from the  Oracle ThinkQuest Education Foundation Website: http://library.thinkquest.org/06aug/00446/Phishing.html

Thornburgh, T. (2004). Social Engineering: The Dark Art. Information security curriculum development, 133-135. Retrieved April 10, 2008, from Association for Computing  Machinery database.

Twitchell, D. (2006). Social engineering in information assurance curricula, 191-193. Retrieved April 10, 2008 from the Association for Computer Machinery database.

Adeline Bonzcek

ADELINE M. BONCZEK FORMERLY OF HOBART/HEBRON, IN Adeline M. Bonczek, age 82, of Oak Ridge, TN and formerly a longtime resident of Hobart and subsequently Hebron, IN, passed away quietly at home after an extended illness on Monday, May 26, 2008. She was born on June 16, 1925 in Hammond, IN, the daughter of Charles and Marie Easterlin. Adeline was married to Stanley Bonczek on February 14, 1942. She was a member of St. Mary’s Catholic Church in Oak Ridge, TN and a previous member of St. Helen’s Catholic Church in Hebron, IN, a member of the Hobart Garden Club, TOPS (Take Off Pounds Sensibly) and was a Girl Scout Leader in Hobart for many years. Previously, Adeline was a co-owner of the Horseshoe Trailer Park in Hobart. She enjoyed gardening and home crafts. She was a loving wife, mother, grandmother and great- grandmother. Adeline is survived by her loving family: her husband of 66 years, Stanley Bonczek of Oak Ridge, TN; sons: William (Marie) Bonczek of Fairport Harbor, OH and Richard (Kim) Bonczek of Oak Ridge, TN; daughters: Rose (Roland) Wibbing of Carriere, MS and Dorothy (Robert) Wheeler of Crown Point, IN; 12 grandchildren; 13 great- grandchildren; brothers: Vernon (Dorothy) Easterlin of Bothell, WA and John (Sandy) Easterlin of Hobart, IN; and other loving family and dear friends. Adeline was preceded in death by her parents; sister, Grace Nix; and brother, Charles Easterlin. A visitation for Adeline Bonczek will be held Friday, May 30, 2008 from 4:00-8:00 p.m. at Rees Funeral Home – Hobart Chapel, 600 W. Old Ridge Road, Hobart, IN. A Mass of Christian Burial will be held Saturday, May 31, 2008 at 10:00 a.m. at St. Helen’s Catholic Church, 302 N. Madison, Hebron, IN with Father Derrick F. Dudash officiating. Burial will be at Graceland Cemetery, Valparaiso, IN. For further information, please call Rees Funeral Home at (219) 942-2109 or online at: www.reesfuneralhomes.com
Published in The Times on 5/29/2008.

source: http://www.legacy.com/nwitimes/Obituaries.asp?Page=Lifestory&PersonId=110570621