Saturday, December 7, 2019

Information Security Social Engineering

Question: Describe information security, social engineering, and the problems that occur with social engineering.

Answer:

Introduction

Security is mainly concerned with whom to trust: it is important to know when to trust and when not to. People often disclose personal information to someone else while communicating, but trusting websites or social media is not safe, because intruders can hijack the site from the middle of the conversation, or the device being used for the communication may not be legitimate. Users with little knowledge of online scams, and users who have only recently joined social sites, are the ones most likely to face the problems caused by hackers and intruders. Users who know little about the security tools applicable to their device, yet readily trust online friends and the online media they use to reach friends and family, can become victims of social engineering.

Introduction to Information Security

Information security is the practice of securing data by protecting its confidentiality, availability and integrity. A few key concepts are involved in the process of securing data:

- Access: an object's capacity to use, modify, manipulate or otherwise affect another object. A legitimate user has authorized access to the system, whereas an illegal user does not have authorized access to the system or its data.
- Assets: the resources that are the focus of protection. An asset can be a physical device in use, information about websites, a person with expertise, a computer system, or another physical object.
- Attack: an intentional or unintentional act that damages a physical system or confidential data.
- Exploit: a technique used to take advantage of a system. Threat agents may use it to gain unethical access to data for personal gain.
- Exposure: a condition of the system, or of a system component, in which it is vulnerable enough to admit an attacker.
- Loss: a single event of damage caused by unauthorized disclosure or modification.
- Security profile: the total set of security measures and controls, including awareness, training, policy and technology, that must be implemented in order to provide protection.
- Threat: a person, object or other entity that can endanger assets.
- Threat agent: a specific component of a threat; for example, a hacker is a threat agent (Axelrod, Bayuk and Schutzer, 2009).
- Vulnerability: a weakness in a system.

1. Social Engineering

Social engineering is a persuasive method of manipulating people into giving up confidential data such as their user name, password or bank details. The types of information these attackers are after vary. When an individual is targeted, the criminals usually try to trick the person into giving them access to his computer, for instance by motivating him to download malicious software onto the system. All this information gives the attackers access to personal data as well as control over the victim's computer. Criminals keep using social engineering tactics because exploiting someone's natural tendency to trust is the easiest route; that then opens the way to attacking the software or the whole system (Katsikas and Gritzalis, 2006).
A common social engineering attack appears as a message or an email from a legitimate user: a criminal manages to socially engineer one person's email id and password and gains access to the contact list in that mail account. The attacker then controls the email account and sends messages to all of the victim's friends and social pages (Cheswick and Bellovin, 1994).

2. Findings

When an attacker performs social engineering and sends a message to another person's account, that person may be asked to verify something by clicking a link. After clicking the link, the page may ask for personal information. The link's destination may look very legitimate in its content and logo; sometimes everything on the page is copied from a legitimate site, so it looks legitimate too. Anyone who trusts the link is asked to provide information (Zelkowitz, 2004). As far as phishing is concerned, there are several types:

- Baiting: an attacker intentionally leaves a malware-infected physical device at a place where it is sure to be found. When the finder picks up the device and loads it onto his computer, he installs the malware without being aware of it.
- Phishing: a malicious third party sends a fraudulent message or email cloaked as a legitimate one, often appearing to come from a trusted source. The message is intended to trick the recipient into installing malware on his system or device, or into handing over financial information (Katsikas and Gritzalis, 2006).
- Pretexting: one party gives false information about themselves to another party in order to obtain genuine information about the recipient.
- Quid pro quo: an attacker asks for personal information in exchange for something of value; for example, attackers may offer attractive gifts in exchange for credentials.
- Spam: unwanted junk messages or mail.
- Spear phishing: a tailored approach aimed at a specific organization or individual. The attacker tries to extract personal information from a specific organization in order to obtain trade secrets or financial data (Kirkby, 2001).
- Tailgating: an unauthorized party follows a legitimate party into a secured, access-controlled location, usually to steal confidential information or valuable property.

3. Problems that occur with social engineering

People who take the bait may fall victim to malicious software capable of generating numerous exploits against their contacts and their personal information. They may lose money without receiving the items they purchased (Lai, 2012). Sometimes online offers promise to speed up the operating system or fix its bugs for free; the moment someone responds to such a trap, he becomes a victim of exploitation. There are many kinds of social engineering attack, and in a single attack a hacker can expose someone to exploits in multiple forms. The criminal then sells the information to others, who use it to exploit that person further; even friends, and friends of friends, of that person can be affected (Merkow and Breithaupt, 2000).

4. Ways to deal with the problems

To guard against these attacks, an online user may follow some basic advice so as not to become a victim (Oriyano, 2013):
- Slow down when a message urges immediate action. Spammers try to trap people into acting before thinking. If a message presses you to choose some option urgently, do not go with the flow; review it carefully and without being influenced.
- Before acting on any information, research the sender and the information given.
- Delete any request that asks for account or financial information.
- Reject unsolicited offers of help: no legitimate company offers help by personally contacting someone over mail or messages.
- Be wary of any download when you are not sure about the content of the file or about the sender; downloading in that situation can be a mistake.
- Offers of foreign lotteries are not legitimate. They may ask you to transfer money from a foreign country, which is easily recognizable as a scam.
- Set spam filters to high.
- Secure computing devices by updating the operating system automatically or manually. Anti-phishing tools can also alert the user to risks (Wright, 2014).

5. Who are the victims?

Generally, users with little knowledge of online scams, and users who have only recently joined social sites, face the problems caused by hackers and intruders. Users who know little about the security tools applicable to their device, yet readily trust online friends and the online media they use to reach friends and family, can become victims of social engineering (Peltier, Peltier and Blackley, 2005).

6. Recent trend

Attackers are increasing these days, along with their growing social engineering threats, which go beyond the targeted employees and try to trap employees into giving up their information (Vacca, 2007).

Cryptography
1. Significance and functionality of the different stages of a cryptographic system

A cryptographic system has significance through its predetermined functionality. Cryptography is mainly used to convert plain text into cipher text (Phoha, 2002). There are three stages of a cryptographic system, in order:

1. Plain text
2. Cipher text
3. Plain text

Functionality at each stage: the sender sends data as plain text, which is readable and can be modified by the sender, the receiver and everyone else. When the data passes through the encryption algorithm, an encryption key is applied. At the sender's end, the sender's public key and the receiver's private key are used to encrypt the data. After this process the data becomes cipher text. When the cipher text arrives at the intended user, the receiver uses the sender's public key to decrypt the text; the sender's public key is known to everyone (Preetham, 2002).

A number of cryptographic standards exist. Standard protocols and algorithms are used to build popular applications, and they attract a large amount of cryptanalysis.

Specific standards for encryption:
- Triple-DES
- CipherSaber
- RSA, the original algorithm for public key encryption
- OpenPGP
- Advanced Encryption Standard
- Data Encryption Standard

Hash standards:
- SHA-1, which produces 160 bits
- MD5, which produces 128 bits
- SHA-2, which is available in variants of 224, 256, 384, 512, 616 and 680 bits
- PBKDF2, which is a key derivation function

Digital signature standards:
- RSA
- Digital Signature Standard, which applies the Digital Signature Algorithm
- Elliptic Curve DSA

PKI (public key infrastructure) standards:
- X.509 public key certificates

Wireless standards:
- Wi-Fi Protected Access (WPA), which is better than WEP; it is a pre-standard, partial version of 802.11i.

MD5 standard: MD5 is a method of encryption in which plain text is converted into cipher text. The security of the MD5 hash function has been severely compromised. The MD5 algorithm takes a message as input.
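As an added illustration of the hash standards and MD5 paragraph above (this is example code written for this page, not code from the original post), the following Python script computes the fingerprint of an input with each listed hash function using the standard library's hashlib, shows that the digest size is fixed whatever the input length, that a one-character change in the input changes almost every hex digit of the digest, and how PBKDF2 (here PBKDF2-HMAC-SHA256, an assumption since the post does not name the underlying hash) stretches a password into a key. The sample inputs, salt and password are constructed; hashlib does not implement the 616- and 680-bit variants the post mentions, so only the 224/256/384/512-bit SHA-2 sizes appear.

```python
import hashlib
import hmac

# Hash standards from the post that hashlib implements.
HASH_STANDARDS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def digest_bits(algorithm: str, data: bytes) -> int:
    """Hash `data` with the named algorithm and return the digest length in bits."""
    return hashlib.new(algorithm, data).digest_size * 8


def fingerprint(algorithm: str, data: bytes) -> str:
    """Return the hex message digest ("fingerprint") of `data`."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_sizes(data: bytes) -> dict:
    """Digest length in bits for every listed standard, for the given input."""
    return {alg: digest_bits(alg, data) for alg in HASH_STANDARDS}


def differing_hex_digits(a: str, b: str) -> int:
    """Count positions at which two equal-length hex digests differ (avalanche effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def derive_key(password: bytes, salt: bytes, iterations: int = 100_000, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation: stretch a password into a `length`-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def verify_password(stored_key: bytes, password: bytes, salt: bytes, iterations: int = 100_000) -> bool:
    """Re-derive the key and compare it to the stored one in constant time."""
    candidate = derive_key(password, salt, iterations, len(stored_key))
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    short = b"hello"             # constructed sample input
    long_input = b"x" * 100_000  # constructed 100 kB input
    print(digest_sizes(short))       # each digest has a fixed size ...
    print(digest_sizes(long_input))  # ... regardless of input length
    print("md5(hello) =", fingerprint("md5", short))
    print("hex digits changed by a one-letter edit:",
          differing_hex_digits(fingerprint("sha256", b"hello"), fingerprint("sha256", b"hellp")))
    salt = b"constructed-salt-value"   # constructed; use a random per-user salt in practice
    key = derive_key(b"correct horse", salt)
    print(verify_password(key, b"correct horse", salt), verify_password(key, b"wrong", salt))
```

A digest, unlike the cipher text of the three-stage model, has no key and no inverse step: there is no function that recovers `hello` from its MD5 fingerprint, which is why a hash is used to fingerprint a file before signing rather than to conceal it.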
The message can be of any length (as required), and the algorithm produces a 128-bit message digest, or fingerprint, of the input (Reddy and Padmavathamma, 2007). The purpose of this algorithm is to compress a large file in a secure manner before it is encrypted with a private key under a public key cryptosystem such as PGP.

Network Security Fundamentals

a) Reason for rate limiting to reduce the damage caused by DDoS attacks

A DNS amplification attack is a popular form of DDoS (Distributed Denial of Service) attack. Attackers use open DNS servers, which are publicly accessible to anyone, to flood a targeted system with DNS response traffic. The primary method is to send an open DNS server a large number of DNS lookup requests. The server answers the requests assuming they come from a legitimate client, but the fraudulent party receives all the responses while the legitimate one keeps waiting for its turn. Eventually the DNS pool is too exhausted to respond to requests (Shim et al., 2000). This attack method is closely related to open recursive resolvers but seems more difficult to mitigate. That is why mitigation should focus on Response Rate Limiting to restrict the amount of traffic.

b) Why rate limiting can limit effectiveness too

Rate limiting is mostly applied on the ISP's router that connects the home network to the WWW (World Wide Web). If someone is experiencing a flood attack that saturates the internet link, rate limiting will not improve the situation. Rate limiting restricts large amounts of outbound traffic. For example, a victim of a Smurf attack can use rate limiting as a short-term solution to limit the traffic flood that he is sending to the attacker's network (St. Denis and Johnson, 2007).
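The Response Rate Limiting idea from section a), as an added worked example (written for this page, not taken from the original post or from any DNS server's RRL implementation): a per-source sliding-window limiter is replayed over a constructed query log in which one source sends 200 large-answer queries in two seconds while five ordinary clients each send one lookup. Timestamps are integer milliseconds, response sizes are illustrative, and the limit of five responses per source per second is an assumed policy value.

```python
from collections import defaultdict, deque

# Constructed DNS query log: (time in ms, source IP, query, response size in bytes).
# One source floods large-answer queries; five other clients make one lookup each.
QUERY_LOG = (
    [(t * 10, "203.0.113.7", "example.com. ANY", 3000) for t in range(200)]       # 200 in 2 s
    + [(500 + 1000 * i, "198.51.100.%d" % i, "example.com. A", 80) for i in range(5)]
)


class ResponseRateLimiter:
    """Sliding-window limiter: at most `max_responses` per source within `window_ms`."""

    def __init__(self, max_responses: int, window_ms: int = 1000):
        self.max_responses = max_responses
        self.window_ms = window_ms
        self._sent = defaultdict(deque)  # source IP -> timestamps of recent responses

    def allow(self, source: str, now_ms: int) -> bool:
        recent = self._sent[source]
        while recent and now_ms - recent[0] >= self.window_ms:
            recent.popleft()             # forget responses that left the window
        if len(recent) >= self.max_responses:
            return False                 # over quota: the response is not sent
        recent.append(now_ms)
        return True


def replay(log, limiter=None) -> dict:
    """Replay the log through the limiter and count responses and bytes sent."""
    stats = {"sent": 0, "dropped": 0, "bytes_sent": 0}
    for ts, src, _query, size in sorted(log):
        if limiter is None or limiter.allow(src, ts):
            stats["sent"] += 1
            stats["bytes_sent"] += size
        else:
            stats["dropped"] += 1
    return stats


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """How many bytes of response each byte of query produces."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    print("no limiting:", replay(QUERY_LOG))
    print("RRL 5/s:    ", replay(QUERY_LOG, ResponseRateLimiter(5)))
    print("amplification of a 60-byte query with a 3000-byte answer:",
          amplification_factor(60, 3000))
```

Without limiting, the server emits about 600 kB of responses toward whoever the 200 queries claim to come from; with the limiter, the flooding source gets five answers per second (ten in total) while all five ordinary clients are still answered. This illustrates the point in section b) as well: the limiter only reduces traffic the server itself sends, so it cannot help a victim whose inbound link is already saturated.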
c) Reasons why protecting the community matters in DDoS attacks

As far as DDoS attacks are concerned, attackers can easily take control of infected bots to initiate an attack. They can even amplify the attack by exploiting vulnerable public services that use UDP (User Datagram Protocol), such as Network Time Protocol or Domain Name System services. For all these reasons DDoS attacks are difficult to manage: building attack-mitigation infrastructure carries high capital costs, and there is a lack of proficiency in operating a protected network. This is why DDoS is not confined to the individual victim firm but is a community problem to deal with (Stewart, 2011).

d) Justification for black hole routing as an effective defense against DDoS attacks

Yes, black hole routing has an effective impact against DDoS attacks. Black hole routing designates an IP address, or a range of addresses, whose incoming packets are silently discarded rather than processed; this protects system resources from the harmful effects of DDoS. It thereby causes the packets of a malicious traffic attack to be dropped (The Basics of Information Security, 2014).

Firewalls

A firewall is a security system in computing that uses protocols and a packet filtering mechanism to protect the system on which it is installed. It keeps users notified about malicious activity going on behind the scenes. Many hardware-based firewalls also provide functionality to the internal network, such as a DHCP server (Tipton and Krause, 2005).
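To make the packet filtering mechanism concrete, here is an added example in Python (written for this page; it is not the post's code and not any real firewall's implementation). It goes slightly beyond the introduction above by contrasting the two approaches the post goes on to compare: a static filter that looks only at packet headers against an administrator-defined rule list, and a stateful filter that also records connections opened from inside and admits inbound packets only when they belong to one. The rule list, addresses and packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str  # "out" (leaving the protected network) or "in" (entering it)


# Administrator-defined rules, evaluated top to bottom; None matches any value.
STATIC_RULES = [
    # (direction, proto, sport, dport, verdict)
    ("out", "tcp", None, 443, "allow"),   # inside hosts may reach HTTPS servers
    ("in",  "tcp", 443, None, "allow"),   # and their HTTPS replies may come back
    (None,  None,  None, None, "deny"),   # default deny
]


def static_filter(pkt: Packet, rules=STATIC_RULES) -> str:
    """Header-only filtering: the first matching rule decides."""
    for direction, proto, sport, dport, verdict in rules:
        if (direction in (None, pkt.direction) and proto in (None, pkt.proto)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return verdict
    return "deny"


class StatefulFilter:
    """Tracks outbound-initiated connections; inbound packets pass only if they match one."""

    def __init__(self, rules=STATIC_RULES):
        self.rules = rules
        self.table = set()  # (inside host, inside port, outside host, outside port, proto)

    def inspect(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = static_filter(pkt, self.rules)
            if verdict == "allow":
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict
        # inbound: must be the mirror image of a connection we saw leave
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if key in self.table else "deny"


# Constructed traffic: a normal HTTPS exchange, then two unsolicited inbound packets.
PACKETS = [
    Packet("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "out"),  # client opens HTTPS
    Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 51000, "in"),   # server replies
    Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 445, "in"),       # unsolicited, sport 443
    Packet("203.0.113.9", "10.0.0.5", "tcp", 40000, 22, "in"),      # unsolicited, sport 40000
]


def run_both(packets):
    """Return (static verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.inspect(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, run_both(PACKETS)):
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, verdicts)
```

The third packet is the instructive one: the static rule set admits it because its headers satisfy the "replies from port 443" rule, while the stateful filter rejects it because no inside host ever opened a connection to that address and port. That is the practical meaning of "monitoring the communication of packets over a time span" rather than checking each header in isolation.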
1. Comparison between the different filtering mechanisms and the protocols used in firewalls

Stateful packet inspection filtering:
- It has replaced static packet filtering.
- Analysis of the packets is done at the application layer.
- It is able to monitor the communication of packets over a time span.

Static packet filtering:
- This filtering technique came before stateful packet filtering.
- Only packet headers are checked.
- It operates only according to administrator-defined rules.

Application proxy filtering:
- The proxy stands between two parties and requires the client to initiate the session with the proxy; the proxy then creates a session with the destination.
- The proxy server checks layers 4 to 7 for a valid connection.
- Once the client has set up the session with the proxy, the proxy in turn authenticates the other side (the destination) before creating the session.

Network Address Translation:
- In a firewall, NAT is used to hide the original addresses of the protected hosts.
- Its functionality addresses the limited number of routable IPv4 addresses.
- Routable IPv4 addresses are assigned to organizations or individuals, providing enough public address space at reduced cost.

Conclusion

In the early years, information security was a straightforward process of securing the physical components together with a simple document-checking scheme. The primary threat came from physical theft of devices, or from spying on data in transit and damaging it. Information security is the practice of securing data by protecting its confidentiality, availability and integrity. Security of information is needed at every phase of processing, storage and transmission. All of this can be achieved through technology, education, policy, training and awareness.
References

Axelrod, C., Bayuk, J. and Schutzer, D. (2009). Enterprise information security and privacy. Boston: Artech House.
Carlet, C. (2009). Editorial: Cryptography and Communications, Volume 1, Issue 1. Cryptography and Communications, 1(1), pp. 1-2.
Cheswick, W. and Bellovin, S. (1994). Firewalls and Internet security. Reading, Mass.: Addison-Wesley.
Katsikas, S. and Gritzalis, S. (2006). Security issues of IT outsourcing. Bradford, England: Emerald Group Publishing.
Kirkby, A. (2001). Internet trust and security. Network Security, 2001(9), p. 6.
Lai, C. (2012). Security issues on machine to machine communications. KSII Transactions on Internet and Information Systems.
Merkow, M. and Breithaupt, J. (2000). The complete guide to Internet security. New York: AMACOM.
Oriyano, S. (2013). Cryptography. New York: McGraw-Hill Education.
Peltier, T., Peltier, J. and Blackley, J. (2005). Information security fundamentals. Boca Raton, Fla.: Auerbach Publications.
Phoha, V. (2002). Internet security dictionary. New York: Springer.
Preetham, V. (2002). Internet security and firewalls. Cincinnati, Ohio: Premier Press.
Reddy, P. and Padmavathamma, M. (2007). An authenticated key exchange protocol in elliptic curve cryptography. Journal of Discrete Mathematical Sciences and Cryptography, 10(5), pp. 697-705.
Shim, J., Shim, J., Qureshi, A. and Siegel, J. (2000). The international handbook of computer security. Chicago, Ill.: Glenlake Publishing.
St. Denis, T. and Johnson, S. (2007). Cryptography for developers. Rockland, MA: Syngress Publishing.
Stewart, J. (2011). Network security, firewalls, and VPNs. Sudbury, Mass.: Jones and Bartlett Learning.
The Basics of Information Security. (2014). Network Security, 2014(9), p. 4.
Tipton, H. and Krause, M. (2005). Information security management handbook. London: Taylor and Francis e-Library.
Vacca, J. (2007). Practical Internet security. New York, NY: Springer.
Wright, O. (2014). Social engineering. Engineering Technology Reference.
Zelkowitz, M. (2004). Information security. Amsterdam: Elsevier Academic Press.
