Conduct and Ethics in a Digital World
A Social Engineering Experiment
Let's conduct a little experiment.
Do you know the following information?
Your full name
Your Social Security Number
Your date of birth
Your mother's maiden name (her name before she was married)
Your pet's name
Would you give this information to a stranger? To someone you just met? How about someone on the phone who says "your computer is hacked and they see your computer attacking them"? Your phone just rang. You pick it up and a man with a strange accent starts talking:
What do you do? Do you give them your email? Do you run their program? How do you know that Bob and Professional Security Consultants is legitimate? How did they get your number? What you just read was an example of a scam run out of Asia. Their focus is to scare you with information that sounds legitimate and hope you will install their backdoor. From there, they will steal all the personal information they can and possibly ransom the system for money. They do this by encrypting the hard drive and holding the key until payment is made.
How do we know it's a scam? As security professionals, we should ask questions to validate the person and company. Questions like:
How did you get my number?
What is my name?
What is your company's address?
What is your phone number? I am going to call you back.
Can you send me a website for your company?
What is a *.pf file?
What is the malware on my system? What is it supposed to do?
Social Engineering is the process of manipulating a person into giving up confidential information. This information can include PII, account information, system access, etc. Some expert social engineers may already have answers to these questions, come up with clever responses on the fly, or try to pressure you more. It's your job not to give in to the pressure and to do your homework.
For example, going back to the scam text: *.pf files are a normal part of the Windows operating system. Every time you start a program, a prefetch file for it is created in the C:\Windows\Prefetch directory. We found this link in Google regarding prefetch: http://helpdeskgeek.com/windows-vista-tips/delete-disable-windows-xp-prefetch/
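To show what the caller's "*.pf file" actually is, here is an added example (not from the original lesson or from any tool it mentions) that parses the header of a Windows Prefetch file: its SCCA signature, the executable name, the hash that appears in the file name (CALC.EXE-1234ABCD.pf), and, for the uncompressed layouts, the last-run time and run count. Those last two fields are why investigators care about prefetch files: they record that a program ran, and when. The byte offsets follow the publicly documented prefetch format; the sample file is constructed in memory rather than read from a real system, and the hash and timestamp in it are made up.

```python
"""Parse the header of a Windows Prefetch (*.pf) file.

Added example for this lesson, not code from the original page. Offsets follow
the publicly documented SCCA layout (versions 17/23/26/30). Windows 10 stores
prefetch files LZXPRESS-compressed ("MAM\x04" magic); those must be
decompressed before this parser can read them. The sample below is constructed
in memory; its hash and timestamp are made up."""
import struct
from datetime import datetime, timedelta

SIGNATURE = b"SCCA"
FILETIME_EPOCH = datetime(1601, 1, 1)
# (last-run FILETIME offset, run-count offset) per uncompressed format version
VERSION_OFFSETS = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0), 30: (0x80, 0xD0)}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return the version-independent header fields plus run data where known."""
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed Windows 10 prefetch file: decompress it first")
    if len(data) < 0x54 or data[4:8] != SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version, _sig, _unknown, file_size = struct.unpack("<I4sII", data[:16])
    # Executable name: UTF-16LE, 60-byte field (29 characters plus terminator)
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack("<I", data[76:80])[0]
    info = {"version": version, "executable": name,
            "hash": f"{pf_hash:08X}", "file_size": file_size}
    if version in VERSION_OFFSETS:
        run_off, count_off = VERSION_OFFSETS[version]
        ft = struct.unpack("<Q", data[run_off:run_off + 8])[0]
        info["last_run"] = filetime_to_datetime(ft) if ft else None
        info["run_count"] = struct.unpack("<I", data[count_off:count_off + 4])[0]
    return info


def build_sample_prefetch(executable="CALC.EXE", last_run=datetime(2017, 1, 1), run_count=5):
    """Constructed version-23 (Windows 7) prefetch file: header only, sections empty."""
    total = 0x54 + 156                      # header + version-23 file information block
    buf = bytearray(total)
    struct.pack_into("<I4sII", buf, 0, 23, SIGNATURE, 0x11, total)
    buf[16:16 + 2 * len(executable)] = executable.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, 0x1234ABCD)   # made-up prefetch hash
    delta = last_run - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", buf, 0x80, ft)         # last run time (version 23 offset)
    struct.pack_into("<I", buf, 0x98, run_count)  # run count (version 23 offset)
    return bytes(buf)


if __name__ == "__main__":
    for field, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{field:>10}: {value}")
```

On a real system the same parser can be pointed at any file under C:\Windows\Prefetch from Vista through 8.1; on Windows 10 the files are compressed and need decompressing first. Either way, nothing in a prefetch file is malware, which is the first thing the scam caller got wrong.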
We should always be vigilant on the data we give out to strangers, websites, people in general. We should also be vigilant on the access we give to our computer systems. Let's talk about some types of data we may interact with.
Personal Identifiable Information (PII)
Personal Identifiable Information or PII is any information that can be used to identify you as a person. Any PII should always be kept private. You may be in middle or high school now, but eventually you may need to apply for a car or school loan. If an adversary were able to get hold of this information, they could completely ruin your financial credibility. Many victims of identity fraud spend years fixing their credit and may have to take drastic measures like changing their Social Security number and having a third party monitor their credit.
Sometimes companies that we trust to hold and responsibly protect our PII leak our information as a result of a compromise. This is commonly called a data breach. Here are some notable data breaches and their impact:
| Year | Company | Affected | Cost | Description |
|---|---|---|---|---|
| 2013 | Target | 70 million | ~$250 Million | A vulnerability in the HVAC management system led to an adversary compromising Target's network and stealing over 40 million credit card accounts and personal information on 70 million of its customers. |
| 2014 | Sony Pictures Entertainment | 3,000 | $35 Million | A cyberattack against the Sony Pictures network led to leaked internal documents, corporate emails, and PII on current and former employees. |
| 2015 | Anthem | 80 million | $8-16 Billion | A major health insurance company fell victim to a cyber attack in which 80 million of its patient and employee records were stolen. |
| 2015 | Office of Personnel Management | 21.5 Million | Undisclosed | With evidence of the compromise going back to 2014, adversaries were able to breach OPM and steal employee records from all U.S. government agencies. Data stolen included personnel records, background checks, fingerprints, and clearance information. |
Internet-based Accounts
Most of us have various Internet-based accounts to access email, social media, cloud resources, etc. But what information are we freely giving them? Will they protect our data? The answer is probably not.
Like most IT professionals, most companies are focused on availability and functionality of IT systems and not on security. As a user of the Internet, we need to be careful of the information we give these companies. Does Yahoo! need to know your social security number? No. But does a bank like Bank of America or USAA? Practice the concept of least privilege with your data. Do not give your data to these companies if you feel they do not need it. Also do not be afraid to ask questions. Find an alternative if you feel the company will not adequately protect your data.
Here are some notable data breaches and their impact:
| Year | Company | Affected | Cost | Description |
|---|---|---|---|---|
| 2016 | Yahoo! | 1 Billion | Unknown | Hackers obtained access in 2013 and stole usernames, password hashes, security questions, etc. Considered the largest data breach to date. |
| 2016 | | 165 Million | Unknown | Hackers obtained access in 2012 and stole account information, including password hashes. |
| 2014 | JP Morgan Chase | 76 Million households, 7 million small businesses | $1 Billion | A network compromise led to usernames, addresses, phone numbers, and emails being leaked. No PII was reported to be stolen. |
Proper Conduct in Cyberspace
Now that we know what PII is, we practice least privilege and only give out what is needed. But what about information regarding our daily lives? Do you post pictures of what you are eating in Snapchat? What about updates in Twitter? How about vacation photos on Facebook?
The advent of social media (e.g. Myspace, Facebook, Twitter) allows us to stay in constant contact with friends and family. But if we don't "lockdown" our account permissions, others can get important information about us and our activities. To prevent unauthorized access, use the following guidelines:
Use strong memorable passwords
Audit account permissions every 3 months
Scrub users (friend lists) of those you no longer communicate with
Do not give out passwords
Never leave your computer unlocked
Furthermore, do not post information about an activity until you return. This includes vacations, military deployments, family visits, etc. If an adversary knows that your family will be on vacation for Spring Break, they know the perfect time to break into your home. Also, respect others' digital personas. Nowadays it is hard to find someone with no digital footprint, and whatever we post could compromise their security as well. For example, many victims of crimes hide from their attackers. Most phones and cameras embed GPS coordinates into each photo they take, so a posted picture could reveal the location of a victim to the attacker. Be vigilant.
Bottom Line Up Front
Keep private data private
Be respectful of others' digital personas
Think before you: post, text, or share
Operational Security (OPSEC)
Shifting gears a little, we will now talk about information assurance regarding a mission or operations. Operational Security or OPSEC is a five-step process for determining the operational impact of a data breach. The process includes:
Identify Critical Information
Analysis of Threats
Analysis of Vulnerabilities
Assessment of Risk
Apply Appropriate Measures
Identify Critical Information
What information is critical to your operation? What happens if this information got out? What would be the impact to the mission? Your people? Think about the big picture when it comes to your information. One or two minor details of an operation, combined could uncover a major detail. For example: photography of a downed aircraft seems harmless. But that photo has embedded details to include: date it was taken, who took it, and GPS coordinates of the aircraft.
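The aircraft photo in this step and the vacation pictures in the conduct section above both come down to the same hidden data: EXIF GPS tags inside the image file. The following is an added example (not part of the original lesson) that parses a JPEG's EXIF block to report any embedded coordinates and strips the block before the file is shared. It uses only Python's standard library; the sample image it builds is a constructed skeleton with made-up coordinates, not a real photograph.

```python
"""Check a JPEG for embedded GPS coordinates and strip its EXIF block.

Added example for this lesson, not code from the original page. It parses just
enough of the JPEG/TIFF/EXIF structure to reach the GPS sub-IFD. The sample
image is constructed in memory (a bare SOI/APP1/EOI skeleton, not a viewable
picture) so the example runs offline; its coordinates are made up."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_TAGS = (0x0001, 0x0002, 0x0003, 0x0004)  # LatitudeRef, Latitude, LongitudeRef, Longitude


def _rationals(dms):
    """Pack (degrees, minutes, seconds) as three unsigned RATIONAL values."""
    return b"".join(struct.pack("<II", int(v), 1) for v in dms)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed JPEG skeleton carrying a little-endian EXIF block with GPS tags."""
    # Offsets are relative to the TIFF header: IFD0 at 8 (18 bytes),
    # GPS IFD at 26 (54 bytes), latitude rationals at 80, longitude at 104.
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 0x0001, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
    gps += struct.pack("<HHII", 0x0002, 5, 3, 80)
    gps += struct.pack("<HHI4s", 0x0003, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
    gps += struct.pack("<HHII", 0x0004, 5, 3, 104)
    gps += struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + _rationals(lat_dms) + _rationals(lon_dms)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _find_exif_segment(jpeg):
    """Return (start, end, tiff_bytes) of the first APP1 Exif segment, or None."""
    pos = 2                                # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                 # start of scan: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return pos, pos + 2 + length, payload[len(EXIF_HEADER):]
        pos += 2 + length
    return None


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    count = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _dms_to_degrees(tiff, value_field, bo):
    """Follow a RATIONAL[3] offset and convert degrees/minutes/seconds to decimal."""
    off = struct.unpack(bo + "I", value_field)[0]
    parts = [struct.unpack(bo + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)]
    d, m, s = [num / den if den else 0.0 for num, den in parts]
    return d + m / 60 + s / 3600


def find_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags exist."""
    seg = _find_exif_segment(jpeg)
    if seg is None:
        return None
    tiff = seg[2]
    bo = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0], bo)
    if not all(tag in gps for tag in GPS_TAGS):
        return None
    lat = _dms_to_degrees(tiff, gps[0x0002][2], bo)
    lon = _dms_to_degrees(tiff, gps[0x0004][2], bo)
    if gps[0x0001][2][:1] == b"S":
        lat = -lat
    if gps[0x0003][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def strip_exif(jpeg):
    """Remove the APP1 Exif segment (and any GPS data in it) before sharing."""
    seg = _find_exif_segment(jpeg)
    if seg is None:
        return jpeg
    return jpeg[:seg[0]] + jpeg[seg[1]:]


# Constructed sample: a "photo" tagged at 38°56'N, 104°51'W (made-up values).
SAMPLE = build_sample_jpeg((38, 56, 0), "N", (104, 51, 0), "W")

if __name__ == "__main__":
    print("GPS before stripping:", find_gps(SAMPLE))
    print("GPS after stripping:", find_gps(strip_exif(SAMPLE)))
```

Stripping the whole APP1 segment is deliberate: it removes the camera model, timestamp and orientation along with the coordinates, which is the safe default for anything posted publicly. Run find_gps over a photo before it leaves your device and you have a concrete check for the "embedded details" this step warns about.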
Analysis of Threats
Who may be listening on your communication channels? Do you have unauthorized people around the base? Are they sympathetic to your cause or can they hurt it?
Analysis of Vulnerabilities
Are you communicating with teams across an unencrypted channel? Do you have news cameras 10 feet from your base of operation? Can anyone walk into your base and access any of the laptops? As security professionals you need to number (enumerate) all vulnerabilities in your system and discuss their potential impacts with leadership.
Assessment of Risk
This is a process where we take all the threats and vulnerabilities and assess the:
Impact of Loss
Possibility of Loss
Using this information, we can determine whether or not the risk is acceptable. For example: you are currently assigned to a missing person operation and use an Internet-based communications channel for all team communication. All team members are sharing an open wireless access point for Internet connectivity. We also know that the communications channel is using DES for its encryption. Let's take a look at the threats and vulnerabilities:
Threats:
anyone looking to gain more information about the operation
Vulnerabilities:
access point is not secured, communications channel uses an insecure cipher (DES)
The possibility of loss is HIGH because anyone can connect to the open wireless access point. They could also trivially break DES encryption to read team communications.
The impact of loss is also HIGH because we want to ensure the safety of our teams and of the person who is missing. If the missing person is actually a victim of an attack, the attacker may use operational information to find their victim.
Apply Appropriate Measures
Now that we know our threats, vulnerabilities, and risk, we can now deploy safeguards to prevent loss of information. For the above example, we can:
Secure the wireless access point with WPA2
Use low-power radios to prevent people outside of the base from trying to connect to the WiFi
Use Triple-DES or AES to encrypt communications
Ethics in a Digital World
Ethics is essentially how we define right and wrong conduct. What does it mean to be "ethical" in a digital world? Right now Cyberspace may seem like the wild west, but as security professionals we need to hold ourselves to higher standards.
The United States Air Force Academy has the honor code: I will not lie, cheat, or steal... but how does this apply to Cyberspace? We can use the following examples:
| | Real World | Digital World |
|---|---|---|
| Lie | Not telling the truth to a person's face | Impersonating someone or giving false information |
| Cheat | Obtaining and using test answers for a final | Hacking a voting machine to change an election, or breaking into a school computer to change grades |
| Steal | Taking money | Pirating software, or sending malware to someone that will hold their system for ransom |
Leaving Digital Evidence
Just like in the real world, we leave digital fingerprints. Locard's Exchange Principle states that a perpetrator will always bring something to, and take something from, the scene of the crime. Even though Cyberspace is a man-made domain, digital evidence can be collected to prove a crime was committed. This can include, but is not limited to:
Log files
Recovered files
Internet Service Provider information
Cellular phone service triangulation
Call history
Personal assistant activity logs (e.g. Amazon Alexa, Apple Siri)
Just because you "wiped your browser history" does not mean that there is not evidence in a log file that proves you downloaded or visited a site. Law enforcement and most cybersecurity professionals are trained to collect this evidence. This evidence could lead to the arrest and conviction of a criminal.
Certifications and Ethics
Most cybersecurity certifications, like the CompTIA Security+ or the ISC2 Certified Information Systems Security Professional (CISSP), have codes of conduct for their members. All certification holders must adhere to these standards or risk losing their certification for a period of time or forever. Here is an example of the CISSP Code of Ethics:
As a security professional, your credibility is paramount. Everyone you professionally interact with needs to know that you are trustworthy and have sound judgement, especially if you choose to work for any government and receive a clearance. You also need to properly report any wrongdoing, even if it is committed by a friend. Use sound judgement and report illegal activity or ethical violations to:
Teachers
Mentors
Parents