Wednesday, March 27, 2013

Social Engineering by Anthony Ricigliano

Anthony Ricigliano - Anthony Ricigliano News and Advice:

Just when you thought you had your company resources locked down tight, a new type of security breach rears its ugly head. Social engineering is taking corporate theft to a personal level. Unlike a traditional hacker who works from a remote area to slip through your electronic defenses without any desire to walk through your actual doors, social engineers use both low- and high-tech strategies to exploit any weakness in your “human firewall.”

By launching an unrelenting assault on any weaknesses in your processes or employees, these unscrupulous groups or individuals almost always find a way in before they’re detected, if they’re detected at all. However, all is not lost. The best protection against social engineering attacks is to educate your employees about this growing threat in addition to developing a strong security program that takes every possible weakness into account.

What Exactly is a Social Engineering Attack?
Social engineering looks for any weakness, no matter how small, in your human firewall. This multi-dimensional approach uses the following strategies to gain entry into your organization either physically or virtually:
• Use small pieces of information as building blocks to learn even more
• Repetitive attacks
• Leverage technology
• Use of social skills and knowledge of basic human psychology

Social engineers are patient and detail-oriented. They run through an endless cycle of finding information, developing a plan based on that information, executing the attack, and analyzing any new information. Each time, any new knowledge is used as a launch platform for the next cycle of attacks. This continues until the individual or group breaks into your facility, gets caught, or gives up. Needless to say, they rarely give up.

How Do Social Engineers Get Their Information?

They get tiny bits of information from all over the place and put it all together to create a complete picture of your business. In fact, when they’re done, they may know more about your operation than many of your employees. Here are some methods that have been used in the past:
• Google – Social engineers use Google Earth, Google Street View, and similar sites to “case the joint.”
• Phone Calls – With a simple phone call, social engineers can find unpublished locations, the names of important employees, and whether an employee is in the office or on vacation.
• The Company Website – With just a few clicks, social engineers can find the names, titles, email addresses, pictures, background, and phone numbers of the company’s top executives.
• Social Networks – Facebook, Monster, and LinkedIn are a social engineer’s best friend. In addition to looking at pages belonging to employees, these experts connect to the pages of friends and family, too.
• Campaign Contributions – This is public record and can give an insight into an employee’s personality or political tendencies.
• Impersonating a Vendor or Maintenance Person – Some companies don’t bother to verify every representative if they appear legitimate, and maintenance people often go unnoticed.
• Faking, Spoofing, or Stealing Electronic Credentials

Social engineers take this information and use a variety of techniques to either get more information or gain access to important company resources. They may befriend an employee, impersonate someone in a position of authority, threaten an employee in some way, or simply beg for help. By knowing how to use one piece of information to get more, how to read people for potential weaknesses, and how to manipulate any situation, social engineers can often achieve their goals without detection.

What Can I Do to Protect My Organization?

To combat the social engineer’s four-pronged attack strategy, implement a similar plan of your own. Your security program should include the following four constantly repeating steps:
• Observe – Open your eyes and really look at your operation to find weak points.
• Document – Document what is happening as well as what should happen.
• Educate – Don’t think that your employees will completely understand the document. Teach them good practices and procedures with a hands-on approach.
• Test – Test the system to make sure it’s working as expected. This can include posing questions from time to time or launching a test attack.
• Refine – Continue to circle back through the process to refine the program.

Here are a few best practices to include in every social engineering defense program:
• Verify Information – Trust your employees, your customers, and your vendors, but verify everything.
• Denial Should Be the Default – If there is any question, deny access to both physical and electronic resources. Make sure everything is locked down.
• Create a Notification Process – Give your employees a tool to use if they think they may have been the subject of a social engineering attack. This could be as simple as a number to call or an email to send. Include a method that passes communications up and down the chain of command if an attack is suspected.
• Restrict USB and CD access to prevent infections from viruses and other malicious code.

By using a mixture of both simple and complex methods, social engineers are able to learn an amazing amount of information about a company and launch sophisticated attacks. Educating your employees and continuing to improve your security procedures is the best way to thwart their efforts.

Anthony Ricigliano

Anthony Ricigliano: Five Fracking Facts
As the proponents of "fracking" (short for hydraulic fracturing) continue to tout its virtues, the side opposing fracking continues to press forward with its own information on why the practice should either be heavily regulated or stopped altogether. The practice, which pumps water, sand, and a cocktail of viscous fluids into shale formations to release hydrocarbons, has prompted both factual and widely exaggerated claims from proponents and opponents, so taking a look at some unassailable fracking facts may be a good place to start.

These facts include:

1) The cocktail of viscous fluids used for fracking can contain several components that should not come anywhere near a supply of drinking water. These chemicals include antifreeze, a variety of oil-based products, soap, and diesel fuel.

2) Fracking that is conducted at deep enough levels will not affect aquifers and wells that are thousands of feet above the shale formation. This is due to the fact that cracks caused by the fracking process typically do not reach further than a thousand feet from the location where fracking is occurring.

3) Natural gas can accumulate and rise to the surface naturally. This is particularly true when a sandstone formation rests on top of one composed of hydrocarbon-bearing shale.

4) Fracking can cause problems that are avoidable with planning and restraint. There needs to be regular monitoring of retention pits and well sites to prevent dumping and leaks into drinking water supplies. Fracking should be avoided in situations where the shale formation sits close to the surface or is separated from the surface by porous formations like sandstone.

5) The fracking process in a vacuum is not unsafe. Like any other extraction process, there is a time and place factor that should be observed, which basically comes down to using common sense. Where there is the potential for problems, fracking should be avoided. Where the process can extract hydrocarbons efficiently without exposing the surrounding areas to harm, it can be employed.

The two sides of the debate remain polar opposites in any conversation regarding the safety of fracking. Maybe, by starting with the facts of the technique, the proponents and the opponents of fracking can find some middle ground that allows for safe extraction while doing no harm to the surrounding environment.

Tuesday, March 26, 2013

Anthony Ricigliano: What "Grid Down" is Teaching Us - Again
After a series of sudden and violent storms, which were followed by soaring temperatures, the Governors of Virginia, West Virginia and Ohio declared a state of emergency due to storm damage and a power outage that has affected millions of people. The outage, or "Grid Down" situation, has left people without air conditioning on days when temperatures went well over 100 degrees, without refrigeration, and scrambling to find food and water.

Grid Down has happened before and will happen again, and each time the same lessons are taught. Here are a few things we can learn this time - again:

* As people and industry demand more from our aging power grids, they become more fragile. Demand continues to increase, placing a burden on grids that they were not built to bear. Electric companies in California and other states are already warning residents and businesses of rolling blackouts if temperatures spike this summer.
* A Grid Down situation can turn into a major emergency for people with specific circumstances if electricity can't be restored quickly. Anyone vulnerable to high temperatures or relying on electricity to power medical devices is at serious risk without electricity. Having a small generator to power up appliances and devices in Grid Down situations could be the difference between life and death.
* People who are unprepared for outages make dealing with an emergency more difficult. The most recent Grid Down had people calling 911 even though they didn't need help. This prevented people in emergency situations from accessing the help they needed.
* Cell phones require electricity. Without electricity, recharging a phone becomes a lot more difficult. Transmission towers need electricity too, so if they're not powered up, cell phones in the area will all read "no service".
* In a crisis, emergency services will be overwhelmed. In almost every municipality emergency services are geared toward handling day-to-day demands, which means that most people will be left to their own devices in a large-scale emergency, at least in the early stages of the crisis.

We hear this so often from an early age that it has almost become background noise, but crisis preparedness is important and becoming more so. If we can't rely on the electrical grid, emergency services, cell phones, etc., we can only rely on ourselves.