Daniel Smith
Human Relations
1. What areas do you see as your strengths and what areas do you see as needing improvement?
I see my strengths as my ability to problem solve, effectively interpret another person’s point of view, as well as be creative and think in ways that others may not see.
My weaknesses tend to be towards effective communication. Sometimes I have trouble explaining what I see. Also, I am not good at interpreting what may or may not offend someone. Basically I am kind of shy when I do not know a person, then I let my mouth get away from me when I do.
2. What can you do to improve in the areas you identified as needing improvement?
Well, this course for one should help improve in my weaknesses. Taking time to think before I talk would also help me.
haha, and here is a report I did back in August because I wanted a job at a company, but because I didn't have a degree they wouldn't let me in. I had a friend in the information security department and got some info out of him. After I gave this report to the director of IT security, she told my boss that she didn't want me on the floor with people on it because I am a security risk. And she told my friend in her department not to talk to me about work related stuff--in fact, not to talk to me at work at all. The only one who got a kick out of it was the VP of corporate security, who said he would give me a job as soon as I got my bachelor's degree.
Human Element Security
Daniel Smith
August 1, 2006
I. Human Element Security
  A. What this report is.
    1. Human Element Security is security practices put into place to prevent, identify, and plan for attacks of a Social Engineering nature. Social Engineering is a type of attack that is usually performed on companies during the enumeration phase of a planned larger scale attack. It is well known in the information security world that the human element is usually the weakest link in a company’s security, because “it targets an individual’s tendency to trust rather than a technical aspect” (Smith).
    2. This is a report of human element vulnerabilities I noticed passively at the xxxxxxxx office in xxxxxxxx (blacked out for protection). I have not included many, just basic ones I saw, because, well, I have only been at the building for two days, and I don’t want to stick my nose in too far.
  B. Why a report?
    1. I am making this report to release to the Corporate Information Security department at the above mentioned company because:
      a) I have noticed a few vulnerabilities and would like to bring them to their attention, in case they have not already seen them.
      b) More directly, I am trying to impress the head of IT security. Our meeting yesterday was brief, and I kind of feel stupid for not trying to make a lasting impression, so that I kind of stand out. This report was written with the main intention of at least grabbing your attention, and hopefully bettering my chances of getting a job. I realize that you said yesterday you usually only hire juniors and seniors that are in college, not sophomores or lesser. Also I was told that I would probably be happier in Operations Security. Truthfully, right now I am just trying to get my foot in the door. If you think I am not ready to be in the security department, I agree with you, but I would like to be considered for entry level IT positions at least, and try to work my way up. I really need to get some solid IT experience.
      c) This report is not in any way an attempt to be overbearing, rude, egotistical, or offensive. If you think I cross ANY of these boundaries, please let me know, and I will correct myself. I highly respect people in IT security, especially those of your background and qualifications, and I hope you find this report at most bold, maybe enlightening, and possibly entertaining. I am kind of going out on a limb with this report, and I hope you don’t think worse of me for trying to prove myself.
II. Building Security
  A. Parking Lot Security
    1. Observations
      a) There are no parking stickers on cars in the employee parking lot.
      b) There are no security guards regularly roaming the parking lot and grounds.
    2. Security risks
      a) These problems pose a small security risk, especially in the area of logging visitors. Anyone who may do any type of social engineering attack on the building would probably have some sort of false information. For this reason, it would be important to scan for visitors in the employee parking lot to at least log their license plate. If there is a discovered social engineering attack on the building by an individual who gave false information, there is the chance that he/she has parked in the parking lot and has a genuine license plate. This is the kind of specific detail that could catch some individuals unaware. This could also contribute to more minuscule problems like keeping shoppers etc. from “camping” their car in the employee parking lot.
    3. Possible Solutions
      a) Require all employees to have parking stickers when they intend to park in the employee parking lot.
      b) Post guards at each entrance to verify the parking stickers, and log any guests without one. The guests don’t have to be turned away, but there should at least be a log that they were there.
  B. Front Door Security
    1. Observations
      a) Security guards check for government issued IDs from all COBs that come on site, but they rarely check that the information written on the sign-in sheet matches the information on the ID.
      b) Security guards do not check if visitors that come on site and represent themselves as contractors really belong in the building.
      c) I noticed that employees entering at the security desks show their IDs to the security guards and they pass. I may be wrong, but I did not see a way to verify that the badges shown at the security desk are valid, although other entrances do verify by scanning IDs.
    2. Security risks
      a) This is a major security risk, and takes away the whole point of showing the government issued ID. This means that anyone with a genuine identification can present their ID to the security guard, but then write down false information on the sign-in sheet. If a social engineering attack, theft, defacement, or any other type of attack then takes place on the building, and the sign-in sheets are checked, then all they would probably get is the name “Elvis Presley” or “George W. Bush”.
      b) This is also a security risk, because people who do not belong in the building may be getting into the building. Anyone who knows a little about the corporate projects would be able to falsify information to get in.
      c) This is a security risk because an attacker may get ahold of an ex-employee’s ID, or make a false ID that looks like a real one. They could use this ID to get in through a security guard entrance and not be checked.
    3. Possible Solutions
      a) Since the security guard is checking IDs, an extra measure would be to have the guard write down the visitor’s information when they sign in, or at least verify that the information is correct before allowing the visitor to go further into the building.
      b) A way to prevent this is to require that all visitors or contractors be placed on a list of people allowed in the building, or at least be escorted in by an employee of the building. This could be integrated into solution #a by signing in visitors using a database that checks if the visitor is allowed in the building, sort of like an ACL.
      c) This problem can be resolved by using RFID chips, or something similar, in employee IDs and making them scan their IDs at all entrances, not just the entrances where a security guard is not present. That way all employee IDs are checked for validity.
  C. Physical Social Engineering
    1. Observations
      a) Most employees take their lunch at the same time, around noon. Employees not at lunch are usually the ones who are concentrating on their work and not on the people around them.
      b) There are no security guards on the site floor during opening or closing hours.
      c) Business related items are not put away when the employee leaves his/her desk. Employees do not have shredders in their offices.
      d) Employees in the company of strangers seem to be trusting, especially after polite conversation.
    2. Security risks
      a) This is a security risk because lunch would be a key time for an attacker to browse cubicles for information. Most people are gone, and the ones who are there are usually involved in their work and not paying attention.
      b) Clock out/in times are also times of the day when there is minimum activity on the site floor. Most employees will come on time and leave on time, meaning there are fewer employees to watch for strange behavior in the morning or evening hours.
      c) If employees leave documents on their desks then it makes it easy for an attacker to just walk into an unoccupied office and browse through them or grab them. Also, most employees do not have shredders, so an attacker may be able to find sensitive information in their trash can (dumpster diving).
      d) This opens the risk of shoulder surfing for passwords or other sensitive information.
    3. Possible Solutions
      a) To solve this problem, have set times when employees can go to lunch. Only send 1/3 to 1/2 of the employees to lunch at a time. This way there will be a lot of people in the office who can watch each other’s backs, and deter an attacker from attempting to burglarize an employee’s desk.
      b) During clock in/out times, have a security guard or two roam the floor to watch for suspicious activity. The presence of a security guard will usually deter an attack.
      c) Ask employees to secure sensitive documents when they leave their desk. Also, it may work to ask other employees to watch their desk when they go.
      d) Inform employees not to be trusting of strangers. Anytime the employee is using “something they have” as authorization to access restricted information or resources, ask the visitor to turn, or watch their eyes.
  D. Psychological Social Engineering
    1. Observations
      a) Most employees will try and help the “new guy”.
      b) Information about the internal workings of the company, such as the names and desks of employees in key roles, is sometimes freely given.
    2. Security risks
      a) This is a risk of persuasion. If an attacker can persuade employees that he/she is new, a lot of employees will freely give him information to help the attacker get settled in.
      b) This can risk a piece-by-piece attack using impersonation and conformity.
      c) Possibility of a phishing attack using information gathered from other vulnerabilities.
    3. Possible Solutions
      a) Make it a policy that employees who need help should ask their boss or a security guard, someone who knows what they can and cannot tell an individual.
      b) Inform employees what they should and should not tell people they do not know about the company.
      c) Inform employees what a phishing attack is, and tell them what they can expect management to ask them over the phone or through a memo, and what management would ask them in person.
To be continued..?
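The front-door solutions in section II.B of the report (guard verifies that the sign-in sheet matches the ID, visitors must be on an approved list or escorted by an employee, badges are scanned for validity at every entrance) amount to a small access-control decision that can be written down and tested. The script below is an added example written for this page, not code from the original post or from the company the report describes. Every name, badge number and list entry in it is constructed sample data, and the `SignIn`, `ExpectedVisitor`, `check_sign_in` and `check_badge` names are this example's own, not any real visitor-management product's API.

```python
"""Front-door sign-in checks modelled on the report's section II.B solutions.

Added example; not part of the original post. All names, badge numbers and
list contents are constructed sample data, not real people or records.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class SignIn:
    """One line of the visitor sign-in sheet plus what the guard saw on the ID."""
    id_name: str            # name printed on the government-issued ID
    sheet_name: str         # name the visitor wrote on the sign-in sheet
    company: str            # company the visitor claims to represent
    escort: Optional[str]   # employee who came to the desk to escort them, if any
    visit_date: date


@dataclass(frozen=True)
class ExpectedVisitor:
    """An entry on the pre-approved visitor list (the report's 'sort of like an ACL')."""
    name: str
    company: str
    valid_from: date
    valid_to: date


def normalize(name: str) -> str:
    """Compare names case- and whitespace-insensitively so 'j. smith' == 'J.  Smith'."""
    return " ".join(name.lower().split())


def check_sign_in(entry: SignIn, allowlist: List[ExpectedVisitor], employees: List[str]) -> List[str]:
    """Return the findings for one sign-in; an empty list means the visitor may proceed."""
    findings = []
    # Solution II.B.3.a: the name on the sheet must match the ID the guard inspected.
    if normalize(entry.id_name) != normalize(entry.sheet_name):
        findings.append("NAME_MISMATCH")
    # Solution II.B.3.b: the visitor is either on the approved list for today
    # (matched on the verified ID name, not the self-written sheet name) or is
    # escorted by someone on the employee roster.
    on_list = any(
        normalize(v.name) == normalize(entry.id_name)
        and normalize(v.company) == normalize(entry.company)
        and v.valid_from <= entry.visit_date <= v.valid_to
        for v in allowlist
    )
    roster = {normalize(e) for e in employees}
    escorted = entry.escort is not None and normalize(entry.escort) in roster
    if not (on_list or escorted):
        findings.append("NOT_APPROVED_OR_ESCORTED")
    return findings


def check_badge(badge_id: str, active_badges: set) -> bool:
    """Solution II.B.3.c: scan the badge at every entrance, so a revoked
    (ex-employee) or made-up badge number fails even at a guarded door."""
    return badge_id in active_badges


def log_line(entry: SignIn, findings: List[str]) -> str:
    """Guard-desk log record: the verified ID name is what gets written down."""
    status = "ADMIT" if not findings else "HOLD:" + ",".join(findings)
    return f"{entry.visit_date} id={entry.id_name!r} sheet={entry.sheet_name!r} {status}"


# Constructed sample data for the demonstration.
TODAY = date(2006, 8, 1)                      # the report's date
EMPLOYEES = ["Pat Reyes", "Morgan Lee"]       # constructed employee roster
ACTIVE_BADGES = {"E-1001", "E-1002"}          # constructed list of badges still valid
ALLOWLIST = [ExpectedVisitor("Alex Chen", "Acme Contracting", date(2006, 7, 31), date(2006, 8, 4))]
SAMPLE_SIGNINS = [
    SignIn("Alex Chen", "Alex Chen", "Acme Contracting", None, TODAY),            # approved contractor
    SignIn("Jordan Blake", "Elvis Presley", "Acme Contracting", None, TODAY),     # the report's fake-name case
    SignIn("Sam Okafor", "Sam Okafor", "Unknown Co", "Pat Reyes", TODAY),         # not listed, but escorted
    SignIn("Alex Chen", "Alex Chen", "Acme Contracting", None, date(2006, 8, 10)),  # approval has expired
]


def run_demo() -> List[str]:
    """Evaluate every sample sign-in and return the log lines."""
    return [log_line(e, check_sign_in(e, ALLOWLIST, EMPLOYEES)) for e in SAMPLE_SIGNINS]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
    print("badge E-1001 valid:", check_badge("E-1001", ACTIVE_BADGES))
    print("badge E-0007 valid:", check_badge("E-0007", ACTIVE_BADGES))
```

The allowlist lookup deliberately keys on the name the guard read off the ID rather than the name written on the sheet, which is the whole point of observation II.B.1.a: the self-reported field is the one a visitor controls. Matching on the verified field while still logging the sheet name means a mismatch is both blocked and recorded.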