Conduct and Ethics in a Digital World

A Social Engineering Experiment

Let's conduct a little experiment.

Do you know the following information?

  • Your full name

  • Your Social Security Number

  • Your date of birth

  • Your mother's maiden name (her name before she was married)

  • Your pets name

Would you give this information to a stranger? To someone you just met? How about someone on the phone who says "your computer is hacked and they see your computer attacking them"? Your phone just rang. You pick it up and a man with a strange accent starts talking:

You: Hello?
Bob: Yes, my name is Bob Hammersmith from Professional Security Consultants.

You: Great, how can I help you?
Bob: I am sorry to bothering you, but our systems show that your computer is attacking one of our servers.

You: Wow, I am so sorry. How do you know it's my computer?
Bob: We are knowing because you have known malwares installed on your system.

You: Malware? What? I have antivirus! You must be joking.
Bob: No, no. I need you to go to your computer and search for the following files.

You: Ok.
Bob: Please search for *.pf file.

You: Ok, I have and I have 10 files on my computer.
Bob: Yes, yes. This is the malware I am speaking of.

You: Wow, I didn't know I had this!
Bob: Yes, yes. We need you to remove this malware.
Bob: Can you please send me your email address so I can send you a link to a malware cleaner.
Bob: You need to run this program on system...

What do you do? Do you give them your email? Do you run their program? How do you know that Bob and Professional Security Consultants is legitimate? How did they get your number? What you just read was an example of a scam ran out of Asia. Their focus is to scare you with information that sounds legitimate and hope you will install their backdoor. From there, they will steal all the personal information they can and possibly ransom the system for money. They do this by encrypting the hard drive and holding the key till payment.

How do we know it's a scam? As security professionals, we should ask questions to validate the person and company. Questions like:

  • How did you get my number?

  • What is my name?

  • What is your company's address?

  • What is your phone number? I am going to call you back.

  • Can you send me a website for your company?

  • What is a *.pf file?

  • What is the malware on my system? What is it supposed to do.

Social Engineering is the process of manipulating a person to give up confidential information. This information can include: PII, account information, system access, etc. Now some expert social engineers may already have these questions answered, come up with clever responses on the fly, or try to pressure you more. It's your job to not give into the pressure and do your homework.

For example: going back to the scam text, *.pf files are part of the Windows operating system. Every time you start a program, a prefetch file is created in the C:\Windows\Prefetch directory. We found this link in Google regarding prefetch. http://helpdeskgeek.com/windows-vista-tips/delete-disable-windows-xp-prefetch/

We should always be vigilant on the data we give out to strangers, websites, people in general. We should also be vigilant on the access we give to our computer systems. Let's talk about some types of data we may interact with.

Personal Identifiable Information (PII)

Personal Identifiable Information or PII is any information that can be used to identify you as a person. The fact is that any PII should always be private. You may be in middle or high school now, but eventually you may need to apply for a car or school loan. If an adversary were able to get a hold of this information, they can completely ruin your financial credibility. Many victims of identity fraud spend years to fix their credit and may have to take drastic measures like changing the social security number and have a third-party monitor their credit.

Sometimes companies that we trust to hold and responsibly protect our PII leak our information as a result of a compromise. This is commonly called a data breach. Here are some notable data breaches and their impact:

Year

Company

Effected

Cost

Description

2013

Target

70 million

~$250 Million

A vulnerability in the HVAC management system led to an adversary compromising Target's network and stealing over 40 million credit card accounts and personal information on 70 million of its customers.

2014

Sony Pictures Entertainment

3,000

$35 Million

A cyberattack against the Sony Pictures network led to leaked internal documents, corporate emails, and PII on current and former employees.

2015

Anthem

80 million

$8-16 Billion

A major health insurance company fell victim to a cyber attack where 80 million of its patient and employee records were stollen.

2015

Office of Personnel Management

21.5 Million

Undisclosed

With evidence of the compromise going back to 2014, adversaries were able to breach OPM and steal employee records from all U.S. government agencies. Data stolen included: personnel records, background checks, fingerprints, and clearance information

Internet-based Accounts

Most of us have various Internet based accounts to access: email, social media, cloud resources, etc. But what information are we freely giving them. Will they protect our data? The answer is probably not.

Like most IT professionals, most companies are focused on availability and functionality of IT systems and not on security. As a user of the Internet, we need to be careful of the information we give these companies. Does Yahoo! need to know your social security number? No. But does a bank like Bank of America or USAA? Practice the concept of least privilege with your data. Do not give your data to these companies if you feel they do not need it. Also do not be afraid to ask questions. Find an alternative if you feel the company will not adequately protect your data.

Here are some notable data breaches and their impact:

Year

Company

Effected

Cost

Description

2016

Yahoo!

1 Billion

Unknown

Hackers obtained access in 2013 and stole: usernames, passwords hashes, security questions, etc. Considered the largest data breach of today.

2016

LinkedIn

165 Million

Unknown

Hackers obtained access in 2012 and stole account information to include password hashes.

2014

JP Morgan Chase

76 Million households, 7 million small businesses

$1 Billion

A network compromise led to usernames, addresses, phone numbers, and emails leaked. No PII was reported to be stolen.

Proper Conduct in Cyberspace

Now that we know what PII is, we practice least privilege and only give out what is needed. But what about information regarding our daily lives? Do you post pictures of what you are eating in Snapchat? What about updates in Twitter? How about vacation photos on Facebook?

The advent of social media (e.g. Myspace, Facebook, Twitter) allows us to stay in constant contact with friends and family. But if we don't "lockdown" our account permissions, others can get important information about us and our activities. To prevent unauthorized access, use the following guidelines:

  • Use strong memorable passwords

  • Audit account permissions every 3 months

  • Scrub users (friend lists) of those you no longer communicate with

  • Do not give out passwords

  • Never leave your computer unlocked

Furthermore, do not post information about an activity until you return. This includes: vacations, military deployments, family visits, etc. If an adversary knows that your family will be on vacation for Spring Break, they know the perfect time to break into your home. Also, respect other's digital persona. Now days it is hard to find someone with no digital footprint and whatever we post could compromise their security as well. For example, many victims of crimes often hide from their attackers. Furthermore, most phones and cameras embed GPS coordinates into each taken photo. A posted picture could reveal the location of a victim to the attacker. Be vigilant.

Bottom Line Up Front

  • Keep private data private

  • Be respectful of other's digital persona

  • Think before you: post, text, or share

Operational Security (OPSEC)

Shifting gears a little, we will now talk about information assurance regarding a mission or operations. Operational Security or OPSEC is a five step process of determining the operational impact if there was a data breach. This process includes:

  1. Identify Critical Information

  2. Analysis of Threats

  3. Analysis of Vulnerabilities

  4. Assessment of Risk

  5. Apply Appropriate Measures

Identify Critical Information

What information is critical to your operation? What happens if this information got out? What would be the impact to the mission? Your people? Think about the big picture when it comes to your information. One or two minor details of an operation, combined could uncover a major detail. For example: photography of a downed aircraft seems harmless. But that photo has embedded details to include: date it was taken, who took it, and GPS coordinates of the aircraft.

Analysis of Threats

Who may be listening on your communication channels? Do you have unauthorized people around the base? Are they sympathetic to your cause or can they hurt it?

Analysis of Vulnerabilities

Are you communicating with teams across an unencrypted channel? Do you have news cameras 10 feet from your base of operation? Can anyone walk into your base and access any of the laptops? As security professionals you need to number (enumerate) all vulnerabilities in your system and discuss their potential impacts with leadership.

Assessment of Risk

This is a process where we take all the threats and vulnerabilities and assess the:

  • Impact of Loss

  • Possibility of Loss

Using this information, we can determined whether or not the risk is acceptable. For example: you are currently assigned to a missing person operation and use an Internet-based communications channel for all team communication. All team members are sharing an open wireless access point for Internet connectivity. We also know that the communications channel is using DES for its encryption. Lets take a look at the threats and vulnerabilities:

Threats:

anyone looking to gain more information about the operation

Vulnerabilities:

access point is not secured, communications channel uses an insecure protocol (DES)

The possibility of loss is HIGH because anyone can connect to the open wireless access point. They could also trivially break DES encryption to read team communications.

The impact of loss is also HIGH because we want to ensure the safety of our teams and the person that is missing. If the missing person is actually a victim of an attack, the attacker may use operational information to find thier victim

Apply Appropriate Measures

Now that we know our threats, vulnerabilities, and risk, we can now deploy safeguards to prevent loss of information. For the above example, we can:

  • Secure the wireless access point with WPA2

  • Use low-power radios to prevent people outside of the base from trying to connect to the WiFi

  • Use Triple-DES or AES to encrypt communications

Ethics in a Digital World

Ethics is essentially how we define right and wrong conduct. What does it mean to be "ethical" in a digital world? Right now Cyberspace may seem like the wild west, but as security professionals we need to hold ourselves to higher standards.

The United States Air Force Academy has the honor code of: I will not lie, cheat, or steal... but how does this apply to Cyberspace? We can use the following examples:

Real World

Digital World

Lie

Not telling the truth to a person's face

Impersonating someone or giving false information

Cheat

Obtaining and using test answers for a final

Hacking a voting machine to change an election or break into a school computer to change grades

Steal

Take money

Pirate software or send malware to someone that will hold their system ransom

Leaving Digital Evidence

Just like the real world, we leave digital fingerprints. Locard's Exchange Principle states that a perpetrator will always bring something and take something from the scene of the crime. Even though Cyberspace is a man-made domain, digital evidence can be collected to prove a crime was committed. This can include but not limited to:

  • Log files

  • Recovered files

  • Internet Service Provider information

  • Cellular phone service triangulation

  • Call history

  • Personal assistant activity logs (i.e. Amazon Alexa, Apple Siri)

Just because you "wiped your browser history" does not mean that there is not evidence in a log file that proves you downloaded or visited a site. Law enforcement and most cybersecurity professionals are trained to collect this evidence. This evidence could lead to the arrest and conviction of a criminal.

Certifications and Ethics

Most cybersecurity certifications like the CompTIA Security+ or ISC2 Computer Informations Systems Security Professional (CISSP) have codes of conduct for their members. All certification holders must adhere to these standards or risk loosing their certification for a period of time or forever. Here is an example of the CISSP Code of Ethics:

All information security professionals who are certified by (ISC)² recognize that such
certification is a privilege that must be both earned and maintained. In support of
this principle, all (ISC)² members are required to commit to fully support this Code
of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any
provision of the Code will be subject to action by a peer review panel, which may
result in the revocation of certification. (ISC)² members are obligated to follow
the ethics complaint procedure upon observing any action by an (ISC)² member that
breach the Code. Failure to do so may be considered a breach of the Code pursuant to
Canon IV.

There are only four mandatory canons in the Code. By necessity, such high-level guidance
is not intended to be a substitute for the ethical judgment of the professional.

Code of Ethics Canons:
- Protect society, the common good, necessary public trust and confidence, and the
infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principles.
- Advance and protect the profession.

As a security professional, your credibility is paramount. Everyone that you professionally interact with need to know that you are trustworthy and have sound judgement. Especially if you choose to work for any government and receive a clearance. You also need to properly report any wrong doing, even if it is conducted by a friend. Use sound judgement and report wrong illegal activity or ethical violations to:

  • Teachers

  • Mentors

  • Parents

Last updated