Through the past 7 weeks, you learned a great deal about social engineering, and you have written a number of security policy statements. This week review your past work and take the opportunity to review any feedback on past assignments and incorporate those changes into your Social Engineering Awareness policy. Submit your completed policy in a Word document.
Identity verification policy
There are several considerations to make when designing an identity verification system. One is evidence of the claimed identity, which in this case can be either physical or digital. Physical evidence may be an identity card or a passport, while digital evidence is information such as personal data. Those asking for information will need to prove that the claimed identity is theirs.
Another consideration is the validity of the identity. Wiley (2010) argues that attackers rely heavily on pretexting to impersonate people, even in face-to-face cases. This can be countered by examining the person's physical identity document to determine whether it is forged or genuine, including checking the name and date of birth against what the person claims. For digital identities, the policy should require that cryptographic features confirm the identity and that the information has not been altered. Staff handling the request can also ask for personal details about the person and compare them with those in the system. Security Through Education (2014) shows that framing can be used to present information to victims in a way that derails their decision-making; how the claimant presents the data should therefore be counter-checked to detect any form of framing.
Has the identity being claimed existed over time? If it is new, that is a red flag for a possibly forged identity. A history check can confirm whether the identity belongs to a living person, since attackers can use the identities of the deceased. For physical persons, have they been known to the organization over time, or are they new? For persons contacting the organization by email, a counter-check should be done on whether the same email address has been used in previous business interactions with the claimant. For text messages, the mobile phone number is counter-checked in the same way.

Identity verification policy should also be designed to confirm that the identity belongs to the person claiming it. This can be done by ensuring that the person matches the photo in the document, in both physical and remote interactions. They must also match the biometric information on record and must not be wearing anything likely to hinder the identity verification.
Policy for physical identity verification
Customers seeking information about the company or their accounts in person must submit identity documents or passports to confirm that they are the real owners of those documents and that the details match those in the system. Personal information can also be requested and compared with the company's records to ensure that it correctly matches what the claimants provide.
In addition, those claiming an identity and requesting personal information from the company in person must be checked to confirm that they have a history with the company. If they do not, or appear to be new, additional steps should be taken to confirm their identity, including a thorough counter-check of every item of personal information. Where the account deals with finances, customers must give proof of when they opened the account or state the balance on their credit cards.
Digital identity verification policy
For customers or identity claimants seeking information through digital means such as email and short messages, several steps can verify their identity. For short messages, features of the phone number such as the country code and indicators of a virtual SIM must be checked to ensure that the number matches the identity claimed by those asking for the information. Staff must use IP address analysis to identify attempts to hide behind VPNs or proxies, which may indicate impersonation. They can use email address lookup to ensure that the domain of the claimed identity is valid and to detect whether the address is suspicious. In advanced cases, the company may adopt artificial intelligence such as voice recognition to confirm that the requester is the rightful owner of the identity.
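As an added illustration of the checks the identity verification policy above describes (history of the contact details, phone country code, email domain validity, and source IP analysis), here is an example screening routine. It is not part of the original policy: the customer record, the request, the proxy range and every sample value are constructed for the demo, and a real deployment would source known proxy/VPN ranges and customer history from its own systems.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed for this example: a documentation network (RFC 5737) stands in
# for the proxy/VPN ranges a real deployment would load from a threat feed.
KNOWN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")   # international phone number format


@dataclass
class CustomerRecord:
    """What the organization already knows about the customer (constructed)."""
    customer_id: str
    email_domain: str           # domain the customer normally writes from
    phone_country_code: str     # E.164 prefix on file, e.g. "+1"
    known_emails: set = field(default_factory=set)
    known_phones: set = field(default_factory=set)


@dataclass
class Request:
    """An inbound request for account information (constructed)."""
    customer_id: str
    email: str
    phone: str
    source_ip: str


def screen_request(req: Request, record: CustomerRecord) -> list:
    """Return the list of red flags raised by the policy checks (empty = clean)."""
    flags = []

    # Email: syntax, domain on file, and prior history with this customer.
    m = EMAIL_RE.match(req.email)
    if not m:
        flags.append("malformed email address")
    else:
        domain = m.group(1).lower()
        if domain != record.email_domain.lower():
            flags.append(f"email domain {domain} differs from domain on file")
        if req.email.lower() not in {e.lower() for e in record.known_emails}:
            flags.append("email address has no prior history with this customer")

    # Phone: E.164 format, country code on file, and prior history.
    if not E164_RE.match(req.phone):
        flags.append("phone number is not in E.164 format")
    else:
        if not req.phone.startswith(record.phone_country_code):
            flags.append("phone country code differs from the code on file")
        if req.phone not in record.known_phones:
            flags.append("phone number has no prior history with this customer")

    # Source IP: valid address and not inside a known proxy/VPN range.
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        flags.append("source IP is not a valid address")
    else:
        if any(ip in net for net in KNOWN_PROXY_RANGES):
            flags.append("source IP is inside a known proxy/VPN range")

    return flags


def decision(flags: list) -> str:
    """Map the flags to the policy outcome: verified, or escalate for extra checks."""
    return "verified" if not flags else "escalate: additional identity checks required"


if __name__ == "__main__":
    record = CustomerRecord("C-100", "example.com", "+1",
                            {"alice@example.com"}, {"+15551234567"})
    for req in (Request("C-100", "alice@example.com", "+15551234567", "198.51.100.7"),
                Request("C-100", "alice@example.net", "+447700900123", "203.0.113.9")):
        flags = screen_request(req, record)
        print(req.email, "->", decision(flags), flags)
```

Any single flag sends the request to the additional checks the physical policy describes (proof of account opening, balance questions) rather than refusing it outright, which keeps legitimate customers who changed phones or email providers from being locked out while still denying a clean pass to an unfamiliar identity.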
References
Security Through Education. (2014). Framing. Retrieved May 20, 2022, from https://www.social-engineer.org/framework/influencing-others/framing/
Wiley (2010). Social engineering: The art of human hacking. John Wiley & Sons.
Information Gathering: My Dossier
Week 2
Part A: Dossier
To compile information about myself, I thought of the places I visit regularly and where I provide important details about myself. As Solove (2004) asserts, in the digital age it is very easy to access people's personal information. I thought of web browsers, as they contain a lot of information about me, from my bank details, passwords, and location to my work. My browser stores a lot of sensitive information, and I know that if attackers accessed it, it would affect me a lot. To compile a dossier, I collected information from:
· Visited websites
· HTTP Cookies
· Saved logins information
· Local storage
· Autofill
First, I decided to find out the type of information that is in the local storage of my browser. I browsed the top popular sites that I always visit. I used Mozilla Firefox to modify privacy using the OpenWPM measurement framework on the browser. I navigated several links on the websites, but I did not access any user information as I was unable to log onto any of the sites. Therefore, I focused on finding out about my physical location. Benson (2018) asserts that sites use geolocation to send ads to different places, load-balance traffic, and customize the experience of users.
Next, I used Google Chrome to browse because I know that almost everyone uses it. I wanted to find out if there were any remnants and proof of my user accounts and activities on the different websites I visited that could be available in my local storage. I created accounts on these sites, logged in, and performed various actions such as sending emails on a webmail server and viewing documents on cloud storage. I was keen to see what I could find. I conducted all the activities manually so that I could get information that really represents me and my activities on the internet. I selected a subset of domains that are common in my profiles. These include google.com, youtube.com, facebook.com, twitter.com, instagram.com, netflix.com, whatsapp.com, and paypal.com.
Findings
From researching my browser in the first part, I found around 30 websites that had a certain amount of information about my geographical location. Around 35 websites recorded my IP address. These included the popular websites I always visit, such as Amazon, Walmart, and Alibaba, and news websites such as the New York Times and USA Today. This implies that anyone who visits these websites can access my physical location and understand my daily routine on the internet, my interests, and my finances through what I purchase from websites such as Amazon.
In the second part of my exercise, I extracted a lot of potentially sensitive items such as my email addresses, usernames, downloaded files, viewed documents, and many other items that attackers too can access and use to their advantage. In browsers that saved my passwords, I was able to extract my usernames and passwords easily. That means that attackers could access my accounts and track my devices.
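To make the dossier exercise above repeatable as a self-audit, here is an added example (not part of the original write-up) that inventories what a browser's cookie store reveals, per host, without ever printing a cookie value. The table layout mirrors the host, name, value, expiry, isSecure and isHttpOnly columns of a Firefox cookies.sqlite `moz_cookies` table, but the schema subset, the rows and the name heuristics are constructed assumptions; to audit a real profile you would open its cookies.sqlite read-only instead of the in-memory database built here.

```python
import sqlite3
from collections import defaultdict

NOW = 1_700_000_000          # fixed "current time" so results are repeatable
DAY = 24 * 3600

# Constructed schema: a subset of the columns Firefox keeps in moz_cookies.
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT,
    expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER
);
"""

# Constructed sample rows; hosts use reserved example domains.
SAMPLE_ROWS = [
    ("accounts.example.com", "session_id", "s3ss10n", NOW + 3600, 1, 1),
    (".shop.example.org", "auth_token", "t0k3n", NOW + 2 * 365 * DAY, 0, 0),
    (".shop.example.org", "geo_region", "US-NY", NOW + 30 * DAY, 0, 0),
    ("news.example.net", "prefs", "dark", NOW + 400 * DAY, 0, 0),
    ("news.example.net", "visitor_loc", "40.71,-74.00", NOW + 7 * DAY, 0, 0),
]

# Name fragments that usually mark credentials or location data (assumed heuristics).
SESSION_HINTS = ("session", "sid", "token", "auth", "login")
LOCATION_HINTS = ("geo", "loc", "region", "country", "zip", "lat")


def load_sample() -> sqlite3.Connection:
    """Build the in-memory stand-in for a profile's cookies.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, expiry, isSecure, isHttpOnly) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def audit_cookies(conn: sqlite3.Connection, now: int = NOW) -> dict:
    """Summarize, per host, how much a cookie store would expose. Values are never read out."""
    report = defaultdict(lambda: {"cookies": 0, "session_like": 0,
                                  "weak_flags": 0, "location_like": 0, "long_lived": 0})
    rows = conn.execute(
        "SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies")
    for host, name, expiry, secure, httponly in rows:
        entry = report[host.lstrip(".")]     # ".shop.example.org" -> "shop.example.org"
        entry["cookies"] += 1
        lname = name.lower()
        if any(h in lname for h in SESSION_HINTS):
            entry["session_like"] += 1
            # A credential-bearing cookie without Secure+HttpOnly is the easy target the
            # write-up warns about: readable by page scripts and sendable over plain HTTP.
            if not (secure and httponly):
                entry["weak_flags"] += 1
        if any(h in lname for h in LOCATION_HINTS):
            entry["location_like"] += 1
        if expiry - now > 365 * DAY:
            entry["long_lived"] += 1
    return dict(report)


def hosts_needing_attention(report: dict) -> list:
    """Hosts where a copied cookie store would yield credentials or location data."""
    return sorted(h for h, e in report.items()
                  if e["weak_flags"] or e["location_like"])


if __name__ == "__main__":
    rep = audit_cookies(load_sample())
    for host in sorted(rep):
        print(host, rep[host])
    print("review:", hosts_needing_attention(rep))
```

The report deliberately carries counts only: the point of the audit is to decide which sites to log out of, which cookies to clear, and where to turn on browser profile encryption, not to copy secrets into yet another file.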
Part B: Policy
Information in the organization is stored in both paper and electronic formats. A policy is required to cover the disposal of all protected and sensitive information regardless of where it is stored within the organization. The purpose of this policy is to provide all members of the organization with options and standards for disposing of sensitive and protected information.
#1: Protected information paper documents
All paper documents containing protected organizational data must be disposed of by shredding. Shredded paper documents are to be placed in the trash containers in each department, from which they will be collected by licensed document destruction companies. The head of any department without a trash container should contact management to arrange for one.
#2: Sensitive information paper documents
The departments that produce sensitive information paper documents are responsible for disposing of the data in those documents. Each department will decide which method to use; they are free to shred the documents, as for protected information paper documents, and then drop the shredded paper in the trash containers.
#3: Protected information electronic documents
All protected documents and media in electronic format will be disposed of by deletion. All such electronic documents and media must be sent to the Information Technology (IT) and Information Security (IS) teams for secure deletion. The IT and IS teams will destroy any electronic information that cannot be processed as per this standard.
#4: Sensitive information electronic documents
Sensitive data in electronic format will be disposed of by deletion by the departments that produced the documents. They should ensure the documents are securely deleted and can utilize the ITS Information Security team to accomplish this.
#5: Information outside the organization
Any protected or sensitive information document, whether in paper or electronic form, that is taken outside the organization by employees, partners, or representatives of the organization should be brought back to the organization for proper disposal using methods 1 to 4 above. Any party the organization permits to destroy sensitive or protected information off-site should use a licensed document destruction company. If they destroy electronic documents themselves, they should follow the standards outlined by the organization, which include secure deletion or returning the documents to the company for secure deletion.
References
Benson, R. (2018). How criminals can build a "web dossier" from your browser. Exabeam Information Security. Retrieved from https://www.exabeam.com/information-security/criminals-can-build-web-dossier-browser/
Solove, D. J. (2004). The digital person: Technology and privacy in the information age (Vol. 1). NYU Press.
Policy Statement
Security concerns regarding social engineering continue to increase. Organizations have therefore been mandated to address the different social engineering threats as a central aspect of standard risk mitigation. This policy statement aims to act as the official procedure the organization will rely on to educate employees about the organizational policies and procedures they must conform to when working with information technology.
Purpose
The primary purpose of raising this awareness is to focus the company's attention on security, establish sensitivity to the various vulnerabilities and threats to computer systems, and recognize the need to protect information, data, and strategy. The policy will focus on educating staff on key areas including misuse of networks or systems, password guessing, and abuse of the privileges granted to them in the systems. Other areas include accidental disclosure of sensitive information and malicious viruses, Trojan horses, and worms arriving via email and downloaded files. Employees will also be trained on the various ways malicious individuals may attempt to steal technology devices, including laptops containing sensitive information.
Scope
This policy applies to all staff within the faculty of Virtual Networks, including but not limited to part-time employees, full-time employees, contractors, trainees, temporary employees, volunteers, and vendors. It applies to every individual who plays an essential role in the organization and has been granted access by the company to its sensitive information, including PII.
PII here means personally identifiable information: any information or data that could identify a particular individual in the organization. This includes information the organization uses to distinguish its employees from other people. The organization will therefore treat any form of identity recognition, such as passwords and biometric recognition, as PII.
Procedure for conducting the training
Onboarding staff will be required to complete the new hire security training within 60 days of recruitment. The Human Resources department will be accountable for promptly informing the Compliance Department of each new recruitment to ensure that every employee is scheduled for training within the mandated timeframe. Every employee must complete the ongoing security training required by the security officer. IT will send security awareness reminders to employees regularly, and employees are accountable for reading and acting on any instructions in those reminders. Training, auditing, and tracking of policy compliance will be conducted annually to keep employees up to date with changes in the social engineering field.
Consequences of Policy Violation
Importance of Compliance
Employees will benefit significantly from the policy. It will provide them with measures they can rely on to perform their functions in the organization without fear of being attacked by an imposter. The policy will offer guidance on how employees can recognize attackers attempting to steal their information. Employees will be able to protect the information and data they use and collect on behalf of the organization and, at the same time, protect the technology they use. As a result, every employee will enjoy operating their devices in a safe IT environment full of supportive colleagues with whom they can work to identify fake personas trying to steal information from them (Chen et al., 2015). Studying the guidelines and materials the company supplies regularly will enable employees to stay up to date with changing criminal trends while understanding why the organization has implemented its procedures and practices. This is important in developing cohesiveness, ensuring that no employee is left behind.
Consequences of Failure of Compliance
Failure of an employee to comply with the guidelines presented during training will result in disciplinary action, up to and including termination of employment depending on the severity of the violation (Hu et al., 2011). Disciplinary action will also extend to legal measures where violations implicate laws such as the GLBA. Compliance with the company's social engineering policy will therefore be enforced through inspection, oversight, corrective actions, and disciplinary and administrative measures.
Possible Ramifications
Failure to comply with the organizational policy will have numerous ramifications affecting both the employee and the organization. The first is that the organization may face lawsuits for breach of confidentiality agreements with employees. The business owner may be forced to compensate for damages arising after an employee's identity is stolen, involving large sums depending on the data disclosed. Theft of information revealing the company's trade secrets by a competitor will cost the organization heavily, as it risks losing revenue and market share. An employee who reveals this type of information to a competitor may face punitive damages.
Non-compliance also leads to the organization losing relationships and clients due to a damaged reputation, which will make it difficult to establish trust with present and future clients. This is devastating to an organization's sustainability. The employee who breaches the social engineering policy might be blacklisted, hindering them from securing employment with other organizations. Other consequences for employees include termination of employment and any action by the organization to recover monetary damages, which will affect the employee's credibility both now and in the future. In other scenarios, the policy breach may be severe enough to attract criminal charges against the employee.
References
Chen, Y. A. N., Ramamurthy, K. R. A. M., & Wen, K. W. (2015). Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), 11-19.
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees?. Communications of the ACM, 54(6), 54-60.
Week One Assignment
What is social engineering?
Social engineering is a way of manipulating people socially so that they trust the social engineer and eventually provide usable data or information. In other words, social engineering is when one person tricks another into sharing confidential information by posing as someone authorized to have access to that information. Social engineering can come in different forms, but the medium most widely used to conduct social engineering attacks is one-to-one communication. People unknowingly reveal sensitive information by not taking adequate security measures before sending it. For example, victims of social engineering may accidentally share a company's trade secrets or Social Security numbers when they do not encrypt the information, use two-factor authentication, or verify the requester's identity.
The Acme Corporation’s Background and History
The Acme Corporation is the name of a fictional company in the Looney Tunes and Disney universes, appearing in various Warner Bros. animations as a running gag. Founded in 1891 when Irish settlers Samuel Robinson and Robert Crawford opened a store in South Philadelphia, Acme has 161 supermarkets under the Acme umbrella in Connecticut, Delaware, Maryland, New Jersey, New York, and Pennsylvania. In 1999, it became a subsidiary of Albertsons.
The Business
Acme is the third biggest food and drug retailer in the Delaware Valley, where its rivals include chains from the Ahold Delhaize family (Food Lion, Stop & Shop, and Albert, to name a few), Wakefern Food Corporation (ShopRite), and Walmart.
Acme was the regional sales leader in the Philadelphia region for a long time before losing that position to ShopRite in 2011. Acme was an innovator that offered customers self-checkout stands and online grocery services long before its competitors began online shopping in 2009. Acme also used internet-based orders to complete customers' orders.
add hot food bars to its stores.
Why a Social Engineering policy should be implemented
Social engineering is the act of using any method conceivable to convince a person/ an employee to give up passwords, computer access, or admittance to off-limits areas that a social engineer can use to steal PHI or access systems to install malware.
Social engineering depends on human nature and the desire to be helpful; it relies on common psychological traits (the desire to be helpful and the tendency to trust unknown people). This is why most successful social engineering incidents happen in places where there is no guidance or training. Therefore, to protect this organization's data, management will enact a social engineering policy, and recurring training will be available to ensure that employees are compliant with this policy.
Conclusion
A mandatory Q&A session will be set up to create awareness about social engineering using user-story test scenarios. The goal of the meeting is to empower employees by providing a platform to understand the different forms and types of social engineering attacks, ways to avoid exploitation, and what to do if there is a social engineering attack or attempt. A corporate policy will provide continuous training and simulated tests to help employees retain what they learn.
Social Engineering Awareness Policy
Policy statement for securing sensitive information
The organization is responsible for maintaining high security standards for any electronic information under its control. Any data stored on or accessed through company assets must be protected against unintentional or intentional loss of privacy, availability, or integrity, irrespective of location.
Purpose
The policy statement safeguards information and ensures the ability of the business to carry on its operations.
Scope
The policy relates to all the company staff, contractors, users and anyone else who uses information assets.
General
All computers, electronic systems, and applications must have a known local data owner who is in charge of the data and has the authority to act as the point of contact.
All devices will be administered and assessed on a continuing basis for necessary security actions by information technology support specialists within their given capacity.
Safeguarding assets
The following procedures and policies apply to securing sensitive assets:
All computing devices must have dedicated, properly supervised technical support to uphold information security. Staffing levels must be sufficient to ensure that the private information the organization is responsible for is well managed.
Devices will be set up in line with the applicable information security guidelines and standards stated by the organization.
Installation of newer versions, regular patching, and other maintenance shall be conducted to safeguard data. Automated or centralized deployment of security patches is strongly recommended for most server and desktop hardware.
Access to private data shall be subject to password authentication, with file access privileges assigned per data user.
Root-level or administrator passwords must be strong. The company shall use accounts with lower privilege levels instead of root accounts wherever possible. Employee access privileges must be reviewed regularly.
The use of portable flash disks is strictly prohibited without prior authorization from the administrator. If flash media are approved for use, all data on them must be appropriately encrypted.
All the organization's computers shall have malware filters and antivirus software installed and regularly updated, except for devices granted a prior, authorized exemption.
Physical access to computing devices must be restricted, especially when they are not in use, and devices must be switched off when not in use. Personal computers must be physically secured using standard locking attachments, and servers must be housed in a secure and appropriate physical facility.
Host security logging shall be configured, and log files shall be regularly reviewed for any irregularities.
Logs must be of adequate size and offer useful information in the case of security events.
Servers that store sensitive information must be regularly scanned with vulnerability testing software to reveal any vulnerabilities and allow corrective action to be taken.
Periodic backup copies of data and software must be made, tested, and securely stored. The physical security of removable media must be maintained, and plans must be made to permit recovery from unforeseen problems.
Secure deletion programs or mechanisms must be used to erase all data from media and hard disks before hardware is declared surplus, transferred, or disposed of.
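As an added example of the log review the asset safeguarding rules above call for (configure host security logging and review it for irregularities), here is a small scanner that runs over constructed sshd-style authentication lines and reports the two patterns a reviewer most wants to see: a source that keeps failing to log in, and a success from that same source right after the failures. It is not part of the policy; the log format, the threshold and the sample lines are assumptions for the demo, and the addresses are RFC 5737 test space.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (format assumed; not from a real host).
SAMPLE_LOG = [
    "Mar 10 09:00:01 host1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50211 ssh2",
    "Mar 10 09:00:03 host1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 50212 ssh2",
    "Mar 10 09:00:05 host1 sshd[2205]: Failed password for root from 198.51.100.23 port 50213 ssh2",
    "Mar 10 09:00:07 host1 sshd[2207]: Failed password for root from 198.51.100.23 port 50214 ssh2",
    "Mar 10 09:00:09 host1 sshd[2209]: Failed password for jsmith from 198.51.100.23 port 50215 ssh2",
    "Mar 10 09:00:12 host1 sshd[2211]: Accepted password for jsmith from 198.51.100.23 port 50216 ssh2",
    "Mar 10 09:05:00 host1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 41000 ssh2",
    "Mar 10 09:06:00 host1 sshd[2305]: Failed password for jsmith from 192.0.2.44 port 41200 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def find_irregularities(lines, threshold: int = 5) -> list:
    """Flag sources with >= threshold failed logins, and any success from such a source."""
    failures = defaultdict(int)        # source ip -> failed attempts so far
    users_tried = defaultdict(set)     # source ip -> usernames attempted
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # not an auth event this scanner understands
        ip, user, outcome, ts = m["ip"], m["user"], m["outcome"], m["ts"]
        if outcome == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
            if failures[ip] == threshold:          # report once, when the threshold is crossed
                findings.append({"kind": "repeated_failures", "ip": ip, "at": ts,
                                 "count": threshold, "users": sorted(users_tried[ip])})
        elif failures[ip] >= threshold:
            # A success after a burst of failures is the line a reviewer must not miss.
            findings.append({"kind": "success_after_failures", "ip": ip, "at": ts,
                             "user": user, "prior_failures": failures[ip]})
    return findings


if __name__ == "__main__":
    for finding in find_irregularities(SAMPLE_LOG):
        print(finding)
```

The threshold is a per-source count rather than a per-user one because the sample shows the usual shape of a guessing run: several usernames tried from one address. A single failed login from a second address is normal noise and produces no finding, which is the behaviour the "adequate size, useful information" rule is aiming for: few, meaningful entries rather than a flood.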
1. PROTECTION OF SENSITIVE DATA
The following additional actions must be taken to protect sensitive information, depending on the sensitivity of the data, its requirements, and its classification:
1. All private data storage must be limited to a hardened file server.
2. Strictly restrict the duration and volume of stored information.
3. Data must be held on a dedicated computer that holds no other applications or data.
4. Network access shall be limited to a list of specific devices or machines.
5. Use either local non-routed IP networks or addresses that prevent access to or from the internet.
How to handle requests for sensitive information
1. When a request is received, it must be routed to the responsible supervisor or whoever is in charge of securing the data.
2. The request must be made over an encrypted channel for security purposes.
3. After review, the customer or individual who requested the stated data will receive an email containing a link that expires after a set time.
4. The link will lead to a secure webpage where the requested documents or information can be viewed, but first the recipient of the data must verify their identity.
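Steps 3 and 4 above describe an expiring emailed link that only the verified recipient can use. As an added example, not part of the original policy, here is one way to implement such a link token with an HMAC signature, an expiry, a binding to the recipient's email address and single-use enforcement. The key, the request identifier, the addresses and the time values are constructed for the demo; a real service would keep the key in a secrets store and the set of used nonces in durable storage shared by all its servers.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed: a fresh random key for the demo. A real service loads this from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def make_link_token(request_id: str, recipient_email: str, ttl_seconds: int,
                    now: int, key: bytes = SERVER_KEY) -> str:
    """Build 'payload.signature' where payload = request|email|expiry|nonce (base64url)."""
    expiry = int(now) + ttl_seconds
    nonce = secrets.token_hex(8)                 # makes every link unique and single-use
    payload = f"{request_id}|{recipient_email}|{expiry}|{nonce}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_link_token(token: str, presented_email: str, now: int,
                      used_nonces: set, key: bytes = SERVER_KEY) -> tuple:
    """Return (True, request_id) or (False, reason)."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return (False, "malformed token")

    # Authenticity first: nothing inside the payload is trusted until the MAC checks out.
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return (False, "bad signature")

    # Assumption: fields never contain '|' (true for the values this demo signs).
    request_id, email, expiry, nonce = payload.decode().split("|")
    if int(now) > int(expiry):
        return (False, "expired")
    # Step 4 of the policy: the recipient must prove they are the addressee.
    if email.lower() != presented_email.lower():
        return (False, "recipient mismatch")
    if nonce in used_nonces:
        return (False, "already used")
    used_nonces.add(nonce)                       # burn the link on first successful use
    return (True, request_id)


if __name__ == "__main__":
    used = set()
    now = 1_700_000_000
    tok = make_link_token("REQ-42", "alice@example.com", 3600, now)
    print(verify_link_token(tok, "alice@example.com", now + 10, used))     # (True, 'REQ-42')
    print(verify_link_token(tok, "alice@example.com", now + 20, used))     # (False, 'already used')
    print(verify_link_token(tok, "mallory@example.com", now + 30, set()))  # (False, 'recipient mismatch')
```

The token carries no secret data itself, only the request identifier, so a link that leaks from a mailbox after expiry or after its single use is worthless; the signature check runs before any field is parsed so that a forged or edited link never reaches the expiry or recipient logic.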
Social Engineering Training
Introduction
$6 trillion: Estimated annual damage costs of cybercrime by 2021
70%: Percentage of cyber attacks that employ social engineering to enable more advanced hacking
$38.5 billion: The cost of the most expensive computer virus currently on record, which was transmitted via a social engineering attack
84%: Percentage of attacks enabled through some form of social engineering
Human nature: an inherent vulnerability
Social engineering is an inherent part of human interaction. Not all social engineering is nefarious; however, from a protection perspective, it can include:
Using influence and persuasion to deceive people by convincing them that the social engineer is someone they are not, or by manipulation
Human interaction (personal, telephonic, digital, etc.) whereby a person reveals information they otherwise would not.
Social Engineering and Cyber Attacks
There are multiple components that make up a cyber attack. Understanding these, and how they interact within your organization, is the first step in recognizing social engineering attack vectors that threaten operations and the critical data the organization holds.
Social engineering is the most prevalent vector for gaining initial access and enabling an attack.
Social Engineering and Time-Tested Techniques
Social engineers use a variety of tools to manipulate their targets. Although the mediums of social engineering have expanded, the techniques employed remain proven and effective.
In general, people have a tendency to trust and develop a connection with others. Through social engineering, malicious actors are exploiting this vulnerability for a variety of end goals across the spectrum of targets.
Targeting: What and Why
Different threat actors focus on different targets based on their desired end state. Industries vary in the full scope of their exposure; however, all industries have some threat actors and attack vectors in common.
Motivations vary by target and threat actor, ranging from financial profit to revenge to foreign national interests.
Targeting: Who
Malicious actors target different people in different roles for specific purposes. The spectrum of targets experiences a variety of attack vectors based on their assessed access to the desired data. Targets include:
Students
Faculty
Receptionist
Finance
New Hires
Executives
Human Resources
Targeting: How
Bad actors focusing on social engineering have many tools at their disposal. Some leverage bleeding-edge technology, while others are more archaic but tried and true.
Threat actors choose their tactics based on multiple factors, including assessed vulnerabilities, geography, in-house skillset, and the access required by their end goals.
PHISHING: The most commonly used e-mail-based acquisition method, used to induce a user to unwittingly provide access to critical information
IN PERSON: Direct contact with an individual to gain trust and extract information
PRETEXTING: Using an invented scenario to engage a targeted victim, increasing the chance that the victim divulges information or performs actions that would otherwise be unlikely.
Attack Recognition: Spear Phishing
Phishing and Spear Phishing are e-mail based attacks that are pervasive and effective. The spear phisher relies on familiarity and weaponized it again