Social Engineering - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Social Engineering


1
Social Engineering - Internal/External Threats
March 22, 2006
Leland C. Dudek, Leland_dudek@ios.doi.gov
United States Department of the Interior

2
Agenda
  • What's at stake?
  • DOI FY 2005 Threat/Incident Statistics
  • Survey of Government Departments - Alarming
    Statistics
  • Social Engineering - often the first vector of
    attack
  • Internal and External Threats

3
What's at Stake
Train2Secure
  • Information Privacy - Confidentiality
  • Provision of Services - Availability
  • Data Manipulation - Integrity
  • Critical Roles and Missions
  • Critical Infrastructure
  • Agency Reputation

4
DOI FY 2005 Threat/Incident Statistics
  • Over 650 million suspicious probes/attacks
    blocked
  • Over 3.4 million viruses, trojans, worms
    detected, deleted, cleaned

5
Survey of Government Departments - Alarming
Statistics
  • 99% use anti-virus software, yet 82% have been
    hit by viruses, worms, etc.
  • 98% have firewalls and 73% have IDS, yet 36%
    report penetration from the outside
  • 90% detected computer security breaches
  • 84% blame their most recent security breach on
    human error
  • 80% attribute human error to lack of security
    knowledge, a lack of training or a failure to
    follow security procedures.
  • 75% acknowledged financial losses due to breaches.

Sources: 2003 CSI/FBI Computer Crime and Security
Survey; 2004 CompTIA Survey

6
Social Engineering
  • "Hey! I need to reset your password, can you tell
    me your old one?"
  • Help Desk or Social Engineering?
  • Can be either an internal or external threat

7
What is Social Engineering
  • Social Engineering is the unauthorized
    acquisition of sensitive information or
    inappropriate access privileges by a potential
    threat source, based upon the building of an
    inappropriate trust relationship with a
    legitimate user of an information technology
    system.
  • The goal of social engineering is to trick
    someone into providing valuable information or
    access to that information.

8
Social Engineering - a Wikipedia definition
  • In the field of computer security, social
    engineering is the practice of obtaining
    confidential information by manipulation of
    legitimate users. A social engineer will commonly
    use the telephone or Internet to trick people
    into revealing sensitive information or getting
    them to do something that is against typical
    policies. Perhaps the simplest, but still
    effective attack is tricking a user into thinking
    one is an administrator and requesting a password
    for various purposes. Users of Internet systems
    frequently receive messages that request password
    or credit card information in order to "set up
    their account" or "reactivate settings" or some
    other benign operation in what are called
    phishing attacks. Users must be warned early and
    frequently not to divulge passwords or any other
    sensitive information to anyone for any purpose,
    even to legitimate system administrators. In
    reality, administrators of computer systems
    rarely, if ever, need to know the user's password
    to perform administrative tasks.
  • Social engineering also applies to the act of
    face-to-face manipulation to gain physical access
    to computer systems.
  • In an IT security survey, 90% of office workers
    gave away their password in exchange for a cheap
    pen.

9
The Weakest Link in the IT Security Chain
  • People are usually the weakest link in the
    security chain.
  • Social engineering is still the most effective
    method used to get around security obstacles.
  • A skilled social engineer will often try to
    exploit this weakness before spending time and
    effort on other methods to crack passwords.

10
The Weakest Link in the IT Security Chain
  • Why try to hack through someone's security system
    when you can get a user to open the door for you?
  • Social engineering is the hardest form of attack
    to defend against because it cannot be defended
    with hardware or software alone.
  • A successful defense depends on having good
    policies in place ensuring that all employees are
    trained to follow them.

11
Different Avenues of Persuasion
  • In attempting to persuade someone to do
    something, there are two methods a persuader can
    employ:
  • The Direct Route
  • the social engineer simply asks for the
    information or access with no set up
  • often challenged and refused
  • seldom used due to low probability of success
  • The Peripheral Route
  • Contrived situation - The more factors the target
    must consider in addition to the basic request,
    the more likely the target is to be persuaded.
  • Forgot a password
  • Manager on vacation
  • Looming deadlines
  • Personal Persuasion - Many social engineers are
    adept at using personal persuasion to overcome
    initial resistance.
  • The goal is not to force compliance but to get
    voluntary action
  • Target believes they are making the decision

12
Different Avenues of Persuasion
  • A Direct Route uses systematic, logical
    arguments to stimulate a favorable response,
    prompting the recipient to action.

13
Different Avenues of Persuasion
  • A Peripheral Route uses peripheral cues and
    mental shortcuts, and misrepresents the social
    engineer's objectives, to trigger acceptance
    without thinking.

14
Different Avenues of Persuasion
  • One way in which the social engineer can make
    prospective victims more susceptible to
    Peripheral routes to persuasion is by making some
    statement at the outset that triggers a strong
    emotion such as
  • Excitement
  • The Chief of Staff is writing up an award
    nomination for you and needs some additional
    information!
  • Fear
  • The Chief Information Officer is waiting for
    this!

15
Perception
  • In a typical transaction our perception about the
    request for service begins with a basic belief
    that each party is who they say they are.
  • Some social engineering victims may tend to rely
    primarily on their belief that the person with
    whom they dealt was honest, and to give little
    thought to the activities.

16
Common Types of Social Engineering Exploit Methods
  • Social engineering can be broken into:
  • Human based - person-to-person interactions to
    retrieve the desired information
  • Computer based - computer software that attempts
    to retrieve the desired information.

17
Human-based
  • Impersonation - Case studies indicate that help
    desks are the most frequent targets of social
    engineering attacks.
  • A Social Engineer calls the help desk
  • Help desk is helpful
  • Social engineer will often know names of
    employees
  • Important User - A common ploy is to pretend to
    be a senior executive.
  • Help desk is less likely to turn down a request
    coming from a high-level official
  • Social engineer may threaten to report the
    employee to their supervisor.

18
Human-based
  • Third-party Authorization - The social engineer
    may have obtained the name of someone in the
    organization who has the authority to grant
    access to information.
  • Mr. Martinez says it's OK.
  • Before he went on vacation, Mr. Martinez said I
    should call you to get this information.
  • Tech Support - Social engineer pretends to be
    someone from the infrastructure-support groups.
  • System is having a problem
  • Needs them to log on to test the connection

19
Human-based
  • In Person - The social engineer may enter the
    building and pretend to be an employee, guest or
    service personnel.
  • May be dressed in a uniform
  • Allowed to roam
  • Becomes part of the cleaning crew
  • Dumpster diving - Going through the trash
  • Shoulder Surfing - Looking over a shoulder to see
    what someone is typing.
  • Passwords
  • Phone-card numbers

20
Computer-based
  • Popup Windows - A window will appear on the
    screen telling the user they have lost their
    network connection and need to reenter their
    user name and password.
  • A program will then e-mail the intruder the
    information.
  • Mail attachments - Programs can and are
    frequently hidden in e-mail attachments.
  • Viruses
  • Worms
  • Trojans

21
Computer-based
  • Spam, Chain Letters and Hoaxes - These all rely
    on social engineering to be spread.
  • While they do not usually cause damage, they do
    cause a loss of productivity.
  • Frequently used by entrepreneurs in African
    countries (e.g., Nigerian scams)
  • They use valuable network resources.
  • Websites - A common ploy is to offer something
    free or a chance to win a sweepstakes on a
    Website.
  • To register requires an e-mail address and
    password.

22
Computer-based
  • Hacking Made Easy
    (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/16/AR2006031600916_pf.html)
  • When Graeme Frost received an e-mail notice that
    an expensive digital camera had been charged to
    his credit card account, he immediately clicked
    on the Internet link included in the message that
    said it would allow him to dispute the charge.
    As the 29-year-old resident of southwestern
    England scoured the resulting Web page for the
    merchant's phone number, the site silently
    installed a password-stealing program that
    transmitted all of his personal and financial
    information.
  • Frost is just one of thousands of victims whose
    personal data has been stolen by what security
    experts are calling one of the more brazen and
    sophisticated Internet fraud rings ever
    uncovered. The Web-based software employed by
    ring members to manage large numbers of illegally
    commandeered computers is just as easy to use as
    basic commercial office programs. No knowledge of
    computer programming or hacking techniques is
    required to operate the software, which allows
    the user to infiltrate and steal financial
    information from thousands of PCs simultaneously.
  • The quality of the software tools cyber criminals
    are using to sort through the mountains of
    information they've stolen is a clear sign that
    they are seeking more efficient ways to monetize
    that data, experts say.

23
Computer-based
  • Hacking Made Easy
  • Frost's data, along with information stolen from
    thousands of other victims, made its way to a Web
    site hosted by a Russian Internet service
    provider. The site is currently the home base of
    a network of sites designed to break into
    computers through a security hole in Microsoft's
    Internet Explorer Web browser. The data thieves
    use the IE flaw to install programs known as
    "keyloggers" on computers that visit the
    specially coded Web pages. The keyloggers then
    copy the victims' stored passwords and computer
    keystrokes and upload that information to the
    database.
  • The hacking software also features automated
    tools that allow the fraudsters to make minute
    adjustments or sweeping changes to their networks
    of hacked PCs. With the click of a mouse or a
    drag on a pull-down menu, users can add or delete
    files on infected computers.
  • They can even update their spyware installations
    with new versions tailored to defeat the most
    recent anti-virus updates. With one click on the
    Web site's "Add New Exploit" button, users can
    simultaneously modify all of the keylogger
    programs already installed on their networks.
  • Symantec and other security experts also have
    spotted earlier versions of the software
    installed on at least two other Web sites, one of
    which is still active and has harvested password
    information from nearly 30,000 victims, the bulk
    of whom reside in the United States and Brazil.

24
Computer-based
  • Hacking Made Easy
    (http://www.washingtonpost.com/wp-dyn/content/article/2006/03/16/AR2006031600916_pf.html)
  • Keyloggers - Watching while you type
  • Fast becoming among the most prevalent and
    insidious online threats. More than half of the
    viruses, worms and other malicious computer code
    that Symantec now tracks are designed not to harm
    host machines but to surreptitiously gather data
    from them.
  • These keylogger-control Web sites follow a trend
    toward automation in other realms of online
    fraud, such as virus-creation programs, spamming
    software and pre-packaged toolkits to help
    fraudsters set up "phishing" sites -- Web pages
    designed to trick people into giving away their
    personal and financial data at what looks like a
    legitimate e-commerce or banking site.
  • "This type of plug-and-play, click-and-hack
    software simply represents the commercialization
    of criminal activity, and in many respects lowers
    the technical knowledge barrier of entry to this
    type of crime."
  • Online criminals hack into thousands of
    small-merchant Web sites and embed code that
    silently installs keyloggers when users browse the
    sites with Internet Explorer.
  • A recent analysis for SANS estimated that nearly
    10 million U.S. households own a computer that is
    infected with some type of keystroke logging
    program. Although not every PC user whose
    keystrokes are being logged has experienced
    financial losses, the analysis estimates that
    organized-crime groups have access to roughly $24
    billion in bank assets from accounts associated
    with the owners of infected machines.

25
Computer-based
  • eBay, Yahoo, Microsoft - all ask us to click Yes

26
Computer-based

27
Computer-based
Drag the window to reveal the real info!

28
Computer-based
  • Drive-by social engineering

Free game sites! Hey, we ALL love free stuff!

29
Computer-based

30
Computer-based
Each user session includes different exploit
content

31
Common Types of Social Engineering Exploit Methods
  • Most dire request (e.g., recent PayPal e-mail
    phishing scams)
  • Contrived situation (e.g., Nigerian e-mail scams)

32
Exploiting Human Nature and Personality Traits
  • Social engineers prey on qualities of human
    nature and personality traits
  • the desire to be helpful, cooperative, or a team
    player
  • the tendency to trust people
  • the fear of getting into trouble, moral
    obligation or duty, guilt
  • The most skilled social engineer is able to
    obtain information without raising any suspicion
    as to what they are doing.

33
Personality Traits
  • In the following discussion we will examine how
    various social engineering personality traits
    enhance the possibility of successful social
    engineering.
  • When present, these traits increase the
    likelihood of compliance.

34
Personality Traits
  • Diffusion of responsibility - The target is made
    to believe that they are not solely responsible
    for their actions.
  • The social engineer creates situations with many
    factors that dilute personal responsibility for
    decision making.
  • The social engineer may drop names.
  • May claim someone higher up has made the
    decision.
  • Chance for ingratiation - The target is led to
    believe that compliance with the request will
    enhance their chances of receiving some sort of
    benefit.
  • Gaining advantage over a competitor.
  • Getting in good with the boss.

35
Personality Traits
  • Trust Relationships - The social engineer expends
    time developing a trust relationship with the
    intended victim.
  • Usually following a series of small interactions.
  • Moral duty - Encouraging the target to act out of
    a sense of moral duty or moral outrage.
  • Requires the social engineer to gather
    information on the target and the organization.
  • Tries to get the target to believe that
    compliance will mitigate some sort of wrong that
    has been done.

36
Personality Traits
  • Guilt - Most individuals attempt to avoid guilt
    feelings if possible.
  • Social engineers create situations designed to
  • tug at the heartstrings
  • manipulate empathy
  • create sympathy
  • If granting a request will lead to avoidance of
    guilt, target is more likely to comply.
  • Believing that not granting the request will lead
    to significant problems to the requestor is often
    enough to weigh the balance in favor of
    compliance with the request.

37
Personality Traits
  • Identification - Trying to get the target to
    identify with the social engineer.
  • The social engineer tries to build a connection
    with the target based on information gathered.
  • Informality is another trait social engineers
    excel at.
  • Desire to help - Social engineers rely on
    people's desire to be helpful.
  • Holding the door.
  • Logging on to an account.
  • Lack of assertiveness or refusal skills.

38
Personality Traits
  • Cooperation - The less conflict with the target
    the better.
  • Voice of reason
  • logic
  • patience

39
Social Engineering Example
  • Mr. Smith: Hello?
  • Caller: Hello, Mr. Smith. This is Fred Jones in
    tech support. Due to some disk space constraints,
    we're going to be moving some users' home
    directories to another disk at 8:00 this evening.
    Your account will be part of this move, and will
    be unavailable temporarily.
  • Mr. Smith: Uh, okay. I'll be home by then,
    anyway.
  • Caller: Good. Be sure to log off before you
    leave. I just need to check a couple of things.
    What was your username again, smith?
  • Mr. Smith: Yes. It's smith. None of my files
    will be lost in the move, will they?
  • Caller: No sir. But I'll check your account just
    to make sure. What was the password on that
    account, so I can get in to check your files?
  • Mr. Smith: My password is Tuesday, in lower case
    letters.
  • Caller: Okay, Mr. Smith, thank you for your help.
    I'll make sure to check your account and verify
    all the files are there.
  • Mr. Smith: Thank you. Bye.

40
Potential Security Breaches
  • Help Desks - They try too hard to be helpful.
  • Websites - As we discussed before, setting up a
    bogus website to trap information (e.g., clone
    any well-known web site and cause people to click
    on a bogus link in an e-mail to enter their logon
    credentials - phishing).
  • A social engineer may simply walk in and behave
    like one of the employees.
  • We tend NOT to challenge unfamiliar personnel
    often enough.

41
Common Defenses
  • Everyone that enters the building (contractors,
    business partners, vendors, employees) must show
    identification.
  • Passwords should never be spoken over the phone.
  • Passwords are not to be left lying around; they
    must be stored in a secure location only
    accessible to the individual they were issued to.
  • Caller ID technology can be used to help verify
    who you are speaking to.
  • Properly destroy passwords and all sensitive but
    unclassified (SBU) information - invest in and
    properly use shredders and degaussers.

42
Recognize the Signs
  • Recognize key signs that indicate you may be the
    target of a social engineering attack
  • Refusal to give contact information
  • "I cannot be contacted"
  • "I'm on my cell phone and the battery is about to
    die"
  • The number they give you is a call-out-only
    number
  • Rushing
  • Name-dropping
  • Intimidation
  • Small mistakes
  • Requesting sensitive information

43
Defense - the 2-step (actually 4-step)
  • Step 1
  • If you cannot personally identify a caller who
    asks for personal information about you or anyone
    else (including badge number or employee number),
    for information about your computer system, or
    for any other sensitive information, do not
    provide the information.
  • Insist on verifying the caller's identity by
    calling them back at their proper telephone
    number as listed in the organization's telephone
    directory. This procedure creates minimal
    inconvenience to legitimate activity when
    compared with the scope of potential losses.

44
Defense - the 2-step (actually 4-step)
  • Step 2
  • Remember that passwords are sensitive. A
    password for your personal account should be
    known ONLY to you.
  • Systems administrators or maintenance
    technicians who need to do something to your
    account will not require your password. They
    have their own password with system privileges
    that will allow them to work on your account
    without the need for you to reveal your password.
  • If a system administrator or maintenance
    technician asks you for your password, be
    suspicious, very suspicious.

45
Defense - the 2-step (actually 4-step)
  • Step 3
  • Systems maintenance technicians from outside
    vendors who come on site should be accompanied by
    the local site administrator (who should be known
    to you).
  • If the site administrator is not familiar to
    you, or if the technician comes alone, it is wise
    to give a call to your known site administrator
    to check if the technician should be there.
  • Unfortunately, many people are reluctant to do
    this because it makes them look paranoid, and it
    is embarrassing to show that they do not trust a
    visitor.

46
Defense - the 2-step (actually 4-step)
  • Step 4
  • If you feel you have thwarted or perhaps been
    victimized by an attempt at social engineering,
    report the incident to your manager and to
    security personnel immediately!

47
Final Thoughts
  • A social engineer with enough time, patience and
    tenacity will eventually exploit some weakness in
    the security of an enterprise.
  • The best defense against social engineering
    attacks combines raising the bar of awareness
    among employees, volunteers and contractors, a
    sense of personal responsibility to protect DOI's
    mission and IT assets, an understanding of the
    signs of social engineering attacks, and
    reporting any suspected incidents.

48
Credits (or who I stole this presentation from)
  • Plagiarism is the greatest form of flattery
  • With Permission from Stan Lowe (DOI BLM)
  • Melissa Guenther
  • Wikipedia
  • Foundstone

49
Ready for a break?
Questions?
50
Social Engineering - Internal/External Threats
March 22, 2006
Lawrence K. Ruffin, Lawrence_Ruffin@ios.doi.gov
United States Department of the Interior

51
Internal and External Threats
  • The greatest security risks to an agency
    frequently come from the action, inaction, or
    inadvertent mistakes of people.
  • Motivated internal threat agents pose the
    greatest risk due to their access to sensitive
    information and privileges
  • External threats pose a risk to vulnerable
    systems and gaps in network security coverage.
  • It is estimated that 99% of all reported
    intrusions result through exploitation of known
    vulnerabilities or configuration errors, for
    which safeguards and countermeasures were
    available.

52
Internal and External Threats
  • Insider Threat Greatest at Financial
    Institutions
  • By Allen Bernard, CIOUpdate.com
  • Internal attacks on information technology
    systems are surpassing external attacks at the
    world's largest financial institutions, according
    to the 2005 Global Security Survey by Deloitte
    Touche Tohmatsu (DTT).
  • Thirty-five percent of respondents confirmed
    encountering attacks from inside their
    organization in 2005 (up from 14% in 2004)
    compared to 26% from external sources (up from
    23% in 2004).

53
Internal and External Threats
  • Before We Do Anything
  • Accept the FACT that vulnerabilities open doors
    to the unexpected.
  • Accept that there is NO separation between the
    cyber world and the physical world.
  • We've become distracted - insider threat is real
    and growing.
  • Terrorism is multifaceted. Traditional
    definitions must be adapted to the new realities.
  • Change the way you THINK about future
    threats - don't be a security APPEASER.

54
Appeaser
  • According to Webster's Dictionary:
  • \Appeas"er\, n. One who appeases; a pacifier.
  • According to Verton's Dictionary:
  • \Appeas"er\, n. One who feeds a crocodile
    hoping it will eat him last.
  • - Sir Winston Churchill

55
What Do I Really Mean By Appeasement?
  • Maybe we are growing dangerously complacent?
  • Maybe we do underestimate our enemies?
  • Maybe we really do think this is as bad as it can
    get?
  • Maybe the threat-independent model is not how we
    should be approaching these issues?

56
The Vulnerability Matrix
  • Slide graphic: threat vectors set against
    critical-infrastructure sectors and their scale.
  • Threat vectors: Viruses, Worms; Home Users;
    Wireless; Broadband Connections; Insiders;
    Configuration Problems
  • Sectors: Emergency Services; Government;
    Transportation; Banking; Chemical; Rail; Oil;
    Natural Gas; Telecom; Water / Waste Water;
    E-commerce
  • Scale: 5,800 registered hospitals; 5,000
    airports; 300 maritime ports; 3,000 govt.
    facilities; 2,800 power plants; 104 commercial
    nuclear plants; 26,000 FDIC institutions; 150,000
    miles transmission lines; 66,000 chemical plants;
    130 overlapping grid controllers; 300,000
    production sites; 120,000 miles of major rails;
    2 billion miles of cable; 2 million miles of
    pipelines; 1,600 municipal wastewater facilities;
    80,000 dams

57
IT Security - How Important Is It Really?
  • Not only about IT - it's about public safety too!
  • Railroads.
  • Water/Wastewater Treatment.
  • Uranium Mining.
  • Oil Wells, Water Flood Operations.
  • Airline Baggage Checking.
  • Aug. 14 Power Failure.
  • Online Information Control.

58
Risk Management
  • Risk = Threat x Probability x Impact
  • Threat - an entity likely to have intent and
    capability to exploit a vulnerability in a system
  • Disgruntled Insiders (e.g., employees or
    contractors)
  • Hackers for Hire (e.g., State- or non-State
    sponsored)
  • Organized Crime
  • Terrorists
  • Probability - Likelihood of someone having
    intent, motivation and capability to exploit a
    known weakness in a system
  • Impact - Potential magnitude of harm to
    information or an information system resulting
    from someone actually exploiting a known weakness

59
Cyber-Terrorism - Controversial Topic
  • "The problem is that when you make a
    recommendation before an attack happens, people
    tend to think you're nuts."
  • "That's the kind of mind set that made it
    difficult for us - the institutional
    bureaucracy - couldn't see the threat because it
    hadn't happened."

- Richard Clarke, testifying at the 9/11 Commission
Hearing, 3/24/04

60
Cyber-Terrorism - Controversial Topic
Omar Bakri Muhammad - Bin Laden's man in London
  • Syrian-born, radical, founder of Al-Muhajirun
  • Spokesman for the International Islamic Front,
    the political wing of the International Islamic
    Front for Jihad Against Jews and Crusaders, led
    by Osama bin Laden
  • Has recruited for Hamas, Hezbollah and various
    groups in Afghanistan
  • FBI memo on July 10, 2001, noted a connection
    between Middle Eastern men in Phoenix-area flight
    schools and Bakri's London-based Al-Muhajirun.

61
Cyber-Terrorism - Controversial Topic
Bakri On Cyber Attacks
  • "In a matter of time, you will see attacks on the
    stock market."
  • "I would not be surprised if tomorrow I hear of a
    big economic collapse because of somebody
    attacking the main technical systems in big
    companies."
  • "The third letter from Osama bin Laden was
    clearly addressing using the technology in order
    to destroy the economy of the capitalist states.
    This is a matter that is very clear."

62
Insider Threats
  • Why spend R&D money when you can steal it?
  • Economic Espionage - hundreds of billions
  • Four forms of insider
  • Internal (current/former employees, executives)
  • External (contractor, maintenance, business
    partner)
  • Collaborator (external working with internal)
  • Rogue Ideologue (seeks hire for purpose of doing
    harm)
  • Technology Complicates Internal Defenses
  • The Perimeter is gone!
  • USB devices, cell phone cameras, common
    configuration errors, lack of access controls,
    contractors, outsourcing

63
Insider Stats (2004)
64
Types of Data Being Stolen
  • Computer source code
  • Business plans and design specifications
  • Customer and order information databases
  • Motorola 2-way radio specifications
  • Newest Intel chip specifications (twice)
  • Sales and pricing data
  • Oil and gas well logs and software used in the
    analysis of the information
  • Engineering drawings for next generation of
    Gillette razor systems
  • Eng. drawings - Next Generation Space Shuttle
  • (inside or outside??)

65
Case Ramon
  • An intellectual of sorts, highly educated,
    conservative in his politics, painfully
    introverted, somewhat arrogant and kind of a
    geek.
  • Expert programmer who preferred communicating
    with associates through e-mail rather than in
    person.
  • Hacked his employer's computer system without
    permission to show management that there were
    serious security gaps that needed to be fixed.
  • Robert Hanssen - The worst insider spy case in
    FBI history.

66
Insider Psychological Profile
  • Introverted - A common characteristic of IT
    specialists, which can pose a significant
    management challenge.
  • Frustrated - Family or social problems may be
    compounded by negative attitudes toward authority.
  • Computer-dependent - Such individuals often prefer
    online activity to direct social interaction.
  • Ethical flexibility - Dangerous insiders view
    malicious actions as justified, given their
    circumstances.
  • Entitlement - Feelings of being special
    employees, for example, the only ones with the
    necessary training. Being overworked with no
    rewards can lead to a desire for revenge.
  • Reduced loyalty - Some insiders identify with the
    IT/programming profession and not with the
    organization that employs them.
  • Lack of empathy - The impersonal nature of
    cyberspace leads to a lack of regard for the
    impact of the perpetrator's actions on others.

67
Final Thoughts
  • Think differently - the Threats do every day!
  • New frontiers and attack vectors continue to
    emerge with advances in technology.
  • Instant Messaging (IM) - Year-on-year rise of
    over 800% in the exploitation of IM technology to
    introduce viruses, worms, and trojans into
    unsuspecting systems.
  • A steady climb throughout 2005 showed a
    disturbing trend. IM threats are more popular
    than ever and this momentum is increasing.
    November 2005 was the most dangerous month to
    date with a record number of unique threats being
    discovered. IM worms are the most dominant threat
    type hitting the public IM networks and all of the
    popular networks have been attacked (AIM, ICQ,
    MSN, WM, Yahoo!).

68
Final Thoughts
  • Think differently - the Threats do every day!
  • New frontiers and attack vectors continue to
    emerge with advances in technology.
  • Wireless technology and devices potentially open
    back-doors into networks and bridge agency trusted
    networks with un-trusted networks and the public
    infrastructure (the Internet).
  • Highly portable media with enormous storage
    capacity on extremely small footprints can be
    used to steal information.

69
Credits
  • Dan Verton - Vice President Executive Editor,
    IT Security Magazine, FISSEA March 2005
    presentation on Cyber-Terrorism and Security

70
Thank You
Questions?