Monday, February 18, 2013

Nontechnical Methods Used for Scamming

Scammers use a variety of techniques to launch their scams.  For the past 10 weeks I have discussed some of the technical methods they use, and in week 7 I briefly discussed the nontechnical methods attackers (hackers or scammers) use to obtain your personal information or information about the organization you work for.
This week I want to provide you with more information about the nontechnical methods attackers use to obtain your valuable information.  In addition to technical methods, attackers rely on psychological manipulation and physical acts to obtain valuable information.  In the information security field these nontechnical methods are more commonly referred to as social engineering attacks.
Psychological manipulation is a method that attempts to persuade you to do something through the use of flattery, conformity, empathy, urgency, or friendliness.  Attackers employ a variety of psychological manipulation tactics that include, but are not limited to, impersonation, phishing, spam, and hoaxes (Ciampa, 2012, p. 58).  Impersonation is the act of making others believe that you are someone you really are not.  According to Ciampa (2012), attackers often take on the fictitious role of a repair person, an employee, a law enforcement official, a manager, or a trusted third party (p. 59).  In other words, attackers can impersonate just about anyone; their imagination is their only limit.
I discussed phishing in a previous post about 5 weeks ago.  It is one of the preferred methods of attackers because it is very effective.  An area I failed to cover in that post was the various types of phishing attacks.  Some of them are as follows:
Pharming: when attackers alter a server on the Internet (typically a DNS server, so that the legitimate address resolves to the attacker's machine) to redirect users to a fake Web site.  Because the address in the browser looks correct, users often don't even know they are visiting a fake Web site.
Spear phishing: a customized phishing attack that is tailored for a certain recipient, using details the attacker has gathered about that person.
Whaling: similar to spear phishing, but it targets recipients in upper management or other wealthy individuals.
Vishing: phishing carried out over the phone (voice) instead of by e-mail; the attacker calls the victim, often pretending to be a bank or a help desk.
Spam is the unsolicited bulk e-mail you receive.  Like phishing, spamming is very effective and can net the person responsible for sending it thousands if not millions of dollars.  Spam messages normally appear as advertisements that try to get you to purchase a product.  However, they are also commonly used by attackers to deliver viruses or other malicious code as attachments or links.
Hoaxes are normally delivered via e-mail too.  They attempt to get you to do something by warning you about a false event.  The event did not and will not occur, and the instructions the hoax asks you to follow (for example, changing a security setting or deleting a system file) may be exactly what an attacker needs done in order to gain access to your system.
As mentioned earlier, attackers also employ physical acts in order to obtain information.  Some attackers will even go through the trash (dumpster diving) looking for anything of value, and they are known to find discarded documents containing account numbers, passwords, or internal organizational details.  So double check that piece of paper for any information of value before you throw it away, and shred it if there is any doubt.
Another common physical act is known as tailgating.  Tailgating is when an attacker waits outside a secured door that has an automated access control system and follows someone who has access through it.  An easy way to defend against tailgating is to make sure that no one follows you in after you enter and that the door secures behind you.  Additionally, you should report anyone hanging around a secured entry point to your organization's security personnel.
Don't fall victim to a social engineering attack.  Educate yourself, your employees, and your family members on the methods attackers employ in an attempt to obtain your valuable information.  Also, follow the security measures your organization has hopefully implemented.  And, in this instance, common sense goes a long way: do not comply with the demands in an e-mail, phone call, or face-to-face visit if there is any doubt about its validity, and verify the request through a channel you already trust (for example, by calling your bank at the number printed on your card rather than the one in the message).
References:
Ciampa, M. (2012). Security+ guide to network security fundamentals (4th ed.). Boston, MA: Course Technology.

Tuesday, February 12, 2013

Firewalls: Protect Your Computer, Personal Information, and Help Prevent You From Getting Scammed

http://www.clker.com/clipart-1771.html
What kind of information do you store on your computer?  Do you store financial documents?  Are you one of those people who receive all of your bills as electronic statements and store them on your computer?  Or maybe you are one of those people who has scanned and saved important documents like birth and marriage certificates.
The next question is what security measures you have implemented to safeguard that important information on your computer.  Many would reply that they use antivirus software to protect their computer and information.  Well, that is a start; however, another line of defense to add to your information security arsenal is to implement and maintain a firewall.
According to Audri and Jim Lanford, "Independent tests show that without a firewall, a standard PC that is connected to the Internet can be compromised in 10 to 20 minutes"  (http://www.scambusters.org/firewall.html).  If that statistic doesn't motivate you to learn more about firewalls and implement one at your home and maybe even your business then I don't know what will.  If you have decided to continue reading then I have probably got your attention.
A firewall is a barrier between your computer or network and the Internet.  It inspects the traffic passing through it and allows or blocks each connection according to a set of rules, typically based on where the traffic is coming from or going to, which port and protocol it uses, and whether it is part of a connection your computer started.  A properly configured firewall blocks unsolicited inbound connections by default, and many firewalls also inspect the content of the traffic for known malicious patterns and alert the user when something is blocked.
Firewalls come in two forms, hardware or software.  Home networks and computers often rely on firewall software, mainly because of its ease of use and affordability; Windows and Mac OS X both ship with a software firewall that should be left turned on.  Hardware firewalls are commonly used in organizations with extensive networks and can be quite complicated to configure.  They provide better protection and are more expensive when compared to software firewalls.  However, hardware firewall purchase costs continue to decrease, which has led to their adoption in homes and other small networks; most home broadband routers now include a basic one (Audri Lanford and Jim Lanford, n.d., http://www.scambusters.org/firewall.html).
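To make the rule-based behavior described above concrete, here is a small model of how a stateful packet filter decides what to let through.  This is an added example and is not code from the original post or from the Lanford article; it imitates the evaluation a host firewall such as Windows Firewall, iptables or pf performs (ordered rules, first match wins, default deny, and a connection table that lets replies to connections your computer opened back in).  The addresses, ports, rules, and traffic trace are constructed for the example.

```python
"""Model of how a stateful packet filter decides what to let through.

Added example, not code from the original post or from the cited source.
Rules are checked in order, the first match wins, anything unmatched hits
the default policy, and a connection table lets replies to connections this
host opened back in without an explicit inbound rule.  All addresses, ports
and rules below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the Internet) or "out" (from this host)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str = "*"          # "*" matches either direction
    proto: str = "*"
    dport: Optional[int] = None   # None matches any destination port
    src_prefix: str = ""          # crude source match, "" matches any source

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and p.src.startswith(self.src_prefix))


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default   # default-deny is the safe policy
        self.conntrack = set()   # connections this host has opened

    @staticmethod
    def _key(local: str, lport: int, remote: str, rport: int, proto: str) -> Tuple:
        return (proto, local, lport, remote, rport)

    def filter(self, p: Packet) -> str:
        # 1. Stateful check: a reply to a connection we opened is allowed.
        if p.direction == "in" and self._key(p.dst, p.dport, p.src, p.sport, p.proto) in self.conntrack:
            return "allow"
        # 2. Ordered rules, first match wins; otherwise the default policy applies.
        decision = self.default
        for rule in self.rules:
            if rule.matches(p):
                decision = rule.action
                break
        # 3. Remember outbound connections we allowed so their replies pass step 1.
        if decision == "allow" and p.direction == "out":
            self.conntrack.add(self._key(p.src, p.sport, p.dst, p.dport, p.proto))
        return decision


# A typical home PC policy: anything outbound is fine, SSH only from the LAN,
# everything else inbound is dropped by the default policy.
HOME_RULES = [
    Rule("allow", direction="out"),
    Rule("allow", direction="in", proto="tcp", dport=22, src_prefix="192.168.1."),
]

# Constructed traffic trace (RFC 5737 documentation addresses play "the Internet").
TRACE = [
    ("outbound https",  Packet("out", "tcp", "192.168.1.10", 51515, "203.0.113.5", 443)),
    ("https reply",     Packet("in",  "tcp", "203.0.113.5", 443, "192.168.1.10", 51515)),
    ("unsolicited smb", Packet("in",  "tcp", "198.51.100.7", 40000, "192.168.1.10", 445)),
    ("lan ssh",         Packet("in",  "tcp", "192.168.1.20", 40001, "192.168.1.10", 22)),
    ("internet ssh",    Packet("in",  "tcp", "198.51.100.7", 40002, "192.168.1.10", 22)),
]


def run_trace(rules=HOME_RULES, trace=TRACE) -> dict:
    """Feed the trace through a fresh firewall and return each decision by name."""
    fw = Firewall(rules)
    return {name: fw.filter(pkt) for name, pkt in trace}


if __name__ == "__main__":
    for name, decision in run_trace().items():
        print(f"{name:16s} -> {decision}")
```

The trace shows the two things a home user should take away: the unsolicited connection to port 445 is dropped without any rule mentioning it, because the default policy is deny, while the web server's reply is let in only because the firewall remembers that your computer started that connection.  Feed the reply in on its own, with no preceding outbound packet, and the same firewall drops it.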
It is apparent that a firewall can strengthen your information security by providing another line of defense that must be circumvented in order to get to your valued information.  It is important to note that a firewall doesn't always protect you from malicious attacks.  In particular, it does little when you open a malicious attachment or follow a phishing link yourself, because the resulting traffic is an outbound connection that you initiated and most firewalls are configured to allow.  Scammers are constantly inventing new methods that attempt to evade your information security measures.  That is why it is important to have multiple lines of defense (education, training, antivirus, etc.) to protect your personal information and lessen your chances of falling victim to a scam.

References:

Lanford, A., & Lanford, J. (n.d.). How does a firewall work and how can it protect your computer? Retrieved February 12, 2013, from http://www.scambusters.org/firewall.html

OCAL. (n.d.). Firewall network block communication data clip art [Image]. Retrieved from http://www.clker.com/clipart-1771.html

Tuesday, February 5, 2013

Enhancing Information Security Through the Use of Risk Management

http://blog.icorps.com/bid/134760/5-IT-Security-Mistakes-That-Companies-Still-Make
There is no escaping risk.  Risk is present in just about every activity an organization conducts, and in the things we do on a daily basis at home.  If left unmanaged, risk can grow to a level that has catastrophic and often irreversible effects, especially in the information technology world.  On the other hand, risk that is managed reinforces a security program by controlling or mitigating risks.

In order to control and mitigate risk it is important to develop a risk management plan.  A risk management plan can be completed in two phases.  The first phase is risk identification and assessment.  During this phase assets are inventoried, threats and vulnerabilities are identified, and a risk factor is calculated for each asset.  After the risk factors are calculated, each asset can be prioritized according to its risk factor.  Last, controls in the form of policies, programs, and/or technical controls are developed for each threat that has a vulnerability associated with it (Whitman & Mattord, 2010, pp. 276-301).

The second phase of the risk management process is risk control.  During this phase risk control strategies are utilized to control the risks that are created by the vulnerabilities. According to Whitman and Mattord (2010) there are four strategies that can be utilized to control risk.  The four strategies are avoidance, transference, mitigation, and acceptance (p. 309).

Risk avoidance is the strategy of applying safeguards, through policies, training and education, threat countering, and/or technical controls, to fortify assets that have vulnerabilities.  Risk transference is a method of passing the risk to another asset or organization, for example through insurance or outsourcing.  Risk mitigation is a strategy used to lessen the severity of an incident or disaster by ensuring plans are prepared that address detection and rapid response (incident response, disaster recovery, and business continuity planning).  Risk acceptance is the strategy of accepting a risk as it is because the cost of protection exceeds the value of the asset (Whitman & Mattord, 2010, pp. 276-301).

Another strategy that Whitman and Mattord do not identify, but that is listed in National Institute of Standards and Technology (NIST) Special Publication 800-39 (2011), is risk sharing.  Risk sharing is similar to risk transference; however, it only shifts a portion of the risk, whereas risk transference transfers the entire risk to another asset or organization (p. 43).
One of the most important steps in the risk management process is monitoring and reevaluation.  Threats are constantly changing and new vulnerabilities are being discovered.  Therefore, risk assessments should be repeated regularly and the control strategies revisited, to ensure that each control is still in place and that risks that were mitigated continue to be mitigated.
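Here is the two-phase process above carried through in code: rate each asset, prioritize, select a control strategy, and then reassess when a new vulnerability changes the estimates.  This is an added example and is not from the original post or the cited texts.  The rating formula follows the weighted approach in Whitman and Mattord (likelihood times asset value, less the share existing controls already remove, plus an uncertainty margin); the assets, threats, percentages, control costs, and the 0-100 relative value scale are all constructed for the example.

```python
"""Worked risk identification, rating, prioritization and control selection.

Added example, not code from the original post.  Rating follows the weighted
approach in Whitman and Mattord's text; every asset, threat, percentage and
control cost below is constructed, on a relative 0-100 value scale.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    asset: str
    value: float        # relative worth of the asset, 0-100
    threat: str
    likelihood: float   # 0-1: chance the vulnerability is exploited this period
    controlled: float   # 0-1: share of the risk existing controls already remove
    uncertainty: float  # 0-1: margin for how rough the estimates above are


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str       # "avoidance", "transference" or "mitigation"
    cost: float         # on the same scale as asset value
    reduction: float    # 0-1: share of the remaining risk it removes


def risk_rating(e: Exposure) -> float:
    """risk = likelihood * value - (share already controlled) + (uncertainty margin)."""
    base = e.likelihood * e.value
    return round(base - base * e.controlled + base * e.uncertainty, 2)


def prioritize(exposures: List[Exposure]) -> List[Exposure]:
    """Highest rating first: the order in which controls get attention and budget."""
    return sorted(exposures, key=risk_rating, reverse=True)


def choose_strategy(e: Exposure, candidate: Optional[Control]) -> Tuple[str, float]:
    """Return (strategy, residual risk).

    Acceptance applies when the cost of protecting the asset exceeds the
    asset's value (or nothing is on offer); otherwise the candidate control's
    own strategy is adopted and lowers the rating.
    """
    rating = risk_rating(e)
    if candidate is None or candidate.cost > e.value:
        return "acceptance", rating
    return candidate.strategy, round(rating * (1 - candidate.reduction), 2)


def build_plan(exposures: List[Exposure],
               controls: Dict[str, Control]) -> List[Tuple[str, float, str, float]]:
    """Rows of (asset, rating, strategy, residual) in priority order."""
    plan = []
    for e in prioritize(exposures):
        strategy, residual = choose_strategy(e, controls.get(e.asset))
        plan.append((e.asset, risk_rating(e), strategy, residual))
    return plan


def reassess(exposures: List[Exposure], asset: str, **updates) -> List[Exposure]:
    """Monitoring step: copy the inventory with one asset's estimates updated."""
    return [replace(e, **updates) if e.asset == asset else e for e in exposures]


# Constructed inventory; each asset faces a threat tied to an Internet scam.
EXPOSURES = [
    Exposure("customer email list", 80, "spear phishing of staff", 0.5, 0.25, 0.10),
    Exposure("online banking login", 100, "pharming to a fake bank site", 0.3, 0.00, 0.20),
    Exposure("public web site", 30, "defacement via phished admin account", 0.7, 0.50, 0.10),
]

# One candidate control per asset (constructed costs and effectiveness).
CONTROLS = {
    "customer email list": Control("phishing awareness training", "avoidance", 20, 0.60),
    "online banking login": Control("bookmark the bank and verify its certificate", "avoidance", 5, 0.70),
    "public web site": Control("move hosting to a managed provider", "transference", 40, 0.80),
}


if __name__ == "__main__":
    for asset, rating, strategy, residual in build_plan(EXPOSURES, CONTROLS):
        print(f"{asset:22s} rating={rating:5.1f}  {strategy:12s} residual={residual:5.1f}")
```

Two things in the output are worth noticing.  The web site lands on acceptance even though it has a control available, because the control costs more than the asset is worth on this scale; and running `build_plan` again after `reassess` raises the web site's likelihood (a newly disclosed vulnerability, say) changes its rating, which is exactly the monitoring and reevaluation step the paragraph above describes.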

After all this you may be wondering how it fits into Internet scams.  Well, when properly conducted, an information security risk assessment should include the assets that could be affected by the threats associated with Internet scams (phishing, pharming, malware delivered by spam, and so on).  After the assessment is completed and a risk rating factor is assigned to each asset, a single control strategy or a combination of them can be implemented to control and/or mitigate the risk to each asset that an Internet scam could affect.  Or you can choose not to use the risk management process, roll the risk dice, and hope you have done everything you can to protect the assets under your control.

References:

NIST SP 800-39 managing information security risk. (2011, March). Retrieved February 5, 2013, from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

[Risk]. (2012, September 27). Retrieved from http://blog.icorps.com/bid/134760/5-IT-Security-Mistakes-That-Companies-Still-Make

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.