82-10-43 Social Engineering and Reverse Social Engineering
Ira S. Winkler
Payoff

Social engineering is the term hackers use for attempts to obtain information about computer systems through nontechnical means. In most cases, hackers telephone unsuspecting system users and use a series of ruses to get them to divulge their user identifiers and passwords. Although these techniques may seem ridiculous, hackers use them to obtain extremely valuable information. This article proposes that organizations benefit by making such attacks an integral part of a vulnerability analysis, especially where security awareness is poor. It also discusses typical attacks and describes methods for preventing them.

Introduction

Social engineering, a hacker's attempt to obtain information about computer systems by nontechnical means, comes in many guises. Techniques include telephoning unsuspecting system users and, through a series of ruses, getting them to divulge their user identifiers and passwords; going through trash dumpsters for information; and obtaining a job within the targeted organization. Many people find these techniques ridiculous, but they can provide a hacker with extremely valuable information.

Social engineering might seem like a fancy term for lying. It is, but it is also extremely effective. Social engineering specifically targets weaknesses in information-security plans and procedures, as well as poor security awareness. These weaknesses are detected only after an attack has occurred, if the attack is detected at all. In addition, an attack may comprise several small attacks, each of which might appear inconsequential on its own. Unfortunately, the whole social engineering attack is greater than the sum of its parts: the small attacks probably go unnoticed, possibly spread over several months.

What is at stake in these attacks can be enormous. Many organizations have valuable information that justifies expensive protection mechanisms.
This information may include corporate financial data, electronic funds transfers, access to financial assets, patient records, and personal information about clients or employees. Any compromise of this critical information can have serious consequences, including the loss of customers, criminal charges or civil suits against the organization, loss of funds, loss of trust in the organization, and the organization's collapse.

Organizations respond to social engineering threats by implementing information-security plans that establish control of information assets by specifying protection mechanisms. The plans usually rely heavily on technical security mechanisms, such as firewalls, user passwords, closed networks, and operating system protection mechanisms. Physical protection mechanisms and other operational security issues are often discussed as well. The computer and information-security profession apparently believes that employees understand the operational security requirements for protecting information. Unfortunately, this is not the case, except in defense-related organizations. Most employees actually have a low level of security awareness. In spite of this, most organizations funnel their information-security funding to technical mechanisms. Little money, if any, is designated for security awareness and operational security training.

The disclosure of information through nontechnical means can and will occur, and such a disclosure can bypass millions of dollars of technical protection mechanisms. In many cases, if prospective attackers want to gain access to a computer system, all they have to do is ask. Although this might seem ridiculous, vulnerability analyses performed for large commercial organizations confirm that many people with computer access do not understand the value of the information to which they have access. Users have disclosed a variety of sensitive information, including the names of employees, organizational costing information, telephone numbers of organizational modems, and customer data. Surprisingly, user identifiers and passwords are extremely easy to obtain. Combined with the modem telephone numbers, these passwords can be used with other technical intrusion methods to give attackers access to all of a company's information.

Techniques Used in Social Engineering

To hackers, social engineering usually means calling people within a targeted organization and using a variety of ruses to obtain information from them. Hackers may claim to be from the computer support staff and say that they need a user's password to correct a problem with the computer system.

In another type of social engineering, a hacker obtains a job at the targeted organization. This may give the hacker access to the information he desires; even if direct access is not acquired, the hacker might learn enough to get additional access. A job as a janitor could be extremely valuable to a hacker, because a janitor is usually given entry to areas of a building that an average employee cannot reach. Janitors can take their time going through the garbage for potentially valuable information, and they can go through a person's desk or belongings after he or she leaves for the day. A recent edition of 2600: The Hacker Quarterly includes an article on how to obtain a job as a janitor.

Social engineering attacks may also involve going through trash dumpsters, referred to as dumpster diving. The Masters of Deception, who infiltrated the U.S. telecommunications system to the point that they could have crashed it, were able to access the system only after obtaining user passwords from the garbage of the New York Telephone Company. Again, the tactic may seem almost comical, but it provides a hacker with very valuable information. Destruction procedures for classified materials are well established in the defense community; burn bags and shredders are common throughout the U.S. government. However, these procedures are almost unheard of in private industry.

Other forms of social engineering include criminal actions. In several cases, foreign companies have hired former intelligence operatives to engage in industrial espionage by gathering economic intelligence. Such operatives steal equipment and break into corporate facilities. In addition, techniques that thieves use to collect credit card numbers (e.g., shoulder surfing, in which someone watches over another person's shoulder as a number or password is entered) are being used to collect computer passwords.

Social engineering gives an outside attacker the knowledge and abilities of internal employees. It can also give internal attackers more knowledge and abilities than they should have. Social engineering can bypass all technical security mechanisms and allow an attacker to obtain the information of his choosing. In some cases, an attacker can get all the desired information through a social engineering attack without resorting to technical means at all. This is an extremely important concept: a person who intends to obtain computer-based information does not need to know anything about computers.

Liability Considerations

The issue of liability is an additional element of social engineering that must be considered. A hacker who breaks into a computer system and obtains information is probably committing a crime.
However, when a social engineer uses the telephone and simply asks someone for information, there is real doubt as to whether a crime has occurred. The person who gives out the information might be the one who is legally liable, possibly subjecting the organization to criminal or civil charges. If, for example, a person calls a hospital, implies that he is from the Board of Health, and asks for and obtains the names of all patients diagnosed with AIDS, the patients whose lives were damaged by the disclosure could sue the hospital. Essentially, social engineering attacks weaknesses in what is considered to be common sense.

Weaknesses that Allow Social Engineering to Occur

Because social engineers attack nontechnical weaknesses in security, these weaknesses must be discussed. Basically, two types of weaknesses allow social engineering to occur. A lack of security awareness facilitates most social engineering attacks; in other words, people do not know how to respond appropriately to compromising situations. Attacks are also facilitated by poor plans and procedures. In many cases, even though an organization designs plans and procedures to thwart a would-be attacker, they are never tested by an independent source to determine their adequacy.

Poor Security Awareness

Organizational information security plans usually address basic issues in computer security. These may include nondisclosure of passwords and not giving out sensitive data unless the identity of a caller is confirmed. However, most plans do not include realistic procedures for making employees aware of the security procedures. Many security experts assume that the general population understands basic security issues, such as the importance of a password; computer and security personnel consider these issues to be common sense. However, before there can be common sense, there must be common knowledge, and there is very little common knowledge when it comes to computer security. One such issue is the dissemination of computer passwords. An extremely large percentage of users do not understand the importance of a password for authentication and access to a computer system. They do not realize that their account can be accessed from anywhere in the world, given the proper access point. Users also do not understand the lengths to which people will go to obtain the information that the users handle on a daily basis. Nor do they realize that throwing something in the garbage does not mean that the information is destroyed. What is garbage to a user might be extremely valuable to a hacker.

Human Weaknesses

People give out information for many reasons. In most cases, they just want to be helpful, because that is their job, their nature, or both. People can also be intimidated into releasing information, either by being made to believe that a superior wants it or simply by trying to make an annoying person go away. Corporate spies and many hackers understand these simultaneously good and bad personal attributes in a user, and they know how to exploit them.

Untested Plans and Procedures

Although an organization might understand its vulnerabilities and the potential threats that hackers pose, and might try to address these problems through proper operational procedures, it is difficult to determine whether those procedures are adequate unless they are tested. A good example of an untested procedure is reliance on internal identifiers, which many organizations establish to authenticate one employee to another. Many organizations depend on Social Security numbers to identify people. However, an outside attacker can obtain a Social Security number with very little effort and then proceed to request the desired information. Organizational procedures that require an authenticating mechanism must carry with them additional procedures that protect the mechanism. This is where a large number of security plans fail. Many organizations test a specific part of a security plan or procedure, but plans and procedures must be tested as a whole.

Preventing Social Engineering Attacks

Because social engineering attacks can bypass even the most sophisticated technical protection mechanisms, it is probably impossible to prevent every form of social engineering attack. Most private organizations cannot go to the lengths that the U.S. intelligence community can to screen potential applicants, but they can still establish a significant amount of prevention. The preventive methods described in this section apply to most organizations. However, specific industries and organizations have vulnerabilities that can be identified only when those entities experience a social engineering attack.

Using Separate Internal Identifiers

Social engineering attackers are often asked to authenticate themselves as real employees by providing their employee numbers. Fortunately for the attackers, employee numbers are commonly used and easily obtained from real employees. Attackers can develop a list of employee numbers and are then ready for any such challenge. Companies should have a separate identifier for their computer-support activities. This separates personnel functions from support functions and provides additional protection to both personnel and computer activities.
Implementing Call-Back Procedures

Many social engineering attacks can be prevented if employees verify a caller's identity by calling him back at his proper telephone number, as listed in the company telephone directory. This procedure creates a minimal inconvenience to legitimate activities, but compared with the scope of the potential losses, the inconvenience is amply justified. If employees are required to call back anyone asking for personal or proprietary information, compromises of all kinds can be minimized.

Establishing a Security-Awareness Program

Although it might appear ridiculous to think that a computer user would give out a password to a stranger, many users would find doing so innocuous. Companies spend millions of dollars to acquire state-of-the-art hardware and software security devices, but they ignore general awareness programs. Computer professionals cannot assume that basic security practices are basic to noncomputer professionals. A good security-awareness program can be implemented for minimal cost and can save a company millions of dollars in losses. The commercial sector can learn a great deal about these techniques from the defense community, whose techniques include security-awareness briefings during employee indoctrination, security-awareness weeks, and periodic newsletters. The Computer Security Institute (CSI) provides a service in which a company's name and logo are placed on a monthly newsletter that CSI develops for the company. A company can also use daily reminders, such as security-awareness posters and security warnings placed in the message of the day that is displayed when a user logs into a computer system.

Identifying Direct Computer Support Analysts

Every employee of a company should be personally familiar with a computer analyst. There should be one analyst for no more than 60 users. The analysts should be the focal point for all computer support and should be the only computer support people who directly contact users. Users should be instructed to contact their analyst immediately if they are contacted by anyone else claiming to be from computer support.

Using Technical Security Features

Operating systems come with many technical capabilities that can minimize the effects of social engineering. These features can tell users when their account was last accessed and from where, or they can provide for the automatic expiration of passwords. Unfortunately, system administrators generally do not activate many of these features, and although they can significantly reduce many threats to computer security, many users consider them annoying. System administrators should also consider one-time password mechanisms. In addition to combating social engineering attacks effectively, one-time passwords prevent the exploitation of passwords that network sniffers gather: a password that has already been used is worthless to whoever captured it.

Creating a Security Alert System

Attackers realize that even if a social engineering attack is detected, an employee usually has no way to alert other employees that an attack is under way. This means that even if an attack is exposed, it can continue with minimal changes. Essentially, an exposure may only improve an attack by allowing the attackers to learn what does not work. Employees should have some way to rapidly alert a computer security official that they might have been the target of an information-security-related attack.
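The one-time password mechanism recommended under Using Technical Security Features, shown as an added example that is not part of the original article: a Lamport-style hash chain (the construction S/KEY is built on). The server stores only the most recently accepted chain value, so a password captured by a network sniffer, or talked out of a user over the telephone, is already spent when the attacker tries to reuse it. The server also records where each successful login came from, the kind of "last accessed from" information the text says users should be shown. The user name, source addresses and chain lengths are invented for the demonstration.

```python
# Added example (not from the article): a hash-chain one-time password
# scheme of the kind the text recommends. The server stores only the most
# recently accepted chain value, never a reusable secret, so a password
# captured by a sniffer (or talked out of a user over the phone) is already
# spent by the time the attacker tries it. User names, sources and chain
# lengths below are made up for the demonstration.
import hashlib
import hmac
import secrets
from typing import Optional


def _h(data: bytes) -> bytes:
    """One step of the chain (SHA-256; any preimage-resistant hash works)."""
    return hashlib.sha256(data).digest()


def _chain(seed: bytes, steps: int) -> bytes:
    """h^steps(seed): apply the hash `steps` times to the seed."""
    value = seed
    for _ in range(steps):
        value = _h(value)
    return value


class OtpClient:
    """User side: keeps the seed and walks the chain backwards, one value per login."""

    def __init__(self, seed: bytes, chain_length: int) -> None:
        self._seed = seed
        self._remaining = chain_length

    def next_password(self) -> bytes:
        """Return h^(k-1)(seed) where h^k(seed) is what the server currently holds."""
        if self._remaining <= 0:
            raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
        self._remaining -= 1
        return _chain(self._seed, self._remaining)


class OtpServer:
    """Server side: per user, the last accepted chain value and last login source."""

    def __init__(self) -> None:
        self._last_accepted: dict[str, bytes] = {}
        self._last_source: dict[str, str] = {}

    def enroll(self, user: str, chain_length: int = 100) -> bytes:
        """Generate a seed, store only h^chain_length(seed), hand the seed to the user."""
        seed = secrets.token_bytes(16)
        self._last_accepted[user] = _chain(seed, chain_length)
        return seed  # delivered out of band; the server keeps no copy

    def login(self, user: str, password: bytes, source: str) -> bool:
        """Accept `password` iff hashing it once yields the stored value, then advance."""
        stored = self._last_accepted.get(user)
        if stored is None or not hmac.compare_digest(_h(password), stored):
            return False
        self._last_accepted[user] = password  # this value can never be accepted again
        self._last_source[user] = source      # shown to the user at next login
        return True

    def last_access(self, user: str) -> Optional[str]:
        """Where the account was last successfully accessed from, if ever."""
        return self._last_source.get(user)


def demo() -> dict:
    """Enroll a user, log in, replay the captured password, log in again."""
    server = OtpServer()
    seed = server.enroll("alice", chain_length=5)
    client = OtpClient(seed, chain_length=5)

    pw1 = client.next_password()                          # h^4(seed)
    first = server.login("alice", pw1, "10.0.0.5")        # genuine login
    replay = server.login("alice", pw1, "198.51.100.7")   # sniffed copy, replayed
    pw2 = client.next_password()                          # h^3(seed)
    second = server.login("alice", pw2, "10.0.0.5")       # next genuine login
    return {
        "first": first,        # True
        "replay": replay,      # False: h(pw1) no longer matches the stored value
        "second": second,      # True
        "last_source": server.last_access("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties carry the security argument. Knowing the server's stored value does not help an attacker, because producing the next acceptable password means inverting the hash; and every accepted value is immediately retired, so the replay in `demo()` fails even though it is byte-for-byte the password that worked a moment earlier. The chain is finite, so a real deployment must re-enroll the user with a fresh seed before `next_password()` raises; `hmac.compare_digest` is used so the comparison does not leak timing information.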
The information security staff should then evaluate the attack and be able to alert the entire organization that an attack may have occurred and that other types of attacks may follow. Obviously, employees should be encouraged to report attacks that are both technical and nontechnical in nature.

Having the Organization Attack Itself

A company that wants to fully determine its vulnerabilities with regard to social engineering should attack itself just as an outsider would. This is particularly true of large organizations, where identifying the major vulnerabilities is difficult. It is the only method for determining how social engineers might infiltrate an organization, how far attackers might get, and the level of damage they could do.

Reverse Social Engineering

Reverse social engineering is a unique form of social engineering. In most social engineering attacks, the attacker goes to the victim to obtain information. In reverse social engineering, the victim unwittingly goes to the attacker. This may seem ridiculous. Why would anyone go to an attacker and hand him information? The trick is for the attacker to first use a traditional social engineering attack to make victims believe that the attacker is part of a legitimate organization, such as a support service, that is providing help for the victims. The problem is that the victims do not know that the person they call for assistance is an attacker instead of the person he claims to be. Because of the nature of reverse attacks, the hacker can receive much more information in these cases than from normal social engineering attacks. The attacker has immediate legitimacy because the victim is going to the attacker. This differs from a traditional social engineering attack, where the most difficult aspect for an attacker is attaining legitimacy in the victim's eyes. Obviously, the rewards of reverse social engineering can be great. Fortunately for potential victims, reverse attacks are much more difficult to complete successfully.

How Reverse Social Engineering Is Accomplished

In one example of reverse social engineering, the attacker physically intrudes into the targeted organization and posts signs stating whom to contact for technical support. The sign carries the attacker's telephone number. In some cases, the attacker replaces a valid technical support telephone number with his own. Frequently, users do not know whom to contact when there is a computer problem, and they welcome any offer of assistance. Obviously, these attacks require the victim to need technical support in order for the attacker to be contacted. Attackers can use a variety of methods to create this need.

Creating a False Need for Technical Support

To increase the likelihood of being contacted by their victims, attackers occasionally create the need for assistance through sabotage. By deleting a critical file or resetting system parameters during a physical intrusion, attackers create an immediate need for their services. Proper placement of the offers of help provides welcome relief for people who are panicking because they believe their system is destroyed.

When such physical intrusions are not possible, an attacker might mail offers of technical support to the targeted organization. The book Secrets of a Super Hacker describes an incident in which an attacker went through the garbage of a foreign embassy and found packaging for a modem. The attacker mailed the embassy a letter and a disk. The letter stated that there was a problem with one of the embassy's modem files and that the enclosed disk contained a file that would fix the problem. The letter provided a telephone number offering technical support that, of course, was actually the attacker's. Naturally, the file on the disk sabotaged the computer system. Inevitably, embassy personnel called the attacker, and the attacker had the embassy staff manipulate their system in a way that permitted a future attack. Although this attack required an extreme amount of luck and planning, the rewards for the attacker were large.

Attackers also use electronic versions of reverse social engineering attacks. Internet search tools allow potential attackers to search USENET newsgroups for people whose mailing addresses belong to a specific organization. The newsgroups also indicate the interests of the people posting the messages. After gathering the names of employees and their interests, an attacker could mail the victims information about interesting Web sites or programs. If the victims obtain the advertised programs, which contain harmful software, the attack is successful. Again, the victim is going to the attacker or using the attacker's sabotaged tools, rather than the attacker going to the victim. This sort of reverse social engineering can work well for attackers with poor interpersonal skills, because there is no direct contact with the potential victims.

Preventing Reverse Social Engineering

The factors that enable reverse social engineering are very similar to those that enable social engineering. Basically, poor awareness and poor operational procedures cause individuals to respond incorrectly to compromising situations. As with social engineering, simple countermeasures such as the following can prevent even sophisticated reverse attacks:

Identifying direct computer support analysts. If users know whom to go to for technical support, they are unlikely to respond to anonymous letters or postings. Users would also probably alert their support analysts if there were an unusual occurrence, and a diligent analyst could then alert the rest of the organization of a possible attack. As part of this vigilance, computer support analysts should exercise due diligence when software updates are obtained.

Preventing employees from retrieving programs from electronic forums. Many organizations have policies that prohibit the use of outside disks in organizational computer systems. These policies are important, but they must be updated to account for worldwide telecommunication systems, such as the Internet. People retrieve information from all over the world, and software inevitably gets retrieved as well. A company's policy should ban any utilities that do not come from the computer services organization.

Other prevention mechanisms. This section identifies only two mechanisms for preventing reverse social engineering attacks. That is actually all a company should need. Reverse social engineering requires that the victim perceive that the attacker is providing a critical service. If potential victims already have experts to consult, they will not be vulnerable to false offers of help.

Conclusion

Although common sense would seem to be the best prevention for social engineering attacks, common sense is not the same for all computer users within an organization. Social engineering exploits operational security weaknesses that are often overlooked by information-security experts when plans and procedures are being written. These weaknesses have led to serious compromises of major computer systems that could not have been prevented through any technical protection. Security personnel must consider the limited common knowledge of the company's employees when they are developing plans and procedures. These plans and procedures are ineffective if no one is aware of them, and useless if they do not address the kind of coordinated attack that social engineering can present.

Social engineering allows a person who is weak in computer skills to access information that people think only a superhacker could obtain. Many more people are social engineers than superhackers, and the financial rewards or other results that social engineers are after can be just as great. Unfortunately, few people are addressing this area, which is just as significant as any technical attack.

Author Biography

Ira S. Winkler, CISSP, Chief Internet Security Strategist, National Computer Security Association, is one of the world's leading authorities on incident response and industrial espionage. His book, Corporate Espionage, discusses similar subjects.


More information

Retail/Consumer Client. Internet Banking Awareness and Education Program

Retail/Consumer Client. Internet Banking Awareness and Education Program Retail/Consumer Client Internet Banking Awareness and Education Program Table of Contents Securing Your Environment... 3 Unsolicited Client Contact... 3 Protecting Your Identity... 3 E-mail Risk... 3 Internet

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

What Spammers Don t Want You To Know About Permanently Blocking Their Vicious E-mails

What Spammers Don t Want You To Know About Permanently Blocking Their Vicious E-mails 2000 Linwood Ave Suite 19J Fort Lee, NJ 07024-3012 What Spammers Don t Want You To Know About Permanently Blocking Their Vicious E-mails Following Last Year s Hack Attack At Epsilon, You May Be Overwhelmed

More information

FIGHTING FRAUD: IMPROVING INFORMATION SECURITY TESTIMONY OF JOHN J. BRADY VICE PRESIDENT, MERCHANT FRAUD CONTROL MASTERCARD INTERNATIONAL

FIGHTING FRAUD: IMPROVING INFORMATION SECURITY TESTIMONY OF JOHN J. BRADY VICE PRESIDENT, MERCHANT FRAUD CONTROL MASTERCARD INTERNATIONAL FIGHTING FRAUD: IMPROVING INFORMATION SECURITY TESTIMONY OF JOHN J. BRADY VICE PRESIDENT, MERCHANT FRAUD CONTROL MASTERCARD INTERNATIONAL Before the Subcommittee on Financial Institutions and Consumer

More information

Defensive Training for Social Engineering

Defensive Training for Social Engineering FISSEA 2009 22nd Annual Conference Defensive Training for Social Engineering Stacey Banks, CISSP, CCO, CSM Background Oxford Federal, LLC Information security solutions and services company providing certification

More information

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft Protect Your Personal Information Tips and tools to help safeguard you against identity theft Trademark of Visa International Service Association; Visa Canada Association is a licensed user. What is Identity

More information

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives Statement for the Record Richard Bejtlich Chief Security Strategist FireEye, Inc. Before the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations

More information

esoft Technical White Paper: Who Needs Firewall Protection?

esoft Technical White Paper: Who Needs Firewall Protection? esoft Technical White Paper: Who Needs Firewall Protection? "Without the protection of a firewall, which serves as a buffer between an organization s internal network and myriad external networks including

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Implementing an Incident Response Team (IRT)

Implementing an Incident Response Team (IRT) 1.0 Questions about this Document CSIRT 2362 Kanegis Dr Waldorf, MD 20603 Tel: 1-301-275-4433 - USA 24x7 Incident Response: Martinez@csirt.org Text Message: Text@csirt.org Implementing an Incident Response

More information

Protecting Yourself Against Identity Theft. Identity theft is a serious. What is Identity Theft?

Protecting Yourself Against Identity Theft. Identity theft is a serious. What is Identity Theft? Protecting Yourself Against Identity Theft Identity theft is a serious crime. Identity theft happens when someone steals your personal information and uses it without your permission. It is a growing threat

More information

Feedback Ferret. Security Incident Response Plan

Feedback Ferret. Security Incident Response Plan Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret

More information

National Cyber Security Month 2015: Daily Security Awareness Tips

National Cyber Security Month 2015: Daily Security Awareness Tips National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.

More information

Identity Theft Protection

Identity Theft Protection Identity Theft Protection Email Home EDUCATION on DANGER ZONES Internet Payments Telephone ID theft occurs when someone uses your personal information with out your knowledge to commit fraud. Some terms

More information

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide COUNTERINTELLIGENCE O F F I C E O F T H E N A T I O N A L C O U N T E R I N T E L L I G E N C E Protecting Key Assets: A Corporate Counterintelligence Guide E X E C U T I V E Counterintelligence for the

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Fifth Edition by William Stallings Chapter 1 Introduction On War The combination of space, time, and strength that must be considered as the basic elements of this theory of

More information

Information as an Asset How to Protect your Data. Citi Public May 15 th, 2013

Information as an Asset How to Protect your Data. Citi Public May 15 th, 2013 Information as an Asset How to Protect your Data May 15 th, 2013 Overview Define Information Security Information Security Risks Information Security Reviews 1 Agenda Information security - what is it?

More information

Software Engineering 4C03 Class Project. Computer Networks and Computer Security COMBATING HACKERS

Software Engineering 4C03 Class Project. Computer Networks and Computer Security COMBATING HACKERS Software Engineering 4C03 Class Project Computer Networks and Computer Security COMBATING HACKERS Done By: Ratinder Ricky Gill Student Number: 0048973 E-Mail: gillrr@mcmaster.ca Due: Tuesday April 5, 2005

More information

Protecting Yourself from Identity Theft

Protecting Yourself from Identity Theft Protecting Yourself from Identity Theft Identity theft is everywhere. In fact, according to a 2013 report by Javelin Research, there is one incident of identity fraud every two seconds. While we cannot

More information

Website Privacy Policy Statement

Website Privacy Policy Statement Website Privacy Policy Statement This website ( CRSF Website ) is operated by Cal Ripken, Sr. Foundation, Inc. ( Company ) and this policy applies to all websites owned, operated, controlled and otherwise

More information

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft Protect Your Personal Information Tips and tools to help safeguard you against identity theft Trademark of Visa International Service Association; Visa Canada Association is a licensed user. WHAT IS IDENTITY

More information

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers

More information

AN INFORMATION GOVERNANCE BEST

AN INFORMATION GOVERNANCE BEST SMALL BUSINESS ID THEFT AND FRAUD AN INFORMATION GOVERNANCE BEST PRACTICES GUIDE FOR SMALL BUSINESS IT IS NOT A MATTER OF IF BUT WHEN AN INTRUSION WILL BE ATTEMPTED ON YOUR BUSINESS COMPUTER SYSTEM IN

More information

How to Justify Your Security Assessment Budget

How to Justify Your Security Assessment Budget 2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER Introduction Penetration testing has been established as a standard security practice

More information

BSHSI Security Awareness Training

BSHSI Security Awareness Training BSHSI Security Awareness Training Originally developed by the Greater New York Hospital Association Edited by the BSHSI Education Team Modified by HSO Security 7/1/2008 1 What is Security? A requirement

More information

ICTN 4040. Enterprise Database Security Issues and Solutions

ICTN 4040. Enterprise Database Security Issues and Solutions Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of

More information

Insider Threats in the Real World Eavesdropping and Unauthorized Access

Insider Threats in the Real World Eavesdropping and Unauthorized Access Insider Threats in the Real World Eavesdropping and Unauthorized Access A Visual Data Security Whitepaper Prepared by: OptioLabs Camden Yards 323 West Camden Street, Suite 801 Baltimore, Maryland 21201

More information

Identity Theft and Medical Theft. *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA

Identity Theft and Medical Theft. *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA 1 Identity Theft and Medical Theft *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA *Corresponding Author, 490 Piya Wiconi Road, Kyle-South Dakota (605) 455-6110 csarmiento@olc.edu Introduction

More information

A Guide to Information Technology Security in Trinity College Dublin

A Guide to Information Technology Security in Trinity College Dublin A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2

More information

Boston University Security Awareness. What you need to know to keep information safe and secure

Boston University Security Awareness. What you need to know to keep information safe and secure What you need to know to keep information safe and secure Introduction Welcome to Boston University s Security Awareness training. Depending on your reading speed, this presentation will take approximately

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

Identity fraud explained. How to protect your identity

Identity fraud explained. How to protect your identity Identity fraud explained How to protect your identity Contents Raising the alarm 3 What is identity fraud? 4 When your identity is in danger 4 Keeping your identity safe 6 Spotting the warning signs 6

More information

Welcome to the Protecting Your Identity. Training Module

Welcome to the Protecting Your Identity. Training Module Welcome to the Training Module 1 Introduction Does loss of control over your online identities bother you? 2 Objective By the end of this module, you will be able to: Identify the challenges in protecting

More information

Website Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions

Website Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions Website Security: How to Avoid a Website Breach Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions www.caretech.com > 877.700.8324 An enterprise s website is now

More information

It may look like this all has to do with your password, but that s not the only factor to worry about.

It may look like this all has to do with your password, but that s not the only factor to worry about. Account Security One of the easiest ways to lose control of private information is to use poor safeguards on internet accounts like web-based email, online banking and social media (Facebook, Twitter).

More information

Security Basics: A Whitepaper

Security Basics: A Whitepaper Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Website Privacy Policy Statement. 1519 York Rd Lutherville, MD 21093. We may be reached via email at julie@juliereisler.com.

Website Privacy Policy Statement. 1519 York Rd Lutherville, MD 21093. We may be reached via email at julie@juliereisler.com. Website Privacy Policy Statement This website juliereisler.com is operated by Empowered Living, LLC and this policy applies to all websites owned, operated, controlled and otherwise made available by Company,

More information

Chapter 1: Information Security Fundamentals. Security+ Guide to Network Security Fundamentals Second Edition

Chapter 1: Information Security Fundamentals. Security+ Guide to Network Security Fundamentals Second Edition Chapter 1: Information Security Fundamentals Fundamentals Second Edition Objectives Identify the challenges for information security Define information security Explain the importance of information security

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

PBX Fraud Information

PBX Fraud Information PBX Fraud Information Increasingly, hackers are gaining access to corporate phone and/or voice mail systems. These individuals place long distance and international calls through major telecom networks

More information

Computer Security Incident Response Planning. Preparing for the Inevitable

Computer Security Incident Response Planning. Preparing for the Inevitable Computer Security Incident Response Planning Preparing for the Inevitable Introduction Computers and computer networks have been part of the corporate landscape for decades. But it s only in the last five

More information

Learn about identity theft. Investor education

Learn about identity theft. Investor education Learn about identity theft Investor education Protecting a vital asset: Your identity A 2013 report on identity theft by Javelin Strategy & Research found that more than 12 million Americans were the

More information

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME: The Computerworld Honors Program Summary developed the first comprehensive penetration testing product for accurately identifying and exploiting specific network vulnerabilities. Until recently, organizations

More information

Managed Security Monitoring: Network Security for the 21st Century

Managed Security Monitoring: Network Security for the 21st Century Managed Security Monitoring: Network Security for the 21st Century Introduction The importance of Security The Internet is critical to business. Companies have no choice but to connect their internal networks

More information

Why Data Security is Critical to Your Brand

Why Data Security is Critical to Your Brand Why Data Security is Critical to Your Brand Why security is critical to your brand Cybercriminals do not discriminate based on industry or business size. Security is expensive. At least, it is if you wait

More information

OIG Fraud Alert Phishing

OIG Fraud Alert Phishing U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION Washington, D.C. 20507 Office of Inspector General Aletha L. Brown Inspector General July 22, 2005 OIG Fraud Alert Phishing What is Phishing? Phishing is a

More information

TIME SYSTEM SECURITY AWARENESS HANDOUT

TIME SYSTEM SECURITY AWARENESS HANDOUT WISCONSIN TIME SYSTEM Training Materials TIME SYSTEM SECURITY AWARENESS HANDOUT Revised 11/21/13 2014 Security Awareness Handout All System Security The TIME/NCIC Systems are criminal justice computer

More information

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION. H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.

More information

Topic 1 Lesson 1: Importance of network security

Topic 1 Lesson 1: Importance of network security Topic 1 Lesson 1: Importance of network security 1 Initial list of questions Why is network security so important? Why are today s networks so vulnerable? How does Melissa virus work? How does I love you

More information

Social Engineering. Risks, Techniques and Safeguards. Social Engineering. Executive Summary

Social Engineering. Risks, Techniques and Safeguards. Social Engineering. Executive Summary Social Engineering Risks, Techniques and Safeguards CONTAINED WITHIN 2 What Is Social Engineering 2 Social Engineering Techniques 4 Why Do We Fall for It 4 What Can You Do 6 Conclusion Social Engineering

More information

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril. Cyber Security Personal and commercial information is the new commodity of choice for the virtual thief, argues Adrian Leppard, Commissioner for City of London Police, as he sets out the challenges facing

More information

Identity Theft PROTECT YOUR INFORMATION AND YOUR IDENTITY HIGHLIGHTS

Identity Theft PROTECT YOUR INFORMATION AND YOUR IDENTITY HIGHLIGHTS This publication is intended to provide general information only and is not a substitute for legal advice. HIGHLIGHTS 1 PROTECT YOUR INFORMATION AND YOUR IDENTITY 3 BE VIGILANT 3 CORRECTING INFORMATION

More information

Remote Access Security

Remote Access Security Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to

More information

Identity Theft. Occurs when someone uses your personal information without your permission for personal gain.

Identity Theft. Occurs when someone uses your personal information without your permission for personal gain. Identity Theft Identity Theft Occurs when someone uses your personal information without your permission for personal gain. Someone uses your personal information to open a department store credit account

More information

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT Rok Bojanc ZZI d.o.o. rok.bojanc@zzi.si Abstract: The paper presents a mathematical model to improve our knowledge of information security and

More information

Recognize Nefarious Cyber Activity and Catch Those Responsible with IBM InfoSphere Entity Analytic Solutions

Recognize Nefarious Cyber Activity and Catch Those Responsible with IBM InfoSphere Entity Analytic Solutions Building a Smarter Planet with Advanced Cyber Security Solutions Recognize Nefarious Cyber Activity and Catch Those Responsible with Highlights g Cyber Security Solutions from IBM InfoSphere Entity Analytic

More information

7 Steps to Protect Your Company from a Data Breach

7 Steps to Protect Your Company from a Data Breach 7 Steps to Protect Your Company from a Data Breach August 11, 2015 Michael Pinna and Stuart Nussbaum Millions of government personnel files were recently compromised as part of a malicious hacking of the

More information

Business Identity Fraud Prevention Checklist

Business Identity Fraud Prevention Checklist Business Identity Fraud Prevention Checklist 9 Critical Things Every Business Owner Should Do Business identity thieves and fraudsters are clever and determined, and can quickly take advantage of business

More information

I know what is identity theft but how do I know if mine has been stolen?

I know what is identity theft but how do I know if mine has been stolen? What is identity theft? You might hear stories on the news about stolen identities, but what is identity theft? When someone uses the personal information that identifies you, like your name, credit card

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

5 Simple Ways To Avoid Getting An Avalanche of Spam

5 Simple Ways To Avoid Getting An Avalanche of Spam Customer Education Series 5 Simple Ways To Avoid Getting An Avalanche of Spam A Business Owners Guide To Eliminating The 10-15 Most Unproductive Minutes Of Each Employee s Day 5 Easy Ways to Avoid Getting

More information

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. - 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must

More information

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats Achieving Truly Secure Cloud Communications How to navigate evolving security threats Security is quickly becoming the primary concern of many businesses, and protecting VoIP vulnerabilities is critical.

More information

Practical Threat Intelligence. with Bromium LAVA

Practical Threat Intelligence. with Bromium LAVA Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful

More information

Cyber Security Breakout Session. Ed Rosenberg, Vice President & Chief Security Officer, BMO Financial Group Legal, Corporate & Compliance Group

Cyber Security Breakout Session. Ed Rosenberg, Vice President & Chief Security Officer, BMO Financial Group Legal, Corporate & Compliance Group Cyber Security Breakout Session Ed Rosenberg, Vice President & Chief Security Officer, BMO Financial Group Legal, Corporate & Compliance Group December 2014 Disclaimer: The material in this presentation

More information

Financial Transactions and Fraud Schemes

Financial Transactions and Fraud Schemes Financial Transactions and Fraud Schemes Asset Misappropriation: Cash Receipts 2016 Association of Certified Fraud Examiners, Inc. Fraud Tree 2016 Association of Certified Fraud Examiners, Inc. 2 of 27

More information

Information Security Awareness Training and Phishing

Information Security Awareness Training and Phishing Information Security Awareness Training and Phishing Audit Report Report Number IT-AR-16-001 October 5, 2015 Highlights The Postal Service s information security awareness training related to phishing

More information

When Fraud Comes Knocking

When Fraud Comes Knocking When Fraud Comes Knocking Identity theft occurs when someone uses your name, Social Security number, credit card number, or other personal information without your permission. It is a very serious crime.

More information

How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey.

How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey. SECURITY AWARENESS SURVEY Is a survey necessary A survey will give you insight into information security awareness within your company. The industry has increasingly realized that people are at least as

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information