Interested in learning more about security?

SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Human Being Firewall

This publication seeks to assist organizations in mitigating the risks from human-based attacks, which are capable of circumventing a wide range of deployed controls, by promoting the culture of “defending people by people”, defining the new concept of the human being firewall, showing how it could be applied to maintain a good security posture, and finally providing practical guidance on responding to incidents effectively and efficiently.

Copyright SANS Institute. Author Retains Full Rights.

GIAC (GCIH) Gold Certification

Author: Muhammad EL-Harmeel, [email protected]

Advisor: Jeff Turner

Accepted: December 4th, 2008

Abstract

“Amateurs hack systems, professionals hack people.” Bruce Schneier. If you really believe in this quote, as I do, then this paper is worth a read. This publication seeks to assist organizations in mitigating the risks from human-based attacks, which are capable of circumventing a wide range of deployed controls, by promoting the culture of “defending people by people.” This paper defines the new concept of the “human being firewall,” shows how it could be applied to maintain a good security posture, and finally provides practical guidance on responding to incidents effectively and efficiently.

Human Being Firewall: “It’s not a terminology… It’s a real methodology”

Introduction

Why don’t we have people in our organizations whose main job is to detect and react to human-based attacks? We may have a firewall box that can defend against computer-based attacks, but we still need a new approach that defends against human-based attacks.

A seasoned hacker, from my perspective, is not the one who is merely equipped with a lot of weapons honed by many years of experience that could be manipulated in various ways to successfully complete an attack; he is the one with the passion, driven by innovation, to complete the attack in the minimal amount of time using the simplest tool available, as the voice of wisdom would say: go for the easiest.

Awareness is a major issue when it comes to security. From this point of view, I consider hacking humans the niftiest weapon in the hacking arsenal: it is available to everyone and needs no previous experience to learn how to handle human beings and control their actions so that they do whatever you want, in a stealthy way.

Security professionals should understand the limitations of both hardware and software in providing a truly secure environment; they should go beyond this concept and try to evaluate the real risk presented by humans, a vital factor in the security chain and the one considered its weakest link.

Through the ages, security geeks have been in a battle to secure their assets, investing a lot of money in hardening their networks with whatever they can to prevent intruders from penetrating them, but it was never going to be that simple; it is all about the art of where, when and how to do this.

Have you ever considered whether investing money to protect people from attacks like social engineering is worth it? Can you tell what the usefulness is of a box that is secured with a stateful inspection firewall, monitored by an IPS, armed with a 24-digit password and multifactor authentication, has no capability to be managed remotely, and is finally located in a secure room protected with biometric access control IF:

This box is administered by a careless admin who has no problem leaving the box unlocked while getting a cup of tea!

1. Main Part

1.1. Definitions

1.1.1. Social Engineering

According to SearchSecurity.com Definitions:

Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game".

For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.

1.1.2. Computer based attacks

This can be defined as the type of attack that targets only computer systems and has nothing to do with humans; the target is a pure box.

1.1.3. Human based attacks

This can be defined as the type of attack that targets humans only; it doesn’t matter whether a computer system gets involved or not. In other words, the target is a pure human, regardless of the means used to accomplish this.

1.1.4. Human Being Firewall

An individual employed with the task of defending against human-based attacks that target employees within the organization, using a variety of methods (e.g. awareness sessions, inspecting information traversing the organization and ensuring confidentiality).

1.2. Analogy

Regarding the analogy between using boxes and humans to defend and secure our networks, we will map this onto the main device used to secure networks: first we define this device, then we demonstrate how its roles can be assigned to humans operating in a similar manner in order to defend against human-based attacks.

1.2.1. Firewall analogy

Webopedia.com has defined a firewall as a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Microsoft Corporation. (August 24, 2001). [Graph illustrating the operation of the firewall].

As stated, the main role of the firewall is to prevent unauthorized traffic in both directions, inbound and outbound. By mapping this concept onto the human being firewall we come to the following:

Operational Modes

1. Packet filtering

2. Proxy server

3. Stateful packet filtering

This was for the network firewall, but what about the human being firewall? Basically there would be a slight difference between the network firewall and the human being firewall; the modes mentioned could be mapped onto the following human being firewall modes:

• (Information filtering mode) The human being firewall can operate in information filtering mode: information should be classified into categories, any communication is explicitly denied by default, and a rule should be assigned defining each type of communication that should be allowed.

• (Proxy mode) The human being firewall should conduct any type of communication acting on behalf of the communicator if the information is going to leave or enter the entity.

• (Stateful information filtering mode) Unlike the previous modes, where a policy that controls actions is required, in this mode it is up to the human being firewall to decide which information should enter or leave the entity according to each situation (more suitable for complex environments), without prior permission for each communication.

Hint: this mode is totally undesirable and should be avoided, using the security policy as the reference and decision maker; it is not recommended to operate in this mode with a human being firewall who has less than 5 years of experience in this field.

After mapping the three firewall technologies onto the human being firewall, we will continue to map other concepts as well.

Defining Networks

Like any other network device, the human being firewall needs to be configured properly to work efficiently; thus this person should be provided with a holistic overview of the entity, its departments and the employees working within it. This would enhance the performance of this person by familiarizing him with the valuable assets of the entity and the types of information that should be protected.

Access List

The firewall access list maps onto the security policy: as the access list is the decision maker for what should and should not pass through our network, the same concept applies to the security policy, which guides this person on what information is allowed to enter or leave the entity.

AAA (Authentication-Authorization-Accounting)

The concept of AAA can be applied to the human being firewall as well; we can summarize this concept in the following questions:

1. Authentication = who are you?

The human being firewall should authenticate any user prior to allowing any type of communication traversing the entity.

2. Authorization = what can you do?

After passing the authentication process successfully, authorization should be done to ensure that the communicator has the right to do what he wants to do. For example, a user within the R&D department of company X needs to communicate with another user within the R&D department of company Y; to allow this type of communication, two actions should be taken:

Firstly, authenticating the user (ensuring that this user really works for company X and is part of the R&D department).

Secondly, authorizing the user (ensuring that this user has the right to communicate directly with his destination). According to the security policy, direct communication isn’t allowed between R&D employees and any external entity, thus preventing information leakage or red hunting.

3. Accounting = what did you do?

The most important part of this portion is accounting, or logging: any type of communication should be logged for later review if needed. This will ensure the following:

• The ability to track any process for later analysis if an incident took place

• Creating a baseline for our information security posture, which would help in detecting abnormal activities

VLANS

According to Wikipedia, a virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located in the same physical place.

It is simple to map this concept onto our desired human being firewall; the roles will include the following:

• Dividing the organization into small entities, where each entity shares the same name and attributes

• Assigning each entity a security level that reflects its desired level of importance

• Entities with a higher security level will be able to communicate with entities of a lower security level; the reverse will be denied

• Like VLANs, employees from the same entity might be located at different physical locations and still be able to communicate with each other
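To make the mappings above concrete, here is a small policy engine written for this page; it is added example code, not the paper’s own. It models the information filtering mode (everything denied unless an explicit rule allows it), the VLAN-style security levels (a higher level may initiate communication towards a lower one, never the reverse) and the three AAA steps, writing a log entry for every attempt so that denied requests become baseline data. The entity names, users, levels and rules are constructed sample data, and `Rule`, `Decision` and `HumanFirewallPolicy` are names chosen here.

```python
# Added example for this page (not the paper's own code): a policy engine that
# models the human being firewall's information filtering mode, the VLAN-style
# security-level mapping and the AAA steps. All names and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """Explicit allow rule: `category` information may flow from `src` to `dst`."""
    src: str
    dst: str
    category: str


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class HumanFirewallPolicy:
    levels: Dict[str, int]        # entity -> security level (higher = more sensitive)
    directory: Dict[str, str]     # authenticated user -> entity the user belongs to
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def authenticate(self, user: str, claimed_entity: str) -> bool:
        """Authentication = who are you? The claimed membership must match the directory."""
        return self.directory.get(user) == claimed_entity

    def authorize(self, src: str, dst: str, category: str) -> Decision:
        """Authorization = what can you do? Level check first, then default deny."""
        if src not in self.levels or dst not in self.levels:
            # An entity that was never defined (e.g. an unverified outside party)
            # has no security level, so nothing can be allowed towards it.
            return Decision(False, "unknown entity")
        if self.levels[src] < self.levels[dst]:
            # VLAN mapping: higher level may talk to lower, the reverse is denied.
            return Decision(False, "lower level may not initiate towards higher level")
        if Rule(src, dst, category) not in self.rules:
            # Information filtering mode: no explicit rule means denied.
            return Decision(False, "no explicit allow rule (default deny)")
        return Decision(True, "explicit rule matched")

    def evaluate(self, user: str, src: str, dst: str, category: str) -> Decision:
        """Run the three A's in order and account for every attempt, allowed or not."""
        if not self.authenticate(user, src):
            decision = Decision(False, "authentication failed")
        else:
            decision = self.authorize(src, dst, category)
        verdict = "ALLOW" if decision.allowed else "DENY"
        # Accounting = what did you do? Denied attempts are the interesting baseline data.
        self.log.append(f"{verdict} {user}@{src} -> {dst} [{category}]: {decision.reason}")
        return decision


def build_sample_policy() -> HumanFirewallPolicy:
    """Constructed sample: three internal entities and a short allow list."""
    return HumanFirewallPolicy(
        levels={"RandD": 3, "Sales": 1, "Public": 0},
        directory={"ahmed": "RandD", "adam": "Sales"},
        rules=[
            Rule("RandD", "Sales", "project-status"),
            Rule("Sales", "Public", "brochure"),
        ],
    )


def run_sample() -> List[Decision]:
    """Evaluate a few constructed requests; returns the decisions in order."""
    policy = build_sample_policy()
    requests = [
        ("ahmed", "RandD", "Sales", "project-status"),   # allowed by explicit rule
        ("ahmed", "RandD", "Public", "pentest-report"),  # no rule: default deny
        ("adam", "Sales", "RandD", "project-status"),    # lower -> higher: denied
        ("omar", "RandD", "Sales", "project-status"),    # not in directory: denied
        ("adam", "Sales", "Global-x", "brochure"),       # undefined entity: denied
    ]
    decisions = [policy.evaluate(*req) for req in requests]
    for line in policy.log:
        print(line)
    return decisions


if __name__ == "__main__":
    run_sample()
```

Note that the outside party in the last request is rejected before any rule is consulted: an entity that was never defined during the "defining networks" step has no security level, which is the same posture the paper asks of the human being firewall towards an unverified correspondent.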

Fault tolerance

Applying this concept here differs a little from its traditional definition: this person shouldn't be the single point of failure in the security chain. Having a secondary human being firewall (a substitute) for this person would help in case of the unavailability of the primary one; also, synchronization between them should be done at short intervals to keep both of them up to date.

Testing the process

Ensuring that the deployed human being firewall is operational and working well is extremely important. A test should be conducted to determine how the human being firewall will react to a real incident (where there is no room for a single fault); this would be accomplished by trying to violate the approved security policy that controls this process.

One thing to keep in mind when doing this is that the test must be conducted completely unannounced, without any prior knowledge on the part of the human being firewall; that would mimic how the deployed human being firewall would react in case of a real incident.

1.3. Case Study

1.3.1. Overview

Secure-n is an organization that works in the field of information technology as a system integrator; it consists of three subsidiaries: network solutions, security and multimedia.

The security department is responsible for providing security services to other organizations by delivering state-of-the-art network assessment, penetration testing and risk assessment services. In order to do this, the security service team must be provided with confidential information about the target organization, such as network device configurations, web application source code and network diagrams.

First we will define the individuals and entities involved in this scenario:

Entities

1. Secure-n Corporation: system integrator (the target).

2. Global-n Corporation: Secure-n’s competitor.

3. Global-x Corporation: fake identity used to mask the real identity of Global-n Corp. (the attacker).

Individuals

1. Omar Yakan: the bad guy within Global-n; he has been assigned the task of finding a way to disrupt Secure-n’s business activities.

2. Adam Mohamed: Security Presales Manager at Secure-n Corp.

3. Ahmed Noor: Senior Information Security Engineer at Secure-n Corp.

The attack

Global-n is a fierce competitor of Secure-n Corporation; after Secure-n Corporation became a leading system integrator in the market, Global-n is now on a mission to overtake Secure-n Corporation by any means.

Global-n contacted Secure-n Corporation under a fake identity (Global-x), a foreign company located outside the country, claiming a need for a security service solution and asking for a contact person at Secure-n Corporation.

To do this, a normal visit to the Secure-n website revealed the e-mail address of the security service department.

Because Global-x claimed to be located outside the country, Secure-n Corporation had no option for communicating with Global-x other than e-mail. After getting the e-mail address of the Security Service department from the Secure-n website, Global-n contacted Secure-n under the fake identity (Global-x).

After receiving this e-mail, Secure-n replied with the following.

Until now, everything seems fine, with no abnormal or suspicious activity that could arouse the curiosity of Secure-n staff. Now we can dive deeply into the attack: what followed was another bundle of words that is even niftier than a CSRF attack.

The reply from Omar Yakan was a professional one, intended to continue gaining trust without raising any doubts.

Sending another e-mail from Omar Yakan to Ahmed Noor before Ahmed had even replied to the previous one was another tactic used by Omar to pressure Ahmed, so as not to give him the chance to investigate Global-x’s identity further.

Ahmed was now in trouble: he couldn’t disclose those reports to Global-x, as the signed non-disclosure agreement would subject him to legal penalties, but he also didn’t want to lose this wealthy client (Global-x). He also needed to prove the professionalism of his work and the state-of-the-art services delivered. After deep thought, Ahmed decided to remove any data from the report related to the previous customer and then send the customized report to Global-x for further analysis.

Ahmed replied to Omar with the following e-mail.

To get familiar with what Ahmed could have done to the report to obscure the identity of the customer, let’s take a look at the following shots taken from the attached report.

Now that we have an overview of how this report looks, we will explain how it could be a key element in a successful attack against Secure-n Corporation. The main concern of Omar Yakan was to learn the obscured identity of the customer represented in that report.

It was clear that Ahmed Noor was able to mask or scramble any line of the report that could disclose the name or even the IP address of the customer, so he thought that nothing else within the report could pose a real threat of revealing his customer’s identity. But I am sorry to say that he was totally wrong… let’s see why!

Omar was smart enough to pick out one of the screenshots that could help him identify the masked customer. Please take a close look at the following shot and think for a while about what could be extracted from it to help reveal the identity of the customer.

After careful inspection, Omar took notes about the following:

1. The time at which this pen test was conducted (Ahmed thought it was worth nothing for the time to be known).

2. The ISP providing the customer with internet services.

By now Omar had obtained valuable information that would help him identify the masked customer, but he still needed more information to make sure whose report that was. Omar investigated further to collect information; surfing the Secure-n website might be a good idea, Omar thought.

Omar was right about this idea, as he found the following page on the website.

Navigating to that link resulted in the following page.

Omar thought that he had nothing to lose by investigating this corporation (Thunder Gas), so he tried to do more information gathering about it. A few simple queries using Sam Spade and other WHOIS utilities were enough to confirm that the sample report was really related to that corporation (Thunder Gas)… do you know why?

Remember the valuable information noted by Omar before? The time at which the pen test was conducted and the ISP serving this customer. It was clear by now that Thunder Gas was served by the same ISP that was listed in the report.

By now Omar was 70% sure that the report was related to Thunder Gas Corporation, but he still needed to make sure of that before carrying out the last phase of the attack. As Omar believes that the internet is a treasury full of vital information, he decided to search the internet for something that could help him further.

Trying the following search string in Google (Thunder+Gas+Secure-n) returned many results, and the very first link was an article in a public IT magazine containing the following:

“Secure-n Delivers Thunder Gas Security Service (15/2/2008)

Thunder Gas, the biggest petroleum company in Egypt, designated Secure-n to secure its infrastructure. The new process Secure-n implemented includes assessing network infrastructure, web applications and compliance issues. Due to Secure-n expansions, it became an urgent need to ensure the confidentiality of its data.”

After comparing the two dates listed in the report and the article, Omar was totally sure that the report was really related to Thunder Gas Corporation. By now, Omar was absolutely capable of doing damaging harm to Secure-n’s reputation by disclosing the confidential data he had obtained; moreover, Secure-n may be subject to legal accountability and other penalties according to the signed NDA.

1.4. The Defense

“An ounce of prevention is worth a pound of cure.” Benjamin Franklin

That is the message that should be considered by every individual working within the information security field. Before we delve into the steps that should have been taken to keep that attack’s effect on operations minimal, we will go through some preventive actions that a human being firewall would implement to help mitigate this type of attack.

1.4.1. Preventive Actions

Security awareness

Microsoft has its own vision regarding security awareness; it states that “People are the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Therefore, people need to be educated on what your organization considers appropriate security-conscious behavior, and also what security best practices they need to incorporate in their daily business activities. This kit was created to provide guidance, samples, and templates for creating a security awareness program.”

InfoSecurityLab stated that topics covered in security awareness training should include:

• The nature of sensitive material and physical assets they may come in contact with, such as trade secrets, privacy concerns and government classified information.

• Never send sensitive information via email.

• Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements.

• Do not cut and paste potentially sensitive information from any proprietary or confidential business application into emails or otherwise distribute sensitive information insecurely to customers.

• Only share customer data with internal personnel on a need-to-know basis.

• Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction.

• Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication.

• Other computer security concerns, including malware, phishing, social engineering, etc.

• Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.

• Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties.

Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company's computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.

Data Loss Prevention (DLP)

“You have to understand what kind of sensitive data you have and do a risk evaluation of what happens if data is exposed or gets in the wrong hands.” Thomas Raschke

So you really shouldn’t underestimate the danger you would face if your business secrets were disclosed.

“DLP solutions both protect sensitive data and provide insight into the use of content within the enterprise. Few enterprises classify data beyond that which is public, and everything else. DLP helps organizations better understand their data and improve their ability to classify and manage content.” Rich Mogull (n.d.), Understanding and Selecting a DLP Solution.

According to searchsecurity.techtarget.com.au, you can expect the following from a good DLP solution:

• Protect information from accidental disclosure - Employees have access to an organization's most sensitive information, but some simply are not aware of the dangers inherent in sending data over the Internet. For example, a new finance employee sending a confidential document to an offsite accounting firm may decide to attach the document to an email without realizing that it's being sent in clear text across the Internet. It is the responsibility of the organization to ensure that the proper steps are taken to tag all confidential data. DLP products ensure that confidential and critical information is appropriately tagged so that employees cannot accidentally disclose it. Tagging is the process of classifying which data on a system is confidential, and marking it appropriately. Because of this labeling, an employee that accidentally or maliciously attempts to disclose confidential information may be denied. For example, a sensitive file that is tagged can be restricted from being sent via email and instant messaging programs.

• Protecting information from malicious intent (internal and external) - Disgruntled employees continue to be a primary driver of data theft. Implementing DLP can restrict the channels in which employees can transfer data. DLP can also prevent confidential data from being copied to USB devices, external hard drives and iPods.

• Meeting regulatory compliance requirements - Many organizations need to comply with certain government regulations, be it SOX, GLBA, HIPAA or all of the above. DLP technology seems likely to play a major part in assisting with regulatory compliance requirements this year. HIPAA, for example, requires that all healthcare information remain confidential, and a DLP strategy is not only a means of protecting such information, it's also a way to demonstrate that the organization is taking the appropriate steps outlined in the regulation.
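The case study turned on metadata that survived Ahmed’s manual sanitization (a timestamp and an ISP name in a screenshot), and the tagging step described above is exactly where such residue should be caught. The following release check is added example code written for this page, not the paper’s own nor any vendor’s DLP product: it scans a constructed “sanitized” report for IP addresses, timestamps and names from a constructed provider list, tags the document CONFIDENTIAL if anything remains, and refuses to let a CONFIDENTIAL document leave over e-mail or instant messaging. `redact()` shows the same patterns being removed so the check can be re-run before release. The function names, the provider list, the blocked channel list and the sample report are all assumptions made here.

```python
# Added example for this page (not the paper's or a vendor's code): a DLP-style
# release check that tags a report CONFIDENTIAL while customer-identifying
# residue (IP addresses, timestamps, ISP names) remains, and blocks outbound
# channels accordingly. Patterns, provider list and sample report are constructed.
import re
from dataclasses import dataclass
from typing import List

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Timestamp shapes tool screenshots typically carry: "2008-02-10 09:15:00" or "15/2/2008".
TIMESTAMP_RE = re.compile(
    r"\b\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?\b|\b\d{1,2}/\d{1,2}/\d{4}\b"
)
# Constructed provider list; a real deployment would maintain its own.
KNOWN_PROVIDERS = ("ExampleNet ISP", "SampleTelecom")
# Channels that a CONFIDENTIAL tag closes (the paper's e-mail and IM example).
BLOCKED_CHANNELS = ("email", "im")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ip", "timestamp" or "provider"
    value: str
    line_no: int   # 1-based line in the report where the residue sits


def scan_report(text: str) -> List[Finding]:
    """Return every residual identifier found in the report, in document order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in IPV4_RE.finditer(line):
            findings.append(Finding("ip", m.group(), line_no))
        for m in TIMESTAMP_RE.finditer(line):
            findings.append(Finding("timestamp", m.group(), line_no))
        for provider in KNOWN_PROVIDERS:
            if provider in line:
                findings.append(Finding("provider", provider, line_no))
    return findings


def classify(text: str) -> str:
    """Tagging step: anything that still identifies the customer is CONFIDENTIAL."""
    return "CONFIDENTIAL" if scan_report(text) else "RELEASABLE"


def outbound_allowed(text: str, channel: str) -> bool:
    """Enforcement: a CONFIDENTIAL document may not leave over a blocked channel."""
    return not (classify(text) == "CONFIDENTIAL" and channel in BLOCKED_CHANNELS)


def redact(text: str) -> str:
    """Replace the identifiers scan_report() looks for with a marker."""
    text = IPV4_RE.sub("[REDACTED]", text)
    text = TIMESTAMP_RE.sub("[REDACTED]", text)
    for provider in KNOWN_PROVIDERS:
        text = text.replace(provider, "[REDACTED]")
    return text


# Constructed sample: the customer name was masked, but metadata was left behind.
SAMPLE_REPORT = """\
Network Assessment Report - Customer: [REDACTED]
Scan started: 2008-02-10 09:15:00
Target host: [REDACTED]
External gateway: 192.0.2.45 (route via ExampleNet ISP)
Finding 1: outdated SSH banner on [REDACTED]
"""


if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print(classify(SAMPLE_REPORT), outbound_allowed(SAMPLE_REPORT, "email"))
    clean = redact(SAMPLE_REPORT)
    print(classify(clean), outbound_allowed(clean, "email"))
```

The check is deliberately conservative: a single leftover timestamp is enough to keep the report tagged CONFIDENTIAL, because, as the case study shows, a date and a provider name were all it took to re-identify the customer.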

We should emphasize that we should expect the worst when implementing our controls and hope for the best: sooner or later an attack is going to occur; it is not a matter of “if” but “when”.

The next section demonstrates how a well-planned incident handling strategy helps in recovering quickly from the effects of such attacks. Let’s apply the six-step process (preparation, identification, containment, eradication, recovery, lessons learned) for incident handling.

1.5. Incident Handling Process

1.5.1. Preparation

This phase is almost the same in any case, as it outlines how we should be prepared and ready to deal with the incident in a mature manner that helps in fast recovery and ensures the integrity of the evidence. Considering the following guidelines would help get our team ready to handle incidents:

• Obtain management support (very important; otherwise the whole plan will be useless).

• Identify contacts in other organizations (legal, law enforcement, partners...).

• Identify the team members who will be working through the incident.

• Train the team: practice... practice... practice.

• Consider out-of-band communications (this won’t affect our scenario, but it is really a vital step that mustn’t be ignored).

• Document every step you take.

• Update the disaster recovery plan.

Scenario mapping

This demonstrates how the new concept of the human being firewall could be merged with the six-step process for incident handling, where applicable.

• Mode of operation: The dedicated human being firewall will be operating in the stateful information filtering mode, thus he has the right to decide what information should leave or enter the organization; as he has the authority to do that, he would be inspecting any attachments leaving the entity for abnormal activity.

• Defining networks: The human being firewall should be provided with detailed information about the corporate structure, design and provided services.

This should be supported with good documentation showing the role and authority of each employee within the corporation. The first thing that comes to mind in this phase is legal contracts and penalties; thus he should spend adequate time understanding the nature of Secure-n’s structure, tasks and even partners and competitors in order to get a holistic overview.

• Defining the policy: As the most important part of a security process, the security policy should be defined.

In her GSEC practical assignment, Kerry D. McConnell summarized these tips briefly as follows:

a. Develop policies that you plan to enforce.

b. Develop security policies that do not require updates too frequently.

c. Differentiate between policy and standards or recommendations.

d. Include employees from other departments in the development of the policy.

e. Make it available to everyone.

f. Easily understood, far away from complicated terms.

g. Make sure your legal department is involved.

Until now, none of the above actions affect our attack in a direct manner; they are just proactive actions that help in maintaining a good preparation plan. If the above tasks were executed precisely, we would have a well-prepared human being firewall who would be ready to identify attacks and react to them in a mature manner.

1.5.2. Identification

We can refer to identification as detecting deviation from the norm and attempts to do harm. Identifying both the incident and the person who should identify it is a critical mission; you should know how you identify an incident (IDS alerts, failed or unexplained events, system reboots, poor performance). Correlating evidence isn't an easy task at all; you must be capable of determining whether it's an event or an incident. Keep in mind that reporting events as incidents (false positives) would reduce your credibility; another thing to bear in mind is notifying the correct person.

Points to keep in mind:

• Be willing to alert early.

• Maintain situational awareness.

• Provide indications and warnings.

• Fuse or correlate information.

Scenario mapping

How would the human being firewall identify the attack?

Based on the information he has obtained from the preparation phase, he is supposed to successfully identify the attack. Applying the following concept would have a significant impact on identifying the attack:

• Authentication: who are you?

The human being firewall should intercept any type of communication that traverses the entity, so the first challenging task that faces him is to check the identity of Global-x Corporation. Restrictive actions should be taken to ensure the success of this task; if he completes this task successfully he would render the whole attack ineffective.

Another vector that would increase the probability of identifying the attack is the request for a sample report: it's not common to ask for things like that, so a request like this is worth investigating. Being expected to alert early, the human being firewall would prefer to alert at this stage even though there is a probability of a false positive alarm. After identifying the attack and alerting, communication should take place between the human being firewall and the communicator to familiarize him with the nature of the attack and what consequences could be expected from attacks like these.

1.5.3. Containment

Enlarging the scale of the attack is usually one of the goals a hacker will try to achieve; infecting a wide range of systems would be his ultimate goal. From this perspective we should stop the danger vector from spreading across the network, by keeping the effect of the attack down to the minimum. Things shouldn't get worse. Decisions that stop the damage should be taken quickly.

Scenario mapping

We aren’t supposed to be dealing with this phase right now if we were able to

identify the attack successfully at early stages and keep it useless in a manner that won’t

leave any effects that should be contained. But based on the defense in depth concept we

would suppose that the attack was executed, addressing how the human being firewall

would play a major role in the containment phase.

Ahmed Noor would be directed by the human being firewall to stop any type of

communication with the alleged customer Global-x, by doing such action we will be sure

by now that at least we would stop the bleeding and stop the attack from causing much

more damage.

1.5.4. Eradication

Now with the bleeding stopped, our goal is to get rid of the intruder's artifacts. Consider the following points:

• Fix the problem before going back online.

• Determine the cause not the symptoms.

• Improve defense.

• Make sure compromise doesn’t recur.

Scenario mapping

Removing the vulnerability that the attacker exploited is the goal of this phase. It's clear that lack of security awareness is the main reason the attack was completed successfully; moreover, it's a clear violation of the policy, as the policy states that individuals aren't authorized to share customer data with external personnel.

It would be up to the human being firewall to apply the second pillar of AAA:

2- Authorization: what can you do?

According to the policy, Ahmed Noor should be advised that he isn't authorized to share customer data with external personnel. By now it's supposed that the vulnerability which caused the attack was eradicated in a manner that stops attackers from exploiting it again.

1.5.5. Recovery

Our goal will be shifted to putting the impacted items back into operation (items might include computers, network devices and even individuals).

• Make sure you don't restore a compromised item (code, workstation or even an employee).

• Validate the system (verify the operation was successful and the system is in its normal state).

• Be careful deciding when to restore operations (system owner or business).

• Monitor the restored item very closely.

Scenario mapping

There is no doubt that Ahmed Noor's actions should be monitored closely by the human being firewall for a period of time to ensure that he is back to normal operation without any chance of being exploited again.

1.5.6. Lessons Learned

Improving our capabilities and operations to prevent it from happening again is the main goal of this phase; one way to improve is to learn from our mistakes and move on to make new mistakes instead of repeating the old ones. To obtain the ultimate usefulness of this phase we are expected to have as much evidence as we can that shows us the nature and tactics used by the attacker to complete his attack successfully. Again, it's the human being firewall's task to implement the third pillar of the AAA concept:

3- Accounting: what did you do?

Documentation is a key element in case of incidents. Remember that in incidents there is always a lack of evidence, so by documenting every type of communication traversing the entity we would still have evidence to support our legal position in case of being charged.

Key points to be considered:

• Identify the most relevant conclusions and areas for improvement.

• Develop a report and try to get consensus.

• Conduct a follow-up meeting within 24 hours of the end of the incident.

• Send recommendations to management, including a cost analysis.
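Bringing the three pillars together (the identity check from the identification phase, the policy check from the eradication phase, and the accounting record described above), as an added example that is not part of the paper: a toy Python policy engine run over constructed messages from the scenario. The customer register, the e-mail domains and the message contents are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the paper): verifiable customers -> domain on record.
KNOWN_CUSTOMERS = {"global-x": "global-x.example"}
INTERNAL_DOMAIN = "secure-n.example"  # hypothetical domain for Secure-n

@dataclass
class Communication:
    sender: str
    recipient_domain: str
    claimed_identity: str          # who the counterpart says they are
    contains_customer_data: bool   # e.g. the "sample report" in the scenario
    request: str

@dataclass
class HumanFirewall:
    known_customers: dict
    internal_domain: str
    ledger: list = field(default_factory=list)  # accounting: what did you do?

    def authenticate(self, comm):
        """Pillar 1, who are you? Staff are known; outsiders must match the record."""
        if comm.recipient_domain == self.internal_domain:
            return True
        return self.known_customers.get(comm.claimed_identity.lower()) == comm.recipient_domain

    def authorize(self, comm):
        """Pillar 2, what can you do? Policy: no customer data to external personnel."""
        external = comm.recipient_domain != self.internal_domain
        return not (external and comm.contains_customer_data)

    def inspect(self, comm):
        """Decide on one communication and record the decision (pillar 3, accounting)."""
        if not self.authenticate(comm):
            decision = "ALERT"   # alert early, even at the risk of a false positive
        elif not self.authorize(comm):
            decision = "BLOCK"   # the policy violation named in the eradication phase
        else:
            decision = "ALLOW"
        self.ledger.append((comm.sender, comm.recipient_domain, comm.request, decision))
        return decision

def run_scenario():
    """Constructed replay of the paper's scenario: three messages from Ahmed Noor."""
    hf = HumanFirewall(KNOWN_CUSTOMERS, INTERNAL_DOMAIN)
    msgs = [Communication("ahmed.noor", "global-x-support.example", "Global-x", True, "sample report"),
            Communication("ahmed.noor", "global-x.example", "Global-x", True, "customer list"),
            Communication("ahmed.noor", "secure-n.example", "Secure-n", True, "internal review")]
    return [hf.inspect(m) for m in msgs], hf.ledger
```

The first message fails the identity check (the claimed customer's domain on record does not match), the second is blocked by the sharing policy, and the third is internal and allowed; every decision lands in the ledger regardless of outcome.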

1.5.7. Conclusion

Through this paper we have gone through a real-world scenario as a proof of concept that new breeds of attacks already exist around us that could cause severe harm. We can mitigate those types of attacks with the new concept of "Defending people by people".

We shouldn't underestimate the danger we face when we handle attacks that target humans, realizing that the most valuable asset we have is our employees, so we are expected to do a good job securing them and keeping them safe from human-based attacks.

The human being firewall should be considered the most valuable and effective way of defending against those types of attacks; it really should be considered in every organization that believes it needs to maintain a good security posture.

1.6. References

Abby Christopher. The human firewall. Retrieved December 7, 2008 from http://www.networkworld.com/research/2003/0526human.html?page=1

Articlesbase.com. (2007). Security Awareness. Retrieved December 10, 2008 from http://www.practicalecommerce.com/articles/170-eCommerce-Fraud-Build-a-Human-Firewall

Cert.org. (2008). Computer Security Incident Response Team FAQ. Retrieved December 12, 2008 from http://www.cert.org/csirts/csirt_faq.html

Kerry D. McConnell. (2002). How to Develop Good Security Policies and Tips on Assessment and Enforcement. Retrieved December 17, 2008 from www.giac.org/certified_professionals/practicals/gsec/1811.php

Microsoft Corporation. (n.d.). Security Awareness. Retrieved December 9, 2008 from http://technet.microsoft.com/en-us/security/cc165442.aspx

Microsoft Corporation. (August 24, 2001). Graph illustrating the operation of the firewall. Retrieved September 20, 2008 from http://www.microsoft.com/middleeast/windows/windowsxp/home/using/howto/homenet/protect.aspx

National Institute of Standards and Technology. (2003). Building an Information Technology Security Awareness and Training Program. Retrieved December 7, 2008 from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

National Institute of Standards and Technology. (2003). Establishing a Computer Security Incident Response Capability (CSIRC). Retrieved December 7, 2008 from http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Rich Mogull. (n.d.). Understanding and selecting a DLP solution. Retrieved November 21, 2008 from http://www.sans.org/reading_room/dlp/87.pdf

SearchSecurity.com Definitions. (2006). Retrieved October 2, 2008 from http://www.searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html

Webopedia.com Definitions. (2004). Retrieved December 3, 2008 from http://www.webopedia.com/TERM/f/firewall.html

Wikipedia.com. (n.d.). VLAN definition. Retrieved December 1, 2008 from http://en.wikipedia.org/wiki/VLAN


Last Updated: March 23rd, 2016
