Introduction to information risk management [CISMP]
Agent Smith: Information risk management
1h 4m

In this course, you’ll be looking at numerous aspects of the risk matrix including the risk and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and Dark Web Threat Intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats. 

However, before you go on to threat management, let's first review risk and see how it relates to cyber security. 


Agent Smith is a professional conman and cyber criminal. They've got a new target in their sights: a large consultancy with thousands of employees. The first step in their attack is reconnaissance. They hang around outside the main entrance to the office, listening to conversations and memorizing names, to make sure they can name-drop and talk about the business as if they know it intimately. Once they've heard enough, Smith approaches a security guard, has a chat with him and eventually asks where the toilets are.

What the security guard doesn't know is that Smith has an RFID scanner in their backpack, and that if they get within six feet of a target, the scanner can clone that employee's ID card. Leaving the guard behind in the reception area, Smith now has a key card to get into the building. Smith heads out through the toilets and over to the cafe, where they gain the trust of a few people by dropping some of the names they heard earlier on. When the employees head back in, Smith follows. Thanks to the cloned ID card they get through the main security barrier, and once through they can tailgate the employees into their offices.

So, this is a social engineering attack. Normally we think of a social engineering attack as something that arrives through our websites, but on this occasion it was a physical approach to a building: the attacker is reconnoitring, looking at potential vulnerabilities at the site itself and at opportunities. Now, anybody who does social engineering has to be adaptable. They have to adapt to the scenarios and situations they find.

This person has come prepared with a bag on their shoulder and an RFID scanner inside it. RFID stands for radio frequency identification, and a scanner of this kind can copy cards within six feet. A good example is the BOSS cloning device, which people buy online and use for exactly this. So, by going up to the security guard and simply asking "Can I use the toilet please?", they were close enough to copy the entire card. Now the person has full access to the building. What they do next is approach other people in the building and listen to the conversations going on around them, with the idea of picking up names.

So, they want the name of the security guard, and they want the names on any badges that might be on display, because they can then use those names when they start talking to people as part of their cover story. That is obviously very useful. The other technique used on this occasion is called tailgating, where they follow closely behind other people. The employee's badge passes, which is fine, and the attacker gets into the building behind them. Here the tailgating takes them from the initial point of entry into the building itself on into the offices, which is what they're doing.

Another name for tailgating is piggybacking, and that's the technique they're using alongside the scanning. I'll cover quite a few points here, because it's quite important. The first one is your badge: don't wear your badge outside of work. Make sure your badge is in your pocket, out of sight. Just as the police have told people about valuables in a car, out of sight means they don't necessarily know you've got anything there. That's obviously the most important one. Training and awareness of these types of things is also very important, because it helps to educate people about them. And then there is multi-factor authentication.

So, if you've got a badge, the way to defeat this type of cloning technology is multi-factor authentication: you've got the device, and then in addition a PIN, or the device plus biometrics. Biometrics could be your eyes, your fingers, that type of thing, or your voice. Having a combination of those as multi-factor authentication would be good. Conversations: I like the World War II expression, "Loose lips sink ships." So, be careful what you're saying. People will go down to the pub with you and listen to your conversations, and they will listen to you on the trains, wherever you are, and try to memorize things. I've got loads of stories of me on the underground listening to people which, if I had followed a bit further forward, could quite easily have got me access to their systems.

Piggybacking, or tailgating, is about getting access to a building, and there are lots of defenses we can put in place there from a physical security perspective. A good one would be a turnstile with swipe access, which would obviously help to defend against that type of activity. Challenging people if their badge is not on display is obviously a good one as well. RFID wallets: a radio frequency identification wallet shields your card from any emanations coming from it, so it stops those types of devices from being cloned.

And I'm mindful of an example of this where someone had a Christmas box, wrapped in Christmas wrapping paper, and inside it was a Faraday-style cage which blocked the signal. So, people were stealing items in the shop, putting all the items in the box and closing it, so that when it went through the security barrier it wouldn't set anything off, because it was shielded. Fortunately, the security guard was observing what the person was doing and was able to intercept that type of activity. So, beyond RFID wallets, the other thing is to have multi-factor authentication: for example biometrics, your eyes and your fingers or voice control, or, in addition to the pass, having a PIN code that could be used alongside it.


About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.