
Techno Security's Guide to Managing Risks for IT Managers, Auditors, and Investigators

by Johnny Long

“This book contains some of the most up-to-date information available anywhere on a wide variety of topics related to Techno Security. As you read the book, you will notice that the authors took the approach of identifying some of the risks, threats, and vulnerabilities and then discussing the countermeasures to address them. Some of the topics and thoughts discussed here are as new as tomorrow’s headlines, whereas others have been around for decades without being properly addressed. I hope you enjoy this book as much as we have enjoyed working with the various authors and friends during its development.” —Donald Withers, CEO and Cofounder of TheTrainingCo.

• Jack Wiles on Social Engineering offers up a potpourri of tips, tricks, vulnerabilities, and lessons learned from 30-plus years of experience in the worlds of both physical and technical security.

• Russ Rogers on the Basics of Penetration Testing illustrates the standard methodology for penetration testing: information gathering, network enumeration, vulnerability identification, vulnerability exploitation, privilege escalation, expansion of reach, future access, and information compromise.

• Johnny Long on No Tech Hacking shows how to hack without touching a computer using tailgating, lock bumping, shoulder surfing, and dumpster diving.

• Phil Drake on Personal, Workforce, and Family Preparedness covers the basics of creating a plan for you and your family, identifying and obtaining the supplies you will need in an emergency.

• Kevin O’Shea on Seizure of Digital Information discusses collecting hardware and information from the scene.

• Amber Schroader on Cell Phone Forensics writes on new methods and guidelines for digital forensics.

• Dennis O’Brien on RFID: An Introduction, Security Issues, and Concerns discusses how this well-intended technology has been eroded and used for fringe implementations.

• Ron Green on Open Source Intelligence details how a good Open Source Intelligence program can help you create leverage in negotiations, enable smart decisions regarding the selection of goods and services, and help avoid pitfalls and hazards.

• Raymond Blackwood on Wireless Awareness: Increasing the Sophistication of Wireless Users maintains it is the technologist’s responsibility to educate, communicate, and support users despite their lack of interest in understanding how it works.

• Greg Kipper on What is Steganography? provides a solid understanding of the basics of steganography, what it can and can’t do, and arms you with the information you need to set your career path.

• Eric Cole on Insider Threat discusses why the insider threat is worse than the external threat and the effects of insider threats on a company.

• Internationally known experts in information security share their wisdom
• Free pass to Techno Security Conference for everyone who purchases a book—$1,200 value
• 2-HOUR DVD with cutting edge information on the future of information security

Product Details

Publisher: Elsevier Science
Sold by: Barnes & Noble
File size: 6 MB

Read an Excerpt

Techno Security's Guide to Managing Risks

By Jack Wiles


Copyright © 2007 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055397-9

Chapter One

Social Engineering: Risks, Threats, Vulnerabilities, and Countermeasures by Jack Wiles

Jack Wiles is a security professional with over 30 years of experience in security-related fields, including computer security, disaster recovery, and physical security. He is a professional speaker and has trained federal agents, corporate attorneys, and internal auditors on many computer crime-related topics. He is a pioneer in presenting on subjects that are now being labeled "Homeland Security" topics. Jack is a co-founder and President of TheTrainingCo., which runs the well-known Techno Security and Techno Forensics trade shows. He is in frequent contact with members of many state and local law enforcement agencies as well as special agents with the U.S. Secret Service, FBI, U.S. Customs, the Department of Justice, and the Department of Defense. He was appointed the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member and "official" MC of the U.S. Secret Service South Carolina Electronic Crimes Task Force. Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967-68.


Some of the things I will discuss in this chapter have been on my mind since the mid-1980s. I believe it's time I put them in writing and present my thoughts on what I believe could be the most effective and dangerous threat to any security plan: social engineering! This age-old threat has taken on a new meaning as what I collectively call "bad guys" have continued to use the art of the con to gain access to intellectual property and, if necessary, the buildings that house it.

This chapter isn't meant to be read as a complete story from beginning to end. Social engineering and ways to prevent it are subjects with many meanings. This will be more of a potpourri of tips, tricks, vulnerabilities, and lessons learned from 30-plus years of dealing with these issues. As an inside penetration team leader, I used every exploit I could to conduct a successful inside penetration test. It was during those years that I gained most of my social engineering experience. These skills helped me eventually hang up my dumpster-diving penetration team clothes and retire from the tiger team world UNDETECTED! Although I came close several times, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that's what I effectively was while I had our teams inside their buildings.

If you think this chapter has a strong risk management flavor, it was intentional. Just about every area of concern with security today is a risk management issue. This chapter, and most of the others in this book, are chock full of what I like to call Techno Tidbits of useful risk management countermeasures. Hopefully, many of them will be topics you might not have considered in the past as you put together your security plan. External, internal, and information system auditors should pick up a few ideas for things that should be added to their audit process.

How Easy Is It?

Way back in 1988, I was part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear some of the conversations that went on when a cracker (bad guy hacker) group targeted a victim by calling them on the phone. They were using social engineering skills to gain access to proprietary information, including passwords. I'll never forget what I heard one experienced cracker say to a cracker-in-training: "Social engineering is the easiest way to break into a system." He then followed up that comment by saying, "The stupidity of the average system administrator amazes me."

That was almost 20 years ago and it was the first time I had heard the words social engineering. Why do I think of it as a tool that could be used by any "bad guy" from a cracker to a terrorist? Social engineering is what I believe could be the most effective and dangerous outsider-insider threat to any security plan.

Over the past 15 years, I have learned firsthand just how easy it is to be an effective con man as I lead several inside penetration teams into clients' buildings who hired us to test their vulnerabilities. Not one time did we fail or get caught as we roamed their buildings pretending to be employees. Everyone we encountered while doing our thing thought we belonged there.

Human Nature: Human Weakness

This is certainly not the first time anyone has written about the effects of social engineering. It doesn't take much searching on the Internet to find material on the subject, and in almost every article you will note a common thread. In each case, the social engineer turns our normal human nature of wanting to be kind, helpful, and sympathetic into a weakness they can exploit.

If we looked at this through the eyes of a risk manager performing a risk assessment, our untrained and unaware human nature could be considered a major vulnerability, threatening just about everything important to our company. We'll talk about possible countermeasures to these threats throughout the rest of the chapter.

The reason I digressed into a full discussion about a risk assessment of the threat of social engineering is because I don't think many people have performed a detailed risk analysis. Since social engineering is a truly formidable threat, you need to know how vulnerable you are (at work and home) and what you can do to reduce those risks.

Any risk assessment needs to consider at least four things: risks, threats, vulnerabilities, and countermeasures.

Risk Management: Performing a Mini Risk Assessment

I recently had the opportunity to purchase my first boat. It's not huge, but it is just big enough for me to use as a floating mini-office a couple of days a week when the weather is nice. Just for fun, let's do a mini risk assessment of some of the risks, threats, vulnerabilities, and countermeasures associated with my new floating office. This isn't intended to be extensive (I'm sure you will think of things I didn't mention here). I just wanted to give us practice using terms most associated with risk assessments and risk management.

What Do I Have at Risk?

Being out on the water all day, my life is the first thing that comes to mind as a risk. The boat itself is also at risk, though I have passed some of the financial risk along to an insurance company, which is what we do with a lot of risks where it makes sense. Any equipment on the boat is at risk of not only sinking but of possibly being dropped overboard, or being soaked by a large wave. A sudden thunderstorm could cause problems. Depending on lake conditions, too many other boats could cause a problem. The battery in the boat could die, causing me to lose all power and even strand me on the lake. As you can see, when you consider what you have at risk, you will immediately start to consider some of the threats that could possibly increase your risks. What I have at risk on the boat is everything I could lose if something bad happened. Let's call all the bad things that could happen "possible threats."

What Are Some Possible Threats?

We've already mentioned a few possible threats, which are different than those surrounding my home office. Weather could certainly be a threat, as could simply hitting something as I was moving from one place to another on the lake. The threat of a sudden thunderstorm, or of being hit by another boat, always exists. There isn't much risk of being hit by a car (hopefully), or suffering from a commercial power outage while I'm aboard. The possible threat of theft should be small as long as I keep an eye on my equipment while I'm launching the boat. Overall, the threats, which could possibly hinder my ability to conduct business from my boat, would be lower than most places. (Am I looking for reasons to work from my boat or what?)

What Are Some of the Possible Vulnerabilities?

I would be much more vulnerable to severe weather changes out on the lake than in my home office. I would also be vulnerable to lake conditions in general at any given time. (This is a large lake about 20 miles long.) For a few days following a heavy rain, hundreds of semi-submerged items float downstream. I would certainly be vulnerable to someone losing control of his or her boat and crashing into mine. If I didn't know the depth of the water I was in, I could possibly run aground or hit something in water that was shallower than I thought it was. It would most likely just be an inconvenience, but as in any vehicle, I could run out of fuel. I mentioned not being affected by commercial power failures, but I could easily run my only battery down to where I couldn't start the engine to return to the marina. In addition, though I am always very careful, I could possibly fall overboard—a difficult problem when you're on the water alone.

What about My Countermeasures?

I really enjoy talking about countermeasures. The word even sounds cool. You have all of these things that you have identified as yours and they could be at risk out there in the boat. You have considered the possible threats and how vulnerable you might be as you encounter them. Now, what can you do to lower your risk and decrease your vulnerability?

I've learned a lot during the few months I have had this new floating mini-office. Some of my newfound countermeasures are

* I only try to be on the lake when most other boaters aren't out there.

* I check the weather forecast every time before I head to the lake.

* I will install a second marine battery to insure I always have power.

* I have made sure special waterproof cases are used for my computer and cell phone.

* I carry a small inverter onboard to provide me with 110 volts AC from the boat battery.

* I make sure the marina and my family are always notified of where I will be, and when I expect to return.

* I always carry a small marina radio onboard.

* All data on my computer and cell phone have backup copies on shore.

* I wear a self-inflating life vest at all times.

I'm sure many more issues could be addressed in this mini-assessment, but the point is we all need to at least be familiar with, and understand, our risks at home and work. Included in this book is a detailed chapter titled "Personal, Workforce, and Family Preparedness," which contains a wealth of information for lowering your risk in some of the most important areas of your life.

Outsider–Insider Threats

For my definition here, let's consider the outside threats as those coming at you from the Internet or dial-up modem (You do know where all of your dial-up modems are, don't you?), or a simple phone call from a total stranger. The reason I mention dial-up modems is because there are still many of them out there. Many maintenance ports on older PBXs, building environmental controls, air handling systems, and access control systems still use them and probably will continue to rely on them well into the future.

I'm not considering insider (current employee) activity in this chapter. Even though malicious insiders can use social engineering in a number of ways, the countermeasures for that kind of activity can be much different. For this discussion, let's consider outsider–insider threats as people who never were employees and didn't belong in the building.

This would be the category my inside penetration team would fit into. When we roamed through buildings unchallenged, we definitely didn't belong there (other than being hired to try to get there). Someone checking out your building for possible espionage or future terrorist activities would also fit in this category. In theory, some employee inside the building should eventually figure out that there is a "Trojan horse" in the camp: someone who has gotten past whatever security there is at the perimeter where entry was gained. There is a good chance they used some form of social engineering to get there.


Excerpted from Techno Security's Guide to Managing Risks by Jack Wiles. Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Meet the Author

Johnny Long is a Christian by grace, a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author. He can be found lurking at his website (http://johnny.ihackstuff.com). He is the founder of Hackers For Charity (http://ihackcharities.org), an organization that provides hackers with job experience while leveraging their skills for charities that need those skills.

Jack Wiles is a security professional with over 40 years' experience in security-related fields. This includes computer security, disaster recovery, and physical security. He is a professional speaker, and has trained federal agents, corporate attorneys, and internal auditors on a number of computer crime-related topics. He is a pioneer in presenting on a number of subjects, which are now being labeled "Homeland Security" topics. Well over 10,000 people have attended one or more of his presentations since 1988. Jack is also a co-founder and President of TheTrainingCo., and is in frequent contact with members of many state and local law enforcement agencies as well as Special Agents with the U.S. Secret Service, FBI, IRS-CID, U.S. Customs, Department of Justice, The Department of Defense, and numerous members of High-Tech Crime units. He was also appointed as the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member of the U.S. Secret Service South Carolina Electronic Crimes Task Force. Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967-68, where he was awarded two Bronze stars for his actions in combat. He recently retired from the U.S. Army Reserves as a lieutenant colonel and was assigned directly to the Pentagon for the final seven years of his career.

Russ Rogers (CISSP, CISM, IAM, IEM, Hon. Sc.D.), author of the popular "Hacking a Terror Network: The Silent Threat of Covert Channels" (Syngress, ISBN: 978-1-928994-98-5), co-author of multiple books, including the best-selling "Stealing the Network: How to Own a Continent" (Syngress, ISBN: 978-1-931836-05-0) and "Network Security Evaluation Using the NSA IEM" (Syngress, ISBN: 978-1-59749-035-1), and former editor-in-chief of The Security Journal, is currently a penetration tester for a federal agency and the co-founder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the past 20 years working as both an IT and InfoSec consultant. Russ has worked with the U.S. Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world in Amsterdam, Tokyo, Singapore, São Paulo, Abu Dhabi, and cities all over the United States. Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master's degree in computer systems management from the University of Maryland, a bachelor of science degree in computer information systems from the University of Maryland, and an associate's degree in applied communications technology from the Community College of the Air Force. He is a member of ISSA and (ISC)2® (CISSP). Russ also teaches at and fills the role of professor of network security for the University of Advancing Technology (www.uat.edu).

Phil Drake is Communications Manager for the Charlotte Observer in Charlotte, N. C. The Observer is a daily newspaper that serves readers throughout North and South Carolina. In addition to the newspaper, the Charlotte Observer produces specialty magazines, voice information, and Internet services.

Phil is responsible for all aspects of communications at Observer operations in both Carolinas, including telephone and data communications, wireless systems, conventional and trunked two-way radio, and satellite systems. He is also responsible for business continuity and disaster response planning and related budgeting. He is responsible for providing emergency communications facilities for reporters and photographers covering breaking news stories.

His background includes photojournalism, mainframe computer support, network management, telecommunications planning and management, and business continuity planning. Phil is a former chairman of the Contingency Planning Association of the Carolinas and currently serves as a Board Advisor of the organization. He is a Certified Business Continuity Professional with the Disaster Recovery Institute International.

Phil speaks to public and private sector groups and has been interviewed by and written for a number of national publications on a wide range of emergency communication issues and business/homeland defense planning. He leads business continuity training seminars for both the public and private sectors. He also has provided project management in business continuity and has advised major national clients in emergency planning, workforce protection, threat assessment, and incident response.

He enjoys backpacking, spending time in the outdoors, and has taught outdoor living skills to youth group leaders. He was appointed by the North Carolina Secretary of the Department of Environment and Natural Resources as a voting member of the NC Geological Survey Advisory Committee.

Ron Green (CISSP, ISSMP), a Senior Vice President within the Information Security Business Continuity division of Bank of America, currently serves as an Information Security Business Continuity Officer supporting the Bank’s Network Computing Group. He formerly managed a bank team dedicated to handling cyber investigations, computer forensics, and electronic discovery. Prior to joining Bank of America, Ron was a Secret Service Agent and part of the agency’s Electronic Crimes Agent Program (ECSAP). In addition to the investigative and protection work all agents perform, ECSAP agents perform cyber investigations and computer forensics for the agency. Ron started with the Secret Service in its Phoenix Field Office, and then transferred to the agency’s headquarters to become part of the Electronic Crimes Branch (ECB). While part of ECB he provided support to the ECSAP agents in the field. He also worked on national and international cyber crimes cases, initiatives, and laws. He was the project manager for Forward Edge and the Best Practice Guides for Seizing Electronic Evidence, version 2.0.

Ron graduated from the United States Military Academy at West Point earning a bachelor’s degree in Mechanical Engineering, and he earned a Graduate Certificate from George Washington University on Computer Security and Information Assurance. Ron currently serves as the Treasurer/Secretary for the Financial Services Information Sharing and Analysis Center (FS/ISAC) and as a Board Member for the Institute for Computer Forensic Professionals. Ron currently lives in North Carolina with his wife, Cheryl, and their four children.

Gregory Kipper is a futurist and strategic forecaster in emerging technologies. He specialized in IT security and information assurance for 17 years, working for the last 11 years in the fields of digital forensics and the impacts emerging technologies have on crime and crime fighting. Mr. Kipper has been the keynote speaker at select industry events, a digital forensics instructor, and a trusted advisor to both the government and commercial sectors. He has published books in the fields of digital forensics and emerging technologies, including: "Investigator's Guide to Steganography," "Wireless Crime and Forensic Investigation," and "Virtualization and Forensics."

Raymond Todd Blackwood is an IT Manager for a private university in Tempe, AZ, with over 12 years of experience in managing technology projects, teams, and systems. He currently oversees the development of technology projects at the university and provides lectures and training on leadership principles for technology geeks. Raymond teaches several courses that focus on thinking and brain performance, as well as managing technology, systems, and change.

Raymond started his career in digital film making, which took him from his southern roots to the Southwest, where he did his undergraduate studies and received his BA in Multimedia and Digital Animation and Production. Producing independent digital films led him into technology management as he began to design and implement technology for animation and multimedia applications. A series of events catalyzed by a passion for learning and working in all kinds of technology projects led Raymond to become a Manager of Information Technology in 2000 for the university. Soon thereafter Raymond began his graduate work and received his Masters of Business Administration and Technology Management in 2006.

Raymond is the comoderator of the Phoenix Future Salon through the Accelerated Studies Foundation. He also serves on the board of directors for the Greater Arizona eLearning Association and the Arizona Telecommunications and Information Council, and he is the faculty sponsor for DC480, the university’s hacking club.

Raymond wrote Chapter 7, “Wireless Awareness: Increasing the Sophistication of Wireless Users.”

Amber Schroader has been involved in the field of computer forensics for the past sixteen years. During this time, she has developed and taught numerous courses for the computer forensic arena, specializing in the field of wireless forensics as well as mobile technologies. Ms Schroader is the CEO of Paraben Corporation and continues to act as the driving force behind some of the most innovative forensic technologies. As a pioneer in the field, Ms Schroader has been key in developing new technology to help investigators with the extraction of digital evidence from hard drives, e-mail, and handheld and mobile devices. Ms Schroader has extensive experience in dealing with a wide array of forensic investigators ranging from federal, state, local, and corporate. With an aggressive development schedule, Ms Schroader continues to bring new and exciting technology to the computer forensic community worldwide and is dedicated to supporting the investigator through new technologies and training services that are being provided through Paraben Corporation. Ms Schroader is involved in many different computer investigation organizations including The Institute of Computer Forensic Professionals (ICFP), HTCIA, CFTT, and FLETC.
