Indian call centres to be probed by British Government


CFS_Oct06.qxd 06/11/2006 10:39 Page 1

Featured this month

Social engineers sweet talk staff

The formidable threat

Social engineering sounds like the stuff of spy movies, but it is very real, as some recent high-profile cases show. Social engineering works – it is very effective as it is a powerful psychological technique. The HP scandal that involved investigators impersonating board members, employees and journalists to obtain phone records shows just how far determined social engineers will go. Some HP employees took it slightly too far, however, with directors having to file a statement with the US Securities and Exchange Commission (SEC) admitting to the company’s violations.

Social engineering is a threat that has evolved in sophistication in the last decade; however, countermeasures have not kept pace. The one real countermeasure is to instil security awareness in staff. Staff need to be aware of attacks on two fronts, because there are two types of social engineering: technology-based and human-based deception. Social engineers will often claim they are real employees, and will ask to be emailed confidential information at a valid address as well as an external one. All employees, especially those with privileged information, including executives, human resource personnel, and personal administrators, must know how to spot a fraudster a mile away. And employees must be coached into staying calm and not revealing their suspicions to the fraudster.

Security experts Richard Power and Dario Forte dissect the sneaky tactics that staff should watch out for... Turn to page 17.

Indian call centres to be probed by British Government

The British Government is to launch an investigation into criminals obtaining customer financial records through call centres in India. The investigation follows the broadcast of a Channel 4 television programme, Dispatches, which revealed the buying and selling of personal information.

A representative from the Information Commissioner said the investigation might lead to powers that could order “a company to stop processing personal information outside the UK.” David Smith, Deputy Commissioner, said: “It appears that some mobile phone companies’ call centres in India are being targeted by criminals intent on unlawfully obtaining UK citizens’ financial records and this will be the focus of our investigation.” He said that the Data Protection Act requires that companies have adequate security in place in a call centre whether in the UK or India.

The television programme showed criminals offering to sell credit card numbers and other confidential information for around $15. Although bank details were sold, the financial information was not obtained through banks’ call centres. Instead it came from mobile phone companies.

Contents

NEWS

Internet war: picking on the finance sector – survey
US state CISOs lacking in security certificates
ISP bids to eradicate zombies and spam

FEATURES

Protecting identity: The empty safe
Security culture: Cultivating an organizational information security culture
Security from the start: The importance of incorporating security requirements within system architecture rather than incorporating retrofitting controls to an insecure design
Diary: A day in the life of a digital forensic investigator
War & peace in cyberspace: Social engineering: attacks have evolved, but countermeasures have not

REGULARS

News in brief
Events

ISSN 1361-3723/06 © 2006 Elsevier Ltd. All rights reserved.

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying

Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.