Mark E.S. Bernard Introduction to Privacy Rights, Threats and Countermeasures in Canada

Page 1

Compiled by Mark E.S. Bernard,

CRISC, CGEIT, CISM, CISSP, CISA, ISO 27001 Lead Auditor, PM, PA, CAN

Email; [email protected]

Page 2

• Personal Information Defined

• Canadian Charter of Rights and Freedoms

• BC Personal Information Protection Act

• Observe, Orient, Decide, and Act

• Privacy Threat – “Social Engineering”

Page 3

Personally Identifiable Information, as defined by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA), is any information relating to an identified or identifiable individual, broken into the following two categories:

(a) 'Private Information' (PI): a customer's name, address, telephone number, social security/insurance and other government identification numbers, employer, credit card numbers, personal or family financial information, personal or family medical information, employment history, history of purchases or other transactions, credit records and similar information.

(b) 'Sensitive Private Information': medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences.

Page 4

INSTRUCTIONAL OBJECTIVE: Participants will leave this presentation with an improved understanding of their privacy rights, of the threats to those rights associated with social engineering, and of techniques to identify and counter those threats.

RATIONALE: We'll review the Canadian Charter of Rights and Freedoms, BC privacy legislation, and the OODA Loop before we walk through several scenarios. As a result of this activity, participants will achieve a higher awareness of their privacy rights, of threats to their personal information, and of real-time tactics to defend against social engineering attacks.

PRE-TEST: How many participants attending today's presentation have used social engineering to obtain information that they would not otherwise have?

Page 5

Web link; http://laws-lois.justice.gc.ca/eng/charter/

Page 6

Web link; http://laws-lois.justice.gc.ca/eng/charter/

• Guarantee of Rights and Freedoms

• Fundamental Freedoms

• Democratic Rights

• Mobility Rights

• Legal Rights

• Equality Rights

• Official Languages of Canada

• Minority Language Educational Rights

• Enforcement

Page 7

Web link; http://www.chrc-ccdp.ca/en/timeportals/milestones/113mile.asp

Canada's commitment to these "human rights" was first manifest in the passing of the Canadian Bill of Rights. Yet, despite its good intentions, the Bill of Rights was a federal law that was difficult to enforce. It would take a man of vision, Prime Minister Pierre Elliott Trudeau, to realize the United Nations' dream of unassailable human rights.

At the turn of the century, human rights were at the mercy of laws passed by the provincial and federal governments. This instability opened the doors for discrimination. For instance, Chinese-Canadians gained the vote because it was a popular decision - not necessarily a "right" one. They could have easily lost that right had public opinion turned against them.

[Photo: Prime Minister Pierre Elliott Trudeau]

In 1982, Prime Minister Trudeau brought Canada's Constitution home, and with it, the new Canadian Charter of Rights and Freedoms. The charter sought to protect individual rights by preventing laws that unfairly discriminate or that take away human rights. It acknowledged that everyone, regardless of colour, religion, race, or belief, possesses certain fundamental rights that no government can remove without cause.

Page 8

Web link; http://laws-lois.justice.gc.ca/eng/charter/

7. Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.

8. Everyone has the right to be secure against unreasonable search or seizure.

Page 9

Web link; http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_03063_01

Page 10

• The PIPED Act incorporates the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (the CSA Model Code)

• BC Freedom of Information and Protection of Privacy Act

• BC Protection of Personal Information Act

• Substantially Similar January 1, 2004

Page 11

The ten interrelated privacy principles derived from the Code specified in the PIPED Act are:

• Accountability

• Identifying Purposes

• Consent

• Limiting Collection

• Limiting Use, Disclosure and Retention

• Accuracy

• Safeguards

• Openness

• Individual Access

• Challenging Compliance

Page 12

1. Accountability – An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes – The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Web link; http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

Page 13

3. Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.

Web link; http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

Page 14

4. Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Web link; http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

5. Limiting Use, Disclosure and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

6. Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Page 15

7. Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness – An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Web link; http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

Page 16

9. Individual Access – Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Web link; http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

10. Challenging Compliance – An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Page 17

Web link; http://en.wikipedia.org/wiki/OODA_loop

Page 18

Web link; http://en.wikipedia.org/wiki/OODA_loop

OODA is a concept originally applied to the combat operations process, often at the strategic level in military operations. It is now also often applied to understand commercial operations and learning processes. The concept was developed by military strategist and USAF Colonel John Boyd.

Page 19

Web link; http://en.wikipedia.org/wiki/OODA_loop

Observe: The individual scans the environment and gathers information regarding changes in the environment that affect them directly or indirectly, and regarding how the environment reacts to the strengths, weaknesses, manoeuvres and intentions of their actions. Such observations aim to spot mismatches before the threat agent does.

Orient: Orientation is the interpretation of the observed information, or converting information into knowledge by developing concepts through analysis of that information. The way the individual interprets knowledge depends on culture, genetic heritage, ability to analyze and synthesize, experience, and the latest changes to the information, and success depends on such interpretation.

Page 20

Web link; http://en.wikipedia.org/wiki/OODA_loop

Decide: Deciding is weighing the several options or alternatives available from the body of concepts and knowledge generated during the orientation phase, and picking the best one. For instance, the individual, having realized the need for a countermeasure, may choose to launch a net-new strategy or repackage an existing strategy, based on what they perceive the threat agent would do with the same knowledge. Decisions are, at a basic level, guesses, and as such need to remain fluid or work-in-progress, ready to change as new information arrives.

Act: Acting is carrying out or implementing the selected decision. This completes the OODA loop, and the feedback from the implementation is the basis for the next round of observation.

Page 21

Web link; http://en.wikipedia.org/wiki/Social_engineering_(security)

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

"Social engineering" as an act of psychological manipulation had previously been associated with the social sciences, but its usage has caught on among computer professionals.

Page 22

1 - Information Gathering

2 - Gain Access

3 - Gain Privileged Access

4 - Hide Evidence

5 - Create Backdoors

6 - Expand Attack

Web link; http://en.wikipedia.org/wiki/Hacker_(computer_security)

Page 23

• Social engineers use tactics that leverage trust, helpfulness, easily attainable information, knowledge of internal processes, authority, technology, and any combination thereof

• They often use several small attacks to put themselves in a position to reach their final goal

• Social engineering is all about taking advantage of others to gather information and carry out an attack

• The information gained from a phone book may lead to a phone call. The information gained in the phone call may lead to another phone call

• A social engineer builds on each tidbit of information he or she gains to eventually stage a final, deadly attack

• A successful social engineering attempt could result in great financial loss for the target company. A motivated attacker will be willing to gain information in any way possible

Page 24

• Authority Attack (with or without artefact): Using a fake badge or utility service outfit to gain access, identifying a key individual by name/title as a supposed friend or acquaintance, or claiming authority and demanding information (impersonation)

• Zero-Sum Knowledge Attack: Baiting someone to add to, deny or clarify the attacker's pseudo-knowledge, claiming to know more than they do, in order to solicit more information

• Exaggerated/Knee-jerk Response Attack: Making an outlandish lie in order to provoke an information response

• Persistent Attack: Continuous harassment using guilt, intimidation and other negative ways to get the victim to reveal information

• Fake Survey/Questionnaire Attack: "Win a free trip to Hawaii, just answer these questions about your network"

Page 25

• Stake-Out Attack: Analyzing activity over time, people's movements and actions, deliveries of supplies

• The 10 Attack: Using an attractive individual to gain information or access

• Rubber-Hose Attack: Brute force, threats

• Payola Attack: Bribery, plain and simple $$$

• "The boy who cried wolf" Attack: Setting off a series of false alarms that cause the victim to disable their own alarm system

• Help Desk Attack: Impersonating a current or new end-user needing help with access to a network or server

• "Go with the Flow" Attack: Crowded venues are a great time and place to gain access and information, such as a corporate party that has hundreds of employees; just act like you're one of them

Page 26

Impersonating school staff

The ploy: You receive a phone call from someone who claims to be a teacher at your school and asks for your combination lock code. He mentions the name of your teacher and of someone who's in your class. He tells you there's a problem with these locks that could be prevented, but if it isn't, it could leave you without access to the contents of your locker, unless you supply the information he needs for troubleshooting.

What should you do?

The reality: Good social engineers will do their homework and find out the names of real teachers at your school. They'll even find a way to place the call from inside the school, or have a plausible excuse for why it's coming from outside (for example, saying that they're troubleshooting the problem from the lock company's headquarters). The truth is, there's rarely any reason a real teacher would need to know your combination. If they need to get into your locker, they can simply use their administrative privileges to access whatever they want and open the locker that way.

Never give out your combination to someone claiming to be from your school unless you have an explicit protocol to follow (such as a callback) to verify the person's authenticity.

Page 27

Playing the sympathy card

The ploy: A repairman comes to your door and tells you he's from the phone company and needs to check the phone connections from inside the house. He says he's new on the job and is supposed to get back to the office in an hour; he got lost trying to find your house and now he's running way behind. He just needs to check out some wiring to follow up on a recent upgrade. He's afraid he'll be in big trouble if he doesn't get back in time, and he seems genuinely worried and upset.

What should you do?

The reality: It's possible that he's really on the up-and-up... but not likely. Throwing himself at your mercy is a textbook example of a sympathy ploy, no matter how good an actor he happens to be.

Never allow anyone physical access to your home without your parents checking the name on their ID and calling their company to validate the employee's name and need for access. It may be tempting to help this person out, but most companies have a formal process that they follow before showing up at your door; that gives you an ironclad reason to resist such temptation and to ensure that you and your family are not put at risk.

Page 28

Wooing you with words

The ploy: For the past couple of months you've been dating a guy/girl who just started working at the company where you have a summer job. S/he has a lot of questions about how everything works in general, and it's been fun showing off your knowledge and helping him/her learn the ropes. But lately, s/he's begun asking fairly specific questions about when managers are in the office, and once or twice s/he's asked you to share some information about how the cash floats are handled at the beginning and end of shifts; it seems innocent. You figure s/he's just being curious, and you trust them, but it still seems like s/he should know better than to ask.

What should you do?

The reality: If the stakes are high enough, some social engineers will engage in elaborate, long-term schemes that include slowly becoming your friend or even developing a romantic relationship, so that you eventually trust them enough to reveal confidential information they can use to break into the company that you work for.

Never reveal sensitive information to an unauthorized person, even if it's someone you feel close to and think you can trust. If someone shows an interest in such information, it should send up a red flag that something bad might be about to happen.

Page 29

Intimidation tactics

The ploy: You pick up your phone and an angry voice tells you that your coach has been unable to register you for the upcoming season. The person says she's an assistant working with your coach and demands that you provide her with personal information that will allow her to complete the registration form. She tells you that the coach is THIS close to kicking you off the team, and failure to cooperate could result in exactly that. Although some of this sounds like idle threats, it's hard not to think about what could happen if you don't play along.

What should you do?

The reality: Some social engineers take the intimidation route to try to extract personal information from their victims. They may threaten you over the phone or come storming in, identifying themselves as the coach's assistant or an official from the league, someone with sufficient firepower to make you uneasy or downright scared. It takes a strong person to say "NO" at the risk of alienating an important person, getting the team in trouble with the league, or facing the threat of being kicked off the team, but that's exactly what you should do.

Never reveal personal information to an unauthorized person, regardless of how they represent themselves or what consequences they threaten you with. Tell them that the privacy act prohibits you from disclosing personal information without knowing who you are disclosing that information to. Nobody can second-guess you for adhering to the law.

Page 30

Shoulder surfing

The ploy: One of the students in your class has a habit of walking around behind you when you're at your computer and hanging around to chat while you type. At first it seemed innocent enough, although it's fairly annoying. But you've noticed that sometimes he appears to be scanning your inbox or studying your screen as he talks. In fact, once or twice he's asked you to bring up a particular document, which would require you to log onto the network or navigate to the school intranet page.

What should you do?

The reality: This situation is a little touchy, since you generally want to be polite to other students and teachers who visit you while you're working on your computer. On the other hand, reading over your shoulder is nosy at best and a possible security risk at worst.

Never allow someone to stand behind you and read your screen or watch what you type, unless it's someone who has access to the same information as you do or there's absolutely no personal or confidential information on your screen. A better practice is to always ask anyone who tries to stand behind you to move. If they're innocent, they'll be happy to comply; if they're guilty of snooping, they'll have to comply to look innocent.

Page 31

Something is just not right!

Even if you don't think you're a target of a scenario such as those we've looked at here, you should trust your powers of observation and your instincts. When something seems just a little out of kilter, it could be a clue that some social engineering is afoot. Here are some examples:

• Someone you’re dealing with won’t provide contact information

• Someone is in an extreme rush for something you aren’t sure they should have

• Someone seems intent on dropping a lot of names to establish credibility or authority

• Someone leans on you for information, making you feel uncomfortable or intimidated

• Someone requests personal information

Page 32

• Independence Day: Using an old spaceship as cover for two humans to infiltrate the alien mother ship and upload a virus to destroy it.

• Hackers: Dumpster diving in the target company's trash in order to obtain financial data from printouts.

• War Games: Cracking the password to the military computer system by studying its creator.

• Ferris Bueller's Day Off: Faking a grandmother's death to get Ferris's girlfriend excused from school through multiple phone calls and answering machine recordings.

• Star Wars: R2-D2 gaining access to the Death Star's main computer and shutting down the garbage dispensers.

• Bourne Identity: Multiple passports, multiple identities

Page 33

• Small pieces of information pulled together over a period of time

• Information that seems meaningless to the source(s)

• Can be more difficult to detect when carried out over a longer period of time

• There's absolutely no need to rush if the goal is not time sensitive

• No need to compromise more than one person if only one is enough!!

• Gain the trust of the source before attempting to execute the social engineering

• Sometimes, by employing authority, the social engineering attack can be accomplished more quickly

Page 34

Web link; http://en.wikipedia.org/wiki/OODA_loop

Page 35

Web link; http://www.cnn.com/SPECIALS/1999/mitnick.background/

Page 36

CONCLUSION: The most important security control is your own knowledge and situational awareness. Humans can be the strongest or the weakest link in the security chain.

THOUGHT PROBLEM: Can anyone think of a situation in the past that they would have handled differently based on the knowledge they have acquired today?

POST-TEST: After you leave today, try out your new skills and see whether your friends can prevent you from social engineering them.

Page 37

Canadian Justice Department - Canadian Charter of Rights and Freedoms
http://laws-lois.justice.gc.ca/eng/charter/

Canadian Standards Association - Model Code for Privacy
http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

BC Freedom of Information and Protection of Privacy Act
http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/96165_00

BC Protection of Personal Information Act
http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_03063_01

Wikipedia - Observe, Orient, Decide and Act (OODA loop) description
http://en.wikipedia.org/wiki/OODA_loop

Wikipedia - Social Engineering description
http://en.wikipedia.org/wiki/Social_engineering_(security)