Sample Electronic Fraud Prevention Guidelines:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
 
(5 intermediate revisions by the same user not shown)
Line 108: Line 108:


:* As with the Domain Name Takedown, the Name Server Takedown is normally a stopping point as Rock Phishers usually move on to another domain name at this point.  If they move to a new Name Server, repeat the above process.  If the Domain Name and Name Server are still active, proceed to IP Address Takedown.  Taking down the IPs will not stop the Rock Phisher since he probably has a whole botnet at his disposal, but it will force him to move to another machine and possibly buy some time during which unsuspecting customers will not be able to access the site.
:* As with the Domain Name Takedown, the Name Server Takedown is normally a stopping point as Rock Phishers usually move on to another domain name at this point.  If they move to a new Name Server, repeat the above process.  If the Domain Name and Name Server are still active, proceed to IP Address Takedown.  Taking down the IPs will not stop the Rock Phisher since he probably has a whole botnet at his disposal, but it will force him to move to another machine and possibly buy some time during which unsuspecting customers will not be able to access the site.
* '''IP Address Takedown'''
:* From  your earlier ping or nslookup, copy the IP address of the phishing domain.  An easy way to do this is right click in the command line window then left click on “Mark”.  Mouse-over the IP address while pressing the left mouse button to highlight the IP and then press “Enter”.  This will copy the IP address to the clipboard.
:* Go to the registry for the IP block you are working with.  I usually start out with ARIN if I don’t already know where the IP is located:  http://ws.arin.net/whois.  If the IP is not in ARIN’s registry, a link to the proper registry will be returned which is kinda helpful. 
:* Paste the IP in the whois search field and view the returned results.  You are looking for the “abuse” contact email address.  If no abuse contact is listed, use the closest match, usually under “technical contact” or “support”.  If this IP block is a direct allocation, there will likely be no other contacts available.  If however, this IP block is allocated from a higher authority, you will want to view that authority’s contact information and contact them as well.  As always, be sure to include the CERT / CSIRT contact for the country where the ISP is located.
* '''Hacked Site Phish'''
:* These phish are usually hosted on the compromised website of a legitimate domain. Find the IP address as before and notify the ISP as above.
:* Additionally, contact the legitimate website owner if the contact information is available on the legitimate portion of the website or in the domain registry.  Some websites have a contact form as part of the “contact us” function.  You can copy the body of your email to the ISP and paste it here.  Letting the owner know his site has been hacked usually gets their attention and they will move quickly to remove the phish content.
:* Often times, script kiddies will leave their shell behind on the hacked machine. They usually rename it from r57.php or c99.php to something else, but the size is fairly large and will stand out among the other php files.  Look in the directory structure for php files from 150k-300k.  Phish kits and possible customer info files can be downloaded using the hacker’s own tool. Fun stuff.  Remember, don’t delete anything from the server because that would be illegal.
:* As always, add the CERT / CSIRT info to the emails.
=='''III. Responsibilities'''==
The '''Chief Information Security Officer''' (CISO) approves the Electronic Fraud Prevention Guidelines. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Electronic Fraud Prevention Guidelines.<br>
<br>
Company management is responsible for ensuring that the Electronic Fraud Prevention Guidelines is properly communicated and understood within its respective organizational units. Company management also is responsible for planning vulnerability assessment activities.<br>
<br>
'''Asset Owners''' (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Electronic Fraud Prevention Guidelines and associated guidelines; ensuring vulnerability assessments are performed; and participating in the planning and closing phases of vulnerability assessments.<br>
<br>
'''Asset Custodians''' (Custodians) are the managers, administrators and those designated by the Owner to manage process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; participating in vulnerability assessments; assisting with prioritizing assessed vulnerabilities; and notifying appropriate Company personnel of identified and assessed vulnerabilities on information systems for which they are responsible.<br>
<br>
'''Users''' are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for reporting suspected or actual vulnerabilities to Information Security in a timely manner.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
Failure to comply with the '''Electronic Fraud Prevention Guidelines''' and associated procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the '''Electronic Fraud Prevention Guidelines''' should be submitted to the CISO in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the '''Electronic Fraud Prevention Guidelines'''.<br>
<br>
=='''V. Review and Revision'''==
<br>
The '''Electronic Fraud Prevention Guidelines''' will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>

Latest revision as of 16:53, 22 September 2009

Document History


Version Date Revised By Description
1.0 1 August 2009 <Current date> Michael D. Peters <Owner's name> This version replaces any prior version.


Document Certification


Description Date Parameters
Designated document re-certification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document re-certification date: 1 August 2010 <Date>


Sample Electronic Fraud Prevention Guidelines

The <Your Company Name> (the "Company”) Electronic Fraud Prevention Guidelines defines objectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.

The Electronic Fraud Prevention Guidelines builds on the objectives established in the Vulnerability Management Standard, and provides specific instructions and requirements for assessing and prioritizing vulnerabilities.

I. Scope

All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.

Information Assets are defined in the Asset Identification and Classification Standard.

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Risk refers to the likelihood of loss, damage, or injury to information assets. Risk is present if a threat can exploit an actual vulnerability to adversely impact a sensitive information asset.

Sensitive Information refers to information that is classified as Restricted or Confidential. Refer to the Information Classification Standard for confidentiality classification categories.

Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.

Vishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

Vulnerabilities refer the weaknesses in information system and procedures including technical, organizational, procedural, administrative, or physical weaknesses.

II. Objectives

The below guidelines are to be followed when mitigating the risk brought about by the threat of Phishing and Vishing attacks against the Company:

Phishing and Vishing Detection Procedures

Phishing and Vishing take-down initiation can come from several sources. Customers as well as non-customers are encouraged to forward phishing emails or phone based Vishing attacks to the Company email address that is monitored by Information Security Incident Response team members. This email address is: abuse@yourcompany.com.

Customer Support

  • Phishing stuffers or other forms of written publications should encourage customers to be on the lookout for and report suspicious communications and obvious Phishing or Vishing activity to any Company representative who should in turn report this information to Information Security.


Third Party Support

  • Phishtank.com
  • Phonephishing.info
  • GonePhishing.org
  • Millersmiles.co.uk
  • Garwarner.blogspot.com: Gary Warner who performs malware and phishing research also sends notification to phished entities when he finds them on the web.


Vishing Site Takedown Procedures

Phishing phone calls usually appear to come from a well-known organization and ask for your personal information, such as credit card number, social security number, account number or password, and so forth. Usually, phone phishing attempts pretend to come from services or companies with which you do not even have anything to do.

While phishing e-mails usually tell you to click a link to a website and submit your personal information, phone-based phishing directly ask you for such information. Legitimate organizations would never request this information of you via email or phone.

  • Identification
  1. Using the caller’s phone number, perform a White Pages reverse lookup of the number:
    • Phonenumber.com/reversephone
    • Enter the phone number in the “Reverse Phone” lookup.
    • The name and service provider will be returned:
    • Make note of the name and phone number. Navigate to the service provider’s website (Google it if necessary). Search the service provider’s contact us information for their abuse contact email address. Since AT&T bought South Central Bell or Bell South, go to the AT&T website:
    • att.com
    • Email address: abuse@att.net
  2. Next, compose an email like the one below being sure to BCC the FBI:
    • This process is normally sufficient. If, for some reason, the Vishing attack persists, call the legal, abuse, or support line of the service provider. Explain the attack and that the authorities have been notified. Usually, the FBI will contact the service provider directly for the information on the subscriber for their case file and direct the subscriber to take down the line, which never fails.


Phishing Site Takedown Procedures

Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to be protected from phishing is to learn how to recognize a phish.

Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as credit card number, social security number, account number or password. Often times phishing attempts appear to come from sites, services and companies with which you do not even have an account.

In order for Internet criminals to successfully "phish" your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.

  • Rock Phish
  • Once the URL of the phishing website has been determined, ping the domain name to obtain the IP address. You can also do an nslookup to see the other IP addresses related to the phish. With Rock Phish there will be several IPs.
  • Go to http://internic.net/whois.html to determine the Registrar and NS entities. For domains ending in anything other than .aero, .arpa, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel, you’ll need to use the universal whois server of your choice for that domain. Try http://www.uwhois.com/.
  • Domain Name Takedown
  • Certain domain names infringe on <Company Name>’s name and/or trademarks. This is illegal and grounds for revocation of the domain name by the registrar, Rock Phish or otherwise. If there is no other legitimate content being hosted by the domain besides the phish, this is also grounds for domain revocation.
  • Once you have the Registrar information, go to their website and look up their contact information for support and/or abuse.
  • Name Server Takedown
  • The Whois lookup will usually include Name Server information. Find the NS owner and go to their website to find their contact information. Prepare a takedown email to the NS owner making sure to include the CERT / CSIRT authority in the TO: field.
  • Include the translation of your choice just to make sure your message gets across (not everybody in the world speaks English). Use your language translator of choice. Google Translate at http://translate.google.com is a good one. Not all languages may be available.
  • As with the Domain Name Takedown, the Name Server Takedown is normally a stopping point as Rock Phishers usually move on to another domain name at this point. If they move to a new Name Server, repeat the above process. If the Domain Name and Name Server are still active, proceed to IP Address Takedown. Taking down the IPs will not stop the Rock Phisher since he probably has a whole botnet at his disposal, but it will force him to move to another machine and possibly buy some time during which unsuspecting customers will not be able to access the site.
  • IP Address Takedown
  • From your earlier ping or nslookup, copy the IP address of the phishing domain. An easy way to do this is right click in the command line window then left click on “Mark”. Mouse-over the IP address while pressing the left mouse button to highlight the IP and then press “Enter”. This will copy the IP address to the clipboard.
  • Go to the registry for the IP block you are working with. I usually start out with ARIN if I don’t already know where the IP is located: http://ws.arin.net/whois. If the IP is not in ARIN’s registry, a link to the proper registry will be returned which is kinda helpful.
  • Paste the IP in the whois search field and view the returned results. You are looking for the “abuse” contact email address. If no abuse contact is listed, use the closest match, usually under “technical contact” or “support”. If this IP block is a direct allocation, there will likely be no other contacts available. If however, this IP block is allocated from a higher authority, you will want to view that authority’s contact information and contact them as well. As always, be sure to include the CERT / CSIRT contact for the country where the ISP is located.
  • Hacked Site Phish
  • These phish are usually hosted on the compromised website of a legitimate domain. Find the IP address as before and notify the ISP as above.
  • Additionally, contact the legitimate website owner if the contact information is available on the legitimate portion of the website or in the domain registry. Some websites have a contact form as part of the “contact us” function. You can copy the body of your email to the ISP and paste it here. Letting the owner know his site has been hacked usually gets their attention and they will move quickly to remove the phish content.
  • Often times, script kiddies will leave their shell behind on the hacked machine. They usually rename it from r57.php or c99.php to something else, but the size is fairly large and will stand out among the other php files. Look in the directory structure for php files from 150k-300k. Phish kits and possible customer info files can be downloaded using the hacker’s own tool. Fun stuff. Remember, don’t delete anything from the server because that would be illegal.
  • As always, add the CERT / CSIRT info to the emails.

III. Responsibilities

The Chief Information Security Officer (CISO) approves the Electronic Fraud Prevention Guidelines. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Electronic Fraud Prevention Guidelines.

Company management is responsible for ensuring that the Electronic Fraud Prevention Guidelines is properly communicated and understood within its respective organizational units. Company management also is responsible for planning vulnerability assessment activities.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Electronic Fraud Prevention Guidelines and associated guidelines; ensuring vulnerability assessments are performed; and participating in the planning and closing phases of vulnerability assessments.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; participating in vulnerability assessments; assisting with prioritizing assessed vulnerabilities; and notifying appropriate Company personnel of identified and assessed vulnerabilities on information systems for which they are responsible.

Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for reporting suspected or actual vulnerabilities to Information Security in a timely manner.

IV. Enforcement and Exception Handling

Failure to comply with the Electronic Fraud Prevention Guidelines and associated procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Electronic Fraud Prevention Guidelines should be submitted to the CISO in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Electronic Fraud Prevention Guidelines.

V. Review and Revision


The Electronic Fraud Prevention Guidelines will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer