Network Risk Assessment: Penetration Testing and Social Engineering

Electronic information systems, now de rigueur for recordkeeping, hold company and customer data, a majority of which may be confidential. If network security controls are ineffective, however, an intruder can get in from the outside and steal that data to exploit it. The result may be identity theft, leaked private company information (think of the WikiLeaks fiasco), lawsuits, or dissatisfied customers. To meet industry standards, keep company information confidential, and maintain a satisfied customer base, implement an effective network security plan that includes regular risk assessments.

Although an electronic information system’s data is often thought of as solely technical, a network risk assessment considers all ways in which this information could be stolen, including through physical or social means. As a result, a network engineer performing a risk assessment uses a combination of penetration testing and social engineering techniques.

Penetration testing involves using ethical hacking techniques to break into a network and identify vulnerabilities, the weak points through which an outside party can enter. A four-phase process is used: planning, discovery, attacking, and reporting. The first two phases involve gathering all basic information about the network, including port and service identifications, host names, IP addresses, employee names and contact information, operating system information, and application and service information. To access the interior, the engineer may be granted employee-level access to the system. With all information gathered, the engineer performs a vulnerability analysis, comparing the network data with a vulnerability database.
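The vulnerability-analysis step described above, as an added example that is not part of the original article: it compares a service inventory from discovery with an advisory list and keeps unidentified versions for manual review. The hosts, product names, versions and EXAMPLE-ADV identifiers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str      # as reported during discovery; may be unknown

@dataclass(frozen=True)
class Advisory:
    adv_id: str       # constructed placeholder, not a real identifier
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)

def parse_version(text):
    """'2.4.10' -> (2, 4, 10, 0), so 2.4.10 sorts after 2.4.9 (string compare gets this wrong)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def analyze(inventory, advisories):
    """Return (host, port, finding) rows; unparseable versions are flagged, not dropped."""
    rows = []
    for svc in inventory:
        try:
            ver = parse_version(svc.version)
        except ValueError:
            rows.append((svc.host, svc.port, "MANUAL-REVIEW"))
            continue
        for adv in advisories:
            if (adv.product == svc.product
                    and parse_version(adv.introduced) <= ver < parse_version(adv.fixed)):
                rows.append((svc.host, svc.port, adv.adv_id))
    return rows

# Constructed sample data (documentation address range, made-up products and IDs).
INVENTORY = [
    Service("192.0.2.5", 22, "example-sshd", "7.2.1"),
    Service("192.0.2.5", 443, "example-httpd", "2.4.10"),
    Service("192.0.2.9", 443, "example-httpd", "2.4.9"),
    Service("192.0.2.12", 3306, "example-db", "unknown"),
]
ADVISORIES = [
    Advisory("EXAMPLE-ADV-001", "example-httpd", "2.4.0", "2.4.10"),
    Advisory("EXAMPLE-ADV-002", "example-sshd", "7.0.0", "7.3.0"),
]

if __name__ == "__main__":
    for row in analyze(INVENTORY, ADVISORIES):
        print(*row)
```

The patched 2.4.10 host is correctly left out, while the service with an unknown version is kept in the report so it is not mistaken for a clean result.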

All vulnerabilities identified become targets for ethical hacking in the attack stage. When performing the test, the engineer determines if an attack was successful, the level of complexity needed to break in, and the measures necessary to reduce future attacks. Because vulnerabilities often come in groups, the engineer may go back and forth between the discovery and attack phases before producing a full report.

Data about employees and the system serves as reference for the social engineering part of a network risk assessment. Often taking the form of a phishing scheme, social engineering involves tricking network users into revealing passwords or usernames. Because employees should never blindly give away such information, the engineer poses as an outsider and attempts to obtain it through online or telephone conversations, instant messages, or emails.

Email phishing schemes are among the more common ways for attackers to obtain network information. Typically, an email that appears authentic, such as one from the company, a bank, or an internet service provider, is sent out requesting username or password information. The email then takes the user to an unsecure website that collects the information, which, aside from a username and password, may include account, credit card, or social security numbers. With this information, the intruder breaks into the network to steal data and possibly exploit it.
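A mail-triage check for the traits described above, as an added example that is not part of the original article: it flags a message that asks for credentials, links to a non-HTTPS site, or links to a site other than the sender's. The flag names, the keyword list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

CRED_RE = re.compile(r"\b(user\s?name|password|credit card|social security|account number)\b", re.I)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def site(host):
    """Last two DNS labels; a simplification (assumption: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def triage(raw_message):
    """Return the list of warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_maintype() == "text")
    flags = ["asks-for-credentials"] if CRED_RE.search(body) else []
    links = LinkCollector()
    links.feed(body)
    for href in links.hrefs:
        url = urlsplit(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, relative links etc. are out of scope here
        host = url.hostname or ""
        if url.scheme == "http":
            flags.append(f"insecure-link:{host}")
        if site(host) != site(sender_host):
            flags.append(f"off-domain-link:{host}")
    return flags

# Constructed sample: sender and link hosts are made up (.test/.example are reserved).
SAMPLE = """\
From: "Example Bank" <support@examplebank.test>
Subject: Action required: verify your account
Content-Type: text/html

<p>Please confirm your username and password within 24 hours.</p>
<a href="http://examplebank.test.login-check.example/verify">https://examplebank.test/verify</a>
"""
```

The sample link shows the familiar name only as a prefix of an unrelated host, which is why the check compares the link's actual hostname and not the text displayed to the user.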

Certain individuals, such as executives, may be more important than others on a network, and in social engineering, a network engineer may target such employees.

Basic Social Networking Information

If you are not familiar with social media networking, you may wonder what it really is. Social networking is the grouping of individuals into more specific, defined groups, much like a rural community or a neighborhood subdivision.

Although social media networking is possible in person, for example by organizing a group around a specific interest, today it is most popular on the internet, where social networking sites used worldwide make it possible to meet new friends from all walks of life.

The internet is filled with millions and millions of individuals who are looking to meet new people, to gather, and to share first-hand information and experiences about all sorts of things in life, which later develop into friendships and, possibly, professional alliances. People now also use social networking widely for their business endeavors and the services they offer. It is one way of making their company, products and services known all over the world. Social networking helps drive more traffic to your website by bringing in online visitors, which in time can bring you sales and new customers.

When talking about social communities, websites are the platform most commonly used for social networking. These websites, also known as social sites, allow users to network with each other. The socialization part may involve reading the profile pages and some personal information of other members of the community, sharing confidential and public information, and organizing and merging it all in your online profile.

Making friends is just one of the many benefits of engaging with social networking websites. Another is diversity: because so many people have access to the internet, it gives you the chance to share information widely. You can also organize and combine all of your profile information on one page, presenting a more personal picture of your real life.

The friends you engage with through social networking give you a venue to share talents and other vital information that can be mutually beneficial to both parties. It is mutually beneficial in the sense that they can help each other bring in business, not only as online friends but as business associates as well.

As stated, social networking often involves groupings, specifically individuals or organizations coming together into one bigger group. While some social community websites focus on a particular interest, others do not. Once you are in a social networking community, you are free to create your own group with specific interests, and you have the freedom to accept group members or remove them if they don’t meet your standards or don’t share a common interest with the rest of the group.

Moreover, social networking involves groupings and the forming of communities around specific interests and likes, both social and business.

What Is CPNI (Consumer Proprietary Network Information)?

Consumer Proprietary Network Information (CPNI) is information that telecommunication services (i.e., local, long distance and wireless telephone carriers) acquire about their subscribers. The information collected typically includes the services they use, as well as how much they use these services and the type of usage.

To be more specific, CPNI includes the various data displayed on a customer’s monthly phone bill, which may include:

• Telephone line type and its technical characteristics

• Service class

• Existing phone charges

• Local and long distance service billing records

• Directory assistance charges

• Usage data

• Calling patterns

• All optional services to which the customer has subscribed

• And so on

Although CPNI covers all of the above information about telephone customers, it does not include the customer’s personal information, such as their name, address or phone number. The only parties that are privy to this personal information are the customer and their telecommunications company.

Furthermore, it is important to note that the Telecommunications Act of 1996, together with the clarification from the Federal Communications Commission (FCC), usually forbids the use of any information that is collected about a customer, even for marketing purposes, unless express permission to use the information is first given by the customer. In addition, if a customer switches service providers, the previous telecommunications carrier is not permitted to use any of that information in an attempt to lure the customer back.

However, the CPNI rules do not prohibit everything. For example, they do not forbid the gathering and publishing of aggregate customer information. Moreover, they do not prohibit the use of telephone subscribers’ information for the purpose of creating directories.

Keep in mind that a telecommunication provider must have the customer’s permission before it can share that customer’s CPNI with any third party, including other agents, affiliates, or parent companies. That being said, when a customer allows a telecommunications provider to share their CPNI, this generally helps the provider to better serve the customer and meet their service needs. Nevertheless, a customer has the right to notify their carrier, whenever they wish, that they withdraw their consent to have their CPNI shared, and the carrier must comply with the request.

It is important that you know your rights so you have the chance to protect yourself and your personal information. Therefore, should you feel that your rights are ever being violated, you can find out who owns a phone number [http://www.whoownsthisphonenumber.com] and file a complaint with the FCC.