Scribd Logo
Hochladen

Willkommen bei Scribd!

  • LP32637

    Hochgeladen von

    jmz_13
    5 Ansichten3 Seiten
    Na

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    Na

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    5 Ansichten3 Seiten

    LP32637

    Hochgeladen von

    jmz_13
    Na

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 3

    Security-Social Engineering

    What is Social Engineering


    Best Practices
    Example Situations
    LEVEL 2 Verification Process

    Enterprise request for information:


    Other Links

    This is an EXTREMELY important process. Please ensure that you are taking the utmost precautions for our user's accounts.
    ALWAYS assume any attempts to gain account information or access is an attempt to social engineer the support team. Not only for !
    LastPass, but for yourself as well.

    What is Social Engineering


    What is social engineering? http://en.wikipedia.org/wiki/Social_engineering_%28security%29

    Best Practices
    ALWAYS be skeptical and assume everyone is attempting to socially engineer you.
    NEVER give out or reference any sensitive account information that wasn't originally provided to you by the user
    Examples:
    Never give out credit card or payment information, we can only verify
    Never give out security emails - truncate the email to give a hint, but never give the entire email address
    Never give previous or new email address changes in full - again, this should be truncated to hint to users, but never
    give the entire address
    Never give out email addresses of other accounts
    And always remember -- Not sure? Something looks weird? ASK!

    Example Situations

    "I think my account has been hacked!"

    Anything similar where a user believes their account has been compromised we should be recommending they change their master
    password immediately and sending them this FAQ

    "I no longer have access to my email!"

    Any cases where a user no longer has access to their email, we MUST have them attempt to recover their email account on their end. Or
    otherwise follow our recommendation in this FAQ

    "I can't revert my account (or master password)"

    If the user cannot revert their account because they do not have access to their email - we first need to push the user to attempt to
    recover their email.
    If a user cannot recover their email (the only reasons for this should be - domain does not have recovery process, email no
    longer exists):
    Send an email to the LP account they no longer have access to letting them know of the request, and if there is no
    response (or you get an error response) - then you can proceed to attempt to assist using LEVEL 2 process. This email
    should also not give any extra information, just that a support request has been made that the following account is no
    longer accessible.
    LEVEL 2 Verification Process
    THIS IS A LAST DITCH EFFORT TO ASSIST AND SHOULD NEVER BE OFFERED IMMEDIATELY!

    5 or more unique sites you have saved in your vault (common sites like Amazon, and social and email domains do not count)
    Current and previous IP addresses (to match past successful IP logins)
    Detailed payment information (simple "Paypal" or "credit card" does not suffice)
    The master password hint (only the hint, not the actual password)
    Account creation date
    Time and date you last accessed LastPass
    What browser(s) used

    Enterprise request for information:


    Q: Can we provide information to our customers on which employee owns a private LastPass account?

    A: Yes, but… We need to consider the privacy and interest in confidentiality by our users who own a private account. So, we may provide the
    number of users owning an additional private account or just the private account, but never the details of who actually has a private account.
    Why? Because we have a direct relationship with the employee for a private LastPass account and we’d breach data protection laws if we share
    PII (personal identifiable information) with a third party (employer is considered a third party for the relationship the employee has with us) without
    prior explicit consent by the employee. In addition, the fact that the employee owns a private account might be also considered confidential and,
    thus, subject to any provisions in place in this regard.

    [Legal reference for the legal opinion above (translated into local laws in the member states): Article 7 of the current data protection directive 95
    /46/EC:

    Member States shall provide that personal data may be processed only if:
    (a) the data subject has unambiguously given his consent; or
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data
    subject prior to entering into a contract; or
    (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
    (d) processing is necessary in order to protect the vital interests of the data subject; or
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the
    controller or in a third party to whom the data are disclosed; or
    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data
    are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require
    protection under Article 1 (1).

    Corresponding reference in the GDPR (General Data Protection Regulation; effective May 25, 2018) is Article 6 (not materially different to current
    regulation):

    Processing shall be lawful only if and to the extent that at least one of the following applies:
    (a)
    the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    (b)
    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data
    subject prior to entering into a contract;
    (c)
    processing is necessary for compliance with a legal obligation to which the controller is subject;
    (d)
    processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    (e)
    processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the
    controller;
    (f)
    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are
    overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where
    the data subject is a child.
    Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.]

    Main Takeaway:

    We don’t share any account data for LastPass which isn’t account data the employer/customer owns directly as this is considered PII
    and, as such, it needs to be protected and only shared subject to prior explicit consent.
    Other Links
    Example of a successfully engineered ticket
    LastPass Security Policy and Procedures
    Lifehacker - Why Social Engineering Should Be Your Biggest Security Concern
    How Apple and Amazon Security Flaws Led to My Epic Hacking

    Das könnte Ihnen auch gefallen