Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf

TESTING

Your company may want to test employees on their mastery of the information presented in the security awareness training, before allowing computer system access. If you design tests to be given on line, many assessment design software programs allow you to readily analyze test results to determine areas of the training that need to be strengthened.

Your company may also consider providing a certificate testifying to the completion of the security training as a reward and employee motivator.

As a routine part of completing the program, it is recommended that each employee be asked to sign an agreement to abide by the security policies and principles taught in the program. Research suggests that a person who makes the commitment of signing such an agreement is more likely to make an effort to abide by the procedures.

ONGOING AWARENESS

Most people are aware that learning, even about important matters, tends to fade unless reinforced periodically. Because of the importance of keeping employees up to speed on the subject of defending against social engineering attacks, an ongoing awareness program is vital.

One method to keep security at the forefront of employee thinking is to make information security a specific job responsibility for every person in the enterprise. This encourages employees to recognize their crucial role in the overall security of the company. Otherwise there is a strong tendency to feel that security "is not my job."

While overall responsibility for an information security program is normally assigned to a person in the security department or the information technology department, development of an information security awareness program is probably best structured as a joint project with the training department.

The ongoing awareness program needs to be creative and use every available channel for communicating security messages in ways that are memorable so that employees are constantly reminded about good security habits. Methods should use all of the traditional channels, plus as many non-traditional ones as the people assigned to develop and implement the program can imagine. As with traditional advertising, humor and cleverness help. Varying the wording of messages keeps them from becoming so familiar that they are ignored.

The list of possibilities for an ongoing awareness program might include:

Providing copies of this book to all employees.

Including informational items in the company newsletter: articles, boxed reminders (preferably short, attention-getting items), or cartoons, for example.

Posting a picture of the Security Employee of the Month.

Hanging posters in employee areas.

Posting bulletin-board notices.

Providing printed enclosures in paycheck envelopes.

Sending email reminders.

Using security-related screen savers.

Broadcasting security reminder announcements through the voice mail system.

Printing phone stickers with messages such as "Is your caller who he says he is?"

Setting up reminder messages to appear on the computer when logging in, such as "If you are sending confidential information in an email, encrypt it."

Including security awareness as a standard item on employee performance reports and annual reviews.

Providing security awareness reminders on the intranet, perhaps using cartoons or humor, or in some other way enticing employees to read them.

Using an electronic message display board in the cafeteria, with a frequently changing security reminder.

Distributing flyers or brochures.

And think gimmicks, such as free fortune cookies in the cafeteria, each containing a security reminder instead of a fortune.

The threat is constant; the reminders must be constant as well.

"WHAT'S IN IT FOR ME?"

In addition to security awareness and training programs, I strongly recommend an active and well-publicized reward program. You must acknowledge employees who have detected and prevented an attempted social engineering attack, or in some other way significantly contributed to the success of the information security program. The existence of the reward program should be made known to employees at all security awareness sessions, and security violations should be widely publicized throughout the organization.

On the other side of the coin, people must be made aware of the consequences of failing to abide by information security policies, whether through carelessness or resistance. Though we all make mistakes, repeated violations of security procedures must not be tolerated.

Chapter 16

Recommended Corporate Information Security Policies

Nine out of every ten large corporations and government agencies have been attacked by computer intruders, to judge from the results of a survey conducted by the FBI and reported by the Associated Press in April 2002. Interestingly, the study found that only about one company in three reported or publicly acknowledged any attacks. That reticence to reveal their victimization makes sense. To avoid loss of customer confidence and to prevent further attacks by intruders who learn that a company may be vulnerable, most businesses do not publicly report computer security incidents.

It appears that there are no statistics on social engineering attacks, and if there were, the numbers would be highly unreliable; in most cases a company never knows when a social engineer has "stolen" information, so many attacks go unnoticed and unreported.

Effective countermeasures can be put into place against most types of social engineering attacks. But let's face reality here--unless everyone in the enterprise understands that security is important and makes it his or her business to know and adhere to a company's security policies, social engineering attacks will always present a grave risk to the enterprise.

In fact, as improvements are made in the technological weapons against security breaches, the social engineering approach to using people to access proprietary company information or penetrate the corporate network will almost certainly become significantly more frequent and attractive to information thieves. An industrial spy will naturally attempt to accomplish his or her objective using the easiest method and the one involving the least risk of detection. As a matter of fact, a company that has protected its computer systems and network by deploying state-of-the-art security technologies may thereafter be at more risk from attackers who use social engineering strategies, methods, and tactics to accomplish their objectives.

This chapter presents specific policies designed to minimize a company's risk with respect to social engineering attacks. The policies address attacks that are not based strictly on exploiting technical vulnerabilities; instead, they involve using some kind of pretext or ruse to deceive a trusted employee into providing information or performing an action that gives the perpetrator access to sensitive business information or to enterprise computer systems and networks.

WHAT IS A SECURITY POLICY?

Security policies are clear instructions that provide the guidelines for employee behavior for safeguarding information, and are a fundamental building block in developing effective controls to counter potential security threats. These policies are even more significant when it comes to preventing and detecting social engineering attacks.

Effective security controls are implemented by training employees with well-documented policies and procedures. However, it is important to note that security policies, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.

The policies presented here include measures that, while not strictly focused on social engineering issues, nonetheless belong here because they deal with techniques commonly used in social engineering attacks. For example, policies about opening email attachments--which could install malicious Trojan Horse software allowing the attacker to take over the victim's computer--address a method frequently used by computer intruders.

Steps to Developing a Program

A comprehensive information security program usually starts with a risk assessment aimed at determining:

What enterprise information assets need to be protected?

What specific threats exist against these assets?

What damage would be caused to the enterprise if these potential threats were to materialize?

The primary goal of risk assessment is to prioritize which information assets are in need of immediate safeguards, and whether instituting safeguards will be cost-effective based on a cost-benefit analysis. Simply put, what assets are going to be protected first, and how much money should be spent to protect these assets?
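The three risk assessment questions above, followed by the prioritization and cost-benefit step, can be carried out as a small calculation. The following is an added example, not text or code from the book: it expresses each threat as an expected annual loss (single-occurrence damage times expected occurrences per year, a standard quantitative convention the book does not name), ranks assets by that figure, and flags a proposed safeguard as cost-effective only when the loss it removes exceeds what it costs. All assets, threats, figures and safeguard names are constructed for illustration.

```python
"""Risk assessment worked example (added illustration, constructed figures).

Answers the three questions in turn: which assets, which threats, what damage,
then prioritises and tests safeguards with a simple cost-benefit comparison.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    single_loss: float   # damage (currency units) if the threat materialises once
    annual_rate: float   # expected occurrences per year

    def annual_loss(self) -> float:
        """Expected loss per year from this threat alone."""
        return self.single_loss * self.annual_rate


@dataclass
class Asset:
    name: str
    threats: list = field(default_factory=list)

    def annual_loss(self) -> float:
        """Expected loss per year across every threat to this asset."""
        return sum(t.annual_loss() for t in self.threats)


@dataclass
class Safeguard:
    name: str
    asset: str           # name of the asset it protects
    annual_cost: float
    risk_reduction: float  # fraction (0..1) of the asset's annual loss it removes


def prioritise(assets):
    """Assets in the order they need safeguards: largest expected loss first."""
    return sorted(assets, key=lambda a: a.annual_loss(), reverse=True)


def net_benefit(safeguard, assets):
    """Annual loss avoided minus annual cost; positive means cost-effective."""
    asset = next(a for a in assets if a.name == safeguard.asset)
    avoided = asset.annual_loss() * safeguard.risk_reduction
    return avoided - safeguard.annual_cost


# Constructed sample inventory (rates chosen so the arithmetic is exact).
ASSETS = [
    Asset("Customer database", [
        Threat("Disclosure via pretext call to help desk", 400_000, 0.25),
        Threat("Malware from email attachment", 50_000, 1.0),
    ]),
    Asset("Payroll records", [Threat("Insider theft", 160_000, 0.125)]),
    Asset("Cafeteria menu", [Threat("Web defacement", 1_000, 2.0)]),
]

SAFEGUARDS = [
    Safeguard("Help-desk verification training", "Customer database", 30_000, 0.5),
    Safeguard("Dedicated filtering appliance", "Cafeteria menu", 20_000, 0.75),
]


def report(assets=ASSETS, safeguards=SAFEGUARDS):
    """Ranked assets and the cost-effectiveness verdict for each safeguard."""
    ranking = [(a.name, a.annual_loss()) for a in prioritise(assets)]
    verdicts = {s.name: net_benefit(s, assets) for s in safeguards}
    return ranking, verdicts


if __name__ == "__main__":
    ranking, verdicts = report()
    for name, loss in ranking:
        print(f"{name:20s} expected annual loss {loss:>10,.0f}")
    for name, net in verdicts.items():
        print(f"{name:35s} net benefit {net:>10,.0f} "
              f"({'worth it' if net > 0 else 'not worth it'})")
```

The ranking shows where the first safeguards belong, and the negative net benefit for the appliance shows the second half of the question: a control can be technically sound and still not be worth buying for the asset it protects.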

It's essential that senior management buy into and strongly support the necessity of developing security policies and an information security program. As with any other corporate program, if a security program is to succeed, management must do more than merely provide an endorsement; it must demonstrate a commitment by personal example. Employees need to be aware that management strongly subscribes to the belief that information security is vital to the company's operation, that protection of company business information is essential for the company to remain in business, and that every employee's job may depend on the success of the program.

The person assigned to draft information security policies needs to understand that the policies should be written in a style free of technical jargon and readily understood by the non-technical employee. It's also important that the document make clear why each policy is important; otherwise employees may disregard some policies as a waste of time. The policy writer should create a document that presents the policies, and a separate document for procedures, because policies will probably change much less frequently than the specific procedures used to implement them.

In addition, the policy writer should be aware of ways in which security technologies can be used to enforce good information security practices. For example, most operating systems make it possible to require that user passwords conform to certain specifications such as length. In some companies, a policy prohibiting users from downloading programs can be controlled via local or global policy settings within the operating system. The policies should require use of security technology whenever cost-effective to remove human-based decision-making.
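The password-length example above is the simplest case of "policy as something the system enforces". The following added example (not from the book) shows both halves of that idea: the written policy is stated once as data, a checker rejects any password that breaks it so no employee has to remember the rules, and an audit compares the OS setting against the policy so the two cannot silently drift apart. The policy values and the `login.defs` fragment are constructed; the key names `PASS_MIN_LEN` and `PASS_MAX_DAYS` are the real shadow-utils `login.defs` keys, with the caveat that on many current Linux distributions the PAM password-quality module, not `login.defs`, is what actually decides minimum length, so the audit is illustrative of the approach rather than a complete check.

```python
"""Policy-as-code: enforce a written password policy and audit the OS setting
that is supposed to enforce it. Added example; values are constructed."""
import re

# The written policy, expressed once so every check reads the same source.
PASSWORD_POLICY = {
    "min_length": 12,
    "require_classes": 3,     # of the four classes below
    "max_age_days": 90,
    "forbid_username": True,
}

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_violations(password, username, policy=PASSWORD_POLICY):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < policy["require_classes"]:
        violations.append(
            f"uses {classes} character classes, policy requires {policy['require_classes']}")
    if policy["forbid_username"] and username.lower() in password.lower():
        violations.append("contains the user name")
    return violations


def parse_login_defs(text):
    """Parse KEY VALUE lines of a login.defs file, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def config_gaps(login_defs_text, policy=PASSWORD_POLICY):
    """Map each login.defs key that is weaker than (or missing from) the policy
    to its current value, so the report names what has to change."""
    settings = parse_login_defs(login_defs_text)
    gaps = {}
    min_len = settings.get("PASS_MIN_LEN")
    if min_len is None or int(min_len) < policy["min_length"]:
        gaps["PASS_MIN_LEN"] = min_len
    max_days = settings.get("PASS_MAX_DAYS")
    if max_days is None or int(max_days) > policy["max_age_days"]:
        gaps["PASS_MAX_DAYS"] = max_days
    return gaps


# Constructed fragments: a typical distribution default and a hardened version.
DEFAULT_LOGIN_DEFS = """\
# constructed sample, not a real host's file
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
"""

HARDENED_LOGIN_DEFS = """\
# constructed sample, aligned with PASSWORD_POLICY
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14
"""

if __name__ == "__main__":
    for pw in ("Summer2024", "jsmith-Rocks-2024!", "correct-Horse-battery-9"):
        print(pw, "->", password_violations(pw, "jsmith") or "accepted")
    print("default config gaps:", config_gaps(DEFAULT_LOGIN_DEFS))
    print("hardened config gaps:", config_gaps(HARDENED_LOGIN_DEFS))
```

The point of keeping the rules in one structure is that the interactive check and the configuration audit cannot disagree about what the policy says; when the policy document changes, the single dictionary changes with it, and the audit immediately reports every host whose setting no longer matches.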

Employees must be advised of the consequences for failing to comply with security policies and procedures. A set of appropriate consequences for violating the policies should be developed and widely publicized. Also, a reward program should be created for employees who demonstrate good security practices or who recognize and report a security incident. Whenever an employee is rewarded for foiling a security breach, it should