
Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)
be widely publicized throughout the company, for example in an article in the company newsletter.
One goal of a security awareness program is to communicate the importance of security policies and the harm that can result from failure to follow such rules. Given human nature, employees will, at times, ignore or circumvent policies that appear unjustified or too time-consuming. It is a management responsibility to ensure that employees understand the importance of the policies and are motivated to comply, rather than treating them as obstacles to be circumvented.
It's important to note that information security policies cannot be written in stone. As business needs change, as new security technologies come to market, and as security vulnerabilities evolve, the policies need to be modified or supplemented. A process for regular review and updating should be put into place. Make the corporate security policies and procedures available via the corporate intranet or maintain such policies in a publicly available folder. This increases the likelihood that such policies and procedures will be reviewed more frequently, and provides a convenient method for employees to quickly find the answer to any information-security related question.
Finally, periodic penetration tests and vulnerability assessments using social engineering methods and tactics should be conducted to expose any weakness in training or lack of adherence to company policies and procedures. Prior to using any deceptive penetration-testing tactics, employees should be put on notice that such testing may occur from time to time.
How to Use These Policies
The detailed policies presented in this chapter represent only a subset of the information security policies I believe are necessary to mitigate all security risks. Accordingly, the policies included here should not be considered as a comprehensive list of information security policies. Rather, they are the basis for building a comprehensive body of security policies appropriate to the specific needs of your company.
Policy writers for an organization will have to choose the policies that are appropriate based on their company's unique environment and business goals. Each organization, having different security requirements based on business needs, legal requirements, organizational culture, and the information systems used by the company, will take what it needs from the policies presented, and omit the rest.
There are also choices to be made about how stringent policies will be in each category. A smaller company located in a single facility where most employees know one another does not need to be much concerned about an attacker calling on the phone and pretending to be an employee (although of course an imposter may masquerade as a vendor). Also, despite the increased risks, a company framed around a casual, relaxed corporate culture may wish to adopt only a limited subset of recommended policies to meet its security objectives.
DATA CLASSIFICATION
A data classification policy is fundamental to protecting an organization's information assets, and sets up categories for governing the release of sensitive information. This policy provides a framework for protecting corporate information by making all employees aware of the level of sensitivity of each piece of information.
Operating without a data classification policy--the status quo in almost all companies today--leaves most of these decisions in the hands of individual workers. Naturally, employee decisions are largely based on subjective factors, rather than on the sensitivity, criticality, and value of information. Information is also released because employees are ignorant of the possibility that in responding to a request for the information, they may be putting it into the hands of an attacker.
The data classification policy sets forth guidelines for classifying valuable information into one of several levels. With each item assigned a classification, employees can follow a set of data-handling procedures that protect the company from inadvertent or careless release of sensitive information. These procedures mitigate the possibility that employees will be duped into revealing sensitive information to unauthorized persons.
Every employee must be trained on the corporate data classification policy, including those who do not typically use computers or corporate communications systems. Because every member of the corporate workforce--including the cleaning crew, building guards, and copy-room staff, as well as consultants, contractors, and even interns--may have access to sensitive information, anyone could be the target of an attack.
Management must assign an Information Owner to be responsible for any information that is currently in use at the company. Among other things, the Information Owner is responsible for the protection of the information assets. Ordinarily, the Owner decides what level of classification to assign based on the need to protect the information, periodically reassesses the classification level assigned, and decides if any changes are needed. The Information Owner may also delegate the responsibility of protecting the data to a Custodian or Designee.
Classification Categories and Definitions
Information should be separated into varying levels of classification based on its sensitivity. Once a particular classification system is set up, it's an expensive and time-consuming process to reclassify information into new categories. In our example policy I chose four classification levels, which is appropriate for most medium-to-large businesses. Depending on the number and types of sensitive information, businesses may choose to add more categories to further control specific types of information. In smaller businesses, a three-level classification scheme may be sufficient. Remember--the more complex the classification scheme, the more expense to the organization in training employees and enforcing the system.
Confidential. This category of information is the most sensitive. Confidential information is intended for use only within the organization. In most cases, it should only be shared with a very limited number of people with an absolute need to know. The nature of Confidential information is such that any unauthorized disclosure could seriously impact the company, its shareholders, its business partners, and/or its customers. Items of Confidential information generally fall into one of these categories:
Information concerning trade secrets, proprietary source code, technical or functional specifications, or product information that could be of advantage to a competitor.
Marketing and financial information not available to the public.
Any other information that is vital to the operation of the company such as future business strategies.
Private. This category covers information of a personal nature that is intended for use only within the organization. Any unauthorized disclosure of Private information could seriously impact employees, or the company if obtained by any unauthorized persons (especially social engineers). Items of Private information would include employee medical history, health benefits, bank account information, salary history, or any other personal identifying information that is not of public record.
NOTE
The Internal category of information is often termed Sensitive by security personnel. I have to use Internal because the term itself explains the intended audience. I have used the term Sensitive not as a security classification but as a convenient method of referring to Confidential, Private, and Internal information; put another way, Sensitive refers to any company information that is not specifically designated as Public.
Internal. This category of information can be freely provided to any persons employed by the organization. Ordinarily, unauthorized disclosure of Internal information is not expected to cause serious harm to the company, its shareholders, its business partners, its customers, or its employees. However, persons adept in social engineering skills can use this information to masquerade as an authorized employee, contractor, or vendor to deceive unsuspecting personnel into providing more sensitive information that would result in unauthorized access to corporate computer systems.
A confidentiality agreement must be signed before Internal information may be disclosed to third parties, such as employees of vendor firms, contractor labor, partner firms, and so on. Internal information generally includes anything used in the course of daily business activity that should not be released to outsiders, such as corporate organizational charts, network dial-up numbers, internal system names, remote access procedures, cost center codes, and so on.
Public. Information that is specifically designated for release to the public. This type of information can be freely distributed to anyone, such as press releases, customer-support contact information, or product brochures. Note that any information not specifically designated as Public should be treated as Sensitive information.
Classified Data Terminology
Based on its classification, data should be distributed to certain categories of people. A number of policies in this chapter refer to information being given to an Unverified Person. For the purposes of these policies, an Unverified Person is someone whom the employee does not personally know to be an active employee or to be an employee with the proper rank to have access to information, or who has not been vouched for by a trusted third party.
For the purposes of these policies, a Trusted Person is a person you have met face-to-face who is known to you as a company employee, customer, or consultant to the company with the proper rank to have access to information. A Trusted Person might also be an employee of a company having an established relationship with your company (for example, a customer, vendor, or strategic business partner that has signed a nondisclosure agreement).
In third party vouching, a Trusted Person provides verification of a person's employment or status, and the person's authority to request information or an action. Note that in some instances, these policies require you to verify that the Trusted Person is still employed by the company before responding to a request for information or action by someone for whom they have vouched.
A privileged account is a computer or other account requiring access permission beyond the basic user account, such as a systems administrator account. Employees with privileged accounts typically have the ability to modify user privileges or perform system functions.
A general departmental mailbox is a voice mailbox answered with a generic message for the department. Such a mailbox is used in order to protect names and phone extensions of employees who work in a particular department.
VERIFICATION AND AUTHORIZATION PROCEDURES
Information thieves commonly use deceptive tactics to access or obtain confidential business information by masquerading as legitimate employees, contractors, vendors, or business partners. To maintain effective information security, an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.
The recommended procedures given in this chapter are designed to help an employee who receives a request via any communication method such as telephone, email, or fax to determine whether the request and the person making it are legitimate.
Requests from a Trusted Person
A request for information or action from a Trusted Person may require:
Verification that the company actively employs or has a relationship with the person where such a relationship is a condition of access to this category of information. This is to prevent terminated employees, vendors, contractors, and others who no longer are associated with the company from masquerading as active personnel.
Verification that the person has a need to know, and is authorized to have access to the information or to request the action.
Requests from an Unverified Person
When a request is made by an Unverified Person, a reasonable verification process must be deployed to positively identify the person making the request as authorized to receive the requested information, especially when the request in any way involves computers or computer-related equipment. This process is the fundamental control to prevent successful social engineering attacks: if these verification procedures are followed, they will dramatically reduce successful social engineering attacks.
It is important that you not make the process so cumbersome that it is cost-prohibitive, or that employees ignore it.
As detailed below, the verification process involves three steps:
Verifying that the person is who he or she claims to be.
Determining that the requester is currently employed or shares a need-to-know relationship with the company.
Determining that the person is authorized to receive the specific information or to call for the requested action.
Step One: Verification of Identity
The recommended steps for verification are listed below in order of effectiveness--the higher the number, the more effective the method. Also included with each item is a statement about the weakness of that particular method, and the way in which a social engineer can defeat or circumvent the method to deceive an employee.
1. Caller ID (assuming this feature is included in the company telephone system). From the caller ID display, ascertain whether the call is from inside or outside the company, and that the name or telephone number displayed matches the identity provided by the caller.
Weakness: External caller ID information can be falsified by anyone with access to a PBX or telephone switch connected to digital phone service.
2. Callback. Look up the requester in the company directory, and call back to the listed extension to verify that the requester is an employee.
Weakness: An attacker with sufficient knowledge can call-forward a company extension so that, when the employee places the verification call to the listed phone number, the call is transferred to the attacker's outside phone number.
3. Vouching. A Trusted Person who vouches for the requester's identity verifies the requester.
Weakness: Attackers using a pretext are frequently able to convince another employee of their identity, and get that employee to vouch for them.
4. Shared Secret. Use an enterprise-wide shared secret, such as a password or daily code.
Weakness: If many people know the shared secret, it may be easy for an attacker to learn it.
5. Employee's Supervisor/Manager. Telephone the employee's immediate supervisor and request verification.
Weakness: If the requester has provided the telephone number for reaching his or her manager, the person the employee reaches when calling the number may not be the real manager but may, in fact, be an accomplice of the attacker.