Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)

6. Secure Email. Request a digitally signed message.

Weakness: If an attacker has already compromised an employee's computer and installed a keystroke logger to obtain the employee's pass phrase, he can send digitally signed email that appears to be from the employee.

7. Personal Voice Recognition. The person receiving the request has dealt with the requester (preferably face-to-face), knows for certain that the person actually is a Trusted Person, and is familiar enough with the person to recognize his or her voice on the telephone.

Weakness: This is a fairly secure method, not easily circumvented by an attacker, but is of no use if the person receiving the request has never met or spoken with the requester.

8. Dynamic Password Solution. The requester authenticates himself or herself through the use of a dynamic password solution such as a SecurID token.

Weakness: To defeat this method, an attacker would have to obtain one of the dynamic password devices, as well as the accompanying PIN of the employee to whom the device rightfully belongs, or would have to deceive an employee into reading the information on the display of the device and providing the PIN.

9. In Person with ID. The requester appears in person and presents an employee badge or other suitable identification, preferably a picture ID.

Weakness: Attackers are often able to steal an employee badge, or create a phony badge that appears authentic; however, attackers generally shun this approach because appearing in person puts the attacker at significant risk of being identified and apprehended.

Step Two: Verification of Employment Status

The greatest information security threat is not from the professional social engineer, nor from the skilled computer intruder, but from someone much closer: the just-fired employee seeking revenge or hoping to set himself up in business using information stolen from the company. (Note that a version of this procedure can also be used to verify that someone still enjoys another kind of business relationship with your company, such as a vendor, consultant, or contract worker.)

Before providing Sensitive information to another person or accepting instructions for actions involving the computer or computer-related equipment, verify that the requester is still a current employee by using one of these methods:

Employee Directory Check. If the company maintains an online employee directory that accurately reflects active employees, verify that the requester is still listed.

Requester's Manager Verification. Call the requester's manager using a phone number listed in the company directory, not a number provided by the requester.

Requester's Department or Workgroup Verification. Call the requester's department or workgroup and determine from anyone in that department or workgroup that the requester is still employed by the company.

Step Three: Verification of Need to Know

Beyond verifying that the requester is a current employee or has a relationship with your company, there still remains the issue of whether the requester is authorized to have access to the information being requested, or is authorized to request that specific actions affecting computers or computer-related equipment be taken.

This determination may be made by using one of these methods:

Consult job title/workgroup/responsibilities lists. A company can provide ready access to authorization information by publishing lists of which employees are entitled to what information. These lists may be organized in terms of employee job title, employee departments and workgroups, employee responsibilities, or by some combination of these. Such lists would need to be maintained online to be kept current and to provide quick access to authorization information. Ordinarily, Information Owners would be responsible for overseeing the creation and maintenance of the lists for access to information under the Owner's control.

NOTE

It is important to note that maintaining such lists is an invitation to the social engineer. Consider: if an attacker targeting a company becomes aware that the company maintains such lists, there is a strong motivation to obtain one. Once in hand, such a list opens many doors to the attacker and puts the company at serious risk.

Obtain Authority from a Manager. An employee contacts his or her own manager, or the manager of the requester, for authority to comply with the request.

Obtain Authority from the Information Owner or a Designee. The Information Owner is the ultimate judge of whether a particular person should be granted access. The process for computer-based access control is for the employee to contact his or her immediate manager to approve a request for access to information based on existing job profiles. If such a profile does not exist, it is the manager's responsibility to contact the relevant data Owner for permission. This chain of command should be followed so that Information Owners are not barraged with requests when there is a frequent need to know.

Obtain Authority by Means of a Proprietary Software Package. For a large company in a highly competitive industry, it may be practical to develop a proprietary software package that provides need-to-know authorization. Such a database stores employee names and access privileges to classified information. Users would not be able to look up each individual's access rights, but instead would enter the requester's name, and the identifier associated with the information being sought. The software then provides a response indicating whether or not the employee is authorized to access such information. This alternative avoids the danger of creating a list of personnel with respective access rights to valuable, critical, or sensitive information that could be stolen.
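The following is an added illustration, not code from the book or from any product it mentions, of the yes/no authorization service just described, combined with the employment-status check from Step Two. The directory, job profiles and information identifiers (E1001, INFO-PAYROLL, and so on) are constructed sample data. A caller submits a requester and an information identifier and receives only a single decision; the entitlement lists themselves are never returned, every query is written to an audit log, and a per-caller query limit makes an attempt to enumerate entitlements one query at a time visible to the security team.

```python
"""Need-to-know authorization oracle: added example, constructed data."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed active-employee directory (Step Two). Former employees are
# simply absent, so a departed employee fails the employment-status check.
ACTIVE_EMPLOYEES = {
    "E1001": {"name": "A. Example", "title": "payroll clerk", "dept": "finance"},
    "E1002": {"name": "B. Example", "title": "help desk analyst", "dept": "it"},
}

# Constructed job profiles maintained by the Information Owner: which
# information identifiers each job title may access. Never exposed to callers.
JOB_PROFILES = {
    "payroll clerk": {"INFO-PAYROLL", "INFO-STAFF-DIRECTORY"},
    "help desk analyst": {"INFO-STAFF-DIRECTORY"},
}


@dataclass
class Authorizer:
    """Answers 'may requester X access information Y?' with True/False only."""
    directory: dict
    profiles: dict
    max_queries_per_caller: int = 5          # assumed limit; tune per site
    audit_log: list = field(default_factory=list)
    _query_counts: dict = field(default_factory=lambda: defaultdict(int))

    def is_current_employee(self, employee_id: str) -> bool:
        """Step Two: the requester must still appear in the active directory."""
        return employee_id in self.directory

    def is_authorized(self, caller_id: str, requester_id: str, info_id: str) -> bool:
        """Step Three: a single yes/no decision, audited and rate-limited."""
        self._query_counts[caller_id] += 1
        if self._query_counts[caller_id] > self.max_queries_per_caller:
            # Too many lookups from one caller: refuse and record it, since
            # a burst of queries is how someone would rebuild the list.
            self._audit(caller_id, requester_id, info_id, "rate-limited")
            return False
        if not self.is_current_employee(requester_id):
            self._audit(caller_id, requester_id, info_id, "not-current-employee")
            return False
        title = self.directory[requester_id]["title"]
        allowed = info_id in self.profiles.get(title, set())
        self._audit(caller_id, requester_id, info_id, "granted" if allowed else "denied")
        return allowed

    def flagged_callers(self) -> list:
        """Callers that exceeded the query limit; a review item for security staff."""
        return sorted(c for c, n in self._query_counts.items()
                      if n > self.max_queries_per_caller)

    def _audit(self, caller_id, requester_id, info_id, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "caller": caller_id, "requester": requester_id,
            "info": info_id, "outcome": outcome,
        })


if __name__ == "__main__":
    auth = Authorizer(ACTIVE_EMPLOYEES, JOB_PROFILES)
    print(auth.is_authorized("E1002", "E1001", "INFO-PAYROLL"))   # True
    print(auth.is_authorized("E1002", "E1002", "INFO-PAYROLL"))   # False: not in profile
    print(auth.is_authorized("E1002", "E9999", "INFO-PAYROLL"))   # False: not an employee
    for entry in auth.audit_log:
        print(entry)
```

The point of the design is the one the text makes: the service holds the entitlement data, but a caller can only confirm a specific (person, information) pair, so there is no list to steal, and the audit log and per-caller limit turn an enumeration attempt into a detectable event rather than a silent leak.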

MANAGEMENT POLICIES

The following policies pertain to management-level employees. These are divided into the areas of Data Classification, Information Disclosure, Phone Administration, and Miscellaneous Policies. Note that each category of policies uses a unique numbering structure for easy identification of individual policies.

Data Classification Policies

Data Classification refers to how your company classifies the sensitivity of information and who should have access to that information.

1-1 Assign data classification

Policy: All valuable, sensitive, or critical business information must be assigned to a classification category by the designated Information Owner or delegate.

Explanation/Notes: The designated Owner or delegate will assign the appropriate data classification to any information routinely used to accomplish business goals. The Owner also controls who can access such information and what use can be made of it. The Owner of the information may reassign the classification and may designate a time period for automatic declassification.

Any item not otherwise marked should be classified as Sensitive.

1-2 Publish classified handling procedures

Policy: The company must establish procedures governing the release of information in each category.

Explanation/Notes: Once classifications are established, procedures for release of information to employees and to outsiders must be set up, as detailed in the Verification and Authorization Procedures outlined earlier in this chapter.

1-3 Label all items

Policy: Clearly mark both printed materials and media storage containing Confidential, Private, or Internal information to show the appropriate data classification.

Explanation/Notes: Hard copy documents must have a cover sheet, with a classification label prominently displayed, and a classification label on every page that is visible when the document is open.

All electronic files that cannot easily be labeled with appropriate data classifications (database or raw data files) must be protected via access controls to ensure that such information is not improperly disclosed, and that it cannot be changed, destroyed, or made inaccessible.

All computer media such as floppy disks, tapes, and CD-ROMs must be labeled with the highest classification of any information contained therein.

Information Disclosure

Information disclosure involves the release of information to various parties based on their identity and need to know.

2-1 Employee verification procedure

Policy: The company should establish comprehensive procedures to be used by employees for verifying the identity, employment status, and authorization of an individual before releasing Confidential or Sensitive information or performing any task that involves use of any computer hardware or software.

Explanation/Notes: Where justified by size of company and security needs, advanced security technologies should be used to authenticate identity. The best security practice would be to deploy authentication tokens in combination with a shared secret to positively identify persons making requests. While this practice would substantially minimize risk, the cost may be prohibitive for some businesses. In those circumstances, the company should use a company-wide shared secret, such as a daily password or code.

2-2 Release of information to third parties

Policy: A set of recommended information disclosure procedures must be made available and all employees should be trained to follow them.

Explanation/Notes: Generally, distribution procedures need to be established for:

Information made available within the company.

Distribution of information to individuals and employees of organizations having an established relationship with the company, such as consultants, temporary workers, interns, employees of organizations that have a vendor relationship or strategic partnership arrangement with the company, and so on.

Information made available outside the company.

Information at each classification level, when the information is being delivered in person, by telephone, by email, by facsimile, by voice mail, by postal service, by signature delivery service, and by electronic transfer.

2-3 Distribution of Confidential information

Policy: Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Confidential information in a physical form (that is, printed copy or on a removable storage medium) may be delivered:

In person.

By internal mail, sealed and marked with the Confidential classification.

Outside the company by a reputable delivery service (for example, FedEx, UPS, and so on) with signature of recipient required, or by a postal service using a certified or registered class of mail.

Confidential information in electronic form (computer files, database files, email) may be delivered:

Within the body of encrypted email.

By email attachment, as an encrypted file.

By electronic transfer to a server within the company internal network.

By a fax program from a computer, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Confidential information may be discussed in person; by telephone within the company; by telephone outside the company if encrypted; by encrypted satellite transmission; by encrypted videoconferencing link; and by encrypted Voice Over Internet Protocol (VoIP).

For transmission by fax machine, the recommended method calls for the sender to transmit a cover page; the recipient, on receiving the page, transmits a page in response, demonstrating that he/she is at the fax machine. The sender then transmits the fax.

The following means of communication are not acceptable for discussing or distributing Confidential information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, Short Message Service, or cordless).

2-4 Distribution of Private information

Policy: Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Private information in a physical form (that is, hardcopy or data on a removable storage medium) may be delivered:

In person.

By internal mail, sealed and marked with the Private classification.

By regular mail.

Private information in electronic form (computer files, database files, email) may be delivered:

By internal email.

By electronic transfer to a server within the company internal network.

By facsimile, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. Facsimiles can also be sent to password-protected fax servers. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Private information may be discussed in person; by telephone; by satellite transmission; by videoconferencing link; and by encrypted VoIP.

The following means of communication are not acceptable for discussing or distributing Private information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, SMS, or cordless).