
Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)
in those prefixes, to locate those that answer with a modem. To speed up the process, these programs are configured to wait for one or two rings for a modem response before going on to try the next number. When a company sets the auto answer on modem lines to at least four rings, scanning programs will fail to recognize the line as a modem line.
7-17 Antivirus software
Policy: Every computer system shall have current versions of antivirus software installed and activated.
Explanation/Notes: For those businesses that do not automatically push down antivirus software and pattern files (programs that recognize patterns common to virus software to recognize new viruses) to user desktops or workstations, individual users must take the responsibility for installing and maintaining the software on their own systems, including any computer systems used for accessing the corporate network remotely.
If feasible, this software must be set for automatic update of virus and Trojan signatures nightly. When pattern or signature files are not pushed down to user desktops, computer users shall have the responsibility to update pattern files at least on a weekly basis.
These provisions apply to all desktop machines and laptops used to access company computer systems, and apply whether the computer is company property or personally owned.
7-18 Incoming email attachments (high security requirements)
Policy: In an organization with high security requirements, the corporate firewall shall be configured to filter out all email attachments.
Explanation/Notes: This policy applies only to businesses with high security requirements, or to those that have no business need to receive attachments through electronic mail.
7-19 Authentication of software
Policy: All new software or software fixes or upgrades, whether on physical media or obtained over the Internet, must be verified as authentic prior to installation. This policy is especially relevant to the information technology department when installing any software that requires system privileges.
Explanation/Notes: Computer software referred to in this policy includes operating system components, application software, hot fixes, patches, or any software updates. Many software manufacturers have implemented methods whereby customers can check the integrity of any distribution, usually by a digital signature. In any case where the integrity cannot be verified, the manufacturer must be consulted to verify that the software is authentic.
Computer attackers have been known to send software to a victim, packaged to appear as if the software manufacturer had produced it and shipped it to the company. It is essential that you verify any software you receive as authentic, especially if unsolicited, before installing it on company systems.
Note that a sophisticated attacker might find out that your organization has ordered software from a manufacturer. With that information in hand, the attacker can cancel the order with the real manufacturer, and order the software himself. The software is then modified to perform some malicious function, and is shipped or delivered to your company, in the original packaging, with shrink-wrapping if necessary. Once the product is installed, the attacker is in control.
7-20 Default passwords
Policy: All operating system software and hardware devices that initially have a password set to a default value must have their passwords reset in accordance with the company password policy.
Explanation/Notes: Several operating systems and computer-related devices are shipped with default passwords--that is, with the same password enabled on every unit sold. Failure to change default passwords is a grave mistake that places the company at risk.
Default passwords are widely known and are available on Internet Web sites. In an attack, the first password an intruder tries is the manufacturer's default password.
7-21 Invalid access attempts lockout (low to medium security)
Policy: Especially in an organization with low to medium security requirements, whenever a specified number of successive invalid login attempts to a particular account have been made, the account should be locked out for a period of time.
Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is necessary to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.
The system administrator must configure the security settings to lock out an account whenever the desired threshold of successive invalid attempts has been reached. It is recommended that an account be locked out for at least thirty minutes after seven successive login attempts.
7-22 Invalid access attempts account disabled (high security)
Policy: In an organization with high security requirements, whenever a specified number of successive invalid login attempts to a particular account has been made, the account should be disabled until reset by the group responsible for providing account support.
Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is a necessary control to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.
The system administrator must configure the security settings to disable the account after five invalid login attempts. Following such an attack, the account holder will need to call technical support or the group responsible for account support to enable the account. Prior to resetting the account, the department responsible must positively identify the account holder, following the Verification and Authorization Procedures.
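Added example, not from the book: a minimal lockout tracker in Python that implements the thresholds stated in 7-21 (seven successive failures, locked for thirty minutes) and 7-22 (five successive failures, disabled until the support group resets it). The class and method names are my own; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from dataclasses import dataclass
from typing import Optional
# Thresholds as stated in policies 7-21 and 7-22.
LOW_MED_THRESHOLD = 7              # failures before a timed lockout (7-21)
LOW_MED_LOCKOUT_SECONDS = 30 * 60  # locked for at least thirty minutes (7-21)
HIGH_THRESHOLD = 5                 # failures before the account is disabled (7-22)

@dataclass
class Account:
    name: str
    failures: int = 0                      # successive invalid attempts
    locked_until: Optional[float] = None   # timed lockout expiry (7-21)
    disabled: bool = False                 # needs a support-group reset (7-22)

class LockoutPolicy:
    """Tracks successive invalid logins. high_security=True applies 7-22
    (disable until reset); False applies 7-21 (thirty-minute lockout)."""
    def __init__(self, high_security: bool, clock=time.time):
        self.high_security = high_security
        self.clock = clock          # injectable for testing
        self.accounts = {}

    def attempt(self, name: str, password_ok: bool) -> str:
        acct = self.accounts.setdefault(name, Account(name))
        now = self.clock()
        if acct.disabled:
            return "disabled"       # only reset_by_support() can clear this
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"     # rejected even if the password is right
            acct.locked_until, acct.failures = None, 0
        if password_ok:
            acct.failures = 0       # a good login ends the run of failures
            return "success"
        acct.failures += 1
        if self.high_security and acct.failures >= HIGH_THRESHOLD:
            acct.disabled = True
            return "disabled"
        if not self.high_security and acct.failures >= LOW_MED_THRESHOLD:
            acct.locked_until = now + LOW_MED_LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def reset_by_support(self, name: str) -> None:
        """Call only after the support group has positively identified the
        holder per the Verification and Authorization Procedures (7-22)."""
        acct = self.accounts.setdefault(name, Account(name))
        acct.disabled, acct.failures, acct.locked_until = False, 0, None
```

Note that a correct password is still rejected while an account is locked or disabled, so the response does not tell a guesser whether the password was right.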
7-23 Periodic change of privileged account passwords
Policy: All privileged account holders shall be required to change their passwords at least every thirty days.
Explanation/Notes: Depending on operating system limitations, the systems administrator must enforce this policy by configuration of security parameters in system software.
7-24 Periodic change of user passwords
Policy: All account holders must change their passwords at least every sixty days.
Explanation/Notes: With operating systems that provide this feature, the systems administrator must enforce this policy by configuration of security parameters in the software.
7-25 New account password set up
Policy: New computer accounts must be established with an initial password that is pre-expired, requiring the account holder to select a new password upon initial use.
Explanation/Notes: This requirement ensures that only the account holder will have knowledge of his or her password.
7-26 Boot-up passwords
Policy: All computer systems must be configured to require a bootup password.
Explanation/Notes: Computers must be configured so that when the computer is turned on, a password is required before the operating system will boot. This prevents any unauthorized person from turning on and using another person's computer. This policy applies to all computers on company premises.
7-27 Password requirements for privileged accounts
Policy: All privileged accounts must have a strong password. The password must:
Not be a word found in a dictionary in any language
Be mixed upper and lower case with at least one letter, one symbol, and one numeral
Be at least 12 characters in length
Not be related to the company or individual in any way.
Explanation/Notes: In most cases computer intruders will target specific accounts that have system privileges. Occasionally the attacker will exploit other vulnerabilities to gain full control over the system.
The first passwords an intruder will try are the simple, commonly used words found in a dictionary. Selecting strong passwords enhances the security by reducing the chance an attacker will find the password by trial and error, dictionary attack, or brute force attack.
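Added example, not from the book: a Python check that applies the four 7-27 requirements above to a candidate password. The word list and the company/user terms are constructed sample data, and the substitution table (so that "P@ssw0rd" is still caught as "password") is my own addition to the rules as stated.

```python
import re
import string

MIN_LENGTH = 12  # 7-27: at least 12 characters

# Constructed sample word list; a real check would load full dictionaries
# for every language the policy covers.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "secret", "summer", "letmein"}

def _normalise(text: str) -> str:
    """Lower-case and undo common letter substitutions so that
    'P@ssw0rd' is still recognised as the dictionary word 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})
    return text.lower().translate(table)

def check_privileged_password(password, company_terms, user_terms,
                              dictionary=SAMPLE_DICTIONARY):
    """Return the 7-27 requirements the password violates (empty list = acceptable).
    company_terms/user_terms are the names that count as 'related to the
    company or individual', e.g. the company name, username, department."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed upper and lower case")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    norm = _normalise(password)
    letters_only = re.sub(r"[^a-z]", "", norm)
    # Reject a password that is a dictionary word, or contains one of 5+ letters
    if letters_only in dictionary or any(w in norm for w in dictionary if len(w) >= 5):
        problems.append("based on a dictionary word")
    related = [t for t in list(company_terms) + list(user_terms) if _normalise(t) in norm]
    if related:
        problems.append("related to the company or individual: " + ", ".join(related))
    return problems
```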
7-28 Wireless access points
Policy: All users who access a wireless network must use VPN (Virtual Private Network) technology to protect the corporate network.
Explanation/Notes: Wireless networks are being attacked by a new technique called war driving. This technique involves simply driving or walking around with a laptop equipped with an 802.11B NIC card until a wireless network is detected.
Many companies have deployed wireless networks without even enabling WEP (wireless equivalency protocol), which is used to secure the wireless connection through use of encryption. But even when activated, the current version of WEP (mid-2002) is ineffective: It has been cracked wide open, and several Web sites are devoted to providing the means for locating open wireless systems and cracking WEP-enabled wireless access points.
Accordingly, it is essential to add a layer of protection around the 802.11B protocol by deploying VPN technology.
7-29 Updating antivirus pattern files
Policy: Every computer system must be programmed to automatically update antivirus/anti-Trojan pattern files.
Explanation/Notes: At a minimum, such updates shall occur at least weekly. In businesses where employees leave their computers turned on, it is highly recommended that pattern files be updated on a nightly basis.
Antivirus software is ineffective if it is not updated to detect all new forms of malicious code. Since the threat of virus, worm, and Trojan Horse infections is substantially increased if pattern files are not updated, it is essential that antivirus or malicious code products be kept up to date.
Computer Operations
8-1 Entering commands or running programs
Policy: Computer operations personnel must not enter commands or run programs at the request of any person not known to them. If a situation arises where an Unverified Person seems to have reason to make such a request, it should not be complied with without first getting manager approval.
Explanation/Notes: Computer operations employees are popular targets of social engineers, since their positions usually require privileged account access, and the attacker expects that they will be less experienced and less knowledgeable about company procedures than other IT workers. The intention of this policy is to add an appropriate check and balance to prevent social engineers from duping computer operations personnel.
8-2 Workers with privileged accounts
Policy: Employees with privileged accounts must not provide assistance or information to any Unverified Person. In particular this refers to not providing computer help (such as training on application use), accessing any company database, downloading software, or revealing names of personnel who have remote access capabilities.
Explanation/Notes: Social engineers often target employees with privileged accounts. The intent of this policy is to direct IT staff with privileged accounts to successfully handle calls that might represent social engineering attacks.
8-3 Internal systems information
Policy: Computer Operations staff must never disclose any information related to enterprise computer systems or related devices without positively verifying the identity of the requester.
Explanation/Notes: Computer intruders often contact computer operations employees to obtain valuable information such as system access procedures, external points for remote access, and dial-in telephone numbers that are of substantial value to the attacker.
In companies that have technical support staff or a help desk, requests to the computer operations staff for information about computer systems or related devices should be considered unusual. Any information request should be scrutinized under the corporate data classification policy to determine whether the requester is authorized to have such information. When the class of information cannot be determined, the information should be considered to be Internal.
In some cases, outside vendor technical support will need to communicate with persons who have access to enterprise computer systems. Vendors must have specific contacts in the IT department so that those individuals can recognize each other for verification purposes.
8-4 Disclosure of passwords
Policy: Computer operations staff must never reveal their password, or any other passwords entrusted to them, without prior approval of an information technology manager.