Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)
.pdfExplanation/Notes: In general terms, revealing any password to another is strictly prohibited. This policy recognizes that operations personnel may need to disclose a password to a third party when exigent situations arise. This exception to the general policy prohibiting disclosure
of any password requires specific approval of an information technology manager. For extra precaution, this responsibility of disclosing authentication information should be limited to a small group of individuals who have received special training on verification procedures.
8-5 Electronic media
Policy: All electronic media that contains information not designated for public release shall be locked in a physically secure location.
Explanation/Notes: The intention of this policy is to prevent physical theft of Sensitive information stored on electronic media.
8-6 Backup media
Policy: Operations personnel should store backup media in a company safe or other secure location.
Explanation/Notes: Backup media is another prime target of computer intruders. An attacker is not going to spend time attempting to compromise a computer system or network when the weakest link in the chain might be physically unprotected backup media. Once backup media is stolen, the attacker can compromise the confidentiality of any data stored on it, unless the data is encrypted. Therefore, physically securing backup media is an essential process to protect the confidentiality of corporate information.
POLICIES FOR ALL EMPLOYEES
Whether in IT or human resources, the accounting department, or the maintenance staff, there are certain security policies that every employee of your company must know. These policies fall into the categories of General, Computer Use, Email Use, policies for Telecommuters, Phone Use, Fax Use, Voice Mail Use, and Passwords.
General
9-1 Reporting suspicious calls
Policy: Employees who suspect that they may be the subject of a security violation, including any suspicious requests to disclose information or to perform action items on a computer, must immediately report the event to the company's incident reporting group.
Explanation/Notes.: When a social engineer fails to convince his or her target to comply with a demand, the attacker will always try someone else. By reporting a suspicious call or event, an employee takes the first step in alerting the company that an attack may be under way. Thus, individual employees are the first line of defense against social engineering attacks.
9-2 Documenting suspicious calls
Policy: In the event of a suspicious phone call that appears to be a social engineering attack, the employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes of these details for reporting purposes.
Explanation/Notes: When reported to the incident reporting group, such details can help them spot the object or pattern of an attack.
9-3 Disclosure of dial-up numbers
Policy: Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk or to technical support personnel.
Explanation/Notes: Dial-up telephone numbers must be treated as Internal information, to be provided only to employees who have a need to know such information to carry out their job responsibilities.
Social engineers routinely target employees or departments that are likely to be less protective of the requested information. For example, the attacker may call the accounts payable department masquerading as a telephone company employee who is trying to resolve a billing problem. The attacker then asks for any known fax or dial-in numbers in order to resolve the problem. The intruder often targets an employee who is unlikely to realize the danger of releasing such information, or who lacks training with respect to company disclosure policy and procedures.
9-4 Corporate ID badges
Policy: Except when in their immediate office area, all company personnel, including management and executive staff, must wear their employee badges at all times.
Explanation/Notes: All workers, including corporate executives, should be trained and motivated to understand that wearing an ID badge is
mandatory everywhere on company premises other than public areas and the person's own office or workgroup area.
9-5 Challenging ID badge violations
Policy: All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor's badge.
Explanation/Notes: While no company wants to create a culture where eagle-eyed employees look for a way to ensnare co-workers for venturing into the hallway without their badges, nonetheless any company concerned with protecting its information needs to take seriously the threat of a social engineer wandering its facilities unchallenged. Motivation for employees who prove diligent in helping enforce the badges-always policy may be acknowledged in familiar ways, such as recognition in the company newspaper or on bulletin boards; a few hours off with pay; or a letter of commendation in their personnel records.
9-6 Piggybacking (passing through secure entrances)
Policy: Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means, such as a card key, to gain entrance (piggybacking).
Explanation/Notes." Employees must understand that it is not rude to require unknown persons to authenticate themselves before helping them enter a facility or access a secure area.
Social engineers frequently use a technique known as piggybacking, in which they lie in wait for another person who is entering a facility or Sensitive area, and then simply enter with them. Most people feel uncomfortable challenging others, assuming that they are probably legitimate employees. Another piggybacking technique is to carry several boxes so that an unsuspecting worker opens or holds the door to help.
9-7 Shredding Sensitive documents
Policy: Sensitive documents to be discarded must be cross-shredded; media including hard drives that have ever contained Sensitive information or materials must be destroyed in accordance with the procedures set forth by the group responsible for information security.
Explanation/Notes: Standard shredders do not adequately destroy documents; cross-shredders turn documents into pulp. The best security practice is to presume that the organization's chief competitors will be rifling through discarded materials looking for any intelligence that could be beneficial to them.
Industrial spies and computer attackers regularly obtain Sensitive information from materials tossed in the trash. In some cases, business competitors have been known to attempt bribery of cleaning crews to turn over company trash. In one recent example, an employee at Goldman Sachs discovered items that were used in an insider-trading scheme from the trash.
9-8 Personal identifiers
Policy: Personal identifiers such as employee number, social security number, driver's license number, date and place of birth, and mother's maiden name should never be used as a means of verifying identity. These identifiers are not secret and can be obtained by numerous means.
Explanation/Notes: A social engineer can obtain other people's personal identifiers for a price. And in fact, contrary to popular belief, anyone with a credit card and access to the Internet can obtain these pieces of personal identification. Yet despite the obvious danger, banks, utility companies, and credit card companies commonly use these identifiers. This is one reason that identity theft is the fastest growing crime of the decade.
9-9 Organization charts
Policy." Details shown on the company's organization chart must not be disclosed to anyone other than company employees.
Explanation/Notes: Corporate structure information includes organization charts, hierarchy charts, departmental employee lists, reporting structure, employee names, employee positions, internal contact numbers, employee numbers, or similar information.
In the first phase of a social engineering attack, the goal is to gather information about the internal structure of the company. This information is then used to strategize an attack plan. The attacker can also analyze this information to determine which employees are likely to have access to the data that he seeks. During the attack, the information makes the attacker appear as a knowledgeable employee; making it more likely he'll dupe his victim into compliance.
9-10 Private information about employees
Policy.: Any requests for private employee information must be referred to human resources.
Explanation/Notes: An exception to this policy may be the telephone number for an employee who needs to be contacted regarding a workrelated issue or who is acting in an on-call role. However, it is always preferable to get the requester's phone number, and have the employee call him or her back.
Computer Use
10-1 Entering commands into a computer
Policy: Company personnel should never enter commands into a computer or computer-related equipment at the request of another person unless the requester has been verified as an employee of the information technology department.
Explanation/Notes: One common ploy of social engineers is to request that an employee enter a command that makes a change to the system's configuration, allows the attacker to access the victim's computer without providing authentication, or allows the attacker to retrieve information that can be used to facilitate a technical attack.
10-2 Internal naming conventions
Policy: Employees must not disclose the internal names of computer systems or databases without prior verification that the requester is employed by the company.
Explanation/Notes: Social engineers will sometimes attempt to obtain the names of company computer systems; once the names are known, the attacker places a call to the company and masquerades as a legitimate employee having trouble accessing or using one of the systems. By knowing the internal name assigned to the particular system, the social engineer gains credibility.
10-3 Requests to run programs
Policy: Company personnel should never run any computer applications or programs at the request of another person unless the requester has been verified as an employee of the information technology department.
Explanation/Notes: Any request to run programs, applications, or perform any activity on a computer must be refused unless the requester is positively identified as an employee in the information technology department. If the request involves revealing Confidential information from any
file or electronic message, responding to the request must be in accordance with the procedures for releasing Confidential information. See Information Disclosure Policy.
Computer attackers deceive people into executing programs that enable the intruder to gain control of the system. When an unsuspecting user runs a program planted by an attacker, the result may give the intruder access to the victim's computer system. Other programs record the activities of the computer user and return that information to the attacker. While a social engineer can trick a person into executing computer instructions that may do damage, a technically based attack tricks the computer's operating system into executing computer instructions that may cause the same sort of damage.
10-4 Downloading or installing software
Policy: Company personnel must never download or install software at the request of another person, unless the requester has been verified as an employee with the information technology department.
Explanation/Notes: Employees should be on the alert for any unusual request that involves any sort of transaction with computer-related equipment.
A common tactic used by social engineers is to deceive unsuspecting victims into downloading and installing a program that helps the attacker accomplish his or her goal of compromising computer or network security. In some instances, the program may covertly spy on the user or allow the attacker to take control of the computer system through use of a covert remote control application.
10-5 Plain text passwords and email
Policy: Passwords shall not be sent through email unless encrypted. Explanation/Notes: While it's discouraged, this policy may be waived by e-commerce sites in certain limited circumstances, such as:
Sending passwords to customers who have registered on the site.
Sending passwords to customers who have lost or forgotten their passwords.
10-6 Security-related software
Policy: Company personnel must never remove or disable antivirus/ Trojan Horse, firewall, or other security-related software without prior approval from the information technology department.
Explanation/Notes: Computer users sometimes disable security-related software without provocation, thinking it will increase the speed of their computer.
A social engineer may attempt to deceive an employee into disabling or removing software that is needed to protect the company against securityrelated threats.
10-7 Installation of modems
Policy.. No modems may be connected to any computer until prior approval has been obtained from the IT department.
Explanation/Notes.: It is important to recognize that modems on desktops or workstations in the workplace pose a substantial security threat, especially if connected to the corporate network. Accordingly, this policy controls modem connection procedures.
Hackers use a technique called war dialing to identify any active modem lines within a range of telephone numbers. The same technique may be used to locate telephone numbers connected to modems within the enterprise. An attacker can easily compromise the corporate network if he or she identifies a computer system connected to a modem running vulnerable remote access software, which is configured with an easily guessed password or no password at all.
10-8 Modems and auto-answer settings
Policy: M1 desktops or workstations with IT-approved modems shall have the modem auto-answer feature disabled to prevent anyone from dialing into the computer system.
Explanation/Notes.- Whenever feasible, the information technology department should deploy a dial-out modem pool for those employees who need to dial out to external computer systems via modem.
10-9 Cracking tools