
Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)
Policy: Employees will not download or use any software tools designed to defeat software protection mechanisms.
Explanation/Notes: The Internet has dozens of sites devoted to software designed to crack shareware and commercial software products. The use of these tools not only violates a software owner's copyright, but also is extremely dangerous. Because these programs originate from unknown sources, they may contain hidden malicious code that may cause damage to the user's computer or plant a Trojan Horse that gives the author of the program access to the user's computer.
10-10 Posting company information online
Policy: Employees shall not disclose any details regarding company hardware or software in any public newsgroup, forum, or bulletin board, and shall not disclose contact information other than in accordance with policy.
Explanation/Notes: Any message posted to the Usenet, on-line forums, bulletin boards, or mailing lists can be searched to gather intelligence on a target company or a target individual. During the research phase of a social engineering attack, the attacker may search the Internet for any posts that contain useful information about the company, its products or its people.
Some posts contain very useful tidbits of information that the attacker can use to further an attack. For example, a network administrator may post a question about configuring firewall filters on a particular brand and model of firewall. An attacker who discovers this message will learn valuable information about the type and configuration of the company's firewall that enables him to circumvent it to gain access to the enterprise network.
This problem can be reduced or avoided by implementing a policy that allows employees to post to newsgroups from anonymous accounts that do not identify the company from which they originated. Naturally, the policy must require employees not to include any contact information that may identify the company.
10-11 Floppy disks and other electronic media
Policy: If media used to store computer information, such as floppy disks or CD-ROMs, have been left in a work area or on an employee's desk, and that media is from an unknown source, it must not be inserted into any computer system.
Explanation/Notes: One method used by attackers to install malicious code is to place programs onto a floppy or CD-ROM and label it with something very enticing (for example, "Personnel Payroll Data-- Confidential"). They then drop several copies in areas used by employees. If a single copy is inserted into a computer and the files on it opened, the attacker's malicious code is executed. This may create a backdoor, which is used to compromise the system, or may cause other damage to the network.
10-12 Discarding removable media
Policy: Before discarding any electronic media that ever contained Sensitive company information, even if that information has been deleted, the item shall be thoroughly degaussed or damaged beyond recovery.
Explanation/Notes: While shredding hard-copy documents is commonplace these days, company workers may overlook the threat of discarding electronic media that contained Sensitive data at any time. Computer attackers attempt to recover any data stored on discarded electronic media. Workers may presume that by just deleting files, they ensure that those files cannot be recovered. This presumption is absolutely incorrect and can cause confidential business information to fall into the wrong hands. Accordingly, all electronic media that contains or previously contained information not designated as Public must be wiped clean or destroyed using the procedures approved by the responsible group.
10-13 Password-protected screen savers
Policy: All computer users must set a screen saver password and the inactivity time-out limit to lock the computer after a certain period of inactivity.
Explanation/Notes: All employees are responsible for setting a screen saver password, and setting the inactivity timeout for no more than ten minutes. The intention of this policy is to prevent any unauthorized person from using another person's computer. Additionally, this policy protects company computer systems from being easily accessed by outsiders who have gained access to the building.
10-14 Disclosure or sharing of passwords statement
Policy: Prior to creation of a new computer account, the employee or contractor must sign a written statement acknowledging that he or she understands that passwords must never be disclosed or shared with anyone, and that he or she agrees to abide by this policy.
Explanation/Notes: The agreement should also include a notice that violation of such agreement may lead to disciplinary action up to and including termination.
Email Use
11-1 Email attachments
Policy: Email attachments must not be opened unless the attachment was expected in the course of business or was sent by a Trusted Person.
Explanation/Notes: All email attachments must be scrutinized closely. You may require that prior notice be given by a Trusted Person that an email attachment is being sent before the recipient opens any attachment. This will reduce the risk of attackers using social engineering tactics to deceive people into opening attachments.
One method of compromising a computer system is to trick an employee into running a malicious program that creates a vulnerability, providing the attacker with access to the system. By sending an email attachment that has executable code or macros, the attacker may be able to gain control of the user's computer.
A social engineer may send a malicious email attachment, then call and attempt to persuade the recipient to open the attachment.
11-2 Automatic forwarding to external addresses
Policy: Automatic forwarding of incoming email to an external email address is prohibited.
Explanation/Notes: The intention of this policy is to prevent an outsider from receiving email sent to an internal email address.
Employees occasionally set up email forwarding of their incoming mail to an email address outside the company when they will be away from the office. Or an attacker may be able to deceive an employee into setting up an internal email address that forwards to an address outside the company. The attacker can then pose as a legitimate insider by having an internal company email address and get people to email Sensitive information to the internal email address.
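As an added example (not from the book), here is a small audit that a mail administrator could run over exported mailbox forwarding rules to enforce policy 11-2: it flags every enabled rule whose destination lies outside the company's own domains, treating subdomains as internal and lookalike domains that merely start with the company name as external. The rule format, the sample rules and the company domain example.com are all constructed for this illustration.

```python
import re

# Assumed company domains; anything else is "external" for policy 11-2.
COMPANY_DOMAINS = {"example.com"}

# Constructed sample of forwarding rules in a hypothetical export format
# (not a real mail product's schema).
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "forward_to": "alice@mail.example.com", "enabled": True},
    {"mailbox": "bob@example.com", "forward_to": "bob.personal@webmail-provider.test", "enabled": True},
    {"mailbox": "carol@example.com", "forward_to": "carol@example.com.evil.test", "enabled": True},
    {"mailbox": "dave@example.com", "forward_to": "dave@outside.test", "enabled": False},
    {"mailbox": "erin@example.com", "forward_to": "Erin Smith <erin@EXAMPLE.COM>", "enabled": True},
]

# Matches the address at the end of either "user@host" or "Name <user@host>".
ADDR_RE = re.compile(r"<?([^\s<>@]+@[^\s<>]+)>?\s*$")


def extract_domain(addr):
    """Return the lower-cased domain part of a bare or display-name address."""
    m = ADDR_RE.search(addr.strip())
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    return m.group(1).rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(domain, company_domains=COMPANY_DOMAINS):
    """True only for a company domain or a subdomain of one.

    'example.com.evil.test' starts with the company name but is not a
    subdomain of example.com, so it is correctly treated as external."""
    return any(domain == d or domain.endswith("." + d) for d in company_domains)


def find_external_forwards(rules, company_domains=COMPANY_DOMAINS):
    """Return (mailbox, destination) for every enabled rule that leaves the company."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue  # disabled rules forward nothing; review them separately
        if not is_internal(extract_domain(rule["forward_to"]), company_domains):
            findings.append((rule["mailbox"], rule["forward_to"]))
    return findings


if __name__ == "__main__":
    for mailbox, dest in find_external_forwards(SAMPLE_RULES):
        print(f"policy 11-2 violation: {mailbox} forwards to {dest}")
```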
11-3 Forwarding emails
Policy: Any request from an Unverified Person to relay an electronic mail message to another Unverified Person requires verification of the requester's identity.
11-4 Verifying email
Policy: An email message that appears to be from a Trusted Person that contains a request to provide information not designated as Public, or to perform an action with any computer-related equipment, requires an additional form of authentication. See Verification and Authorization Procedures.
Explanation/Notes: An attacker can easily forge an email message and its header, making it appear as if the message originated from another email address. An attacker can also send an email message from a compromised computer system, providing phony authorization to disclose information or perform an action. Even by examining the header of an email message you cannot detect email messages sent from a compromised internal computer system.
Phone Use
12-1 Participating in telephone surveys
Policy: Employees may not participate in surveys by answering any questions from any outside organization or person. Such requests must be referred to the public relations department or other designated person.
Explanation/Notes: A method used by social engineers to obtain valuable information that may be used against the enterprise is to call an employee and claim to be doing a survey. It's surprising how many people are happy to provide information about the company and themselves to strangers when they believe they're taking part in legitimate research. Among the innocuous questions, the caller will insert a few questions that the attacker wants to know. Eventually, such information may be used to compromise the corporate network.
12-2 Disclosure of internal telephone numbers
Policy: If an Unverified Person asks an employee for his phone number the employee may make a reasonable determination of whether disclosure is necessary to conduct company business.
Explanation/Notes: The intention of this policy is to require employees to make a considered decision on whether disclosure of their telephone extension is necessary. When dealing with people who have not demonstrated a genuine need to know the extension, the safest course is to require them to call the main company phone number and be transferred.
12-3 Passwords in voice mail messages
Policy: Leaving messages containing password information on anyone's voice mailbox is prohibited.
Explanation/Notes: A social engineer can often gain access to an employee's voice mailbox because it is inadequately protected with an easy-to-guess access code. In one type of attack, a sophisticated computer intruder is able to create his own phony voice mailbox and persuade another employee to leave a message relaying password information. This policy defeats such a ruse.
Fax Use
13-1 Relaying faxes
Policy: No fax may be received and forwarded to another party without verification of the requester's identity.
Explanation/Notes: Information thieves may trick trusted employees into faxing sensitive information to a fax machine located on the company's premises. Prior to the attacker giving the fax number to the victim, the imposter telephones an unsuspecting employee, such as a secretary or administrative assistant, and asks if a document can be faxed to them for later pickup. Subsequently, after the unsuspecting employee receives the fax, the attacker telephones the employee and requests that the fax be sent to another location, perhaps claiming that it is needed for an urgent meeting. Since the person asked to relay the fax usually has no understanding of the value of the information, he or she complies with the request.
13-2 Verification of faxed authorizations
Policy: Prior to carrying out any instructions received by facsimile, the sender must be verified as an employee or other Trusted Person. Placing a telephone call to the sender to verify the request is usually sufficient.
Explanation/Notes: Employees must exercise caution when unusual requests are sent by fax, such as a request to enter commands into a computer or disclose information. The data in the header of a faxed document can be falsified by changing the settings of the sending fax machine. Therefore the header on a fax must not be accepted as a means of establishing identity or authorization.