Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)

13-3 Sending sensitive information by fax

Policy: Before sending Sensitive information by fax to a machine that is located in an area accessible to other personnel, the sender shall transmit a cover page. The recipient, on receiving the page, transmits a page in response, demonstrating that he or she is physically present at the fax machine. The sender then transmits the fax.

Explanation/Notes: This handshake process assures the sender that the recipient is physically present at the receiving end. It also helps detect forwarding of the receiving fax telephone number to another location: whoever is at the number the sender actually dialed must answer the cover page, so an attacker who has had the line forwarded would have to respond in the recipient's place. Confirming the handshake with the recipient by telephone on a known number closes that gap.

13-4 Faxing passwords prohibited

Policy: Passwords must not be sent via facsimile under any circumstances.

Explanation/Notes: Sending authentication information by facsimile is not secure. Most fax machines are accessible to a number of employees. Furthermore, they rely on the public switched telephone network, which can be manipulated by call-forwarding the phone number of the receiving fax machine so that the fax is actually delivered to the attacker at another number.

Voice Mail Use

14-1 Voice mail passwords

Policy: Voice mail passwords must never be disclosed to anyone for any purpose. In addition, voice mail passwords must be changed every ninety days or sooner.

Explanation/Notes: Confidential company information may be left in voice mail messages. To protect this information, employees should change their voice mail passwords frequently, and never disclose them. In addition, voice mail users should not use the same or similar voice mail passwords within a twelve-month period.

14-2 Passwords on multiple systems

Policy: Voice mail users must not use the same password on any other phone or computer system, whether internal or external to the company.

Explanation/Notes: Use of a similar or identical password for multiple devices, such as voice mail and computer, makes it easier for social engineers to guess all the passwords of a user after identifying only one.

14-3 Setting voice mail passwords

Policy: Voice mail users and administrators must create voice mail passwords that are difficult to guess. They must not be related in any way to the person using them or to the company, and should not contain a predictable pattern that is likely to be guessed.

Explanation/Notes: Passwords must not contain sequential or repeating digits (e.g., 1111, 1234, 1010), must not be the same as or based on the telephone extension number, and must not be related to address, zip code, birth date, license plate, phone number, weight, I.Q., or other predictable personal information.

14-4 Mail messages marked as "old"

Policy: When previously unheard voice mail messages are not marked as new messages, the voice mail administrator must be notified of a possible security violation and the voice mail password must immediately be changed.

Explanation/Notes: Social engineers may gain access to a voice mailbox in a variety of ways. An employee who becomes aware that messages they have never listened to are not being announced as new messages must assume that another person has obtained unauthorized access to the voice mailbox and listened to the messages themselves.

14-5 External voice mail greetings

Policy: Company workers shall limit their disclosure of information on their external outgoing greeting on their voice mail. Ordinarily information related to a worker's daily routine or travel schedule should not be disclosed.

Explanation/Notes: An external greeting (played to outside callers) should not include last name, extension, or reason for absence (such as travel, vacation schedule, or daily itinerary). An attacker can use this information to develop a plausible story in his attempt to dupe other personnel.

14-6 Voice mail password patterns

Policy: Voice mail users shall not select a password where one part of the password remains fixed, while another part changes in a predictable pattern.

Explanation/Notes: For example, do not use a password such as 743501, 743502, 743503, and so on, where the last two digits correspond to the current month.

14-7 Confidential or Private information

Policy: Confidential or Private information shall not be disclosed in a voice mail message.

Explanation/Notes: The corporate telephone system is typically more vulnerable than corporate computer systems. The passwords are usually a string of digits, which substantially limits the number of possibilities for an attacker to guess. Further, in some organizations, voice mail passwords may be shared with secretaries or another administrative staff who have the responsibility of taking messages for their managers. In light of the above, no Sensitive information should ever be left on anyone's voice mail.

Passwords

15-1 Telephone security

Policy: Passwords shall not be disclosed over the telephone at any time.

Explanation/Notes: Attackers may find ways to listen in to phone conversations, either in person or through a technological device.

15-2 Revealing computer passwords

Policy: Under no circumstances shall any computer user reveal his or her password to anyone for any purpose without prior written consent of the responsible information technology manager.

Explanation/Notes: The goal of many social engineering attacks involves deceiving unsuspecting persons into revealing their account names and passwords. This policy is a crucial step in reducing the risk of successful social engineering attacks against the enterprise. Accordingly, this policy needs to be followed religiously throughout the company.

15-3 Internet passwords

Policy: Personnel must never use, on an Internet site, a password that is the same as or similar to one they use on any corporate system.

Explanation/Notes: Malicious Web site operators may set up a site that purports to offer something of value or the possibility of winning a prize. To register, a visitor to the site must enter an email address, username, and password. Since many people use the same or similar sign-on information repeatedly, the malicious Web site operator will attempt to use the chosen password and variations of it for attacking the target's work or home computer system. The visitor's work computer can sometimes be identified by the email address entered during the registration process.

15-4 Passwords on multiple systems

Policy: Company personnel must never use the same or a similar password in more than one system. This policy pertains to various types of devices (computer or voice mail); various locations of devices (home or work); and various types of systems, devices (router or firewall), or programs (database or application).

Explanation/Notes: Attackers rely on human nature to break into computer systems and networks. They know that, to avoid the hassle of keeping track of several passwords, many people use the same or a similar password on every system they access. As such, the intruder will attempt to learn the password of one system where the target has an account. Once obtained, it's highly likely that this password or a variation thereof will give access to other systems and devices used by the employee.

15-5 Reusing passwords

Policy: No computer user shall use the same or a similar password within the same eighteen-month period.

Explanation/Notes: If an attacker does discover a user's password, frequent changing of the password minimizes the damage that can be done. Making the new password different from previous passwords makes it harder for the attacker to guess it.

15-6 Password patterns

Policy: Employees must not select a password where one part remains fixed, and another element changes in a predictable pattern.

Explanation/Notes: For example, do not use a password such as Kevin01, Kevin02, Kevin03, and so on, where the last two digits correspond to the current month.

15-7 Choosing passwords

Policy: Computer users should create or choose a password that adheres to the following requirements. The password must:

Be at least eight characters long for standard user accounts and at least twelve characters long for privileged accounts.

Contain at least one number, at least one symbol (such as $, -, !, &), at least one lowercase letter, and at least one upper-case letter (to the extent that such characters are supported by the operating system).

Not be any of the following items: words in a dictionary in any language; any word that is related to an employee's family, hobbies, vehicle, work, license plate, social security number, address, telephone, pet's name, birthday, or phrases containing those words.

Not be a variation of a previously used password, with one element remaining the same and another element changing, such as kevin, kevin1, kevin2; or kevinjan, kevinfeb.

Explanation/Notes: The parameters listed above will produce a password that is difficult for the social engineer to guess. Another option is the consonant-vowel method, which provides an easy-to-remember and pronounceable password. To construct this kind of password, substitute a consonant for each letter C and a vowel for each letter V in the mask "CVCVCVCV." Examples would be MIXOCASO; CUSOJENA. Note that a bare eight-letter string of this kind contains no digit or symbol and is drawn from roughly 1.2 x 10^8 possibilities (21^4 x 5^4): it resists guessing by a social engineer, not an offline cracking attack, so where the system supports it, add the number and symbol the rule above requires.
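The rules in 14-3, 14-6, 15-6 and 15-7 are easy to state and easy to get subtly wrong when enforced by hand, so the following is an added example (not code from the book) that implements them as checks: sequential and repeating digit detection for voice mail PINs, the "fixed stem plus changing part" test for Kevin01/Kevin02 and kevinjan/kevinfeb, the length and character-class rules, a dictionary test that strips decoration such as "Password1!", and a generator for the consonant-vowel mask. The 8/12-character minimums and the digit examples come from the text; the function names, the sample extension and the personal-data lists are assumptions for illustration.

```python
"""
Added example, not from the book: checks for the voice-mail PIN rules in
14-3 and 14-6 and the computer-password rules in 15-6 and 15-7, plus a
generator for the consonant-vowel mask under 15-7. Function names and the
sample data are assumptions for illustration.
"""
import os
import secrets
import string

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"


def is_sequential(digits: str) -> bool:
    """1234 or 4321: every step between neighbouring digits is +1 or -1."""
    if len(digits) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def is_repeating(digits: str) -> bool:
    """1111 or 1010: the whole string is one short block repeated."""
    for size in range(1, len(digits) // 2 + 1):
        if len(digits) % size == 0 and digits[:size] * (len(digits) // size) == digits:
            return True
    return False


def is_variation(new: str, old: str) -> bool:
    """14-6 / 15-6 / 15-7: fixed stem plus a short changing part (743501 -> 743502,
    Kevin01 -> Kevin02, kevinjan -> kevinfeb, kevin -> kevin1). Flags the pair when a
    shared prefix or suffix (case-insensitive) covers all but at most three characters."""
    a, b = new.lower(), old.lower()
    threshold = max(3, max(len(a), len(b)) - 3)
    shared = max(len(os.path.commonprefix([a, b])),
                 len(os.path.commonprefix([a[::-1], b[::-1]])))
    return shared >= threshold


def check_voicemail_pin(pin, extension, previous=(), personal_digits=()):
    """Policies 14-3 and 14-6 for an all-digit voice-mail password; personal_digits
    holds birth date, zip code, phone number and the like as digit strings."""
    if not pin.isdigit():
        return ["voice-mail passwords are strings of digits"]
    problems = []
    if is_sequential(pin) or is_repeating(pin):
        problems.append("sequential or repeating digits (14-3)")
    if extension and (extension in pin or pin in extension):
        problems.append("same as or based on the extension (14-3)")
    problems += [f"contains personal data {d} (14-3)"
                 for d in personal_digits if len(d) >= 3 and d in pin]
    problems += [f"variation of previous password {old} (14-6)"
                 for old in previous if is_variation(pin, old)]
    return problems


def check_password(pw, privileged=False, previous=(), personal_terms=(), dictionary=()):
    """Policies 15-6 and 15-7 for a computer password."""
    problems = []
    minimum = 12 if privileged else 8
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters")
    missing = [name for name, present in (
        ("a digit", any(c.isdigit() for c in pw)),
        ("a symbol", any(c in string.punctuation for c in pw)),
        ("a lowercase letter", any(c.islower() for c in pw)),
        ("an uppercase letter", any(c.isupper() for c in pw)),
    ) if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # "Password1!" is still the dictionary word "password" once the decoration is removed.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters and letters in {w.lower() for w in dictionary}:
        problems.append("dictionary word with digits or symbols bolted on")
    problems += [f"related to personal information ({t})"
                 for t in personal_terms if len(t) >= 3 and t.lower() in pw.lower()]
    problems += [f"variation of previous password {old} (15-6)"
                 for old in previous if is_variation(pw, old)]
    return problems


def consonant_vowel_password(length: int = 8) -> str:
    """The CVCVCVCV mask from 15-7 (MIXOCASO, CUSOJENA) drawn with secrets.choice.
    Eight letters give 21**4 * 5**4, about 1.2e8 possibilities: fine against a
    social engineer guessing by hand, far too few against offline cracking."""
    return "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length)).upper()


if __name__ == "__main__":
    print(check_voicemail_pin("743502", extension="3501", previous=["743501"]))
    print(check_password("Kevin02", previous=["Kevin01"], personal_terms=["Kevin"]))
    print(check_password("Tr0ub4dor&3", privileged=True))
    print(consonant_vowel_password())
```

The variation test deliberately compares both prefixes and suffixes, so "01Kevin" against "02Kevin" is caught as well as "Kevin01" against "Kevin02"; the three-character allowance is a tunable assumption, not a figure from the book.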

15-8 Writing passwords down

Policy: Employees should write passwords down only when they store them in a secure location away from the computer or other password protected device.

Explanation/Notes: Employees are discouraged from ever writing down passwords. Under certain conditions, however, it may be necessary; for example, for an employee who has multiple accounts on different computer systems. Any written passwords must be secured in a safe place away from the computer. Under no circumstances may a password be stored under the keyboard or attached to the computer display.

15-9 Plaintext passwords in computer files

Policy: Plaintext passwords shall not be saved in any computer file or stored as text called by pressing a function key. When necessary, passwords may be saved using an encryption utility approved by the IT department to prevent any unauthorized disclosures.

Explanation/Notes: Passwords can be easily recovered by an attacker if stored in unencrypted form in computer data files, batch files, terminal function keys, login files, macro or scripting programs, or any data files which contain passwords to FTP sites.
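Enforcing 15-9 means finding the files that already violate it. The following is an added example (not from the book) of a small scanner for the storage locations the note lists: password assignments in shell and batch scripts, .netrc-style login files, credentials embedded in FTP URLs, a `net use` command with the password on the command line, and the bare password line that follows `user <name>` in an `ftp -s:` script. Every sample file and line below is constructed for illustration, and the report redacts what it finds so the scan output does not become another plaintext copy.

```python
"""
Added example, not from the book: a scanner for the plaintext-credential
locations listed under policy 15-9. Rule names, the scan_* functions and all
sample lines are constructed for illustration.
"""
import re

# Each rule: (description, pattern whose group 1 captures the secret).
RULES = [
    ("password assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\"'\s]+)")),
    (".netrc entry",
     re.compile(r"(?i)\blogin\s+\S+\s+password\s+(\S+)")),
    ("credentials embedded in URL",
     re.compile(r"(?i)\b(?:ftp|https?)://[^:/\s@]+:([^@\s]+)@")),
    ("net use with password on the command line",
     re.compile(r"(?i)\bnet\s+use\s+\S+\s+\\\\\S+\s+(\S+)\s+/user:")),
]
# ftp -s: scripts put the password alone on the line after "user <name>".
FTP_USER_LINE = re.compile(r"(?i)^\s*user\s+\S+\s*$")
BARE_TOKEN = re.compile(r"^\s*(\S+)\s*$")


def redact(secret: str) -> str:
    """Keep only the first character so the report never re-leaks the secret."""
    return secret[0] + "*" * (len(secret) - 1)


def scan_lines(filename, lines):
    """Return one finding per credential spotted in the given lines."""
    findings = []
    previous = ""
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"file": filename, "line": lineno,
                                 "rule": name, "secret": redact(m.group(1))})
        if FTP_USER_LINE.match(previous):          # stateful: needs the line before
            m = BARE_TOKEN.match(line)
            if m:
                findings.append({"file": filename, "line": lineno,
                                 "rule": "password line in ftp -s: script",
                                 "secret": redact(m.group(1))})
        previous = line
    return findings


def scan_all(files):
    findings = []
    for name, lines in files.items():
        findings.extend(scan_lines(name, lines))
    return findings


# Constructed sample files; the hosts, users and secrets are invented.
SAMPLE_FILES = {
    "backup.bat": [
        "@echo off",
        "net use Z: \\\\fileserver\\backups Wint3r!23 /user:CORP\\svc_backup",
        "xcopy C:\\data Z:\\ /E",
    ],
    "upload.ftp": ["open ftp.example.com", "user bob", "s3cret", "put report.pdf", "bye"],
    "env.sh": [
        "export DB_HOST=db.internal",
        "export DB_PASSWORD=hunter2",
        "curl ftp://alice:pa55word@ftp.example.com/list.txt",
    ],
    ".netrc": ["machine ftp.example.com login bob password s3cret"],
    "notes.txt": ["Password policy: never write passwords in files"],  # no finding
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['secret']})")
```

The last sample file shows the false-positive control: "Password policy:" is prose, not an assignment, and the rules require an `=` or `:` directly after the keyword (or the specific .netrc, URL and `net use` shapes) so it is not reported.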

POLICIES FOR TELECOMMUTERS

Telecommuters are outside the corporate firewall, and therefore more vulnerable to attack. These policies will help you prevent social engineers from using your telecommuter employees as a gateway to your data.

16-1 Thin clients

Policy: All company personnel who have been authorized to connect via remote access shall use a thin client to connect to the corporate network.

Explanation/Notes: When an attacker plans an attack, he or she will try to identify users who access the corporate network from external locations. As such, telecommuters are prime targets. Their computers are less likely to have stringent security controls, and may be a weak link that compromises the corporate network.

Any computer that connects to a trusted network can be booby-trapped with keystroke loggers, or its authenticated connection can be hijacked. A thin client strategy can be used to avoid these problems. A thin client is similar to a diskless workstation or a dumb terminal; the remote computer does not have storage capabilities, and instead the operating system, application programs, and data all reside on the corporate network. Accessing the network via a thin client substantially reduces the risk posed by unpatched systems, outdated operating systems, and malicious code. Accordingly, managing the security of telecommuters is made more effective and easier by centralizing security controls. Rather than relying on the inexperienced telecommuter to properly manage security-related issues, these responsibilities are better left with trained system, network, or security administrators.

16-2 Security software for telecommuter computer systems

Policy: Any external computer system that is used to connect to the corporate network must have antivirus software, anti-Trojan software, and a personal firewall (hardware or software). Antivirus and anti-Trojan pattern files must be updated at least weekly.

Explanation/Notes: Ordinarily, telecommuters are not skilled on security-related issues, and may inadvertently or negligently leave their computer system and the corporate network open to attack. Telecommuters