
Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf
company property, where the company has a legal right to protect the containers and their contents.
POLICIES FOR RECEPTIONISTS
Receptionists are often on the front lines when it comes to dealing with social engineers, yet they are rarely given enough security training to recognize and stop an invader. Institute these policies to help your receptionist better protect your company and its data.
19-1 Internal directory
Policy: Disclosure of information in the internal company directory should be limited to persons employed by the company.
Explanation/Notes: All employee titles, names, telephone numbers, and addresses contained within the company directory should be considered Internal information, and should only be disclosed in accordance with the policy related to data classification and Internal information.
Additionally, any calling party must have the name or extension of the party they are trying to contact. Although the receptionist can put a call through to an individual when a caller does not know the extension, telling the caller the extension number should be prohibited. (For those curious folks who follow by example, you can experience this procedure by calling any U.S. government agency and asking the operator to provide an extension.)
19-2 Telephone numbers for specific departments/groups
Policy: Employees shall not provide direct telephone numbers for the company help desk, telecommunications department, computer operations, or system administrator personnel without verifying that the requester has a legitimate need to contact these groups. The receptionist, when transferring a call to these groups, must announce the caller's name.
Explanation/Notes: Although some organizations may find this policy overly restrictive, this rule makes it more difficult for a social engineer to masquerade as an employee by deceiving other employees into transferring the call from their extension (which in some phone systems causes the call to appear to originate from within the company), or demonstrating knowledge of these extensions to the victim in order to create a sense of authenticity.
19-3 Relaying information
Policy: Telephone operators and receptionists should not take messages or relay information on behalf of any party not personally known to be an active employee.
Explanation/Notes: Social engineers are adept at deceiving employees into inadvertently vouching for their identity. One social engineering trick is to obtain the telephone number of the receptionist and, on a pretext, ask the receptionist to take any messages that may come for him. Then, during a call to the victim, the attacker pretends to be an employee, asks for some sensitive information or to perform a task, and gives the main switchboard number as a call back number. The attacker later calls back to the receptionist and is given any message left for him by the unsuspecting victim.
19-4 Items left for pickup
Policy: Before releasing any item to a messenger or other Unverified Person, the receptionist or security guard must obtain picture identification and enter the identification information into the pickup log as required by approved procedures.
Explanation/Notes: One social engineering tactic is to deceive an employee into releasing sensitive materials to another supposedly authorized employee by dropping off such materials at the receptionist or lobby desk for pickup. Naturally, the receptionist or security guard assumes the package is authorized for release. The social engineer either shows up himself or has a messenger service pick up the package.
POLICIES FOR THE INCIDENT REPORTING GROUP
Every company should set up a centralized group that should be notified when any form of attack on corporate security is identified. What follows are some guidelines for setting up and structuring the activities of this group.
20-1 Incident reporting group
Policy: An individual or group must be designated and employees should be instructed to report security incidents to them. All employees should be provided with the contact information for the group.
Explanation/Notes: Employees must understand how to identify a security threat, and be trained to report any threat to a specific incident reporting group. It is also important that an organization establish specific procedures and authority for such a group to act when a threat is reported.
20-2 Attacks in progress
Policy: Whenever the incident reporting group has received reports of an ongoing social engineering attack they shall immediately initiate procedures for alerting all employees assigned to the targeted groups.
Explanation/Notes: The incident reporting group or responsible manager should also make a determination about whether to send a company-wide alert. Once the responsible person or group has a good-faith belief that an attack may be in progress, mitigation of damage must be made a priority by notifying company personnel to be on their guard.
Security at a Glance
The following lists and charts provide a quick reference version of the social engineering methods discussed in Chapters 2 to 14, and the verification procedures detailed in Chapter 16. Modify this information for your organization, and make it available for employees to refer to when an information security question arises.
IDENTIFYING A SECURITY ATTACK
These tables and checklists will assist you in spotting a social engineering attack.
The Social Engineering Cycle
ACTION / DESCRIPTION
Research / May include open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, Web site content. Also Dumpster diving.
Developing rapport and trust / Use of insider information, misrepresenting identity, citing those known to victim, need for help, or authority.
Exploiting trust / Asking for information or an action on the part of the victim. In reverse sting, manipulate victim to ask attacker for help.
Utilize information / If the information obtained is only a step to final goal, attacker returns to earlier steps in cycle till goal is reached.
Common Social Engineering Methods
Posing as a fellow employee
Posing as an employee of a vendor, partner company, or law enforcement
Posing as someone in authority
Posing as a new employee requesting help
Posing as a vendor or systems manufacturer calling to offer a system patch or update
Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help
Sending free software or patch for victim to install
Sending a virus or Trojan Horse as an email attachment
Using a false pop-up window asking user to log in again or sign on with password
Capturing victim keystrokes with expendable computer system or program
Leaving a floppy disk or CD around the workplace with malicious software on it
Using insider lingo and terminology to gain trust
Offering a prize for registering at a Web site with username and password
Dropping a document or file at company mail room for intraoffice delivery
Modifying fax machine heading to appear to come from an internal location
Asking receptionist to receive then forward a fax
Asking for a file to be transferred to an apparently internal location
Getting a voice mailbox set up so call backs perceive attacker as internal
Pretending to be from remote office and asking for email access locally
Warning Signs of an Attack
Refusal to give call back number
Out-of-ordinary request
Claim of authority
Stresses urgency
Threatens negative consequences of non compliance
Shows discomfort when questioned
Name dropping
Compliments or flattery
Flirting
Common Targets of Attacks
TARGET TYPE / EXAMPLES
Unaware of value of information / Receptionists, telephone operators, administrative assistants, security guards.
Special privileges / Help desk or technical support, system administrators, computer operators, telephone system administrators.
Manufacturer / vendor / Computer hardware, software manufacturers, voice mail systems vendors.
Specific departments / Accounting, human resources.
Factors That Make Companies More Vulnerable to Attacks
Large number of employees
Multiple facilities
Information on employee whereabouts left in voice mail messages
Phone extension information made available
Lack of security training
Lack of data classification system
No incident reporting/response plan in place
VERIFICATION AND DATA CLASSIFICATION
These tables and charts will help you to respond to requests for information or action that may be social engineering attacks.
Verification of Identity Procedure
ACTION / DESCRIPTION
Caller ID / Verify call is internal, and name or extension number matches the identity of the caller.
Callback / Look up requester in company directory and call back the listed extension.
Vouching / Ask a trusted employee to vouch for requester's identity.
Shared common secret / Request enterprise-wide shared secret, such as a password or daily code.
Supervisor or manager / Contact employee's immediate supervisor and request verification of identity and employment status.
Secure email / Request a digitally signed message.
Personal voice recognition / For a caller known to employee, validate by caller's voice.
Dynamic passwords / Verify against a dynamic password solution such as Secure ID or other strong authentication device.
In person / Require requester to appear in person with an employee badge or other identification.
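The "Dynamic passwords" row above names the check but not what makes a one-time code stronger than a static password or a shared daily code. The following is an added example, not from the book and not tied to any particular vendor's product: a server-side verifier for an HMAC-based one-time password (HOTP, RFC 4226) written against the Python standard library. The shared secret is the RFC 4226 test-vector secret, the look-ahead window and the counter bookkeeping are assumptions of this example, and the caller-presented codes in `demo()` are constructed. The point it shows is that each code is valid once and only once, so a value overheard or talked out of an employee cannot be reused later.

```python
"""Verifying a dynamic (one-time) password: HOTP per RFC 4226.

Added example, not from the book. Assumes the verifier holds the user's
shared secret and the last counter value it accepted (both constructed here).
"""
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 test secret, ASCII "12345678901234567890".
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class DynamicPasswordVerifier:
    """Server-side check of a caller's one-time code.

    A presented code is accepted only if it matches one of the next `window`
    counter values after the last accepted one. On success the counter is
    advanced, so the same code (and any earlier one) can never be accepted again.
    """

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window          # assumed look-ahead to tolerate unused token presses
        self.last_counter = -1        # nothing accepted yet

    def verify(self, presented: str) -> bool:
        start = self.last_counter + 1
        for candidate in range(start, start + self.window):
            expected = hotp(self.secret, candidate)
            # constant-time comparison: do not leak which digits matched
            if hmac.compare_digest(expected.encode(), presented.encode()):
                self.last_counter = candidate   # burn this and all earlier counters
                return True
        return False


def demo() -> list:
    """Walk through a genuine use, a replay, a skipped counter and a guess."""
    v = DynamicPasswordVerifier(SAMPLE_SECRET)
    return [
        v.verify("755224"),   # counter 0, first genuine token value: accepted
        v.verify("755224"),   # the same value overheard and replayed: rejected
        v.verify("359152"),   # counter 2, within the look-ahead window: accepted
        v.verify("287082"),   # counter 1, now behind the accepted counter: rejected
        v.verify("000000"),   # a guessed value: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The replay rejection is what distinguishes this from the "Shared common secret" row: a daily code that leaks is good for the rest of the day, while a one-time code that leaks is already spent. The window size is a policy choice; a larger window tolerates more unused token presses but gives a guesser more acceptable values per attempt, so pair it with the lockout or rate limiting the organization already applies to password guessing.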
Verification of Employment Status Procedure
ACTION / DESCRIPTION