The Art of Deception

Chapter 25

Explanation/Notes: Where justified by size of company and security needs, advanced security technologies should be used to authenticate identity. The best security practice would be to deploy authentication tokens in combination with a shared secret to positively identify persons making requests. While this practice would substantially minimize risk, the cost may be prohibitive for some businesses. In those circumstances, the company should use a company-wide shared secret, such as a daily password or code.
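As an added illustration of the daily code mentioned above (this is example code written for this edition, not code from the book or from any product it describes), the following Python derives a company-wide daily code from a long-term secret held by the security office and checks a presented code against the current day's value. The HMAC-SHA256 derivation, the six-digit format and the MASTER_SECRET value are assumptions made for this example; the book only says that a daily password or code may serve as the shared secret.

```python
import datetime
import hashlib
import hmac
from typing import Optional

# Long-term secret held by the security office. Constructed placeholder value;
# a real deployment would generate it randomly and keep it out of source control.
MASTER_SECRET = b"example-master-secret-replace-me"


def daily_code(day_iso: str, secret: bytes = MASTER_SECRET, digits: int = 6) -> str:
    """Derive the company-wide code for one calendar day given as YYYY-MM-DD.

    HMAC-SHA256 over the date means every verifier holding the secret can compute
    today's code locally, nothing but the code itself is ever read out loud, and
    yesterday's code is worthless tomorrow.
    """
    mac = hmac.new(secret, day_iso.encode("ascii"), hashlib.sha256).digest()
    # Fold the first four bytes into a zero-padded decimal code of the requested length.
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def verify_code(presented: str, day_iso: Optional[str] = None,
                secret: bytes = MASTER_SECRET) -> bool:
    """Accept a code only if it matches the value for the given (default: current) day.

    compare_digest keeps the comparison constant-time, so response timing does not
    reveal how many leading digits of a guess were right.
    """
    if day_iso is None:
        day_iso = datetime.date.today().isoformat()
    expected = daily_code(day_iso, secret)
    return hmac.compare_digest(expected.encode("ascii"),
                               presented.strip().encode("utf-8"))


if __name__ == "__main__":
    today = datetime.date.today().isoformat()
    print("today's code:", daily_code(today))
    print("verifies:", verify_code(daily_code(today)))
```

The person answering a request asks for the code and calls verify_code; they never need a list of codes, and a code overheard today cannot be replayed against tomorrow's verifier.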

2-2 Release of information to third parties Policy: A set of recommended information disclosure procedures must be made available and all employees should be trained to follow them.

Explanation/Notes: Generally, distribution procedures need to be established for: Information made available within the company.

Distribution of information to individuals and employees of organizations having an established relationship with the company, such as consultants, temporary workers, interns, employees of organizations that have a vendor relationship or strategic partnership arrangement with the company, and so on.

Information made available outside the company.

Information at each classification level, when the information is being delivered in person, by telephone, by email, by facsimile, by voice mail, by postal service, by signature delivery service, and by electronic transfer.

2-3 Distribution of Confidential information Policy: Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Confidential information in a physical form (that is, printed copy or on a removable storage medium) may be delivered: In person.

By internal mail, sealed and marked with the Confidential classification.

Outside the company by a reputable delivery service (that is, FedEx, UPS, and so on) with signature of recipient required, or by a postal service using a certified or registered class of mail.

Confidential information in electronic form (computer files, database files, email) may be delivered: Within the body of encrypted email.

By email attachment, as an encrypted file.

By electronic transfer to a server within the company internal network.

By a fax program from a computer, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Confidential information may be discussed in person; by telephone within the company; by telephone outside the company if encrypted; by encrypted satellite transmission; by encrypted videoconferencing link; and by encrypted Voice Over Internet Protocol (VoIP).

For transmission by fax machine, the recommended method calls for the sender to transmit a cover page; the recipient, on receiving the page, transmits a page in response, demonstrating that he/she is at the fax machine. The sender then transmits the fax.

The following means of communication are not acceptable for discussing or distributing Confidential information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, Short Message Service, or cordless).

2-4 Distribution of Private information Policy: Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Private information in a physical form (that is, hard copy or data on a removable storage medium) may be delivered: In person.

By internal mail, sealed and marked with the Private classification.

By regular mail.

Private information in electronic form (computer files, database files, email) may be delivered: By internal email.

By electronic transfer to a server within the company internal network.

By facsimile, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. Facsimiles can also be sent to password-protected fax servers. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Private information may be discussed in person; by telephone; by satellite transmission; by videoconferencing link; and by encrypted VoIP.

The following means of communication are not acceptable for discussing or distributing Private information: unencrypted email, voice mail message, regular mail, and any wireless communication method (cellular, SMS, or cordless).

2-5 Distribution of Internal information Policy: Internal information is information to be shared only within the company or with other Trusted persons who have signed a nondisclosure agreement. You must establish guidelines for the distribution of Internal information.

Explanation/Notes: Internal information may be distributed in any form, including internal email, but may not be distributed outside the company in email form unless encrypted.

2-6 Discussing Sensitive information over the telephone Policy: Prior to releasing any information that is not designated as Public over the telephone, the person releasing such information must personally recognize the requester's voice through prior business contact, or the company phone system must identify the call as being from an internal telephone number that has been assigned to the requester.

Explanation/Notes: If the requester's voice is not known, call the requester's internal phone number to verify the requester's voice against the recorded voice mail greeting, or have the requester's manager verify the requester's identity and need to know.

2-7 Lobby or reception personnel procedures Policy: Lobby personnel must obtain photo identification prior to releasing any package to any person who is not known to be an active employee. A log should be kept for recording the person's name, driver's license number, birth date, the item picked up, and the date and time of such pickup.

Explanation/Notes: This policy also applies to handing over outgoing packages to any messenger or courier service such as FedEx, UPS, or Airborne Express.

These companies issue identification cards that can be used to verify employee ident.i.ty.

2-8 Transfer of software to third parties Policy: Prior to the transfer or disclosure of any software, program, or computer instructions, the requester's identity must be positively verified, and it must be established whether such release is consistent with the data classification assigned to such information. Ordinarily, software developed in-house in source-code format is considered highly proprietary, and classified Confidential.

Explanation/Notes: Determination of authorization is usually based on whether the requester needs access to the software to do his or her job.

2-9 Sales and marketing qualification of customer leads Policy: Sales and marketing personnel must qualify leads before releasing internal callback numbers, product plans, product group contacts, or other Sensitive information to any potential customer.

Explanation/Notes: It is a common tactic for industrial spies to contact a sales and marketing representative and make him believe that a big purchase may be in the offing. In an effort to take advantage of the sales opportunity, sales and marketing reps often release information that can be used by the attacker as a poker chip to obtain access to Sensitive information.

2-10 Transfer of files or data Policy: Files or other electronic data should not be transferred to any removable media unless the requester is a Trusted Person whose identity has been verified and who has a need to have such data in that format.

Explanation/Notes: A social engineer can easily dupe an employee by providing a plausible request for having Sensitive information copied to a tape, Zip disc, or other removable media, and sent to him or held in the lobby for pickup.

Phone Administration

Phone administration policies ensure that employees can verify caller identity, and protect their own contact information from those calling into the company.

3-1 Call forwarding on dial-up or fax numbers Policy: Call forwarding services that permit forwarding calls to external telephone numbers will not be placed on any dial-up modem or fax telephone numbers within the company.

Explanation/Notes: Sophisticated attackers may attempt to dupe telephone company personnel or internal telecom workers into forwarding internal numbers to an external phone line under control of an attacker. This attack allows the intruder to intercept faxes, request Confidential information to be faxed within the company (personnel assume that faxing within the organization must be safe), or dupe dial-in users into providing their account passwords by forwarding the dial-up lines to a decoy computer that simulates the login process.

Depending on the telephone service used within the company, the call forwarding feature may be under control of the communications provider, rather than the telecommunications department. In such circumstances, a request will be made to the communications provider to ensure the call forwarding feature is not present on the telephone numbers assigned to dial-up and fax lines.

3-2 Caller ID Policy: The corporate telephone system must provide caller line identification (caller ID) on all internal telephone sets, and, if possible, enable distinctive ringing to indicate when a call is from outside the company.

Explanation/Notes: If employees can verify the identity of telephone calls from outside the company, it may help them prevent an attack, or identify the attacker to appropriate security personnel.

3-3 Courtesy phones Policy: To prevent visitors from masquerading

Explanation/Notes: If the caller ID for internal calls shows extension number only, appropriate provision must be made for calls placed from company phones in the reception area and any other public areas. It must not be possible for an attacker to place a call from one of these phones and deceive an employee into believing that the call has been placed internally from an employee telephone.

3-4 Manufacturer default passwords shipped with phone systems Policy: The voice mail administrator should change all default passwords that were shipped with the phone system prior to use by company personnel.

Explanation/Notes: Social engineers can obtain lists of default passwords from manufacturers and use these to access administrator accounts.

3-5 Department voice mailboxes Policy: Set up a generic voice mailbox for every department that ordinarily has contact with the public.

Explanation/Notes: The first step of social engineering involves gathering information about the target company and its personnel. By limiting the accessibility of the names and telephone numbers of employees, a company makes it more difficult for the social engineer to identify targets in the company, or names of legitimate employees for use in deceiving other personnel.

3-6 Verification of telephone system vendor Policy: No vendor-support technicians will be permitted to remotely access the company telephone system without positive identification of vendor and authorization to perform such work.

Explanation/Notes: Computer intruders who gain access to corporate telephone systems gain the ability to create voice mailboxes, intercept messages intended for other users, or make free phone calls at the corporation's expense.

3-7 Configuration of phone system Policy: The voice mail administrator will enforce security requirements by configuring the appropriate security parameters in the telephone system.

Explanation/Notes: Phone systems can be set up with greater or lesser degrees of security for voice mail messages. The administrator should be aware of company security concerns, and work with security personnel to configure the phone system to protect Sensitive data.

3-8 Call trace feature Policy: Depending on limitations of the communications provider, the call trace feature will be enabled globally to allow employees to activate the trap-and-trace feature when the caller is suspected of being an attacker.

Explanation/Notes: Employees must be trained on call trace usage and the appropriate circumstances when it should be used. A call trace should be initiated when the caller is clearly attempting to gain unauthorized access to corporate computer systems or requesting Sensitive information. Whenever an employee activates the call trace feature, immediate notification must be sent to the Incident Reporting Group.

3-9 Automated phone systems Policy: If the company uses an automated phone answering system, the system must be programmed so that telephone extensions are not announced when transferring a call to an employee or department.

Explanation/Notes: Attackers can use a company's automated telephone system to map employee names to telephone extensions. Attackers can then use knowledge of those extensions to convince call recipients that they are employees with a right to insider information.

3-10 Voice mailboxes to become disabled after successive invalid access attempts Policy: Program the corporate telephone system to lock out any voice mail account whenever a specified number of successive invalid access attempts have been made.

Explanation/Notes: The Telecommunications administrator must lock out a voice mailbox after five successive invalid attempts to log in. The administrator must then reset any voice mail lockouts manually.

3-11 Restricted telephone extensions Policy: All internal telephone extensions to departments or workgroups that ordinarily do not receive calls from external callers (help desk, computer room, employee technical support, and so on) should be programmed so that these telephones can be reached only from internal extensions. Alternately, they can be password-protected so that employees and other authorized persons calling from the outside must enter the correct password.

Explanation/Notes: While use of this policy will block most attempts by amateur social engineers to reach their likely targets, it should be noted that a determined attacker will sometimes be able to talk an employee into calling the restricted extension and asking the person who answers the phone to call the attacker, or simply conference in the restricted extension. During security training, this method of tricking employees into assisting the intruder should be discussed to raise employee awareness about these tactics.

Miscellaneous

4-1 Employee badge design Policy: Employee badges must be designed to include a large photo that can be recognized from a distance.

Explanation/Notes: The photograph on corporate ID badges of standard design is, for security purposes, only slightly better than worthless. The distance between a person entering the building and the guard or receptionist who has the responsibility to check identification is usually great enough that the picture is too small to recognize when the person walks by. For the photo to be of value in this situation, a redesign of the badge is necessary.

4-2 Access rights review when changing position or responsibilities Policy: Whenever a company employee changes positions or is given increased or decreased job responsibilities, the employee's manager will notify IT of the change in the employee's responsibilities so that the appropriate security profile can be assigned.

Explanation/Notes: Managing the access rights of personnel is necessary to limit disclosure of protected information. The rule of least privilege will apply: The access rights assigned to users will be the minimum necessary to perform their jobs. Any requests for changes that result in elevated access rights must be in accordance with a policy on granting elevated access rights.

The worker's manager or the human resources department will have the responsibility of notifying the information technology department to properly adjust the account holder's access rights as needed.

4-3 Special identification for non-employees Policy: Your company should issue a special photo company badge to trusted delivery people and non-employees who have a business need to enter company premises on a regular basis.

Explanation/Notes: Non-employees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or make telephone installations) can pose a threat to your company. In addition to issuing identification to these visitors, make sure your employees are trained to spot a visitor without a badge and know how to act in that situation.

4-4 Disabling computer accounts for contractors Policy: Whenever a contractor who has been issued a computer account has completed his or her assignment, or when the contract expires, the responsible manager will immediately notify the information technology department to disable the contractor's computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.

Explanation/Notes: When a worker's employment is terminated, there is a danger that he or she will use knowledge of your company's systems and procedures to gain access to data. All computer accounts used by or known to the worker must be promptly disabled. This includes accounts that provide access to production databases, remote dial-in accounts, and any accounts used to access computer-related devices.
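Policies 4-2 and 4-4 both come down to the same routine check: compare what HR says about a person (role, employment status, contract end date) with what the directory actually grants, and produce work lists for IT. The following Python is an added example of that reconciliation, written for this edition and not code from the book; the role-to-group baseline, the people, the accounts and the group names are all constructed for the example, and dates are ISO strings so they compare without parsing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Minimum group membership each role needs to do its job. Assumed role model,
# constructed for this example; in practice it comes from the access-control policy.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "sales": {"crm-users"},
    "dba": {"crm-users", "db-admins"},
    "contractor-dev": {"source-read"},
}


@dataclass
class Person:
    user: str
    role: str
    status: str                         # "active" or "terminated", as reported by HR
    contract_end: Optional[str] = None  # ISO date for contractors, None for staff


@dataclass
class Account:
    user: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)


def reconcile(people: List[Person], accounts: List[Account], today: str
              ) -> Tuple[List[str], Dict[str, List[str]], Dict[str, List[str]]]:
    """Compare the HR roster with the account directory and return three work lists:

    disable - accounts whose holder has left, whose contract has expired, or who is
              unknown to HR (an orphaned account is treated like a leaver);
    remove  - groups an active user holds beyond the baseline for the current role
              (the "mover" case of 4-2: least privilege after a change of duties);
    add     - baseline groups an active user is missing.
    """
    roster = {p.user: p for p in people}
    disable: List[str] = []
    remove: Dict[str, List[str]] = {}
    add: Dict[str, List[str]] = {}
    for acct in accounts:
        person = roster.get(acct.user)
        gone = (person is None or person.status == "terminated"
                or (person.contract_end is not None and person.contract_end < today))
        if gone:
            if acct.enabled:
                disable.append(acct.user)
            continue
        baseline = ROLE_BASELINE.get(person.role, set())
        extra = acct.groups - baseline      # rights the current role does not justify
        missing = baseline - acct.groups
        if extra:
            remove[acct.user] = sorted(extra)
        if missing:
            add[acct.user] = sorted(missing)
    return sorted(disable), remove, add


# Constructed sample data: bob moved from the DBA team to sales but kept db-admins,
# carol's contract ended on 2024-03-31, dave was terminated, svc-old is unknown to HR.
PEOPLE = [
    Person("alice", "dba", "active"),
    Person("bob", "sales", "active"),
    Person("carol", "contractor-dev", "active", contract_end="2024-03-31"),
    Person("dave", "sales", "terminated"),
]
ACCOUNTS = [
    Account("alice", True, {"db-admins"}),
    Account("bob", True, {"crm-users", "db-admins"}),
    Account("carol", True, {"source-read", "remote-dialin"}),
    Account("dave", True, {"crm-users"}),
    Account("svc-old", True, {"db-admins"}),
]

if __name__ == "__main__":
    to_disable, to_remove, to_add = reconcile(PEOPLE, ACCOUNTS, "2024-04-15")
    print("disable:", to_disable)          # ['carol', 'dave', 'svc-old']
    print("remove groups:", to_remove)     # {'bob': ['db-admins']}
    print("add groups:", to_add)           # {'alice': ['crm-users']}
```

Run on a schedule, this catches the cases the policies describe even when the manager's notification never arrives: the expired contract and the orphaned account surface on the next run, and the colleague who changed teams loses the old team's rights instead of accumulating them.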

4-5 Incident reporting organization Policy: An incident reporting organization must be established or, in smaller companies, an incident reporting individual and backup person designated, for receiving and distributing alerts concerning possible security incidents in progress.

Explanation/Notes: By centralizing the reporting of suspected security incidents, an attack that may otherwise have gone unnoticed can be detected. In the event that systematic attacks across the organization are detected and reported, the incident reporting organization may be able to determine what the attacker is targeting so that special efforts can be made to protect those assets.

Employees assigned to receive incident reports must become familiar with social engineering methods and tactics, enabling them to evaluate reports and recognize when an attack may be in progress.

4-6 Incident reporting hotline Policy: A hotline to the incident reporting organization or person, which may consist of an easy-to-remember phone extension, must be established.

Explanation/Notes: When employees suspect that they are the target of a social engineering attack, they must be able to immediately notify the incident reporting organization. In order for the notification to be timely, all company telephone operators and receptionists must have the number posted or otherwise immediately available to them.

A company-wide early warning system can substantially aid the organization in detecting and responding to an ongoing attack. Employees must be sufficiently well trained that one who suspects he or she has been the target of a social engineering attack will immediately call the incident reporting hotline. In accordance with published procedures, the incident reporting personnel will immediately notify the targeted groups that an intrusion may be in progress so personnel will be on alert. In order for the notification to be timely, the reporting hotline number must be widely distributed throughout the company.
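What policies 4-5 and 4-6 buy the defender is correlation: one department reporting an odd call is a suspicious call, but the same request landing in two departments an hour apart under the same pretext is an attacker working through the organization. The following Python is an added example of that correlation over hotline entries, written for this edition and not code from the book; the log format, the sample entries, the two-hour window and the two-department threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed hotline log. Each line: when reported | reporting department |
# identity the caller claimed | what the caller asked for.
REPORTS = """\
2024-05-06 09:05|help desk|new hire in accounting|password reset
2024-05-06 09:40|accounting|IT technician|dial-in number
2024-05-06 10:10|reception|courier for facilities|employee directory
2024-05-06 10:55|facilities|IT technician|dial-in number
2024-05-07 15:20|sales|prospective customer|product roadmap
"""


def parse_reports(text: str) -> List[Dict]:
    """Turn the pipe-separated hotline entries into dicts, skipping blank lines."""
    reports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, dept, pretext, ask = (part.strip() for part in line.split("|", 3))
        reports.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
                        "dept": dept, "pretext": pretext, "ask": ask})
    return reports


def correlate(reports: List[Dict], window: timedelta = timedelta(hours=2),
              min_departments: int = 2) -> List[Dict]:
    """Raise one alert per requested item when at least min_departments report
    the same request inside one time window. The alert carries the departments
    hit so far and the pretexts used, which is what the targeted groups need
    to hear when they are put on alert."""
    by_ask = defaultdict(list)
    for r in reports:
        by_ask[r["ask"]].append(r)
    alerts = []
    for ask, items in by_ask.items():
        items.sort(key=lambda r: r["when"])
        for i, first in enumerate(items):
            cluster = [r for r in items[i:] if r["when"] - first["when"] <= window]
            depts = sorted({r["dept"] for r in cluster})
            if len(depts) >= min_departments:
                alerts.append({"target": ask, "departments": depts,
                               "pretexts": sorted({r["pretext"] for r in cluster}),
                               "first_report": first["when"].isoformat(timespec="minutes")})
                break   # one alert per target is enough to notify the affected groups
    return alerts


def campaign_alerts(text: str = REPORTS) -> List[Dict]:
    return correlate(parse_reports(text))


if __name__ == "__main__":
    for alert in campaign_alerts():
        print(f"ALERT: '{alert['target']}' requested from "
              f"{', '.join(alert['departments'])} since {alert['first_report']} "
              f"under pretext(s) {alert['pretexts']}")
```

On the sample log only the two "dial-in number" requests correlate; the other three entries stay single reports to be assessed on their own.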

4-7 Sensitive areas must be secured Policy: A security guard will screen access to sensitive or secure areas and should require two forms of authentication.

Explanation/Notes: One acceptable form of authentication uses a digital electronic lock that requires an employee to swipe his employee badge and enter an access code. The best method to secure sensitive areas is to post a security guard who observes any access-controlled entry. In organizations where this is not cost-effective, two forms of authentication should be used to validate identity.

Depending on risk and cost, a biometric-enabled access card is recommended.

4-8 Network and phone cabinets Policy: Cabinets, closets, or rooms containing network cabling, phone wiring, or network access points must be secured at all times.

Explanation/Notes: Only authorized personnel will be permitted access to telephone and network closets, rooms, or cabinets. Any outside maintenance people or vendor personnel must be positively identified using the procedures published by the department responsible for information security.

Access to phone lines, network hubs, switches, bridges, or other related equipment could be used by an attacker to compromise computer and network security.

4-9 Intracompany mail bins Policy: Intracompany mail bins must not be located in publicly accessible areas.

Explanation/Notes: Industrial spies or computer intruders who have access to any intracompany mail pickup points can easily send forged authorization letters or internal forms that authorize personnel to release Confidential information or to perform an action that assists the attacker.

Additionally, the attacker can mail a floppy disk or electronic media with instructions to install a software update, or open a file that has embedded macro commands that serve the intruder's objectives. Naturally, any request received by intracompany mail is assumed to be authentic by the party who receives it.

4-10 The company bulletin board Policy: Bulletin boards for the benefit of company workers should not be posted in locations where the public has access.

Explanation/Notes: Many businesses have bulletin boards where private company or personnel information is posted for anyone to read. Employer notices, employee lists, internal memorandums, employee home contact numbers listed in advertisements, and other, similar information are frequently posted on the board.

Bulletin boards may be located near company cafeterias, or in close proximity to smoking or break areas where visitors have free access. This type of information should not be made available to visitors or the public.

4-11 Computer center entrance Policy: The computer room or data center should be locked at all times and personnel must authenticate their ident.i.ty prior to entering.

Explanation/Notes: Corporate security ought to consider deploying an electronic badge or access card reader so all entries can be electronically logged and audited.

4-12 Customer accounts with service providers Policy: Company personnel who place service orders with vendors that supply critical services to the company must set up an account password to prevent unauthorized persons from placing orders on behalf of the company.

Explanation/Notes: Utility companies and many other vendors allow customers to set up a password on request; the company should establish passwords with all vendors that provide mission-critical services. This policy is especially critical to telecommunication and Internet services. Any time critical services can be affected, a shared secret is necessary to verify that the caller is authorized to place such orders. Note, too, that identifiers such as social security number, corporate taxpayer identification number, mother's maiden name, or similar identifiers must not be used. A social engineer might, for example, call the telephone company and give orders to add features such as call forwarding to dial-in modem lines, or make a request to the Internet Service Provider to change translation information to provide a bogus IP address when users perform a hostname lookup.

4-13 Departmental contact person Policy: Your company may institute a program under which each department or workgroup assigns an employee the responsibility of acting as a point contact so that any personnel can easily verify the identity of unknown persons claiming to be from that department. For example, the help desk may contact the departmental point person to verify the identity of an employee who is requesting support.

Explanation/Notes: This method of verifying identity reduces the pool of employees who are authorized to vouch for employees within their department when such employees request support such as resetting passwords or other computer account-related issues.

Social engineering attacks are successful in part because technical support personnel are pressed for time and do not properly verify the identity of requesters. Typically support staff cannot personally recognize all authorized personnel because of the number of employees in larger organizations. The point-person method of vouching limits the number of employees that technical support staff need to be personally familiar with for verification purposes.

4-14 Customer passwords Policy: Customer service representatives shall not have the ability to retrieve customer account passwords.

Explanation/Notes: Social engineers frequently call customer service departments and, under a pretext, attempt to obtain a customer's authentication information, such as the password or social security number. With this information, the social engineer can then call another service representative, pretend to be the customer, and obtain information or place fraudulent orders.

To prevent these attempts from succeeding, customer service software must be designed so that representatives can only type in the authentication information provided by the caller, and receive a response from the system indicating whether the password is correct or not.
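The design requirement in 4-14 (the system answers yes or no and has no way to hand back the stored secret) and the lockout rule in 3-10 (five successive invalid attempts lock the mailbox, and only the administrator resets it) fit in one small component. The following Python is an added example of that component, written for this edition and not code from the book or from any phone or customer-service product; the PBKDF2 parameters, the class and method names, and the sample mailbox and PIN are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple


class CredentialStore:
    """Stores salted PBKDF2 hashes, answers yes/no, and locks after repeated failures.

    There is deliberately no method that returns a stored secret: a representative,
    or an attacker who talks one into trying, can only learn whether one presented
    value is right (policy 4-14). The failure counter implements the lockout of 3-10.
    """

    def __init__(self, max_failures: int = 5, iterations: int = 100_000):
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # account -> (salt, digest)
        self._failures: Dict[str, int] = {}                 # consecutive bad attempts
        self._locked: Set[str] = set()
        self.max_failures = max_failures
        self.iterations = iterations

    def _digest(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, self.iterations)

    def enroll(self, account: str, secret: str) -> None:
        """Keep a fresh random salt and the derived hash; the secret itself is discarded."""
        salt = os.urandom(16)
        self._records[account] = (salt, self._digest(secret, salt))
        self._failures[account] = 0
        self._locked.discard(account)

    def verify(self, account: str, presented: str) -> bool:
        """True only if the account exists, is not locked, and the secret matches."""
        if account in self._locked:
            return False
        record = self._records.get(account)
        if record is None:
            # Burn the same hashing cost for unknown accounts so response time
            # does not reveal which account names exist.
            self._digest(presented, b"\x00" * 16)
            return False
        salt, digest = record
        ok = hmac.compare_digest(digest, self._digest(presented, salt))
        if ok:
            self._failures[account] = 0
        else:
            self._failures[account] += 1
            if self._failures[account] >= self.max_failures:
                self._locked.add(account)
        return ok

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def admin_unlock(self, account: str) -> None:
        """Manual reset by the administrator, as 3-10 requires; nothing unlocks on a timer."""
        self._locked.discard(account)
        self._failures[account] = 0


if __name__ == "__main__":
    store = CredentialStore()
    store.enroll("mailbox-4127", "2948")           # constructed sample mailbox and PIN
    print(store.verify("mailbox-4127", "2948"))    # True
    for _ in range(5):
        store.verify("mailbox-4127", "0000")
    print(store.is_locked("mailbox-4127"))          # True
    print(store.verify("mailbox-4127", "2948"))    # False while locked
```

The representative's screen calls verify and shows the boolean; the database holds nothing a pretext call could extract. The lock survives even a later correct PIN, which is the point: a caller who finally guesses right on the sixth try gets nothing until the administrator has looked at why the account was hammered.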

4-15 Vulnerability testing Policy: Notification of company use of social engineering tactics to test security vulnerabilities is required during security awareness training and employee orientation.

Explanation/Notes: Without notification of social engineering penetration testing, company personnel may suffer embarrassment, anger, or other emotional trauma from the use of deceptive tactics used against them by other employees or contractors. By placing new hires on notice during the orientation process that they may be subject to this testing, you prevent such conflict.

4-16 Display of company Confidential information Policy: Company information not designated for public release shall not be displayed in any publicly accessible areas.

Explanation/Notes: In addition to Confidential product or procedure information, internal contact information such as internal telephone or employee lists, or building rosters that contain a list of management personnel for each department within the company must also be kept out of view.


