Chapter 27
7-21 Invalid access attempts lockout (low to medium security) Policy: Especially in an organization with low to medium security requirements, whenever a specified number of successive invalid login attempts to a particular account have been made, the account should be locked out for a period of time.
Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is necessary to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.
The system administrator must configure the security settings to lock out an account whenever the desired threshold of successive invalid attempts has been reached. It is recommended that an account be locked out for at least thirty minutes after seven successive login attempts.
7-22 Invalid access attempts account disabled (high security) Policy: In an organization with high security requirements, whenever a specified number of successive invalid login attempts to a particular account has been made, the account should be disabled until reset by the group responsible for providing account support.
Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is a necessary control to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.
The system administrator must configure the security settings to disable the account after five invalid login attempts. Following such an attack, the account holder will need to call technical support or the group responsible for account support to enable the account. Prior to resetting the account, the department responsible must positively identify the account holder, following the Verification and Authorization Procedures.
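An added example (not from the book) of the two lockout behaviours described in 7-21 and 7-22, written in Python with the thresholds given above; the account names and timestamps are constructed, and the `LockoutPolicy` class and its methods are assumptions of the example rather than any product's configuration interface.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds taken from policies 7-21 and 7-22.
LOW_MED_THRESHOLD = 7               # successive failures before a timed lockout
LOW_MED_LOCKOUT_SECONDS = 30 * 60   # "at least thirty minutes"
HIGH_THRESHOLD = 5                  # successive failures before the account is disabled


@dataclass
class AccountState:
    failures: int = 0                   # successive invalid attempts so far
    locked_until: Optional[int] = None  # epoch seconds, or None when not locked
    disabled: bool = False              # 7-22: stays True until support resets it


class LockoutPolicy:
    """Tracks successive invalid logins per account and enforces one of the two policies.

    high_security=False -> 7-21 (timed lockout); high_security=True -> 7-22 (disable).
    Times are plain epoch seconds so the logic can be exercised without a clock.
    """

    def __init__(self, high_security: bool) -> None:
        self.high_security = high_security
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def status(self, user: str, now: int) -> str:
        """'open', 'locked' or 'disabled'; an expired lockout clears the failure count."""
        st = self._state(user)
        if st.disabled:
            return "disabled"
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None
            st.failures = 0
        return "open"

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Outcome of one login attempt: success, failure, locked or disabled.

        The lockout state is checked before the credential, so a correct
        password presented during a lockout is still rejected.
        """
        st = self._state(user)
        state = self.status(user, now)
        if state != "open":
            return state
        if password_ok:
            st.failures = 0
            return "success"
        st.failures += 1
        if self.high_security and st.failures >= HIGH_THRESHOLD:
            st.disabled = True
            return "disabled"
        if not self.high_security and st.failures >= LOW_MED_THRESHOLD:
            st.locked_until = now + LOW_MED_LOCKOUT_SECONDS
            return "locked"
        return "failure"

    def reset_by_support(self, user: str) -> None:
        """Re-enables a disabled account. Per 7-22 the support group must first
        positively identify the account holder; that step is outside this code."""
        self.accounts[user] = AccountState()


def run_attempts(policy: LockoutPolicy, user: str, results: List[bool], now: int) -> List[str]:
    """Feeds a sequence of attempts (True = correct password) and returns each outcome."""
    return [policy.attempt(user, ok, now) for ok in results]
```

Both variants also let an attacker who knows a username deny that user service by deliberately failing logins, which is why the disable-until-reset form is reserved for high-security settings and always routes through a verified support contact.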
7-23 Periodic change of privileged passwords Policy: All privileged account holders shall be required to change their passwords at least every thirty days.
Explanation/Notes: Depending on operating system limitations, the systems administrator must enforce this policy by configuration of security parameters in system software.
7-24 Periodic change of user passwords Policy: All account holders must change their passwords at least every sixty days.
Explanation/Notes: With operating systems that provide this feature, the systems administrator must enforce this policy by configuration of security parameters in the software.
7-25 New account password set up Policy: New computer accounts must be established with an initial password that is pre-expired, requiring the account holder to select a new password upon initial use.
Explanation/Notes: This requirement ensures that only the account holder will have knowledge of his or her password.
7-26 Boot-up passwords Policy: All computer systems must be configured to require a bootup password.
Explanation/Notes: Computers must be configured so that when the computer is turned on, a password is required before the operating system will boot. This prevents any unauthorized person from turning on and using another person's computer. This policy applies to all computers on company premises.
7-27 Password requirements for privileged accounts Policy: All privileged accounts must have a strong password. The password must:
Not be a word found in a dictionary in any language
Be mixed upper and lower case with at least one letter, one symbol, and one numeral
Be at least 12 characters in length
Not be related to the company or individual in any way.
Explanation/Notes: In most cases computer intruders will target specific accounts that have system privileges. Occasionally the attacker will exploit other vulnerabilities to gain full control over the system.
The first passwords an intruder will try are the simple, commonly used words found in a dictionary. Selecting strong passwords enhances the security by reducing the chance an attacker will find the password by trial and error, dictionary attack, or brute force attack.
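The four requirements of 7-27 as an added Python check (not from the book); the word list and the company and personal terms are constructed samples, and the check goes one step beyond the text by normalising common letter-for-digit substitutions before the dictionary test, so that a dressed-up dictionary word still fails.

```python
import string
from typing import Iterable, List

MIN_LENGTH = 12

# Constructed stand-in for a real dictionary; a deployment would load word lists
# for every language in use, as the policy requires.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "sunshine", "letmein", "secret"}

# Common substitutions undone before the dictionary test (assumption of this example).
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalise(password: str) -> str:
    """Lower-cases and undoes letter-for-digit substitutions ("P@$$w0rd" -> "password")."""
    return "".join(LEET_MAP.get(c, c) for c in password.lower())


def violations(password: str,
               company_terms: Iterable[str],
               personal_terms: Iterable[str],
               dictionary: Iterable[str] = DICTIONARY_WORDS) -> List[str]:
    """Returns the 7-27 rules the password breaks; an empty list means it passes."""
    problems: List[str] = []
    lower = password.lower()
    plain = normalise(password)

    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("not mixed upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    # Substring match on the normalised form: catches "Sunshine123!" and "P@$$w0rd2002!".
    # Keep the word list to words of five or more letters to limit false positives.
    if any(word in plain for word in dictionary):
        problems.append("dictionary word")

    # Anything tied to the company or the person (names, products, etc.) is rejected.
    for term in list(company_terms) + list(personal_terms):
        t = term.lower()
        if t and (t in lower or t in plain):
            problems.append("related to company or individual: " + term)
    return problems


def is_acceptable(password: str, company_terms: Iterable[str], personal_terms: Iterable[str]) -> bool:
    return not violations(password, company_terms, personal_terms)
```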
7-28 Wireless access points Policy: All users who access a wireless network must use VPN (Virtual Private Network) technology to protect the corporate network.
Explanation/Notes: Wireless networks are being attacked by a new technique called war driving. This technique involves simply driving or walking around with a laptop equipped with an 802.11B NIC card until a wireless network is detected.
Many companies have deployed wireless networks without even enabling WEP (wireless equivalency protocol), which is used to secure the wireless connection through use of encryption. But even when activated, the current version of WEP (mid-2002) is ineffective: It has been cracked wide open, and several Web sites are devoted to providing the means for locating open wireless systems and cracking WEP-enabled wireless access points.
Accordingly, it is essential to add a layer of protection around the 802.11B protocol by deploying VPN technology.
7-29 Updating antivirus pattern files Policy: Every computer system must be programmed to automatically update antivirus/anti-Trojan pattern files.
Explanation/Notes: At a minimum, such updates shall occur at least weekly. In businesses where employees leave their computers turned on, it is highly recommended that pattern files be updated on a nightly basis.
Antivirus software is ineffective if it is not updated to detect all new forms of malicious code. Since the threat of virus, worm, and Trojan Horse infections is substantially increased if pattern files are not updated, it is essential that antivirus or malicious code products be kept up to date.
Computer Operations 8-1 Entering commands or running programs Policy: Computer operations personnel must not enter commands or run programs at the request of any person not known to them. If a situation arises where an Unverified Person seems to have reason to make such a request, it should not be complied with without first getting manager approval.
Explanation/Notes: Computer operations employees are popular targets of social engineers, since their positions usually require privileged account access, and the attacker expects that they will be less experienced and less knowledgeable about company procedures than other IT workers. The intention of this policy is to add an appropriate check and balance to prevent social engineers from duping computer operations personnel.
8-2 Workers with privileged accounts Policy: Employees with privileged accounts must not provide assistance or information to any Unverified Person. In particular this refers to not providing computer help (such as training on application use), accessing any company database, downloading software, or revealing names of personnel who have remote access capabilities.
Explanation/Notes: Social engineers often target employees with privileged accounts. The intent of this policy is to direct IT staff with privileged accounts to successfully handle calls that might represent social engineering attacks.
8-3 Internal systems information Policy: Computer Operations staff must never disclose any information related to enterprise computer systems or related devices without positively verifying the identity of the requester.
Explanation/Notes: Computer intruders often contact computer operations employees to obtain valuable information such as system access procedures, external points for remote access, and dial-in telephone numbers that are of substantial value to the attacker.
In companies that have technical support staff or a help desk, requests to the computer operations staff for information about computer systems or related devices should be considered unusual. Any information request should be scrutinized under the corporate data classification policy to determine whether the requester is authorized to have such information. When the class of information cannot be determined, the information should be considered to be Internal.
In some cases, outside vendor technical support will need to communicate with persons who have access to enterprise computer systems. Vendors must have specific contacts in the IT department so that those individuals can recognize each other for verification purposes.
8-4 Disclosure of passwords Policy: Computer operations staff must never reveal their password, or any other passwords entrusted to them, without prior approval of an information technology manager.
Explanation/Notes: In general terms, revealing any password to another is strictly prohibited. This policy recognizes that operations personnel may need to disclose a password to a third party when exigent situations arise. This exception to the general policy prohibiting disclosure of any password requires specific approval of an information technology manager. For extra precaution, this responsibility of disclosing authentication information should be limited to a small group of individuals who have received special training on verification procedures.
8-5 Electronic media Policy: All electronic media that contains information not designated for public release shall be locked in a physically secure location.
Explanation/Notes: The intention of this policy is to prevent physical theft of Sensitive information stored on electronic media.
8-6 Backup media Policy: Operations personnel should store backup media in a company safe or other secure location.
Explanation/Notes: Backup media is another prime target of computer intruders.
An attacker is not going to spend time attempting to compromise a computer system or network when the weakest link in the chain might be physically unprotected backup media. Once backup media is stolen, the attacker can compromise the confidentiality of any data stored on it, unless the data is encrypted. Therefore, physically securing backup media is an essential process to protect the confidentiality
POLICIES FOR ALL EMPLOYEES.
Whether in IT or human resources, the accounting department, or the maintenance staff, there are certain security policies that every employee of your company must know. These policies fall into the categories of General, Computer Use, Email Use, policies for Telecommuters, Phone Use, Fax Use, Voice Mail Use, and Passwords.
General 9-1 Reporting suspicious calls Policy: Employees who suspect that they may be the subject of a security violation, including any suspicious requests to disclose information or to perform action items on a computer, must immediately report the event to the company's incident reporting group.
Explanation/Notes: When a social engineer fails to convince his or her target to comply with a demand, the attacker will always try someone else. By reporting a suspicious call or event, an employee takes the first step in alerting the company that an attack may be under way. Thus, individual employees are the first line of defense against social engineering attacks.
9-2 Documenting suspicious calls Policy: In the event of a suspicious phone call that appears to be a social engineering attack, the employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes of these details for reporting purposes.
Explanation/Notes: When reported to the incident reporting group, such details can help them spot the object or pattern of an attack.
9-3 Disclosure of dial-up numbers Policy: Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk or to technical support personnel.
Explanation/Notes: Dial-up telephone numbers must be treated as Internal information, to be provided only to employees who have a need to know such information to carry out their job responsibilities.
Social engineers routinely target employees or departments that are likely to be less protective of the requested information. For example, the attacker may call the accounts payable department masquerading as a telephone company employee who is trying to resolve a billing problem. The attacker then asks for any known fax or dial-in numbers in order to resolve the problem. The intruder often targets an employee who is unlikely to realize the danger of releasing such information, or who lacks training with respect to company disclosure policy and procedures.
9-4 Corporate ID badges Policy: Except when in their immediate office area, all company personnel, including management and executive staff, must wear their employee badges at all times.
Explanation/Notes: All workers, including corporate executives, should be trained and motivated to understand that wearing an ID badge is mandatory everywhere on company premises other than public areas and the person's own office or workgroup area.
9-5 Challenging ID badge violations Policy: All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor's badge.
Explanation/Notes: While no company wants to create a culture where eagle-eyed employees look for a way to ensnare co-workers for venturing into the hallway without their badges, nonetheless any company concerned with protecting its information needs to take seriously the threat of a social engineer wandering its facilities unchallenged. Motivation for employees who prove diligent in helping enforce the badges-always policy may be acknowledged in familiar ways, such as recognition in the company newspaper or on bulletin boards; a few hours off with pay; or a letter of commendation in their personnel records.
9-6 Piggybacking (pa.s.sing through secure entrances) Policy: Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means, such as a card key, to gain entrance (piggybacking).
Explanation/Notes: Employees must understand that it is not rude to require unknown persons to authenticate themselves before helping them enter a facility or access a secure area.
Social engineers frequently use a technique known as piggybacking, in which they lie in wait for another person who is entering a facility or Sensitive area, and then simply enter with them. Most people feel uncomfortable challenging others, assuming that they are probably legitimate employees. Another piggybacking technique is to carry several boxes so that an unsuspecting worker opens or holds the door to help.
9-7 Shredding Sensitive documents Policy: Sensitive documents to be discarded must be cross-shredded; media including hard drives that have ever contained Sensitive information or materials must be destroyed in accordance with the procedures set forth by the group responsible for information security.
Explanation/Notes: Standard shredders do not adequately destroy documents; cross-shredders turn documents into pulp. The best security practice is to presume that the organization's chief competitors will be rifling through discarded materials looking for any intelligence that could be beneficial to them.
Industrial spies and computer attackers regularly obtain Sensitive information from materials tossed in the trash. In some cases, business competitors have been known to attempt bribery of cleaning crews to turn over company trash. In one recent example, an employee at Goldman Sachs discovered items that were used in an insider-trading scheme from the trash.
9-8 Personal identifiers Policy: Personal identifiers such as employee number, social security number, driver's license number, date and place of birth, and mother's maiden name should never be used as a means of verifying identity. These identifiers are not secret and can be obtained by numerous means.
Explanation/Notes: A social engineer can obtain other people's personal identifiers for a price. And in fact, contrary to popular belief, anyone with a credit card and access to the Internet can obtain these pieces of personal identification.
Yet despite the obvious danger, banks, utility companies, and credit card companies commonly use these identifiers. This is one reason that identity theft is the fastest growing crime of the decade.
9-9 Organization charts Policy: Details shown on the company's organization chart must not be disclosed to anyone other than company employees.
Explanation/Notes: Corporate structure information includes organization charts, hierarchy charts, departmental employee lists, reporting structure, employee names, employee positions, internal contact numbers, employee numbers, or similar information.
In the first phase of a social engineering attack, the goal is to gather information about the internal structure of the company. This information is then used to strategize an attack plan. The attacker can also analyze this information to determine which employees are likely to have access to the data that he seeks.
During the attack, the information makes the attacker appear as a knowledgeable employee, making it more likely he'll dupe his victim into compliance.
9-10 Private information about employees Policy: Any requests for private employee information must be referred to human resources.
Explanation/Notes: An exception to this policy may be the telephone number for an employee who needs to be contacted regarding a work-related issue or who is acting in an on-call role. However, it is always preferable to get the requester's phone number, and have the employee call him or her back.
Computer Use 10-1 Entering commands into a computer Policy: Company personnel should never enter commands into a computer or computer-related equipment at the request of another person unless the requester has been verified as an employee of the information technology department.
Explanation/Notes: One common ploy of social engineers is to request that an employee enter a command that makes a change to the system's configuration, allows the attacker to access the victim's computer without providing authentication, or allows the attacker to retrieve information that can be used to facilitate a technical attack.
10-2 Internal naming conventions Policy: Employees must not disclose the internal names of computer systems or databases without prior verification that the requester is employed by the company.
Explanation/Notes: Social engineers will sometimes attempt to obtain the names of company computer systems; once the names are known, the attacker places a call to the company and masquerades as a legitimate employee having trouble accessing or using one of the systems. By knowing the internal name assigned to the particular system, the social engineer gains credibility.
10-3 Requests to run programs Policy: Company personnel should never run any computer applications or programs at the request of another person unless the requester has been verified as an employee of the information technology department.
Explanation/Notes: Any request to run programs, applications, or perform any activity on a computer must be refused unless the requester is positively identified as an employee in the information technology department. If the request involves revealing Confidential information from any file or electronic message, responding to the request must be in accordance with the procedures for releasing Confidential information. See Information Disclosure Policy.
Computer attackers deceive people into executing programs that enable the intruder to gain control of the system. When an unsuspecting user runs a program planted by an attacker, the result may give the intruder access to the victim's computer system. Other programs record the activities of the computer user and return that information to the attacker. While a social engineer can trick a person into executing computer instructions that may do damage, a technically based attack tricks the computer's operating system into executing computer instructions that may cause the same sort of damage.
10-4 Downloading or installing software Policy: Company personnel must never download or install software at the request of another person, unless the requester has been verified as an employee with the information technology department.
Explanation/Notes: Employees should be on the alert for any unusual request that involves any sort of transaction with computer-related equipment.
A common tactic used by social engineers is to deceive unsuspecting victims into downloading and installing a program that helps the attacker accomplish his or her goal of compromising computer or network security. In some instances, the program may covertly spy on the user or allow the attacker to take control of the computer system through use of a covert remote control application.
10-5 Plain text passwords and email Policy: Passwords shall not be sent through email unless encrypted.
Explanation/Notes: While it's discouraged, this policy may be waived by e-commerce sites in certain limited circumstances, such as: Sending passwords to customers who have registered on the site.
Sending passwords to customers who have lost or forgotten their passwords.
10-6 Security-related software Policy: Company personnel must never remove or disable antivirus/ Trojan Horse, firewall, or other security-related software without prior approval from the information technology department.
Explanation/Notes: Computer users sometimes disable security-related software without provocation, thinking it will increase the speed of their computer.
A social engineer may attempt to deceive an employee into disabling or removing software that is needed to protect the company against security-related threats.
10-7 Installation of modems Policy: No modems may be connected to any computer until prior approval has been obtained from the IT department.
Explanation/Notes: It is important to recognize that modems on desktops or workstations in the workplace pose a substantial security threat, especially if connected to the corporate network. Accordingly, this policy controls modem connection procedures.
Hackers use a technique called war dialing to identify any active modem lines within a range of telephone numbers. The same technique may be used to locate telephone numbers connected to modems within the enterprise. An attacker can easily compromise the corporate network if he or she identifies a computer system connected to a modem running vulnerable remote access software, which is configured with an easily guessed password or no password at all.
10-8 Modems and auto-answer settings Policy: All desktops or workstations with IT-approved modems shall have the modem auto-answer feature disabled to prevent anyone from dialing into the computer system.
Explanation/Notes: Whenever feasible, the information technology department should deploy a dial-out modem pool for those employees who need to dial out to external computer systems via modem.
10-9 Cracking tools Policy: Employees will not download or use any software tools designed to defeat software protection mechanisms.
Explanation/Notes: The Internet has dozens of sites devoted to software designed to crack shareware and commercial software products. The use of these tools not only violates a software owner's copyright, but also is extremely dangerous.
Because these programs originate from unknown sources, they may contain hidden malicious code that may cause damage to the user's computer or plant a Trojan Horse that gives the author of the program access to the user's computer.
10-10 Posting company information on line Policy: Employees shall not disclose any details regarding company hardware or software in any public newsgroup, forum, or bulletin board, and shall not disclose contact information other than in accordance with policy.
Explanation/Notes: Any message posted to the Usenet, on-line forums, bulletin boards, or mailing lists can be searched to gather intelligence on a target company or a target individual. During the research phase of a social engineering attack, the attacker may search the Internet for any posts that contain useful information about the company, its products or its people.
Some posts contain very useful tidbits of information that the attacker can use to further an attack. For example, a network administrator may post a question about configuring firewall filters on a particular brand and model of firewall. An attacker who discovers this message will learn valuable information about the type and configuration of the company's firewall that enables him to circumvent it to gain access to the enterprise network.
This problem can be reduced or avoided by implementing a policy that allows employees to post to newsgroups from anonymous accounts that do not identify the company from which they originated. Naturally, the policy must require employees not to include any contact information that may identify the company.
10-11 Floppy disks and other electronic media Policy: If media used to store computer information, such as floppy disks or CD-ROMS have been left in a work area or on an employee's desk, and that media is from an unknown source, it must not be inserted into any computer system.
Explanation/Notes: One method used by attackers to install malicious code is to place programs onto a floppy or CD-ROM and label it with something very enticing (for example, "Personnel Payroll Data-- Confidential"). They then drop several copies in areas used by employees. If a single copy is inserted into a computer and the files on it opened, the attacker's malicious code is executed.
This may create a backdoor, which is used to compromise the system, or may cause other damage to the network.
10-12 Discarding removable media Policy: Before discarding any electronic media that ever contained Sensitive company information, even if that information has been deleted, the item shall be thoroughly degaussed or damaged beyond recovery.
Explanation/Notes: While shredding hard-copy documents is commonplace these days, company workers may overlook the threat of discarding electronic media that contained Sensitive data at any time. Computer attackers attempt to recover any data stored on discarded electronic media. Workers may presume that by just deleting files, they ensure that those files cannot be recovered. This presumption is absolutely incorrect and can cause confidential business information to fall into the wrong hands. Accordingly, all electronic media that contains or previously contained information not designated as Public must be wiped clean or destroyed using the procedures approved by the responsible group.
10-13 Password-protected screen savers Policy: All computer users must set a screen saver password and the inactivity time-out limit to lock the computer after a certain period of inactivity.