The Art of Deception: Controlling the Human Element of Security (33 page)

4-16 Display of company Confidential information Policy: Company information not designated for public release shall not be displayed in any publicly accessible areas.

Explanation/Notes: In addition to Confidential product or procedure information, internal contact information such as internal telephone or employee lists, or building rosters that contain a list of management personnel for each department within the company must also be kept out of view.

4-17 Security awareness training Policy: All persons employed by the company must complete a security awareness training course during employee orientation. Furthermore, each employee must take a security awareness refresher course at periodic intervals, not to exceed twelve months, as required by the department assigned with security-training responsibility.

Explanation/Notes: Many organizations disregard end-user awareness training altogether. According to the 2001 Global Information Security Survey, only 30 percent of the surveyed organizations spend money on awareness training for their user-community. Awareness training is an essential requirement to mitigate successful security breaches utilizing social engineering techniques.

4-18 Security training course for computer access Policy: Personnel must attend and successfully complete a security information course before being given access to any corporate computer systems.

Explanation/Notes: Social engineers frequently target new employees, knowing that as a group they are generally the people least likely to be aware of the company's security policies and the proper procedures to determine classification and handling of sensitive information. Training should include an opportunity for employees to ask questions about security policies. After training, the account holder should be required to sign a document acknowledging their understanding of the security policies, and their agreement to abide by the policies.

4-19 Employee badge must be color-coded Policy: Identification badges must be color-coded to indicate whether the badge holder is an employee, contractor, temporary, vendor, consultant, visitor, or intern. Explanation/Notes: The color of the badge is an excellent way to determine

the status of a person from a distance. An alternative would be to use large lettering to indicate the badge holder's status, but using a color-coded scheme is unmistakable and easier to see.

A common social engineering tactic to gain access to a physical building is to dress up as a delivery person or repair technician. Once inside the facility, the attacker will masquerade as another employee or lie about his status to obtain cooperation from unsuspecting employees. The purpose of this policy is to prevent people from entering the building legitimately and then entering areas they should not have access to. For example, a person entering the facility as a telephone repair technician would not be able to masquerade as an employee: The color of the badge would give him away.

INFORMATION TECHNOLOGY POLICIES The information technology department of any company has a special need for policies that help it protect the organizations information assets. To reflect the typical structure of IT operations in an organization, I have divided the IT policies into General, Help Desk, Computer Administration, and Computer Operations.

General 5-1 IT department employee contact information Policy: Phone numbers and email addresses of individual IT department employees should not be disclosed to any person without a need to know.

Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by social engineers. By only disclosing a general contact number or email address for IT, outsiders will be blocked from contacting IT department personnel directly. The email address for site administrative and technical contacts should only consist of generic names such as [email protected]; published telephone numbers should connect to a departmental voice mailbox, not to individual workers. When direct contact information is available, it becomes easy for a computer intruder to reach specific IT employees and trick them into providing information that can be used in an attack, or to impersonate IT employees by using their names and contact information.

5-2 Technical support requests Policy: All technical support requests must be referred to the group that handles such requests.

Explanation/Notes: Social engineers may attempt to target IT personnel who do not ordinarily handle technical support issues, and who may not be aware of the proper security procedures when handling such requests. Accordingly, IT staff must be trained to deny these requests and refer the caller to the group that has the responsibility of providing support.

Help Desk 6-1 Remote access procedures Policy: Help desk personnel must not divulge details or instructions regarding remote access, including external network access points or dialup numbers, unless the requester has been:

Verified as authorized to receive Internal information; and,

Verified as authorized to connect to the corporate network as an external user. Unless known on a person-to-person basis, the requester must be positively identified in accordance with the Verification and Authorization Procedures outlined at the beginning of this chapter.

Explanation/Notes: The corporate help desk is often a primary target for the social engineer, both because the nature of their work is to assist users with computer-related issues, and because they usually have elevated system privileges. All help desk personnel must be trained to act as a human firewall to prevent unauthorized disclosure of information that will assist any unauthorized persons from gaining access to company resources. The simple rule is to never disclose remote access procedures to anyone until positive verification of identity has been made.

6-2 Resetting passwords Policy: The password to a user account may be reset only at the request of the account holder.

Explanation/Notes: The most common ploy used by social engineers is to have another person's account password reset or changed. The attacker poses as the employee using the pretext that their password was lost or forgotten. In an effort to reduce the success of this type of attack, an IT employee receiving a request for a password reset must call the employee back prior to taking any action; the call back must not be made to a phone number provided by the requester, but to a number obtained from the employee telephone directory. See Verification and Authorization Procedures for more about this procedure.

6-3 Changing access privileges Policy: All requests to increase a user's privileges or access rights must be approved in writing by the account holder's manager. When the change is made a confirmation must be sent to the requesting manager via intracompany mail. Furthermore, such requests must be verified as authentic in accordance with the Verification and Authorization Procedures.

Explanation/Notes: Once a computer intruder has compromised a standard user account, the next step is to elevate his or her privileges so that the attacker has complete control over the compromised system. An attacker who has knowledge of the authorization process can spoof an authorized request when email, fax, or telephone are used to transmit it. For example, the attacker may phone technical support or the help desk and attempt to persuade a technician to grant additional access rights to the compromised account.

6-4 New account authorization Policy: A request to create a new account for an employee, contractor, or other authorized person must be made either in writing and signed by the employee's manager, or sent by digitally signed electronic mail. These requests must also be verified by sending a confirmation of the request through intracompany mail.

Explanation/Notes: Because passwords and other information useful in breaking into computer systems are the highest priority targets of information thieves for gaining access, special precautions are necessary. The intention of this policy is to prevent computer intruders from impersonating authorized personnel or forging requests for new accounts. Therefore, all such requests must be positively verified using the Verification and Authorization Procedures.

6-5 Delivery of new passwords Policy: New passwords must be handled as company Confidential information, delivered by secure methods including in person; by a signature-required delivery service such as registered mail; or by UPS or FedEx. See policies concerning distribution of Confidential information. Explanation/Notes: Intracompany mail may also be used, but it is recommended that passwords be sent in secure envelopes that obscure the content. A suggested method is to establish a computer point person in each department who has the responsibility of handling distribution of new account details and vouching for the identity of personnel who lose or forget their passwords. In these circumstances, support personnel would always be working with a smaller group of employees that would be personally recognized.

6-6 Disabling an account Policy: Prior to disabling a user's account you must require positive verification that the request was made by authorized personnel.

Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable an account, and then calling to troubleshoot the user's inability to access the computer system. When the social engineer calls posing as a technician with pre-existing knowledge of the user's inability to log in, the victim often complies with a request to reveal his or her password during the troubleshooting process.

6-7 Disabling network ports or devices Policy: No employee should disable any network device or port for any unverified technical support personnel.

Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable a network port, and then calling the worker to troubleshoot his or her inability to access the network.

When the social engineer, posing as a helpful technician, calls with pre-existing knowledge of the user's network problem, the victim often complies with a request to reveal his or her password during the troubleshooting process.

6-8 Disclosure of procedures for wireless access Policy: No personnel should disclose procedures for accessing company systems over wireless networks to any parties not authorized to connect to the wireless network.

Explanation/Notes: Always obtain prior verification of a requester as a person authorized to connect to the corporate network as an external user before releasing wireless access information. See Verification and Authorization Procedures. 6-9 User trouble tickets

Policy: The names of any employees who have reported computer-related problems should not be revealed outside the information technology department.

Explanation/Notes: In a typical attack, a social engineer will call the help desk and request the names of any personnel who have reported recent computer problems. The caller may pretend to be an employee, vendor, or an employee of the telephone company. Once he obtains the names of persons reporting trouble, the social engineer, posing as a help desk or technical support person, contacts the employee and says he/she is calling to troubleshoot the problem. During the call, the attacker deceives the victim into providing the desired information or into performing an action that facilitates the attacker's objective.

6-10 Initiating execute commands or running programs Policy: Personnel employed in the IT department who have privileged accounts should not execute any commands or run any application programs at the request of any person not personally known to them.

Explanation/Notes: A common method attackers use to install a Trojan Horse program or other malicious software is to change the name of an existing program, and then call the help desk complaining that an error message is displayed whenever an attempt is made to run the program. The attacker persuades the help desk technician to run the program himself. When the technician complies, the malicious software inherits the privileges of the user executing the program and performs a task, which gives the attacker the same computer privileges as the help desk employee. This may allow the attacker to take control of the company system. This policy establishes a countermeasure to this tactic by requiring that support personnel verify employment status prior to running any program at the request of a caller.

Computer Administration 7-1 Changing global access rights Policy: A request to change the global access rights associated with an electronic job profile must be approved by the group assigned the responsibility of managing access rights on the corporate network.

Explanation/Notes: Authorized personnel will analyze each such request to determine whether the change might entail a threat to information security. If so, the responsible employee will address the pertinent issues with the requester and jointly arrive at a decision about the changes to be made. 7-2 Remote access requests Policy: Remote computer access will only be provided to personnel who have a demonstrated need to access corporate computer systems from off-site locations. The request must be made by an employee's manager and verified as described in the Verification and Authorization Procedures section.

Explanation/Notes: Recognizing the need for off-site access into the corporate network by authorized personnel, limiting such access only to people with a need may dramatically reduce risk and management of remote access users. The smaller the number of people with external dialup privileges, the smaller the pool of potential targets for an attacker. Never forget that the attacker also may target remote users with the intent of hijacking their connection into the corporate network, or by masquerading as them during a pretext call.

7-3 Resetting privileged account passwords Policy: A request to reset a password to a privileged account must be approved by the system manager or administrator responsible for the computer on which the account exists. The new password must be sent through intracompany mail or delivered in person.

Explanation/Notes." Privileged accounts have access to all system resources and files stored on the computer system. Naturally, these accounts deserve the greatest protection possible.