The Art of Deception: Controlling the Human Element of Security (34 page)

7-4 Outside support personnel remote access Policy: No outside support person (such as software or hardware vendor personnel) may be given any remote access information or be allowed to access any company computer system or related devices without positive verification of identity and authorization to perform such services. If the vendor requires privileged access to provide support services, the password to the account used by the vendor shall be changed immediately after the vendor services have been completed.

Explanation/Notes: Computer attackers may pose as vendors to gain access to corporate computer or telecommunication networks. Therefore, it is essential that the identity of the vendor be verified in addition to their authorization to perform any work on the system. Moreover, the doors into the system must be slammed shut once their job is done by changing the account password used by the vendor.

No vendor should be allowed to pick his or her own password for any account, even temporarily. Some vendors have been known to use the same or similar passwords across multiple customer systems. For example, one network security company set up privileged accounts on all their customers' systems with the same password, and, to add insult to injury, with outside Telnet access enabled.

7-5 Strong authentication for remote access to corporate systems Policy: All connection points into the corporate network from remote locations must be protected through the use of strong authentication devices, such as dynamic passwords or biometrics.

Explanation/Notes: Many businesses rely on static passwords as the sole means of authentication for remote users. This practice is dangerous because it is insecure: computer intruders target any remote access point that might be the weak link in the victim's network. Remember that you never know when someone else knows your password.

Accordingly, any remote access points must be protected with strong authentication such as time-based tokens, smart cards, or biometric devices, so that intercepted passwords are of no value to an attacker.

When authentication based on dynamic passwords is impractical, computer users must religiously adhere to the policy for choosing hard-to- guess passwords.

7-6 Operating system configuration Policy: Systems administrators shall ensure that, wherever possible, operating systems are configured so that they are consistent with all pertinent security policies and procedures.

Explanation/Notes: Drafting and distributing security policies is a fundamental step toward reducing risk, but in most cases, compliance is necessarily left up to the individual employee. There are, however, any number of computer-related policies that can be made mandatory through operating-system settings, such as the required length of passwords. Automating security policies by configuration of operating system parameters effectively takes the decision out of the human element's hands, increasing the overall security of the organization.

7-7 Mandatory expiration Policy: All computer accounts must be set to expire after one year.

Explanation/Notes: The intention of this policy is to eliminate the existence of computer accounts that are no longer being used, since computer intruders commonly target dormant accounts. The process insures that to any computer accounts belonging to former employees or contractors that have been inadvertently left in place are automatically disabled. At management discretion, you may require that employees must take a security refresher training course at renewal time, or must review information security policies and sign an acknowledgment of their agreement to adhere to them.

7-8 Generic email addresses Policy: The information technology department shall set up a generic email address for each department within the organization that ordinarily communicates with the. public.

Explanation/Notes: The generic email address can be released to the public by the telephone receptionist or published on the company Web site. Otherwise, each employee shall only disclose his or her personal email address to people who have genuine need to know.

During the first phase of a social engineering attack, the attacker often tries to obtain telephone numbers, names, and titles of employees. In most cases, this information is publicly available on the company Web site or just for the asking. Creation of generic voice mailboxes and/or email addresses makes it difficult to associate employee names with particular departments or responsibilities.

7-9 Contact information for domain registrations Policy: When registering for acquisition of Internet address space or host names, the contact information for administrative, technical, or other personnel should not identify any individual personnel by name. Instead, you should list a generic email address and the main corporate telephone number.

Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by a computer intruder. When the names and phone numbers of individuals are provided, an intruder can use this information to contact the individuals and attempt to deceive them into revealing system information, or to perform an action item that facilitates an attacker's objective. Or the social engineer can impersonate a listed person in an effort to deceive other company personnel. Instead of an email address to a particular employee, contact information

must be in the form of [email protected]. Telecommunications department personnel can establish a generic voice mailbox for administrative or technical contacts so as to limit information disclosure that would be useful in a social engineering attack.

7-10 Installation of security and operating system updates Policy: All security patches for operating system and application software shall be installed as soon as they become available. If this policy conflicts with the operation of mission-critical productions systems, such updates should be performed as soon as practicable.

Explanation/Notes: Once a vulnerability has been identified, the software manufacturer should be contacted immediately to determine whether a patch or a temporary fix ha been made available to close the vulnerability. An un-patched computer system represents one of the greatest security threats to the enterprise. When system administrators procrastinate about applying the necessary fixes, the window of exposure is open wide so that any attacker can climb through.

Dozens of security vulnerabilities are identified and published weekly on the Internet. Until information technology staff are vigilant in their efforts to apply all security patches and fixes as soon as practical, despite these systems being behind the company firewall, the corporate network will always be at risk of suffering a security incident. It is extremely important to keep apprised of published security vulnerabilities identified in the operating system or any application programs used during the course of business.

7-11 Contact information on Web sites Policy: The company's external Web site shall not reveal any details of corporate structure or identify any employees by name.

Explanation/Notes: Corporate structure information such as organization charts, hierarchy charts, employee or departmental lists, reporting structure, names, positions, internal contact numbers, employee numbers, or similar information that is used for internal processes should not be made available on publicly accessible Web sites.

Computer intruders often obtain very useful information on a target's Web site. The attacker uses this information to appear as a knowledgeable 206 employee when using a pretext or ruse. The social engineer is more likely to establish credibility by having this information at his or her disposal. Moreover, the attacker can analyze this information to find out the likely targets who have access to valuable, sensitive, or critical information.

7-12 Creation of privileged accounts Policy." No privileged account should be created or system privileges granted to any account unless authorized by the system administrator or system manager.

Explanation/Notes." Computer intruders frequently pose as hardware or software vendors in an attempt to dupe information technology personnel into creating unauthorized accounts. The intention of this policy is to block these attacks by establishing greater control over the creation of privileged accounts. The system manager or administrator of the computer system must approve any request to create an account with elevated privileges.

7-13 Guest accounts Policy: Guest accounts on any computer systems or related networked devices shall be disabled or removed, except for an FTP (file transfer protocol) server approved by management with anonymous access enabled.

Explanation/Notes: The intention of the guest account is to provide temporary access for persons who do not need to have their own account. Several operating systems are installed by default with a guest account enabled. Guest accounts should always be disabled because their existence violates the principle of user accountability. IT should be able to audit any computer-related activity and relate it to a specific user.

Social engineers are easily able to take advantage of these guest accounts for gaining unauthorized access, either directly or by duping authorized personnel into using a guest account.

7-14 Encryption of off-site backup data Policy: Any company data that is stored off site should be encrypted to prevent unauthorized access.

Explanation/Notes: Operations staff must insure that all data is recoverable in the event that any information needs to be restored. This requires regular test decryption of a random sampling of encrypted files to make sure the data can be recovered. Furthermore, keys used to encrypt data shall be escrowed with a trusted manager in the event the encryption keys are lost or unavailable.

7-15 Visitor access to network connections Policy: All publicly accessible Ethernet access points must be on a segmented network to prevent unauthorized access to the internal network.

Explanation/Notes: The intention of this policy is to prevent any outsiders from connecting to the internal network when on company premises. Ethernet jacks installed in conference rooms, the cafeteria, training centers, or other areas accessible to visitors shall be filtered to prevent unauthorized access by visitors to the corporate computer systems.

The network or security administrator may choose to set up a virtual LAN in a switch, if available, to control access from these locations. 7-16 Dial-in modems Policy: Modems used for dial-in calls shall be set to answer no earlier than the fourth ring.

Explanation/Notes: As depicted in the movie War Games, hackers use a technique known as war dialing to locate telephone lines that have modems connected to them. The process begins with the attacker identifying the telephone prefixes used in the area where the target company is located. A scanning program is then used to try every telephone number in those prefixes, to locate those that answer with a modem. To speed up the process, these programs are configured to wait for one or two rings for a modem response before going on to try the next number. When a company sets the auto answer on modem lines to at least four rings, scanning programs will fail to recognize the line as a modem line.

7-17 Antivirus software Policy: Every computer system shall have current versions of antivirus software installed and activated.

Explanation/Notes: For those businesses that do not automatically push down antivirus software and pattern files (programs that recognize patterns common to virus software to recognize new viruses) to user desktops or workstations, individual users must take the responsibility for installing and maintaining the software on their own systems, including any computer systems used for accessing the corporate network remotely.

If feasible, this software must be set for automatic update of virus and Trojan signatures nightly. When pattern or signature flies are not pushed down to user desktops, computer users shall have the responsibility to update pattern files at least on a weekly basis.

These provisions apply to all desktop machines and laptops used to access company computer systems, and apply whether the computer is company property or personally owned.

7-18 Incoming email attachments (high security requirements) Policy: In an organization with high security requirements, the corporate firewall shall be configured to filter out all email attachments.

Explanation/Notes: This policy applies only to businesses with high security requirements, or to those that have no business need to receive attachments through electronic mail. 7-19 Authentication of software Policy: All new software or software fixes or upgrades, whether on physical media or obtained over the Internet, must be verified as authentic prior to installation. This policy is especially relevant to the information technology department when installing any software that requires system privileges.

Explanation/Notes: Computer software referred to in this policy includes operating system components, application software, hot fixes, patches, or any software updates. Many software manufacturers have implemented methods whereby customers can check the integrity of any distribution, usually by a digital signature. In any case where the integrity cannot be verified, the manufacturer must be consulted to verify that the software is authentic.

Computer attackers have been known to send software to a victim, packaged to appear as if the software manufacturer had produced it and shipped it to the company. It is essential that you verify any software you receive as authentic, especially if unsolicited, before installing it on company systems. Note that a sophisticated attacker might find out that your organization has ordered software from a manufacturer. With that information in hand, the attacker can cancel the order with the real manufacturer, and order the software himself. The software is then modified to perform some malicious function, and is shipped or delivered to your company, in the original packaging, with shrink-wrapping if necessary. Once the product is installed, the attacker is in control.

7-20 Default passwords Policy: All operating system software and hardware devices that initially have a password set to a default value must have their passwords reset in accordance with the company password policy.