The Art of Deception: Controlling the Human Element of Security (35 page)

Explanation/Notes: Several operating systems and computer-related devices are shipped with default passwords--that is, with the same password enabled on every unit sold. Failure to change default passwords is a grave mistake that places the company at risk. Default passwords are widely known and are available on Internet Web sites. In an attack, the first password an intruder tries is the manufacturer s default password.

7-21 Invalid access attempts lockout (low to medium security) Policy: Especially in an organization with low to medium security requirements, whenever a specified number of successive invalid login attempts to a particular account have been made, the account should be locked out for a period of time.

Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is necessary to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.

The system administrator must configure the security settings to lock out an account whenever the desired threshold of successive invalid attempts has been reached. It is recommended that an account be locked out for at least thirty minutes after seven successive login attempts.

7-22 Invalid access attempts account disabled (high security) Policy: In an organization with high security requirements, whenever a specified number of successive invalid login attempts to a particular account has been made, the account should be disabled until reset by the group responsible for providing account support.

Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is a necessary control to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.

The system administrator must configure the security settings to disable the account after five invalid login attempts. Following such an attack, the account holder will need to call technical support or the group responsible for account support to enable the account. Prior to resetting the account, the department responsible must positively identify the account holder, following the Verification and Authorization Procedures.

7-23 Periodic change of privileged Policy: All privileged account holders shall be required to change their passwords at least every thirty days.

Explanation/Notes: Depending on operating system limitations, the systems administrator must enforce this policy by configuration of security parameters in system software.

7-24 Periodic change of user passwords Policy: All account holders must change their passwords at least every sixty days.

Explanation/Notes: With operating systems that provide this feature, the systems administrator must enforce this policy by configuration of security parameters in the software. 7-25 New account password set up Policy: New computer accounts must be established with an initial password that is pre-expired, requiring the account holder to select a new password upon initial use.

Explanation/Notes: This requirement ensures that only the account holder will have knowledge of his or her password.

7-26 Boot-up passwords Policy: All computer systems must be configured to require a bootup password.

Explanation/Notes: Computers must be configured so that when the computer is turned on, a password is required before the operating system will boot. This prevents any unauthorized person from turning on and using another person's computer. This policy applies to all computers on company premises.

7-27 Password requirements for privileged accounts Policy: M1 privileged accounts must have a strong password: The password must: Not be a word found in a dictionary in any language Be mixed upper and lower case with at least one letter, one symbol, and one numeral Be at least 12 characters in length Not be related to the company or individual in any way.

Explanation/Notes: In most cases computer intruders will target specific accounts that have system privileges. Occasionally the attacker will exploit other vulnerabilities to gain full control over the system.

The first passwords an intruder will try are the simple, commonly used words found in a dictionary. Selecting strong passwords enhances the security by reducing the chance an attacker will find the password by trial and error, dictionary attack, or brute force attack.

7-28 Wireless access points Policy: All users who access a wireless network must use VPN (Virtual Private Network) technology to protect the corporate network.

Explanation/Notes: Wireless networks are being attacked by a new technique called war driving. This technique involves simply driving or walking around with a laptop equipped with an 802.11B NIC card until a wireless network is detected. Many companies have deployed wireless networks without even enabling WEP (wireless equivalency protocol), which is used to secure the wireless connection through use of encryption. But even when activated, the current version of WEP (mid-2002) is ineffective: It has been cracked wide open, and several Web sites are devoted to providing the means for locating open wireless systems and cracking WEP-enabled wireless access points.

Accordingly, it is essential to add a layer of protection around the 802.11B protocol by deploying VPN technology.

7-29 Updating antivirus pattern files Policy: Every computer system must be programmed to automatically update antivirus/anti-Trojan pattern files.

Explanation/Notes: At a minimum, such updates shall occur at least weekly. In businesses where employees leave their computers turned on, it 302 is highly recommended that pattern files be updated on a nightly basis.

Antivirus software is ineffective if it is not updated to detect all new forms of malicious code. Since the threat of virus, worm, and Trojan Horse infections is substantially increased if pattern files are not updated, it is essential that antivirus or malicious code products be kept up to date.

Computer Operations 8-1 Entering commands or running programs Policy.: Computer operations personnel must not enter commands or run programs at the request of any person not known to them. If a situation arises where an Unverified Person seems to have reason to make such a request, it should not be complied with without first getting manager approval.

Explanation/Notes.: Computer operations employees are popular targets of social engineers, since their positions usually require privileged account access, and the attacker expects that they will be less experienced and less knowledgeable about company procedures than other IT workers. The intention of this policy is to add an appropriate check and balance to prevent social engineers from duping computer operations personnel.

8-2 Workers with privileged accounts Policy: Employees with privileged accounts must not provide assistance or information to any Unverified Person. In particular this refers to not providing computer help (such as training on application use), accessing any company database, downloading software, or revealing names of personnel who have remote access capabilities, Explanation/Notes: Social engineers often target employees with privileged accounts. The intent of this policy is to direct IT staff with privileged accounts to successfully handle calls that might represent social engineering attacks.

8-3 Internal systems information Policy: Computer Operations staff must never disclose any information related to enterprise computer systems or related devices without positively verifying the identity of the requester.

Explanation/Notes: Computer intruders often contact computer operations employees to obtain valuable information such as system access procedures, external points for remote access, and dial-in telephone numbers that are of substantial value to the attacker.

In companies that have technical support staff or a help desk, requests to the computer operations staff for information about computer systems or related devices should be considered unusual. Any information request should be scrutinized under the corporate data classification policy to determine whether the requester is authorized to have such information. When the class of information cannot be determined, the information should be considered to be Internal.

In some cases, outside vendor technical support will need to communicate with persons who have access to enterprise computer systems. Vendors must have specific contacts in the IT department so that those individuals can recognize each other for verification purposes.

8-4 Disclosure of passwords Policy: Computer operations staff must never reveal their password, or any other passwords entrusted to them, without prior approval of an information technology manager.

Explanation/Notes: In general terms, revealing any password to another is strictly prohibited. This policy recognizes that operations personnel may need to disclose a password to a third party when exigent situations arise. This exception to the general policy prohibiting disclosure of any password requires specific approval of an information technology manager. For extra precaution, this responsibility of disclosing authentication information should be limited to a small group of individuals who have received special training on verification procedures.

8-5 Electronic media Policy: All electronic media that contains information not designated for public release shall be locked in a physically secure location. Explanation/Notes: The intention of this policy is to prevent physical theft of Sensitive information stored on electronic media. 8-6 Backup media Policy: Operations personnel should store backup media in a company safe or other secure location.

Explanation/Notes: Backup media is another prime target of computer intruders. An attacker is not going to spend time attempting to compromise a computer system or network when the weakest link in the chain might be physically unprotected backup media. Once backup media is stolen, the attacker can compromise the confidentiality of any data stored on it, unless the data is encrypted. Therefore, physically securing backup media is an essential process to protect the confidentiality of corporate information.

POLICIES FOR ALL EMPLOYEES Whether in IT or human resources, the accounting department, or the maintenance staff, there are certain security policies that every employee of your company must know. These policies fall into the categories of General, Computer Use, Email Use, policies for Telecommuters, Phone Use, Fax Use, Voice Mail Use, and Passwords.

General 9-1 Reporting suspicious calls Policy: Employees who suspect that they may be the subject of a security violation, including any suspicious requests to disclose information or to perform action items on a computer, must immediately report the event to the company's incident reporting group.

Explanation/Notes.: When a social engineer fails to convince his or her target to comply with a demand, the attacker will always try someone else. By reporting a suspicious call or event, an employee takes the first step in alerting the company that an attack may be under way. Thus, individual employees are the first line of defense against social engineering attacks.

9-2 Documenting suspicious calls

Policy: In the event of a suspicious phone call that appears to be a social engineering attack, the employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes of these details for reporting purposes. Explanation/Notes: When reported to the incident reporting group, such details can help them spot the object or pattern of an attack.

9-3 Disclosure of dial-up numbers Policy: Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk or to technical support personnel.

Explanation/Notes: Dial-up telephone numbers must be treated as Internal information, to be provided only to employees who have a need to know such information to carry out their job responsibilities. Social engineers routinely target employees or departments that are likely to be less protective of the requested information. For example, the attacker may call the accounts payable department masquerading as a telephone company employee who is trying to resolve a billing problem. The attacker then asks for any known fax or dial-in numbers in order to resolve the problem. The intruder often targets an employee who is unlikely to realize the danger of releasing such information, or who lacks training with respect to company disclosure policy and procedures.

9-4 Corporate ID badges Policy: Except when in their immediate office area, all company personnel, including management and executive staff, must wear their employee badges at all times.

Explanation/Notes: All workers, including corporate executives, should be trained and motivated to understand that wearing an ID badge is mandatory everywhere on company premises other than public areas and the person's own office or workgroup area.

9-5 Challenging ID badge violations Policy: All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor's badge.

Explanation/Notes: While no company wants to create a culture where eagle- eyed employees look for a way to ensnare co-workers for venturing into the hallway without their badges, nonetheless any company concerned with protecting its information needs to take seriously the threat of a social engineer wandering its facilities unchallenged. Motivation for employees who prove diligent in helping enforce the badges-always policy may be acknowledged in familiar ways, such as recognition in the company newspaper or on bulletin boards; a few hours off with pay; or a letter of commendation in their personnel records. 9-6 Piggybacking (passing through secure entrances) Policy: Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means, such as a card key, to gain entrance (piggybacking).

Explanation/Notes." Employees must understand that it is not rude to require unknown persons to authenticate themselves before helping them enter a facility or access a secure area. Social engineers frequently use a technique known as piggybacking, in which they lie in wait for another person who is entering a facility or Sensitive area, and then simply enter with them. Most people feel uncomfortable challenging others, assuming that they are probably legitimate employees. Another piggybacking technique is to carry several boxes so that an unsuspecting worker opens or holds the door to help.