The Art of Deception: Controlling the Human Element of Security (38 page)

POLICIES FOR TELECOMMUTERS Telecommuters are outside the corporate firewall, and therefore more vulnerable to attack. These policies will help you prevent social engineers from using your telecommuter employees as a gateway to your data.

16-1 Thin clients Policy: All company personnel who have been authorized to connect via remote access shall use a thin client to connect to the corporate network.

Explanation/Notes: When an attacker analyzes an attack strategy, he or she will try to identify users who access the corporate network from external locations. As such, telecommuters are prime targets. Their computers are less likely to have stringent security controls, and may be a weak link that may compromise the corporate network.

Any computer that connects to a trusted network can be booby-trapped with keystroke loggers, or their authenticated connection can be hijacked. A thin client strategy can be used to avoid problems. A thin client is similar to a diskless workstation or a dumb terminal; the remote computer does not have storage capabilities but instead the operating system, application programs, and data all reside on the corporate network. Accessing the network via a thin client substantially reduces the risk posed by un-patched systems, outdated operating systems, and malicious code. Accordingly, managing the security of telecommuters is effective and made easier by centralizing security controls. Rather than relying on the inexperienced telecommuter to properly manage security-related issues, these responsibilities are better left with trained system, network, or security administrators. 16-2 Security software for telecommuter computer systems Policy: Any external computer system that is used to connect to the corporate network must have antivirus software, anti-Trojan software, and a personal firewall (hardware or software). Antivirus and anti-Trojan pattern files must be updated at least weekly. Explanation/Notes: Ordinarily, telecommuters are not skilled on security- related issues, and may inadvertently" or negligently leave their computer system and the corporate network open to attack. Telecommuters therefore pose a serious security risk if they are not properly trained. In addition to installing antivirus and anti-Trojan Horse software to protect against malicious code, a firewall is necessary to block any hostile users from obtaining access to any services enabled on the telecommuter's system.

The risk of not deploying the minimal security technologies to prevent malicious code from propagating cannot be underestimated, as an attack on Microsoft proves. A computer system belonging to a Microsoft telecommuter, used to connect to Microsoft's corporate network, became infected with a Trojan Horse program. The intruder or intruders were able to use the telecommuter's trusted connection to Microsoft's development network to steal developmental source code.

POLICIES FOR HUMAN RESOURCES Human resources departments have a special charge to protect employees from those attempting to discover personal information through their workplace. HR professionals also have a responsibility to protect their company from the actions of unhappy ex-employees.

17-1 Departing employees Policy: Whenever a person employed by the company leaves or is terminated, Human Resources must immediately do the following:

Remove the person's listing from the on-line employee/telephone directory and disable or forward their voice mail;

Notify personnel at building entrances or company lobbies; and

Add the employee's name to the employee departure list, which shall be emailed to all personnel no less often than once a week.

Explanation/Notes: Employees who are stationed at building entrances must be notified to prevent a former employee from re-entering the premises. Further, notifying other personnel may prevent the former employee from successfully masquerading as an active employee and duping personnel into taking some action damaging to the company.

In some circumstances, it may be necessary to require every user within the former employee's department to change his or her passwords. (When I was terminated from GTE solely because of my reputation as a hacker, the company required all employees throughout the company to change their password.)

17-2 IT department notification Policy: Whenever a person employed by the company leaves or is terminated, Human Resources should immediately notify the information technology department to disable the former employee's computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.

Explanation/Notes: It's essential to disable any former worker's access to all computer systems, network devices, databases, or any other computer- related devices immediately upon termination. Otherwise, the company may leave the door wide open for a disgruntled employee to access company computer systems and cause significant damage.

17-3 Confidential information used in hiring process Policy: Advertisements and other forms of public solicitation of candidates to fill job openings should, to the extent possible, avoid identifying computer hardware and software used by the company.

Explanation/Notes: Managers and human resources personnel should only disclose information related to enterprise computer hardware and software that is reasonably necessary to obtain resumes from qualified candidates.

Computer intruders read newspapers and company press releases, and visit Internet sites, to find job listings. Often, companies disclose too much information about the types of hardware and software used to attract prospective employees. Once the intruder has knowledge of the target's information systems, he is armed for the next phase of attack. For example, by knowing that a particular company uses the VMS operating system, the attacker may place pretext calls to determine the release version, and then send a phony emergency security patch made to appear as if it came from the software developer. Once the patch is installed, the attacker is in.

17-4 Employee personal information

Policy: The human resources department must never release personal information about any current or former employee, contractor, consultant, temporary worker, or intern, except with prior express written consent of the employee or human resources manager. Explanation/Notes: Head-hunters, private investigators, and identity thieves target private employee information such as employee numbers, social security numbers, birth dates, salary history, financial data including direct deposit information, and health-related benefit information. The social engineer may obtain this information so as to masquerade as the individual. In addition, disclosing the names of new hires may be extremely valuable to information thieves. New hires are likely to comply with any request by persons with seniority or in a position of authority, or anyone claiming to be from corporate security.

17-5 Background checks Policy: A background check should be required for all new hires, contractors, consultants, temporary workers, or interns prior to an offer of employment or establishing of a contractual relationship.

Explanation/Notes: Because of cost considerations, the requirement for background checks may be limited to specific positions of trust. Note, however, that any person who is given physical access to corporate offices may be a potential threat. For example, cleaning crews have access to personnel offices, which gives them access to any computer systems located there. An attacker with physical access to a computer can install a hardware keystroke logger in less than a minute to capture passwords.

Computer intruders will sometimes go to the effort of obtaining a job as a means of gaining access to a target company's computer systems and networks. An attacker can easily obtain the name of a company's cleaning contractor by calling the responsible employee at the target company, claiming to be from a janitorial company looking for their business, and then obtaining the name of the company that is currently providing such services.

POLICIES FOR PHYSICAL SECURITY Though social engineers try to avoid showing up in person at a workplace they want to target, there are times when they will violate your space. These policies will help you to keep your physical premises secure from threat.

18-1 Identification for non employees Policy: Delivery people and other non employees who need to enter company premises on a regular basis must have a special badge or other form of identification in accordance with policy established by corporate security.

Explanation/Notes: Non employees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or install telephones) should be issued a special form of company identification badge provided for this purpose. Others who need to enter only occasionally or on a one-time basis must be treated as visitors and should be escorted at all times.

18-2 Visitor identification Policy: All visitors must present a valid driver's license or other picture identification to be admitted to the premises.

Explanation/Notes: The security staff or receptionist should make a photocopy of the identification document prior to issuing a visitor's badge. The copy should be kept with the visitor's log. Alternatively, the identification information can be recorded in the visitor's log by the receptionist or guard; visitors should not be permitted to write down their own ID information. Social engineers seeking to gain entrance to a building will always write false information in the log. Even though it's not difficult to obtain false ID and to learn the name of an employee he or she can claim to be visiting, requiring that the responsible employee must log the entry adds one level of security to the process.

18-3 Escorting visitors Policy: Visitors must be escorted or in the company of an employee at all times.

Explanation/Notes.: One popular ruse of social engineers is to arrange to visit a company employee (for example, visiting with a product engineer on the pretext of being the employee of a strategic partner). After being escorted to the initial meeting, the social engineer assures his host that he can find his own way back to the lobby. By this means he gains the freedom to roam the building and possibly gain access to Sensitive information.

18-4 Temporary badges Policy: Company employees from-another location who do not have their employee badges with them must present a valid driver's license or other picture ID and be issued a temporary visitor's badge.

Explanation/Notes: Attackers often pose as employees from a different office or branch of a company to gain entrance to a company.

18-5 Emergency evacuation Policy: In any emergency situation or drill, security personnel must ensure that everybody has evacuated the premises. Explanation/Notes: Security personnel must check for any stragglers that may be left behind in restrooms or office areas. As authorized by the fire department or other authority in charge of the scene, the security force needs to be on the alert for anyone departing the building long after the evacuation.

Industrial spies or sophisticated computer intruders may cause a diversion to gain access to a building or secure area. One diversion used is to release a harmless chemical known as butyl mercaptan into the air. The effect is to create the impression that there is a natural gas leak. Once personnel start evacuation procedures, the bold attacker uses this diversion to either steal information or to gain access to enterprise computer systems. Another tactic used by information thieves involves remaining behind, sometimes in a restroom or closet, at the time of a scheduled evacuation drill, or after setting off a smoke flare or other device to cause an emergency evacuation.

18-6 Visitors in mail room Policy: No visitors should be permitted in the mail room without the supervision of a company worker.

Explanation/Notes: The intention of this policy is to prevent an outsider from exchanging, sending, or stealing intracompany mail.

18-7 Vehicle license plate numbers Policy: If the company has a guarded parking area, security staff shall log vehicle license plate numbers for any vehicle entering the area. 18-8 Trash Dumpsters Policy: Trash Dumpsters must remain on company premises at all times and should be inaccessible to the public.

Explanation/Notes: Computer attackers and industrial spies can obtain valuable information from company trash bins. The courts have held that trash is considered legally abandoned property, so the act of Dumpster diving is perfectly legal, as long as the trash receptacles are on public property. For this reason, it is important that trash receptacles be situated on

company property, where the company has a legal right to protect the containers and their contents.

POLICIES FOR RECEPTIONISTS Receptionists are often on the front lines when it comes to dealing with social engineers, yet they are rarely given enough security training to recognize and stop an invader. Institute these policies to help your receptionist better protect your company and its data. 19-1 Internal directory Policy: Disclosure of information in the internal company directory should be limited to persons employed by the company.

Explanation/Notes: All employee titles, names, telephone numbers, and addresses contained within the company directory should be considered Internal information, and should only be disclosed in accordance with the policy related to data classification and Internal information.

Additionally, any calling party must have the name or extension of the party they are trying to contact. Although the receptionist can put a call through to an individual when a caller does not know the extension, telling the caller the extension number should be prohibited. (For those curious folks who follow by example, you can experience this procedure by calling any U.S. government agency and asking the operator to provide an extension.)

19-2 Telephone numbers for specific departments/groups Policy: Employees shall not provide direct telephone numbers for the company help desk, telecommunications department, computer operations, or system administrator personnel without verifying that the requester has a legitimate need to contact these groups. The receptionist, when transferring a call to these groups, must announce the caller's name. Explanation/Notes: Although some organizations may find this policy overly restrictive, this rule makes it more difficult for a social engineer to masquerade as an employee by deceiving other employees into transferring the call from their extension (which in some phone systems causes the call to appear to originate from within the company), or demonstrating knowledge of these extensions to the victim in order to create a sense of authenticity.