What damage would be caused to the enterprise if these potential threats were to materialize?
The primary goal of risk assessment is to prioritize which information assets are in need of immediate safeguards, and whether instituting safeguards will be cost-effective based on a cost-benefit analysis. Simply put, what assets are going to be protected first, and how much money should be spent to protect these assets?
It's essential that senior management buy into and strongly support the necessity of developing security policies and an information security program. As with any other corporate program, if a security program is to succeed, management must do more than merely provide an endorsement; it must demonstrate a commitment by personal example. Employees need to be aware that management strongly subscribes to the belief that information security is vital to the company's operation, that protection of company business information is essential for the company to remain in business, and that every employee's job may depend on the success of the program.
The person assigned to draft information security policies needs to understand that the policies should be written in a style free of technical jargon and readily understood by the non-technical employee. It's also important that the document make clear why each policy is important; otherwise employees may disregard some policies as a waste of time. The policy writer should create a document that presents the policies, and a separate document for procedures, because policies will probably change much less frequently than the specific procedures used to implement them.
In addition, the policy writer should be aware of ways in which security technologies can be used to enforce good information security practices. For example, most operating systems make it possible to require that user passwords conform to certain specifications such as length. In some companies, a policy prohibiting users from downloading programs can be controlled via local or global policy settings within the operating system. The policies should require use of security technology whenever cost-effective to remove human-based decision-making.
Employees must be advised of the consequences for failing to comply with security policies and procedures. A set of appropriate consequences for violating the policies should be developed and widely publicized. Also, a reward program should be created for employees who demonstrate good security practices or who recognize and report a security incident. Whenever an employee is rewarded for foiling a security breach, it should be widely publicized throughout the company, for example in an article in the company newsletter.
One goal of a security awareness program is to communicate the importance of security policies and the harm that can result from failure to follow such rules.
Given human nature, employees will, at times, ignore or circumvent policies that appear unjustified or too time-consuming. It is a management responsibility to ensure that employees understand the importance of the policies and are motivated to comply, rather than treating them as obstacles to be circumvented.
It's important to note that information security policies cannot be written in stone.
As business needs change, as new security technologies come to market, and as security vulnerabilities evolve, the policies need to be modified or supplemented.
A process for regular review and updating should be put into place. Make the corporate security policies and procedures available via the corporate intranet or maintain such policies in a publicly available folder. This increases the likelihood that such policies and procedures will be reviewed more frequently, and provides a convenient method for employees to quickly find the answer to any information-security related question.
Finally, periodic penetration tests and vulnerability assessments using social engineering methods and tactics should be conducted to expose any weakness in training or lack of adherence to company policies and procedures. Prior to using any deceptive penetration-testing tactics, employees should be put on notice that such testing may occur from time to time.
How to Use These Policies
The detailed policies presented in this chapter represent only a subset of the information security policies I believe are necessary to mitigate all security risks.
Accordingly, the policies included here should not be considered as a comprehensive list of information security policies. Rather, they are the basis for building a comprehensive body of security policies appropriate to the specific needs of your company.
Policy writers for an organization will have to choose the policies that are appropriate based on their company's unique environment and business goals.
Each organization, having different security requirements based on business needs, legal requirements, organizational culture, and the information systems used by the company, will take what it needs from the policies presented, and omit the rest.
There are also choices to be made about how stringent policies will be in each category. A smaller company located in a single facility where most employees know one another does not need to be much concerned about an attacker calling on the phone and pretending to be an employee (although of course an imposter may masquerade as a vendor). Also, despite the increased risks, a company framed around a casual, relaxed corporate culture may wish to adopt only a limited subset of recommended policies to meet its security objectives.
DATA CLASSIFICATION.
A data classification policy is fundamental to protecting an organization's information assets, and sets up categories for governing the release of sensitive information. This policy provides a framework for protecting corporate information by making all employees aware of the level of sensitivity of each piece of information.
Operating without a data classification policy--the status quo in almost all companies today--leaves most of these decisions in the hands of individual workers. Naturally, employee decisions are largely based on subjective factors, rather than on the sensitivity, criticality, and value of information. Information is also released because employees are ignorant of the possibility that in responding to a request for the information, they may be putting it into the hands of an attacker.
The data classification policy sets forth guidelines for classifying valuable information into one of several levels. With each item assigned a classification, employees can follow a set of data-handling procedures that protect the company from inadvertent or careless release of sensitive information. These procedures mitigate the possibility that employees will be duped into revealing sensitive information to unauthorized persons.
Every employee must be trained on the corporate data classification policy, including those who do not typically use computers or corporate communications systems. Because every member of the corporate workforce--including the cleaning crew, building guards, and copy-room staff, as well as consultants, contractors, and even interns--may have access to sensitive information, anyone could be the target of an attack.
Management must assign an Information Owner to be responsible for any information that is currently in use at the company. Among other things, the Information Owner is responsible for the protection of the information assets.
Ordinarily, the Owner decides what level of classification to assign based on the need to protect the information, periodically reassesses the classification level assigned, and decides if any changes are needed. The Information Owner may also delegate the responsibility of protecting the data to a Custodian or Designee.
Classification Categories and Definitions
Information should be separated into varying levels of classification based on its sensitivity. Once a particular classification system is set up, it's an expensive and time-consuming process to reclassify information into new categories. In our example policy I chose four classification levels, which is appropriate for most medium-to-large businesses. Depending on the number and types of sensitive information, businesses may choose to add more categories to further control specific types of information. In smaller businesses, a three-level classification scheme may be sufficient. Remember--the more complex the classification scheme, the more expense to the organization in training employees and enforcing the system.
Confidential. This category of information is the most sensitive. Confidential information is intended for use only within the organization. In most cases, it should only be shared with a very limited number of people with an absolute need to know. The nature of Confidential information is such that any unauthorized disclosure could seriously impact the company, its shareholders, its business partners, and/or its customers. Items of Confidential information generally fall into one of these categories:
Information concerning trade secrets, proprietary source code, technical or functional specifications, or product information that could be of advantage to a competitor.
Marketing and financial information not available to the public.
Any other information that is vital to the operation of the company such as future business strategies.
Private. This category covers information of a personal nature that is intended for use only within the organization. Any unauthorized disclosure of Private information could seriously impact employees, or the company if obtained by any unauthorized persons (especially social engineers). Items of Private information would include employee medical history, health benefits, bank account information, salary history, or any other personal identifying information that is not of public record.
NOTE.
The Internal category of information is often termed Sensitive by security personnel. I have chosen to use Internal because the term itself explains the intended audience. I have used the term Sensitive not as a security classification but as a convenient method of referring to Confidential, Private, and Internal information; put another way, Sensitive refers to any company information that is not specifically designated as Public.
Internal. This category of information can be freely provided to any persons employed by the organization. Ordinarily, unauthorized disclosure of Internal information is not expected to cause serious harm to the company, its shareholders, its business partners, its customers, or its employees. However, persons adept in social engineering skills can use this information to masquerade as an authorized employee, contractor, or vendor to deceive unsuspecting personnel into providing more sensitive information that would result in unauthorized access to corporate computer systems.
A confidentiality agreement must be signed before Internal information may be disclosed to third parties, such as employees of vendor firms, contractor labor, partner firms, and so on. Internal information generally includes anything used in the course of daily business activity that should not be released to outsiders, such as corporate organizational charts, network dial-up numbers, internal system names, remote access procedures, cost center codes, and so on.
Public. Information that is specifically designated for release to the public. This type of information can be freely distributed to anyone, such as press releases, customer-support contact information, or product brochures. Note that any information not specifically designated as Public should be treated as Sensitive information.
Classified Data Terminology
Based on its classification, data should be distributed to certain categories of people. A number of policies in this chapter refer to information being given to an Unverified Person. For the purposes of these policies, an Unverified Person is someone whom the employee does not personally know to be an active employee or to be an employee with the proper rank to have access to information, or who has not been vouched for by a trusted third party.
For the purposes of these policies, a Trusted Person is a person you have met face-to-face who is known to you as a company employee, customer, or consultant to the company with the proper rank to have access to information. A Trusted Person might also be an employee of a company having an established relationship with your company (for example, a customer, vendor, or strategic business partner that has signed a nondisclosure agreement).
In third party vouching, a Trusted Person provides verification of a person's employment or status, and the person's authority to request information or an action. Note that in some instances, these policies require you to verify that the Trusted Person is still employed by the company before responding to a request for information or action by someone for whom they have vouched.
A privileged account is a computer or other account requiring access permission beyond the basic user account, such as a systems administrator account.
Employees with privileged accounts typically have the ability to modify user privileges or perform system functions.
A general departmental mailbox is a voice mailbox answered with a generic message for the department. Such a mailbox is used in order to protect names and phone extensions of employees who work in a particular department.
VERIFICATION AND AUTHORIZATION PROCEDURES.
Information thieves commonly use deceptive tactics to access or obtain confidential business information by masquerading as legitimate employees, contractors, vendors, or business partners. To maintain effective information security, an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.
The recommended procedures given in this chapter are designed to help an employee who receives a request via any communication method such as telephone, email, or fax to determine whether the request and the person making it are legitimate.
Requests from a Trusted Person
A request for information or action from a Trusted Person may require:
Verification that the company actively employs or has a relationship with the person where such a relationship is a condition of access to this category of information. This is to prevent terminated employees, vendors, contractors, and others who no longer are associated with the company from masquerading as active personnel.
Verification that the person has a need to know, and is authorized to have access to the information or to request the action.
Requests from an Unverified Person
When a request is made by an Unverified Person, a reasonable verification process must be deployed to positively identify the person making the request as authorized to receive the requested information, especially when the request in any way involves computers or computer-related equipment. This process is the fundamental control to prevent successful social engineering attacks: if these verification procedures are followed, they will dramatically reduce successful social engineering attacks.
It is important that you not make the process so cumbersome that it is cost-prohibitive, or that employees ignore it.
As detailed below, the verification process involves three steps:
Verifying that the person is who he or she claims to be.
Determining that the requester is currently employed or shares a need-to-know relationship with the company.
Determining that the person is authorized to receive the specific information or to call for the requested action.
Step One: Verification of Identity
The recommended steps for verification are listed below in order of effectiveness--the higher the number, the more effective the method. Also included with each item is a statement about the weakness of that particular method, and the way in which a social engineer can defeat or circumvent the method to deceive an employee.
1. Caller ID (assuming this feature is included in the company telephone system). From the caller ID display, ascertain whether the call is from inside or outside the company, and that the name or telephone number displayed matches the identity provided by the caller.
Weakness: External caller ID information can be falsified by anyone with access to a PBX or telephone switch connected to digital phone service.
2. Callback. Look up the requester in the company directory, and call back to the listed extension to verify that the requester is an employee.
Weakness: An attacker with sufficient knowledge can call-forward a company extension so that, when the employee places the verification call to the listed phone number, the call is transferred to the attacker's outside phone number.
3. Vouching. A Trusted Person who vouches for the requester's identity verifies the requester.
Weakness: Attackers using a pretext are frequently able to convince another employee of their identity, and get that employee to vouch for them.
4. Shared Secret. Use an enterprise-wide shared secret, such as a password or daily code.
Weakness: If many people know the shared secret, it may be easy for an attacker to learn it.
5. Employee's Supervisor/Manager. Telephone the employee's immediate supervisor and request verification.
Weakness: If the requester has provided the telephone number for reaching his or her manager, the person the employee reaches when calling the number may not be the real manager but may, in fact, be an accomplice of the attacker.
6. Secure Email. Request a digitally signed message.
Weakness: If an attacker has already compromised an employee's computer and installed a keystroke logger to obtain the employee's passphrase, he can send digitally signed email that appears to be from the employee.
7. Personal Voice Recognition. The person receiving the request has dealt with the requester (preferably face-to-face), knows for certain that the person actually is a Trusted Person, and is familiar enough with the person to recognize his or her voice on the telephone.
Weakness: This is a fairly secure method, not easily circumvented by an attacker, but is of no use if the person receiving the request has never met or spoken with the requester.
8. Dynamic Password Solution. The requester authenticates himself or herself through the use of a dynamic password solution such as a Secure ID.
Weakness: To defeat this method, an attacker would have to obtain one of the dynamic password devices, as well as the accompanying PIN of the employee to whom the device rightfully belongs, or would have to deceive an employee into reading the information on the display of the device and providing the PIN.
9. In Person with ID. The requester appears in person and presents an employee badge or other suitable identification, preferably a picture ID.
Weakness: Attackers are often able to steal an employee badge, or create a phony badge that appears authentic; however, attackers generally shun this approach because appearing in person puts the attacker at significant risk of being identified and apprehended.
Step Two: Verification of Employment Status
The greatest information security threat is not from the professional social engineer, nor from the skilled computer intruder, but from someone much closer: the just-fired employee seeking revenge or hoping to set himself up in business using information stolen from the company. (Note that a version of this procedure can also be used to verify that someone still enjoys another kind of business relationship with your company, such as a vendor, consultant, or contract worker.) Before providing Sensitive information to another person or accepting instructions for actions involving the computer or computer-related equipment, verify that the requester is still a current employee by using one of these methods:
Employee Directory Check. If the company maintains an online employee directory that accurately reflects active employees, verify that the requester is still listed.
Requester's Manager Verification. Call the requester's manager using a phone number listed in the company directory, not a number provided by the requester.
Requester's Department or Workgroup Verification. Call the requester's department or workgroup and determine from anyone in that department or workgroup that the requester is still employed by the company.
Step Three: Verification of Need to Know
Beyond verifying that the requester is a current employee or has a relationship with your company, there still remains the issue of whether the requester is authorized to have access to the information being requested, or is authorized to request that specific actions affecting computers or computer-related equipment be taken.
This determination may be made by using one of these methods:
Consult job title/workgroup/responsibilities lists. A company can provide ready access to authorization information by publishing lists of which employees are entitled to what information. These lists may be organized in terms of employee job title, employee departments and workgroups, employee responsibilities, or by some combination of these. Such lists would need to be maintained online to be kept current and provide quick access to authorization information. Ordinarily, Information Owners would be responsible for overseeing the creation and maintenance of the lists for access to information under the Owner's control.
NOTE.
It is important to note that maintaining such lists is an invitation to the social engineer. Consider: If an attacker targeting a company becomes aware that the company maintains such lists, there is a strong motivation to obtain one. Once in hand, such a list opens many doors to the attacker and puts the company at serious risk.
Obtain Authority from a Manager. An employee contacts his or her own manager, or the manager of the requester, for authority to comply with the request.
Obtain Authority from the Information Owner or a Designee. The Information Owner is the ultimate judge of whether a particular person should be granted access. The process for computer-based access control is for the employee to contact his or her immediate manager to approve a request for access to information based on existing job profiles. If such a profile does not exist, it is the manager's responsibility to contact the relevant data Owner for permission. This chain of command should be followed so that Information Owners are not barraged with requests when there is a frequent need to know.
Obtain Authority by Means of a Proprietary Software Package. For a large company in a highly competitive industry, it may be practical to develop a proprietary software package that provides need-to-know authorization. Such a database stores employee names and access privileges to classified information.
Users would not be able to look up each individual's access rights, but instead would enter the requester's name, and the identifier associated with the information being sought. The software then provides a response indicating whether or not the employee is authorized to access such information. This alternative avoids the danger of creating a list of personnel with respective access rights to valuable, critical, or sensitive information that could be stolen.
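The following Python is an added example to illustrate the yes/no need-to-know check described above; it is not code from the book or from any real product. It combines Step Two (employment status) and Step Three (need to know) behind one query that answers only whether a single named requester may have a single identified item of information, and nothing in the module returns the access list whole. The employee directory, the job-profile access list, the information identifiers, the function names, and the query limit are all constructed for the example. The query limit goes one step beyond the text: an oracle that answers yes/no can still be probed repeatedly to reconstruct the list it hides, so the example counts queries per asking employee and refers excess volume to the Information Owner.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample directory (Step Two, employment status). Terminated
# staff stay on record so that a lookup can say "not active" rather than
# "unknown" when a just-fired employee calls in.
EMPLOYEE_DIRECTORY = {
    "jane.doe": {"active": True, "department": "finance", "title": "analyst"},
    "sam.lee": {"active": False, "department": "finance", "title": "analyst"},
    "ann.park": {"active": True, "department": "helpdesk", "title": "technician"},
}

# Constructed access profiles maintained by the Information Owner (Step
# Three): information identifier -> job profiles (department, title) that
# are entitled to it. Module-private on purpose; no function returns it.
_ACCESS_PROFILES = {
    "FIN-Q3-FORECAST": {("finance", "analyst"), ("finance", "manager")},
    "NET-DIALUP-LIST": {("helpdesk", "technician"), ("it", "administrator")},
}

# Hypothetical threshold: an employee who runs more checks than this in one
# review period is flagged, because a run of yes/no probes can be used to
# rebuild the list the oracle is meant to keep out of sight.
QUERY_LIMIT = 20


@dataclass(frozen=True)
class Decision:
    authorized: bool
    reason: str


AUDIT_LOG: list = []            # (asked_by, requester, info_id, authorized)
_QUERY_COUNT: Counter = Counter()


def check_need_to_know(asked_by: str, requester: str, info_id: str) -> Decision:
    """Answer yes/no for one (requester, information) pair.

    asked_by is the employee who received the request and is running the
    check; requester is the person asking for the information.
    """
    _QUERY_COUNT[asked_by] += 1
    if _QUERY_COUNT[asked_by] > QUERY_LIMIT:
        d = Decision(False, "query limit exceeded; refer to Information Owner")
    else:
        entry = EMPLOYEE_DIRECTORY.get(requester)
        if entry is None or not entry["active"]:
            # Step Two fails: unknown name or no longer employed.
            d = Decision(False, "requester is not a current employee")
        elif (entry["department"], entry["title"]) in _ACCESS_PROFILES.get(info_id, ()):
            d = Decision(True, "job profile is entitled to this information")
        else:
            # Unknown identifiers get the same answer as known-but-unauthorized
            # ones, so the oracle does not confirm which identifiers exist.
            d = Decision(False, "not authorized")
    AUDIT_LOG.append((asked_by, requester, info_id, d.authorized))
    return d


def flagged_askers() -> list:
    """Employees whose query volume exceeded the limit, for security review."""
    return sorted(a for a, n in _QUERY_COUNT.items() if n > QUERY_LIMIT)


if __name__ == "__main__":
    for req, info in [("jane.doe", "FIN-Q3-FORECAST"),
                      ("sam.lee", "FIN-Q3-FORECAST"),
                      ("ann.park", "FIN-Q3-FORECAST"),
                      ("jane.doe", "NO-SUCH-ID")]:
        print(req, info, check_need_to_know("bob.ops", req, info))
```

The employee running the check supplies only the requester's name and the information identifier, exactly as the text describes; the denial reason distinguishes "not a current employee" from "not authorized" because Step Two is itself a check the employee is expected to make, but it does not reveal whether an identifier is real.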
MANAGEMENT POLICIES.
The following policies pertain to management-level employees. These are divided into the areas of Data Classification, Information Disclosure, Phone Administration, and Miscellaneous Policies. Note that each category of policies uses a unique numbering structure for easy identification of individual policies.
Data Classification Policies
Data Classification refers to how your company classifies the sensitivity of information and who should have access to that information.
1-1 Assign data classification
Policy: All valuable, sensitive, or critical business information must be assigned to a classification category by the designated Information Owner or delegate.
Explanation/Notes: The designated Owner or delegate will assign the appropriate data classification to any information routinely used to accomplish business goals. The Owner also controls who can access such information and what use can be made of it. The Owner of the information may reassign the classification and may designate a time period for automatic declassification.
Any item not otherwise marked should be cla.s.sified as Sensitive.
1-2 Publish classified handling procedures
Policy: The company must establish procedures governing the release of information in each category.
Explanation/Notes: Once classifications are established, procedures for release of information to employees and to outsiders must be set up, as detailed in the Verification and Authorization Procedures outlined earlier in this chapter.
1-3 Label all items
Policy: Clearly mark both printed materials and media storage containing Confidential, Private, or Internal information to show the appropriate data classification.
Explanation/Notes: Hard copy documents must have a cover sheet, with a classification label prominently displayed, and a classification label on every page that is visible when the document is open.
All electronic files that cannot easily be labeled with appropriate data classifications (database or raw data files) must be protected via access controls to ensure that such information is not improperly disclosed, and that it cannot be changed, destroyed, or made inaccessible.
All computer media such as floppy disks, tapes, and CD-ROMs must be labeled with the highest classification of any information contained therein.
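As an added example (not from the book), the following Python encodes the four classification levels defined earlier in the chapter together with the handling rules from policies 1-1 and 1-3: an unmarked item is treated as Sensitive rather than Public, and media is labeled with the highest classification of anything it holds. The recipient categories follow the Classified Data Terminology section. Two points are assumptions made for the example rather than statements of the text: which recipient categories may receive Private and Confidential information, and the choice to handle an unmarked item as Confidential until the Information Owner labels it.

```python
from enum import Enum, IntEnum
from typing import Iterable, Optional


class Classification(IntEnum):
    """The four levels from the policy, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


class Recipient(Enum):
    """Who is asking, in the terms of the Classified Data Terminology section."""
    EMPLOYEE = "employee"                        # Trusted Person employed by the company
    THIRD_PARTY_WITH_NDA = "third_party_nda"     # vendor, contractor or partner under a signed agreement
    THIRD_PARTY = "third_party"                  # outsider with no agreement
    UNVERIFIED = "unverified"                    # Unverified Person: identity not yet checked


# Assumption for this example: an unmarked item is handled at the most
# restrictive level until the Information Owner assigns a classification.
# Policy 1-1 only requires that it be treated as Sensitive (not Public).
UNMARKED_DEFAULT = Classification.CONFIDENTIAL


def effective_classification(label: Optional[Classification]) -> Classification:
    """Resolve a possibly missing label to the level the item is handled at."""
    return UNMARKED_DEFAULT if label is None else label


def is_sensitive(label: Optional[Classification]) -> bool:
    """Sensitive, in the chapter's usage, is anything not designated Public."""
    return effective_classification(label) is not Classification.PUBLIC


def media_label(contents: Iterable[Optional[Classification]]) -> Classification:
    """Policy 1-3: media carries the highest classification of anything on it.

    Empty media is Public; any unmarked file pulls the label up to the default.
    """
    return max((effective_classification(c) for c in contents),
               default=Classification.PUBLIC)


def may_release(label: Optional[Classification], recipient: Recipient,
                need_to_know: bool = False) -> bool:
    """Decide whether an item may be given to a recipient.

    Public: anyone. Unverified: nothing non-Public until verification is done.
    Internal: employees, or third parties under a signed confidentiality
    agreement. Private and Confidential (assumption): employees with an
    established need to know only.
    """
    level = effective_classification(label)
    if level is Classification.PUBLIC:
        return True
    if recipient is Recipient.UNVERIFIED:
        return False
    if level is Classification.INTERNAL:
        return recipient in (Recipient.EMPLOYEE, Recipient.THIRD_PARTY_WITH_NDA)
    return recipient is Recipient.EMPLOYEE and need_to_know


if __name__ == "__main__":
    # Constructed sample: a backup tape holding a press release, an org chart,
    # and one file nobody labeled.
    tape = [Classification.PUBLIC, Classification.INTERNAL, None]
    print("tape label:", media_label(tape).name)
    print("org chart to vendor with NDA:",
          may_release(Classification.INTERNAL, Recipient.THIRD_PARTY_WITH_NDA))
    print("unlabeled file to unverified caller:",
          may_release(None, Recipient.UNVERIFIED))
```

Because the default for an unlabeled item is the most restrictive level, a single unmarked file on a tape raises the whole tape's label, which is the practical consequence of policy 1-3 that labeling procedures need to anticipate.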
Information Disclosure
Information disclosure involves the release of information to various parties based on their identity and need to know.
2-1 Employee verification procedure
Policy: The company should establish comprehensive procedures to be used by employees for verifying the identity, employment status, and authorization of an individual before releasing Confidential or Sensitive information or performing any task that involves use of any computer hardware or software.