Explanation/Notes: All employees are responsible for setting a screen saver password, and for setting the inactivity timeout to no more than ten minutes. The intention of this policy is to prevent any unauthorized person from using another person's computer. Additionally, this policy protects company computer systems from being easily accessed by outsiders who have gained access to the building.
10-14 Disclosure or sharing of passwords statement Policy: Prior to creation of a new computer account, the employee or contractor must sign a written statement acknowledging that he or she understands that passwords must never be disclosed or shared with anyone, and that he or she agrees to abide by this policy.
Explanation/Notes: The agreement should also include a notice that violation of such agreement may lead to disciplinary action up to and including termination.
Email Use
11-1 Email attachments Policy: Email attachments must not be opened unless the attachment was expected in the course of business or was sent by a Trusted Person.
Explanation/Notes: All email attachments must be scrutinized closely. You may require that prior notice be given by a Trusted Person that an email attachment is being sent before the recipient opens any attachment. This will reduce the risk of attackers using social engineering tactics to deceive people into opening attachments.
One method of compromising a computer system is to trick an employee into running a malicious program that creates a vulnerability, providing the attacker with access to the system. By sending an email attachment that has executable code or macros, the attacker may be able to gain control of the user's computer.
A social engineer may send a malicious email attachment, then call and attempt to persuade the recipient to open the attachment.
11-2 Automatic forwarding to external addresses Policy: Automatic forwarding of incoming email to an external email address is prohibited.
Explanation/Notes: The intention of this policy is to prevent an outsider from receiving email sent to an internal email address.
Employees occasionally set up email forwarding of their incoming mail to an email address outside the company when they will be away from the office. Or an attacker may be able to deceive an employee into setting up an internal email address that forwards to an address outside the company. The attacker can then pose as a legitimate insider by having an internal company email address and get people to email Sensitive information to the internal email address.
11-3 Forwarding emails Policy: Any request from an Unverified Person to relay an electronic mail message to another Unverified Person requires verification of the requester's identity.
11-4 Verifying email Policy: An email message that appears to be from a Trusted Person that contains a request to provide information not designated as Public, or to perform an action with any computer-related equipment, requires an additional form of authentication. See Verification and Authorization Procedures.
Explanation/Notes: An attacker can easily forge an email message and its header, making it appear as if the message originated from another email address. An attacker can also send an email message from a compromised computer system, providing phony authorization to disclose information or perform an action. Examining the header of an email message will not expose a message sent from a compromised internal computer, because such a message genuinely originated inside the company network; only an out-of-band check, such as a telephone call to the apparent sender, can establish that the request is real.
Phone Use
12-1 Participating in telephone surveys Policy: Employees may not participate in surveys by answering any questions from any outside organization or person. Such requests must be referred to the public relations department or other designated person.
Explanation/Notes: A method used by social engineers to obtain valuable information that may be used against the enterprise is to call an employee and claim to be doing a survey. It's surprising how many people are happy to provide information about the company and themselves to strangers when they believe they're taking part in legitimate research. Among the innocuous questions, the caller will insert a few questions that the attacker wants answered. Eventually, such information may be used to compromise the corporate network.
12-2 Disclosure of internal telephone numbers Policy: If an Unverified Person asks an employee for his phone number the employee may make a reasonable determination of whether disclosure is necessary to conduct company business.
Explanation/Notes: The intention of this policy is to require employees to make a considered decision on whether disclosure of their telephone extension is necessary. When dealing with people who have not demonstrated a genuine need to know the extension, the safest course is to require them to call the main company phone number and be transferred.
12-3 Passwords in voice mail messages Policy: Leaving messages containing password information on anyone's voice mailbox is prohibited.
Explanation/Notes: A social engineer can often gain access to an employee's voice mailbox because it is inadequately protected with an easy-to-guess access code. In one type of attack, a sophisticated computer intruder is able to create his own phony voice mailbox and persuade another employee to leave a message relaying password information. This policy defeats such a ruse.
Fax Use
13-1 Relaying faxes Policy: No fax may be received and forwarded to another party without verification of the requester's identity.
Explanation/Notes: Information thieves may trick trusted employees into faxing sensitive information to a fax machine located on the company's premises. Before giving the fax number to the victim, the imposter telephones an unsuspecting employee, such as a secretary or administrative assistant, and asks if a document can be faxed to them for later pickup. After the unsuspecting employee receives the fax, the attacker telephones the employee and requests that the fax be sent on to another location, perhaps claiming that it is needed for an urgent meeting. Since the person asked to relay the fax usually has no understanding of the value of the information, he or she complies with the request.
13-2 Verification of faxed authorizations Policy: Prior to carrying out any instructions received by facsimile, the sender must be verified as an employee or other Trusted Person. Placing a telephone call to the sender, at a number obtained independently of the fax, is usually sufficient.
Explanation/Notes: Employees must exercise caution when unusual requests are sent by fax, such as a request to enter commands into a computer or disclose information. The data in the header of a faxed document can be falsified by changing the settings of the sending fax machine. Therefore the header on a fax must not be accepted as a means of establishing identity or authorization.
13-3 Sending sensitive information by fax Policy: Before sending Sensitive information by fax to a machine that is located in an area accessible to other personnel, the sender shall transmit a cover page.
The recipient, on receiving the page, transmits a page in response, demonstrating that he or she is physically present at the fax machine. The sender then transmits the fax.
Explanation/Notes: This handshake process assures the sender that the recipient is physically present at the receiving end. Moreover, this process verifies that the receiving fax telephone number has not been forwarded to another location.
13-4 Faxing passwords prohibited Policy: Passwords must not be sent via facsimile under any circumstances.
Explanation/Notes: Sending authentication information by facsimile is not secure.
Most fax machines are accessible to a number of employees. Furthermore, they rely on the public switched telephone network, which can be manipulated by call-forwarding the phone number of the receiving fax machine so that the fax is actually delivered to the attacker at another number.
Voice Mail Use
14-1 Voice mail passwords Policy: Voice mail passwords must never be disclosed to anyone for any purpose.
In addition, voice mail pa.s.swords must be changed every ninety days or sooner.
Explanation/Notes: Confidential company information may be left in voice mail messages. To protect this information, employees should change their voice mail passwords frequently, and never disclose them. In addition, voice mail users should not use the same or similar voice mail passwords within a twelve-month period.
14-2 Passwords on multiple systems Policy: Voice mail users must not use the same password on any other phone or computer system, whether internal or external to the company.
Explanation/Notes: Use of a similar or identical password for multiple devices, such as voice mail and computer, makes it easier for social engineers to guess all the passwords of a user after identifying only one.
14-3 Setting voice mail passwords Policy: Voice mail users and administrators must create voice mail passwords that are difficult to guess. They must not be related in any way to the person using them, or to the company, and should not contain a predictable pattern that is likely to be guessed.
Explanation/Notes: Passwords must not contain sequential or repeating digits (for example, 1111, 1234, 1010), must not be the same as or based on the telephone extension number, and must not be related to an address, zip code, birth date, license plate, phone number, weight, I.Q., or other predictable personal information.
14-4 Mail messages marked as "old" Policy: When previously unheard voice mail messages are not marked as new messages, the voice mail administrator must be notified of a possible security violation and the voice mail password must immediately be changed.
Explanation/Notes: Social engineers may gain access to a voice mailbox in a variety of ways. An employee who becomes aware that messages they have never listened to are not being announced as new messages must assume that another person has obtained unauthorized access to the voice mailbox and listened to the messages.
14-5 External voice mail greetings Policy: Company workers shall limit their disclosure of information on their external outgoing voice mail greeting. Ordinarily, information related to a worker's daily routine or travel schedule should not be disclosed.
Explanation/Notes: An external greeting (played to outside callers) should not include last name, extension, or reason for absence (such as travel, vacation schedule, or daily itinerary). An attacker can use this information to develop a plausible story in his attempt to dupe other personnel.
14-6 Voice mail password patterns Policy: Voice mail users shall not select a password where one part of the password remains fixed, while another part changes in a predictable pattern.
Explanation/Notes: For example, do not use a pa.s.sword such as 743501, 743502, 743503, and so on, where the last two digits correspond to the current month.
14-7 Confidential or Private information Policy: Confidential or Private information shall not be disclosed in a voice mail message.
Explanation/Notes: The corporate telephone system is typically more vulnerable than corporate computer systems. Its passwords are usually short strings of digits, which leaves an attacker far fewer possibilities to guess than a computer password allows.
Further, in some organizations, voice mail passwords may be shared with secretaries or other administrative staff who have the responsibility of taking messages for their managers. In light of the above, no Sensitive information should ever be left on anyone's voice mail.
Passwords
15-1 Telephone security Policy: Passwords shall not be disclosed over the telephone at any time.
Explanation/Notes: Attackers may find ways to listen in to phone conversations, either in person or through a technological device.
15-2 Revealing computer passwords Policy: Under no circumstances shall any computer user reveal his or her password to anyone for any purpose without prior written consent of the responsible information technology manager.
Explanation/Notes: The goal of many social engineering attacks involves deceiving unsuspecting persons into revealing their account names and pa.s.swords. This policy is a crucial step in reducing the risk of successful social engineering attacks against the enterprise. Accordingly, this policy needs to be followed religiously throughout the company.
15-3 Internet pa.s.swords Policy: Personnel must never use a pa.s.sword that is the same as or similar to one they are using on any corporate system on an Internet site.
Explanation/Notes: Malicious Web site operators may set up a site that purports to offer something of value or the possibility of winning a prize. To register, a visitor to the site must enter an email address, username, and pa.s.sword. Since many people use the same or similar sign-on information repeatedly, the malicious Web site operator will attempt to use the chosen pa.s.sword and variations of it for attacking the target"s work- or home- computer system. The visitor"s work computer can sometimes be identified by the email address entered during the registration process.
15-4 Pa.s.swords on multiple systems Policy: Company personnel must never use the same or a similar pa.s.sword in more than one system. This policy pertains to various types of devices (computer or voice mail); various locations of devices (home or work); and various types of systems, devices (router or firewall), or programs (database or application).
Explanation/Notes: Attackers rely on human nature to break into computer systems and networks. They know that, to avoid the ha.s.sle of keeping track of several pa.s.swords, many people use the same or a similar pa.s.sword on every system they access. As such, the intruder will attempt to learn the pa.s.sword of one system where the target has an account. Once obtained, it"s highly likely that this pa.s.sword or a variation thereof will give access to other systems and devices used by the employee.
15-5 Reusing pa.s.swords Policy: No computer user shall use the same or a similar pa.s.sword within the same eighteen-month period.
Explanation/Note: If an attacker does discover a user"s pa.s.sword, frequent changing of the pa.s.sword minimizes the damage that can be done. Making the new pa.s.sword unique from previous pa.s.swords makes it harder for the attacker to guess it.
15-6 Pa.s.sword patterns Policy." Employees must not select a pa.s.sword where one part remains fixed, and another element changes in a predictable pattern.
Explanation/Notes: For example, do not use a pa.s.sword such as Kevin01, Kevin02, Kevin03, and so on, where the last two digits correspond to the current month.
15-7 Choosing passwords Policy: Computer users should create or choose a password that adheres to the following requirements. The password must:
Be at least eight characters long for standard user accounts and at least twelve characters long for privileged accounts.
Contain at least one number, at least one symbol (such as $, -, !, &), at least one lowercase letter, and at least one uppercase letter (to the extent that such characters are supported by the operating system).
Not be any of the following items: words in a dictionary in any language; any word that is related to an employee's family, hobbies, vehicle, work, license plate, social security number, address, telephone, pet's name, or birthday; or phrases containing those words.
Not be a variation of a previously used password, with one element remaining the same and another element changing, such as kevin, kevin1, kevin2; or kevinjan, kevinfeb.
Explanation/Notes: The parameters listed above will produce a password that is difficult for the social engineer to guess. Another option is the consonant-vowel method, which provides an easy-to-remember and pronounceable password. To construct this kind of password, substitute a consonant for each letter C and a vowel for each letter V in the mask "CVCVCVCV." Examples would be MIXOCASO and CUSOJENA. Note that such a password is letters only, so it should be combined with a digit and a symbol to satisfy the requirements above.
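The rules in 14-3, 14-6, 15-5, 15-6 and 15-7 are mechanical enough to be enforced by a program at the point where a password or voice mail PIN is set. The following Python script is an added example and is not part of the original text: it encodes those rules as checks and also builds a CVCVCVCV password as described above. The DICTIONARY word list, the sample passwords, the extension and the personal terms are constructed for illustration; a real deployment would load a full multi-language word list and the user's own HR attributes.

```python
"""Password and voice mail PIN checks modelled on policies 14-3, 14-6, 15-5, 15-6 and 15-7.

Added example, not from the original text. DICTIONARY is a constructed stand-in
for the multi-language word list the policy calls for.
"""
import re
import secrets
import string

DICTIONARY = {"password", "welcome", "summer", "dragon", "company", "letmein"}


def pin_problems(pin, extension=None):
    """Return the reasons a voice mail PIN violates policy 14-3 (empty list if it passes)."""
    problems = []
    if not pin.isdigit():
        return ["non-digit characters"]
    if len(set(pin)) == 1:
        problems.append("repeating digits")            # 1111
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(pin) >= 3 and (steps == {1} or steps == {-1}):
        problems.append("sequential digits")           # 1234, 4321
    if len(pin) >= 4 and pin[0] != pin[1] and pin == (pin[:2] * len(pin))[:len(pin)]:
        problems.append("alternating digit pattern")   # 1010
    if extension and (pin in extension or extension in pin):
        problems.append("based on telephone extension")
    return problems


def is_pattern_variant(new, old):
    """True when `new` is `old` with only a short changing element (policies 14-6, 15-5, 15-6).

    The shared prefix and shared suffix are treated as the fixed part; if what
    remains differs by at most three characters, the two count as variants
    (Kevin01/Kevin02, kevinjan/kevinfeb, 743501/743502).
    """
    a, b = new.lower(), old.lower()
    if a == b:
        return True
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    j = 0
    while j < min(len(a), len(b)) - i and a[-1 - j] == b[-1 - j]:
        j += 1
    fixed = i + j
    return fixed >= 4 and fixed >= max(len(a), len(b)) - 3


def password_problems(pw, privileged=False, personal_terms=(), previous=()):
    """Check a computer password against policy 15-7; returns a list of violations."""
    problems = []
    minimum = 12 if privileged else 8
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters")
    for present, message in (
        (any(c.isdigit() for c in pw), "no digit"),
        (any(c in string.punctuation for c in pw), "no symbol"),
        (any(c.islower() for c in pw), "no lowercase letter"),
        (any(c.isupper() for c in pw), "no uppercase letter"),
    ):
        if not present:
            problems.append(message)
    lowered = pw.lower()
    words = re.findall(r"[a-z]{4,}", lowered)          # alphabetic runs to look up
    if lowered in DICTIONARY or any(w in DICTIONARY for w in words):
        problems.append("contains a dictionary word")
    for term in personal_terms:                        # family, pet, plate, birthday ...
        if term.lower() in lowered:
            problems.append(f"contains personal information ({term})")
    if any(is_pattern_variant(pw, old) for old in previous):
        problems.append("predictable variation of a previous password")
    return problems


def consonant_vowel_password(mask="CVCVCVCV", choose=secrets.choice):
    """Build a pronounceable password from a C/V mask, the method described in 15-7."""
    consonants = "BCDFGHJKLMNPQRSTVWXZ"
    vowels = "AEIOU"
    return "".join(choose(consonants if ch == "C" else vowels) for ch in mask)


if __name__ == "__main__":
    print(pin_problems("1234"), pin_problems("4417", extension="4417"))
    print(password_problems("Kevin02", personal_terms=("Kevin",), previous=("Kevin01",)))
    cv = consonant_vowel_password()
    print(cv, password_problems(cv))   # letters only: fails the digit, symbol and lowercase rules
```

The checker reports a bare CVCVCVCV password as failing the character-class rule, which is the point of the closing remark above: the method gives a memorable core, not a complete password. The variant check is deliberately loose (a shared prefix and suffix of four or more characters, at most three characters changing), since the policy aims at the human habit of incrementing a number or month, not at a formal distance metric.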
15-8 Writing passwords down Policy: Employees should write passwords down only when they store them in a secure location away from the computer or other password-protected device.
Explanation/Notes: Employees are discouraged from ever writing down passwords. Under certain conditions, however, it may be necessary; for example, for an employee who has multiple accounts on different computer systems. Any written passwords must be secured in a safe place away from the computer. Under no circumstances may a password be stored under the keyboard or attached to the computer display.
15-9 Plaintext passwords in computer files Policy: Plaintext passwords shall not be saved in any computer file or stored as text called by pressing a function key. When necessary, passwords may be saved using an encryption utility approved by the IT department to prevent any unauthorized disclosures.
Explanation/Notes: Passwords can be easily recovered by an attacker if stored in unencrypted form in computer data files, batch files, terminal function keys, login files, macro or scripting programs, or any data files which contain passwords to FTP sites.
POLICIES FOR TELECOMMUTERS.
Telecommuters are outside the corporate firewall, and therefore more vulnerable to attack. These policies will help you prevent social engineers from using your telecommuter employees as a gateway to your data.
16-1 Thin clients Policy: All company personnel who have been authorized to connect via remote access shall use a thin client to connect to the corporate network.
Explanation/Notes: When an attacker analyzes an attack strategy, he or she will try to identify users who access the corporate network from external locations. As such, telecommuters are prime targets. Their computers are less likely to have stringent security controls, and may be a weak link that compromises the corporate network.
Any computer that connects to a trusted network can be booby-trapped with keystroke loggers, or its authenticated connection can be hijacked. A thin client strategy can be used to avoid these problems. A thin client is similar to a diskless workstation or a dumb terminal: the remote computer has no local storage, and the operating system, application programs, and data all reside on the corporate network. Accessing the network via a thin client substantially reduces the risk posed by unpatched systems, outdated operating systems, and malicious code. Centralizing security controls in this way makes managing the security of telecommuters both more effective and easier.
Rather than relying on the inexperienced telecommuter to properly manage security-related issues, these responsibilities are better left with trained system, network, or security administrators.
16-2 Security software for telecommuter computer systems Policy: Any external computer system that is used to connect to the corporate network must have antivirus software, anti-Trojan software, and a personal firewall (hardware or software). Antivirus and anti-Trojan pattern files must be updated at least weekly.
Explanation/Notes: Ordinarily, telecommuters are not skilled on security-related issues, and may inadvertently or negligently leave their computer system and the corporate network open to attack. Telecommuters therefore pose a serious security risk if they are not properly trained. In addition to installing antivirus and anti-Trojan Horse software to protect against malicious code, a firewall is necessary to block hostile users from reaching any services enabled on the telecommuter's system.
The risk of not deploying these minimal security technologies to prevent malicious code from propagating cannot be overstated, as an attack on Microsoft proves. A computer system belonging to a Microsoft telecommuter, used to connect to Microsoft's corporate network, became infected with a Trojan Horse program. The intruder or intruders were able to use the telecommuter's trusted connection to Microsoft's development network to steal developmental source code.
POLICIES FOR HUMAN RESOURCES.
Human resources departments have a special charge to protect employees from those attempting to discover personal information through their workplace. HR professionals also have a responsibility to protect their company from the actions of unhappy ex-employees.
17-1 Departing employees Policy: Whenever a person employed by the company leaves or is terminated, Human Resources must immediately do the following: Remove the person's listing from the on-line employee/telephone directory and disable or forward their voice mail; Notify personnel at building entrances or company lobbies; and Add the employee's name to the employee departure list, which shall be emailed to all personnel no less often than once a week.
Explanation/Notes: Employees who are stationed at building entrances must be notified to prevent a former employee from re-entering the premises. Further, notifying other personnel may prevent the former employee from successfully masquerading as an active employee and duping personnel into taking some action damaging to the company.
In some circumstances, it may be necessary to require every user within the former employee's department to change his or her password. (When I was terminated from GTE solely because of my reputation as a hacker, the company required all employees throughout the company to change their password.)
17-2 IT department notification Policy: Whenever a person employed by the company leaves or is terminated, Human Resources should immediately notify the information technology department to disable the former employee's computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.
Explanation/Notes: It's essential to disable a former worker's access to all computer systems, network devices, databases, or any other computer-related devices immediately upon termination. Otherwise, the company may leave the door wide open for a disgruntled former employee to access company computer systems and cause significant damage.
17-3 Confidential information used in hiring process Policy: Advertisements and other forms of public solicitation of candidates to fill job openings should, to the extent possible, avoid identifying computer hardware and software used by the company.
Explanation/Notes: Managers and human resources personnel should only disclose information related to enterprise computer hardware and software that is reasonably necessary to obtain resumes from qualified candidates.
Computer intruders read newspapers and company press releases, and visit Internet sites, to find job listings. Often, companies disclose too much information about the types of hardware and software used to attract prospective employees. Once the intruder has knowledge of the target"s information systems, he is armed for the next phase of attack. For example, by knowing that a particular company uses the VMS operating system, the attacker may place pretext calls to determine the release version, and then send a phony emergency security patch made to appear as if it came from the software developer. Once the patch is installed, the attacker is in.
17-4 Employee personal information Policy: The human resources department must never release personal information about any current or former employee, contractor, consultant, temporary worker, or intern, except with prior express written consent of the employee or human resources manager.
Explanation/Notes: Head-hunters, private investigators, and identity thieves target private employee information such as employee numbers, social security numbers, birth dates, salary history, financial data including direct deposit information, and health-related benefit information. The social engineer may obtain this information so as to masquerade as the individual. In addition, disclosing the names of new hires may be extremely valuable to information thieves. New hires are likely to comply with any request by persons with seniority or in a position of authority, or anyone claiming to be from corporate security.
17-5 Background checks Policy: A background check should be required for all new hires, contractors, consultants, temporary workers, or interns prior to an offer of employment or establishing of a contractual relationship.
Explanation/Notes: Because of cost considerations, the requirement for background checks may be limited to specific positions of trust. Note, however, that any person who is given physical access to corporate offices may be a potential threat. For example, cleaning crews have access to personnel offices, which gives them access to any computer systems located there. An attacker with physical access to a computer can install a hardware keystroke logger in less than a minute to capture passwords.
Computer intruders will sometimes go to the effort of obtaining a job as a means of gaining access to a target company's computer systems and networks. An attacker can easily obtain the name of a company's cleaning contractor by calling the responsible employee at the target company, claiming to be from a janitorial company looking for their business, and asking which company currently provides such services.
POLICIES FOR PHYSICAL SECURITY.
Though social engineers try to avoid showing up in person at a workplace they want to target, there are times when they will violate your space. These policies will help you to keep your physical premises secure from threat.
18-1 Identification for non-employees Policy: Delivery people and other non-employees who need to enter company premises on a regular basis must have a special badge or other form of identification in accordance with policy established by corporate security.
Explanation/Notes: Non-employees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or install telephones) should be issued a special form of company identification badge provided for this purpose. Others who need to enter only occasionally or on a one-time basis must be treated as visitors and should be escorted at all times.
18-2 Visitor identification Policy: All visitors must present a valid driver's license or other picture identification to be admitted to the premises.
Explanation/Notes: The security staff or receptionist should make a photocopy of the identification document prior to issuing a visitor's badge. The copy should be kept with the visitor's log. Alternatively, the identification information can be recorded in the visitor's log by the receptionist or guard; visitors should not be permitted to write down their own ID information.
Social engineers seeking to gain entrance to a building will always write false information in the log. Even though it's not difficult to obtain false ID and to learn the name of an employee he or she can claim to be visiting, requiring that the responsible employee log the entry adds one level of security to the process.
18-3 Escorting visitors Policy: Visitors must be escorted or in the company of an employee at all times.
Explanation/Notes: One popular ruse of social engineers is to arrange to visit a company employee (for example, visiting with a product engineer on the pretext of being the employee of a strategic partner). After being escorted to the initial meeting, the social engineer assures his host that he can find his own way back to the lobby. By this means he gains the freedom to roam the building and possibly gain access to Sensitive information.