The Art of Deception

Chapter 16. Modify this information for your organization, and make it available for employees to refer to when an information security question arises.

18-4 Temporary badges Policy: Company employees from-another location who do not have their employee badges with them must present a valid driver"s license or other picture ID and be issued a temporary visitor"s badge.

Explanation/Notes: Attackers often pose as employees from a different office or branch of a company to gain entrance to a company.

18-5 Emergency evacuation Policy: In any emergency situation or drill, security personnel must ensure that everybody has evacuated the premises.

Explanation/Notes: Security personnel must check for any stragglers that may be left behind in restrooms or office areas. As authorized by the fire department or other authority in charge of the scene, the security force needs to be on the alert for anyone departing the building long after the evacuation.

Industrial spies or sophisticated computer intruders may cause a diversion to gain access to a building or secure area. One diversion used is to release a harmless chemical known as butyl mercaptan into the air. The effect is to create the impression that there is a natural gas leak. Once personnel start evacuation procedures, the bold attacker uses this diversion to either steal information or to gain access to enterprise computer systems. Another tactic used by information thieves involves remaining behind, sometimes in a restroom or closet, at the time of a scheduled evacuation drill, or after setting off a smoke flare or other device to cause an emergency evacuation.

18-6 Visitors in mail room Policy: No visitors should be permitted in the mail room without the supervision of a company worker.

Explanation/Notes: The intention of this policy is to prevent an outsider from exchanging, sending, or stealing intracompany mail.

18-7 Vehicle license plate numbers Policy: If the company has a guarded parking area, security staff shall log vehicle license plate numbers for any vehicle entering the area.

18-8 Trash Dumpsters Policy: Trash Dumpsters must remain on company premises at all times and should be inaccessible to the public.

Explanation/Notes: Computer attackers and industrial spies can obtain valuable information from company trash bins. The courts have held that trash is considered legally abandoned property, so the act of Dumpster diving is perfectly legal, as long as the trash receptacles are on public property. For this reason, it is important that trash receptacles be situated on company property, where the company has a legal right to protect the containers and their contents.

POLICIES FOR RECEPTIONISTS.

Receptionists are often on the front lines when it comes to dealing with social engineers, yet they are rarely given enough security training to recognize and stop an invader. Inst.i.tute these policies to help your receptionist better protect your company and its data.

19-1 Internal directory Policy: Disclosure of information in the internal company directory should be limited to persons employed by the company.

Explanation/Notes: All employee t.i.tles, names, telephone numbers, and addresses contained within the company directory should be considered Internal information, and should only be disclosed in accordance with the policy related to data cla.s.sification and Internal information.

Additionally, any calling party must have the name or extension of the party they are trying to contact. Although the receptionist can put a call through to an individual when a caller does not know the extension, telling the caller the extension number should be prohibited. (For those curious folks who follow by example, you can experience this procedure by calling any U.S. government agency and asking the operator to provide an extension.) 19-2 Telephone numbers for specific departments/groups Policy: Employees shall not provide direct telephone numbers for the company help desk, telecommunications department, computer operations, or system administrator personnel without verifying that the requester has a legitimate need to contact these groups. The receptionist, when transferring a call to these groups, must announce the caller"s name.

Explanation/Notes: Although some organizations may find this policy overly restrictive, this rule makes it more difficult for a social engineer to masquerade as an employee by deceiving other employees into transferring the call from their extension (which in some phone systems causes the call to appear to originate from within the company), or demonstrating knowledge of these extensions to the victim in order to create a sense of authenticity.

19-3 Relaying information Policy: Telephone operators and receptionists should not take messages or relay information on behalf of any party not personally known to be an active employee.

Explanation/Notes: Social engineers are adept at deceiving employees into inadvertently vouching for their ident.i.ty. One social engineering trick is to obtain the telephone number of the receptionist and, on a pretext, ask the receptionist to take any messages that may come for him. Then, during a call to the victim, the attacker pretends to be an employee, asks for some sensitive information or to perform a task, and gives the main switchboard number as a call back number. Social engineers are adept at deceiving employees into inadvertently vouching for their ident.i.ty. One social engineering trick is to obtain the telephone number of the receptionist and, on a pretext, ask the receptionist to take any messages that may come for him. Then, during a call to the victim, the attacker pretends to be an employee, asks for some sensitive information or to perform a task, and gives the main switchboard number as a call back number.

The attacker later calls back to the receptionist and is given any message left for him by the unsuspecting victim.

19-4 Items left for pickup Policy: Before releasing any item to a messenger or other Unverified Person, the receptionist or security guard must obtain picture identification and enter the identification information into the pickup log as required by approved procedures.

Explanation/Notes." One social engineering tactic is to deceive an employee into releasing sensitive materials to another supposedly authorized employee by dropping off such materials at the receptionist or lobby desk for pickup.

Naturally, the receptionist or security guard a.s.sumes the package is authorized for release. The social engineer either shows up himself or has a messenger service pick up the package.

POLICIES FOR THE INCIDENT REPORTING GROUP.

Every company should set up a centralized group that should be notified when any form of attack on corporate security is identified. What follows are some guidelines for setting up and structuring the activities of this group.

20-1 Incident reporting group Policy: An individual or group must be designated and employees should be instructed to report security incidents to them. All employees should be provided with the contact information for the group.

Explanation/Notes: Employees must understand how to identify a security threat, and be trained to report any threat to a specific incident reporting group. It is also important that an organization establish specific procedures and authority for such a group to act when a threat is reported.

20-2 Attacks in progress Policy: Whenever the incident reporting group has received reports of an ongoing social engineering attack they shall immediately initiate procedures for alerting all employees a.s.signed to the targeted groups.

Explanation/Notes: The incident reporting group or responsible manager should also make a determination about whether to send a company wide alert. Once the responsible person or group has a good faith belief that an attack may be in progress, mitigation of damage must be made a priority by notifying company personnel to be on their guard.

Security at a Glance The lists and charts reference version of following provide quick social engineering methods discussed in Chapters 2 to 14, and verification procedures detailed in Chapter 16. Modify this information for your organization, and make it available for employees to refer to when an information security question arises.

IDENTIFYING A SECURITY ATTACK.

These tables and checklists will a.s.sist you in spotting a social engineering attack.

The Social Engineering Cycle ACTION / DESCRIPTION.

Research May include open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, Web site content. Also Dumpster diving.

Developing rapport and trust Use of insider information, misrepresenting ident.i.ty, citing those known to victim, need for help, or authority.

Exploiting trust Asking for information or an action on the part of the victim. In reverse sting, manipulate victim to ask attacker for help.

Utilize information If the information obtained is only a step to final goal, attacker returns to earlier steps in cycle till goal is reached.

Common Social Engineering Methods Posing as a fellow employee Posing as an employee of a vendor, partner company, or law enforcement Posing as someone in authority Posing as a new employee requesting help Posing as a vendor or systems manufacturer calling to offer a system patch or update Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help Sending free software or patch for victim to install Sending a virus or Trojan Horse as an email attachment Using a false pop-up window asking user to log in again or sign on with pa.s.sword Capturing victim keystrokes with expendable computer system or program Leaving a floppy disk or CD around the workplace with malicious software on it Using insider lingo and terminology to gain trust Offering a prize for registering at a Web site with username and pa.s.sword Dropping a doc.u.ment or file at company mail room for intraoffice delivery Modifying fax machine heading to appear to come from an internal location Asking receptionist to receive then forward a fax Asking for a file to be transferred to an apparently internal location Getting a voice mailbox set up so call backs perceive attacker as internal Pretending to be from remote office and asking for email access locally Warning Signs of an Attack Refusal to give call back number Out-of-ordinary request Claim of authority Stresses urgency Threatens negative consequences of non compliance Shows discomfort when questioned Name dropping Compliments or flattery Flirting Common Targets of Attacks TARGET TYPE / EXAMPLES.

Unaware of value of information Receptionists, telephone operators, administrative a.s.sistants, security guards.

Special privileges Help desk or technical support, system administrators, computer operators, telephone system administrators.

Manufacturer / vendor Computer hardware, software manufacturers, voice mail systems vendors.

Specific departments Accounting, human resources.

Factors That Make Companies More Vulnerable to Attacks Large number of employees Multiple facilities Information on employee whereabouts left in voice mail messages Phone extension information made available Lack of security training Lack of data cla.s.sification system No incident reporting/response plan in place VERIFICATION AN D DATA CLa.s.sIFICATION.

These tables and charts will help you to respond to requests for information or action that may be social engineering attacks.

Verification of Ident.i.ty Procedure ACTION / DESCRIPTION.

Caller ID Verify call is internal, and name or extension number matches the ident.i.ty of the caller.

Callback Look up requester in company directory and call back the listed extension.

Vouching Ask a trusted employee to vouch for requester"s ident.i.ty.

Shared common secret Request enterprise-wide shared secret, such as a pa.s.sword or daily code.

Supervisor or manager Contact employee"s immediate supervisor and request verification of ident.i.ty and employment status.

Secure email Request a digitally signed message.

Personal voice recognition recognition For a caller known to employee, validate by caller"s voice.

Dynamic pa.s.swords Verify against a dynamic pa.s.sword solution such as Secure ID or other strong authentication device.

In person Require requester to appear in person with an employee badge or other identification.

Verification of Employment Status Procedure ACTION / DESCRIPTION / DESCRIPTION.

Employee directory check Verify that requester is listed in online directory.

Requester"s manager verification Call requester"s manager using phone number listed in company directory.

Requester"s department or workgroup verification Call requester"s department or workgroup and determine that requester is still employed by company. Call requester"s department or workgroup and determine that requester is still employed by company.

Procedure to Determine Need to Know ACTION / DESCRIPTION.

Consult job tide/ workgroup/ responsibilities list Check published lists of which employees are ent.i.tled to specific cla.s.sified information. Check published lists of which employees are ent.i.tled to specific cla.s.sified information.

Obtain authority from manager Contact your manager, or the manager of the requester, for authority to comply with the request.

Obtain authority from the information Owner or designee Ask Owner of information if requester has a need to know. Ask Owner of information if requester has a need to know.

Obtain authority with an automated tool Check proprietary software database for authorized personnel.

Criteria for Verifying Non-Employees CRITERION / ACTION.

Relationship Verify that requester"s firm has a vendor, strategic partner, or other appropriate relationship.

Ident.i.ty Verify requester"s ident.i.ty and employment status at the vendor/partner firm.

Nondisclosure Verify that the requester has a signed nondisclosure agreement on file.

Access Refer the request to management when the information is cla.s.sified above Internal.

Data Cla.s.sification CLa.s.sIFICATION / DESCRIPTION / PROCEDURE.

Public Can be freely released to the public No need to verify.

Internal For use within the company Verify ident.i.ty of requester as active employee or verify nondisclosure agreement on file and management approval for non employees.

Data Cla.s.sification (Continued) CLa.s.sIFICATION / DESCRIPTION / PROCEDURE.

Private Information of a personal nature personal nature intended for use intended for use only within only within the organization the organization Verify ident.i.ty of requester as active employee or only within non employee with the organization, authorization. Check with human resources department to disclose Private information to authorized employees or external requesters.

Confidential Shared only with people with an absolute need to know within the organization Verify ident.i.ty of requester and need to know from designated information Owner. Release only with prior written consent of manager, or information Owner or designee. Check for nondisclosure agreement on file. Only management personnel may disclose to persons not employed by the company.

SOURCES.

CHAPTER 1.

BloomBecker, Buck. 1990. Spectacular Computer Crimes: What They Are and How They Cost American Business Half a Billion Dollars a Dar. Irwin Professional Publishing.

Littman, Jonathan. 1997. The Fugitive Game: Online with Kevin Mitnick. Little Brown & Co.

Penenberg, Adam L. April 19, 1999. "The Demonizing of a Hacker." Forbes.

CHAPTER 2.

The Stanley Rifldn story is based on the following accounts: Computer Security Insitute. Undated. "Financial losses due to Internet intrusions, trade secret theft and other cyber crimes soar." Press release. Epstein, Edward Jay. Unpublished. "The Diamond Invention." Holwick, Rev. David. Unpublished account.

Mr. Rifkin himself was gracious in acknowledging that accounts of his exploit differ because he has protected his anonymity by declining to be interviewed.

CHAPTER 16.

Cialdini, Robert B. 2000. Influence: Science and Practice, 4th edition. Allyn and Bacon.

Cialdini, Robert B. February 2001. "The Science of Persuasion." Scientific American. 284:2.

CHAPTER 17.

Some policies in this chapter are based on ideas contained in: Wood, Charles Cresson. 1999. "Information Security Policies Made Easy." Baseline Software.