4-17 Security awareness training Policy: All persons employed by the company must complete a security awareness training course during employee orientation. Furthermore, each employee must take a security awareness refresher course at periodic intervals, not to exceed twelve months, as required by the department assigned with security-training responsibility.
Explanation/Notes: Many organizations disregard end-user awareness training altogether. According to the 2001 Global Information Security Survey, only 30 percent of the surveyed organizations spend money on awareness training for their user community. Awareness training is an essential requirement for reducing the success rate of attacks that rely on social engineering techniques.
4-18 Security training course for computer access Policy: Personnel must attend and successfully complete a security information course before being given access to any corporate computer systems.
Explanation/Notes: Social engineers frequently target new employees, knowing that as a group they are generally the people least likely to be aware of the company's security policies and the proper procedures to determine classification and handling of sensitive information.
Training should include an opportunity for employees to ask questions about security policies. After training, the account holder should be required to sign a document acknowledging their understanding of the security policies, and their agreement to abide by the policies.
4-19 Employee badge must be color-coded Policy: Identification badges must be color-coded to indicate whether the badge holder is an employee, contractor, temporary, vendor, consultant, visitor, or intern.
Explanation/Notes: The color of the badge is an excellent way to determine the status of a person from a distance. An alternative would be to use large lettering to indicate the badge holder's status, but using a color-coded scheme is unmistakable and easier to see.
A common social engineering tactic to gain access to a physical building is to dress up as a delivery person or repair technician. Once inside the facility, the attacker will masquerade as another employee or lie about his status to obtain cooperation from unsuspecting employees. The purpose of this policy is to prevent people from entering the building legitimately and then entering areas they should not have access to. For example, a person entering the facility as a telephone repair technician would not be able to masquerade as an employee: The color of the badge would give him away.
INFORMATION TECHNOLOGY POLICIES.
The information technology department of any company has a special need for policies that help it protect the organization's information assets. To reflect the typical structure of IT operations in an organization, I have divided the IT policies into General, Help Desk, Computer Administration, and Computer Operations.
General 5-1 IT department employee contact information Policy: Phone numbers and email addresses of individual IT department employees should not be disclosed to any person without a need to know.
Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by social engineers. By only disclosing a general contact number or email address for IT, outsiders will be blocked from contacting IT department personnel directly. The email address for site administrative and technical contacts should only consist of generic names such as [email protected]; published telephone numbers should connect to a departmental voice mailbox, not to individual workers.
When direct contact information is available, it becomes easy for a computer intruder to reach specific IT employees and trick them into providing information that can be used in an attack, or to impersonate IT employees by using their names and contact information.
5-2 Technical support requests Policy: All technical support requests must be referred to the group that handles such requests.
Explanation/Notes: Social engineers may attempt to target IT personnel who do not ordinarily handle technical support issues, and who may not be aware of the proper security procedures when handling such requests. Accordingly, IT staff must be trained to deny these requests and refer the caller to the group that has the responsibility of providing support.
Help Desk 6-1 Remote access procedures Policy: Help desk personnel must not divulge details or instructions regarding remote access, including external network access points or dialup numbers, unless the requester has been: Verified as authorized to receive Internal information; and, Verified as authorized to connect to the corporate network as an external user.
Unless known on a person-to-person basis, the requester must be positively identified in accordance with the Verification and Authorization Procedures outlined at the beginning of this chapter.
Explanation/Notes: The corporate help desk is often a primary target for the social engineer, both because the nature of their work is to assist users with computer-related issues, and because they usually have elevated system privileges. All help desk personnel must be trained to act as a human firewall to prevent unauthorized disclosure of information that will assist any unauthorized persons in gaining access to company resources. The simple rule is to never disclose remote access procedures to anyone until positive verification of identity has been made.
6-2 Resetting passwords Policy: The password to a user account may be reset only at the request of the account holder.
Explanation/Notes: The most common ploy used by social engineers is to have another person's account password reset or changed. The attacker poses as the employee using the pretext that their password was lost or forgotten. In an effort to reduce the success of this type of attack, an IT employee receiving a request for a password reset must call the employee back prior to taking any action; the call back must not be made to a phone number provided by the requester, but to a number obtained from the employee telephone directory. See Verification and Authorization Procedures for more about this procedure.
6-3 Changing access privileges Policy: All requests to increase a user's privileges or access rights must be approved in writing by the account holder's manager. When the change is made a confirmation must be sent to the requesting manager via intracompany mail.
Furthermore, such requests must be verified as authentic in accordance with the Verification and Authorization Procedures.
Explanation/Notes: Once a computer intruder has compromised a standard user account, the next step is to elevate his or her privileges so that the attacker has complete control over the compromised system. An attacker who has knowledge of the authorization process can spoof an authorized request when email, fax, or telephone are used to transmit it. For example, the attacker may phone technical support or the help desk and attempt to persuade a technician to grant additional access rights to the compromised account.
6-4 New account authorization Policy: A request to create a new account for an employee, contractor, or other authorized person must be made either in writing and signed by the employee's manager, or sent by digitally signed electronic mail. These requests must also be verified by sending a confirmation of the request through intracompany mail.
Explanation/Notes: Because passwords and other information useful in breaking into computer systems are the highest priority targets of information thieves for gaining access, special precautions are necessary. The intention of this policy is to prevent computer intruders from impersonating authorized personnel or forging requests for new accounts. Therefore, all such requests must be positively verified using the Verification and Authorization Procedures.
6-5 Delivery of new passwords Policy: New passwords must be handled as company Confidential information, delivered by secure methods including in person; by a signature-required delivery service such as registered mail; or by UPS or FedEx. See policies concerning distribution of Confidential information.
Explanation/Notes: Intracompany mail may also be used, but it is recommended that passwords be sent in secure envelopes that obscure the content. A suggested method is to establish a computer point person in each department who has the responsibility of handling distribution of new account details and vouching for the identity of personnel who lose or forget their passwords. In these circumstances, support personnel would always be working with a smaller group of employees that would be personally recognized.
6-6 Disabling an account Policy: Prior to disabling a user's account you must require positive verification that the request was made by authorized personnel.
Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable an account, and then calling to troubleshoot the user's inability to access the computer system. When the social engineer calls posing as a technician with pre-existing knowledge of the user's inability to log in, the victim often complies with a request to reveal his or her password during the troubleshooting process.
6-7 Disabling network ports or devices Policy: No employee should disable any network device or port for any unverified technical support personnel.
Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable a network port, and then calling the worker to troubleshoot his or her inability to access the network.
When the social engineer, posing as a helpful technician, calls with pre-existing knowledge of the user's network problem, the victim often complies with a request to reveal his or her password during the troubleshooting process.
6-8 Disclosure of procedures for wireless access Policy: No personnel should disclose procedures for accessing company systems over wireless networks to any parties not authorized to connect to the wireless network.
Explanation/Notes: Always obtain prior verification of a requester as a person authorized to connect to the corporate network as an external user before releasing wireless access information. See Verification and Authorization Procedures.
6-9 User trouble tickets Policy: The names of any employees who have reported computer-related problems should not be revealed outside the information technology department.
Explanation/Notes: In a typical attack, a social engineer will call the help desk and request the names of any personnel who have reported recent computer problems. The caller may pretend to be an employee, vendor, or an employee of the telephone company. Once he obtains the names of persons reporting trouble, the social engineer, posing as a help desk or technical support person, contacts the employee and says he/she is calling to troubleshoot the problem. During the call, the attacker deceives the victim into providing the desired information or into performing an action that facilitates the attacker's objective.
6-10 Initiating execute commands or running programs Policy: Personnel employed in the IT department who have privileged accounts should not execute any commands or run any application programs at the request of any person not personally known to them.
Explanation/Notes: A common method attackers use to install a Trojan Horse program or other malicious software is to change the name of an existing program, and then call the help desk complaining that an error message is displayed whenever an attempt is made to run the program. The attacker persuades the help desk technician to run the program himself. When the technician complies, the malicious software inherits the privileges of the user executing the program and performs a task, which gives the attacker the same computer privileges as the help desk employee. This may allow the attacker to take control of the company system.
This policy establishes a countermeasure to this tactic by requiring that support personnel verify employment status prior to running any program at the request of a caller.
Computer Administration 7-1 Changing global access rights Policy: A request to change the global access rights associated with an electronic job profile must be approved by the group assigned the responsibility of managing access rights on the corporate network.
Explanation/Notes: Authorized personnel will analyze each such request to determine whether the change might entail a threat to information security. If so, the responsible employee will address the pertinent issues with the requester and jointly arrive at a decision about the changes to be made.
7-2 Remote access requests Policy: Remote computer access will only be provided to personnel who have a demonstrated need to access corporate computer systems from off-site locations.
The request must be made by an employee's manager and verified as described in the Verification and Authorization Procedures section.
Explanation/Notes: While recognizing that authorized personnel need off-site access into the corporate network, limiting such access to people with a genuine need dramatically reduces risk and simplifies the management of remote access users. The smaller the number of people with external dialup privileges, the smaller the pool of potential targets for an attacker. Never forget that the attacker may also target remote users with the intent of hijacking their connection into the corporate network, or of masquerading as them during a pretext call.
7-3 Resetting privileged account passwords Policy: A request to reset a password to a privileged account must be approved by the system manager or administrator responsible for the computer on which the account exists. The new password must be sent through intracompany mail or delivered in person.
Explanation/Notes: Privileged accounts have access to all system resources and files stored on the computer system. Naturally, these accounts deserve the greatest protection possible.
7-4 Outside support personnel remote access Policy: No outside support person (such as software or hardware vendor personnel) may be given any remote access information or be allowed to access any company computer system or related devices without positive verification of identity and authorization to perform such services. If the vendor requires privileged access to provide support services, the password to the account used by the vendor shall be changed immediately after the vendor services have been completed.
Explanation/Notes: Computer attackers may pose as vendors to gain access to corporate computer or telecommunication networks. Therefore, it is essential that the identity of the vendor be verified in addition to their authorization to perform any work on the system. Moreover, the doors into the system must be slammed shut once their job is done by changing the account password used by the vendor.
No vendor should be allowed to pick his or her own password for any account, even temporarily. Some vendors have been known to use the same or similar passwords across multiple customer systems. For example, one network security company set up privileged accounts on all their customers' systems with the same password, and, to add insult to injury, with outside Telnet access enabled.
7-5 Strong authentication for remote access to corporate systems Policy: All connection points into the corporate network from remote locations must be protected through the use of strong authentication devices, such as dynamic passwords or biometrics.
Explanation/Notes: Many businesses rely on static passwords as the sole means of authentication for remote users. This practice is dangerous because it is insecure: computer intruders target any remote access point that might be the weak link in the victim's network. Remember that you never know when someone else knows your password.
Accordingly, any remote access points must be protected with strong authentication such as time-based tokens, smart cards, or biometric devices, so that intercepted passwords are of no value to an attacker.
When authentication based on dynamic passwords is impractical, computer users must religiously adhere to the policy for choosing hard-to-guess passwords.
7-6 Operating system configuration Policy: Systems administrators shall ensure that, wherever possible, operating systems are configured so that they are consistent with all pertinent security policies and procedures.
Explanation/Notes: Drafting and distributing security policies is a fundamental step toward reducing risk, but in most cases, compliance is necessarily left up to the individual employee. There are, however, any number of computer-related policies that can be made mandatory through operating-system settings, such as the required length of passwords. Automating security policies by configuration of operating system parameters effectively takes the decision out of the human element's hands, increasing the overall security of the organization.
7-7 Mandatory expiration Policy: All computer accounts must be set to expire after one year.
Explanation/Notes: The intention of this policy is to eliminate computer accounts that are no longer being used, since computer intruders commonly target dormant accounts. The process ensures that any computer accounts belonging to former employees or contractors that have been inadvertently left in place are automatically disabled.
At management discretion, you may require that employees must take a security refresher training course at renewal time, or must review information security policies and sign an acknowledgment of their agreement to adhere to them.
7-9 Generic email addresses Policy: The information technology department shall set up a generic email address for each department within the organization that ordinarily communicates with the public.
Explanation/Notes: The generic email address can be released to the public by the telephone receptionist or published on the company Web site. Otherwise, each employee shall only disclose his or her personal email address to people who have a genuine need to know.
During the first phase of a social engineering attack, the attacker often tries to obtain telephone numbers, names, and titles of employees. In most cases, this information is publicly available on the company Web site or just for the asking.
Creation of generic voice mailboxes and/or email addresses makes it difficult to associate employee names with particular departments or responsibilities.
7-9 Contact information for domain registrations Policy: When registering for acquisition of Internet address space or host names, the contact information for administrative, technical, or other personnel should not identify any individual personnel by name. Instead, you should list a generic email address and the main corporate telephone number.
Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by a computer intruder. When the names and phone numbers of individuals are provided, an intruder can use this information to contact the individuals and attempt to deceive them into revealing system information, or to perform an action item that facilitates an attacker's objective. Or the social engineer can impersonate a listed person in an effort to deceive other company personnel.
Instead of an email address to a particular employee, contact information must be in the form of [email protected]. Telecommunications department personnel can establish a generic voice mailbox for administrative or technical contacts so as to limit information disclosure that would be useful in a social engineering attack.
7-10 Installation of security and operating system updates Policy: All security patches for operating system and application software shall be installed as soon as they become available. If this policy conflicts with the operation of mission-critical production systems, such updates should be performed as soon as practicable.
Explanation/Notes: Once a vulnerability has been identified, the software manufacturer should be contacted immediately to determine whether a patch or a temporary fix has been made available to close the vulnerability.
An un-patched computer system represents one of the greatest security threats to the enterprise. When system administrators procrastinate about applying the necessary fixes, the window of exposure is open wide so that any attacker can climb through.
Dozens of security vulnerabilities are identified and published weekly on the Internet. Unless information technology staff are vigilant in applying all security patches and fixes as soon as practical, the corporate network will always be at risk of suffering a security incident, even for systems behind the company firewall. It is extremely important to keep apprised of published security vulnerabilities identified in the operating system or any application programs used in the course of business.
7-11 Contact information on Web sites Policy: The company's external Web site shall not reveal any details of corporate structure or identify any employees by name.
Explanation/Notes: Corporate structure information such as organization charts, hierarchy charts, employee or departmental lists, reporting structure, names, positions, internal contact numbers, employee numbers, or similar information that is used for internal processes should not be made available on publicly accessible Web sites.
Computer intruders often obtain very useful information on a target"s Web site.
The attacker uses this information to appear as a knowledgeable employee when using a pretext or ruse. The social engineer is more likely to establish credibility by having this information at his or her disposal.
Moreover, the attacker can analyze this information to find out the likely targets who have access to valuable, sensitive, or critical information.
7-12 Creation of privileged accounts Policy: No privileged account should be created or system privileges granted to any account unless authorized by the system administrator or system manager.
Explanation/Notes: Computer intruders frequently pose as hardware or software vendors in an attempt to dupe information technology personnel into creating unauthorized accounts. The intention of this policy is to block these attacks by establishing greater control over the creation of privileged accounts. The system manager or administrator of the computer system must approve any request to create an account with elevated privileges.
7-13 Guest accounts Policy: Guest accounts on any computer systems or related networked devices shall be disabled or removed, except for an FTP (file transfer protocol) server approved by management with anonymous access enabled.
Explanation/Notes: The intention of the guest account is to provide temporary access for persons who do not need to have their own account. Several operating systems are installed by default with a guest account enabled. Guest accounts should always be disabled because their existence violates the principle of user accountability. IT should be able to audit any computer-related activity and relate it to a specific user.
Social engineers are easily able to take advantage of these guest accounts for gaining unauthorized access, either directly or by duping authorized personnel into using a guest account.
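Policies 7-7 (mandatory expiration) and 7-13 (guest accounts) are among the few in this chapter that a machine can check for you. The audit below is an added example, not text or code from the book. It assumes the Linux /etc/shadow record layout (name:hash:lastchange:min:max:warn:inactive:expire:reserved, with day fields counted from 1970-01-01), a constructed sample file and a fixed "today" so the findings are reproducible, the names guest/anonymous/visitor as the guest accounts, and an exemption for root; the remediation commands use chage(1) and usermod(8).

```python
"""Account audit for policies 7-7 (mandatory expiration) and 7-13 (guest
accounts).  Added example, not from the book.  Assumes the Linux
/etc/shadow record layout and audits a constructed sample instead of the
live file, so it runs anywhere without privileges."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
TODAY = date(2002, 10, 1)          # fixed so the findings are reproducible
MAX_LIFETIME_DAYS = 365            # policy 7-7: expire after one year
GUEST_NAMES = {"guest", "anonymous", "visitor"}   # assumed guest account names
EXEMPT = {"root"}                  # expiring root locks the machine; handle it separately

# Constructed sample: compliant, expired, locked and guest accounts mixed together.
SAMPLE_SHADOW = """\
root:$6$hash:11900:0:99999:7:::
alice:$6$hash:11920:0:90:7::12285:
bob:$6$hash:11500:0:90:7::11800:
guest::11000:0:99999:7:::
ftp:*:11000:0:99999:7:::
carol:!$6$hash:11600:0:90:7::11900:
dave:$6$hash:11950:0:90:7::12700:
"""

@dataclass
class Account:
    name: str
    hash: str
    expires: Optional[date]

    @property
    def locked(self) -> bool:
        # A hash beginning with "!" or "*" can never match a typed password.
        return self.hash.startswith(("!", "*"))

def parse_shadow(text: str) -> list[Account]:
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        expires = EPOCH + timedelta(days=int(f[7])) if f[7] else None
        accounts.append(Account(f[0], f[1], expires))
    return accounts

def audit(accounts, today: date = TODAY) -> dict[str, list[tuple[str, str]]]:
    """Return {account: [(finding code, explanation), ...]}; empty dict means clean."""
    findings = {}
    for a in accounts:
        if a.name in EXEMPT or a.locked:      # already disabled: nothing to do
            continue
        notes = []
        if a.name in GUEST_NAMES:
            notes.append(("guest_enabled", "guest account enabled (7-13)"))
        if a.hash == "":
            notes.append(("no_password", "empty password field: logs in with no password"))
        if a.expires is None:
            notes.append(("no_expiry", "no expiration date set (7-7)"))
        elif a.expires <= today:
            notes.append(("expired_enabled", f"expired {a.expires} but not disabled (7-7)"))
        elif (a.expires - today).days > MAX_LIFETIME_DAYS:
            notes.append(("expiry_too_far", f"expires {a.expires}, more than a year out (7-7)"))
        if notes:
            findings[a.name] = notes
    return findings

def remediation(findings, today: date = TODAY) -> list[str]:
    """chage(1)/usermod(8) commands that bring each finding into policy."""
    renew = (today + timedelta(days=MAX_LIFETIME_DAYS)).isoformat()
    cmds = []
    for name, items in findings.items():
        codes = {code for code, _ in items}
        if codes & {"guest_enabled", "no_password", "expired_enabled"}:
            # usermod -L only locks the password (SSH keys still work);
            # an expiry date in the past blocks every login method.
            cmds += [f"usermod -L {name}", f"chage -E 0 {name}"]
        else:
            cmds.append(f"chage -E {renew} {name}")
    return cmds

if __name__ == "__main__":
    result = audit(parse_shadow(SAMPLE_SHADOW))
    for name, items in result.items():
        for _, why in items:
            print(f"{name}: {why}")
    print("\n".join(remediation(result)))
```

Locked accounts (hash beginning with "!" or "*") are skipped because they are already disabled; the check that matters for 7-7 is an expired account whose password is still live, since that is exactly the dormant account an intruder looks for. Run against the real file with `parse_shadow(open("/etc/shadow").read())` as root, and review the generated commands before executing them.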
7-14 Encryption of off-site backup data Policy: Any company data that is stored off site should be encrypted to prevent unauthorized access.
Explanation/Notes: Operations staff must ensure that all data is recoverable in the event that any information needs to be restored. This requires regular test decryption of a random sampling of encrypted files to make sure the data can be recovered. Furthermore, keys used to encrypt data shall be escrowed with a trusted manager in the event the encryption keys are lost or unavailable.
7-15 Visitor access to network connections Policy: All publicly accessible Ethernet access points must be on a segmented network to prevent unauthorized access to the internal network.
Explanation/Notes: The intention of this policy is to prevent any outsiders from connecting to the internal network when on company premises. Ethernet jacks installed in conference rooms, the cafeteria, training centers, or other areas accessible to visitors shall be filtered to prevent unauthorized access by visitors to the corporate computer systems.
The network or security administrator may choose to set up a virtual LAN in a switch, if available, to control access from these locations.
7-16 Dial-in modems Policy: Modems used for dial-in calls shall be set to answer no earlier than the fourth ring.
Explanation/Notes: As depicted in the movie War Games, hackers use a technique known as war dialing to locate telephone lines that have modems connected to them. The process begins with the attacker identifying the telephone prefixes used in the area where the target company is located. A scanning program is then used to try every telephone number in those prefixes, to locate those that answer with a modem. To speed up the process, these programs are configured to wait for one or two rings for a modem response before going on to try the next number. When a company sets the auto answer on modem lines to at least four rings, scanning programs will fail to recognize the line as a modem line.
7-17 Antivirus software Policy: Every computer system shall have current versions of antivirus software installed and activated.
Explanation/Notes: For those businesses that do not automatically push down antivirus software and pattern files (programs that recognize patterns common to virus software to recognize new viruses) to user desktops or workstations, individual users must take the responsibility for installing and maintaining the software on their own systems, including any computer systems used for accessing the corporate network remotely.
If feasible, this software must be set for automatic update of virus and Trojan signatures nightly. When pattern or signature files are not pushed down to user desktops, computer users shall have the responsibility to update pattern files at least on a weekly basis.
These provisions apply to all desktop machines and laptops used to access company computer systems, and apply whether the computer is company property or personally owned.
7-18 Incoming email attachments (high security requirements) Policy: In an organization with high security requirements, the corporate firewall shall be configured to filter out all email attachments.
Explanation/Notes: This policy applies only to businesses with high security requirements, or to those that have no business need to receive attachments through electronic mail.
7-19 Authentication of software Policy: All new software or software fixes or upgrades, whether on physical media or obtained over the Internet, must be verified as authentic prior to installation. This policy is especially relevant to the information technology department when installing any software that requires system privileges.
Explanation/Notes: Computer software referred to in this policy includes operating system components, application software, hot fixes, patches, or any software updates. Many software manufacturers have implemented methods whereby customers can check the integrity of any distribution, usually by a digital signature. In any case where the integrity cannot be verified, the manufacturer must be consulted to verify that the software is authentic.
Computer attackers have been known to send software to a victim, packaged to appear as if the software manufacturer had produced it and shipped it to the company. It is essential that you verify any software you receive as authentic, especially if unsolicited, before installing it on company systems.
Note that a sophisticated attacker might find out that your organization has ordered software from a manufacturer. With that information in hand, the attacker can cancel the order with the real manufacturer, and order the software himself.
The software is then modified to perform some malicious function, and is shipped or delivered to your company, in the original packaging, with shrink-wrapping if necessary. Once the product is installed, the attacker is in control.
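One concrete form of the check 7-19 calls for, as an added example that is not from the book: compare every file in a delivered distribution against the manufacturer's SHA-256 manifest (the "digest  path" format written by sha256sum), and refuse to install if anything is altered, missing, or present but unlisted. It assumes the manifest's own authenticity has already been established, for instance by verifying the vendor's signature over it (`gpg --verify SHA256SUMS.sig SHA256SUMS`) with a key obtained out of band; the files it checks are constructed inside a temporary directory for the demonstration, with one file tampered, one dropped and one added.

```python
"""Verify a software distribution against the vendor's SHA256SUMS manifest
("<hex digest>  <relative path>" per line).  Added example, not from the
book.  Assumes the manifest's authenticity was checked first (e.g. a PGP
signature verified with a key obtained out of band); the tree it checks is
constructed in a temporary directory."""
from __future__ import annotations
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Map relative path -> expected digest.  A malformed line is an error,
    not a skip: a truncated or edited manifest must not pass."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {raw!r}")
        int(parts[0], 16)                       # raises if the digest is not hex
        name = parts[1].lstrip("*")             # sha256sum marks binary mode with "*"
        if name in expected:
            raise ValueError(f"duplicate manifest entry: {name}")
        expected[name] = parts[0].lower()
    return expected

def verify_tree(manifest: dict[str, str], root: Path) -> dict[str, str]:
    """Return relative path -> "ok" | "mismatch" | "missing" | "unlisted".
    "unlisted" flags files in the package that the vendor never listed."""
    results = {}
    for name, digest in manifest.items():
        p = root / name
        if not p.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if hmac.compare_digest(sha256_file(p), digest) else "mismatch"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            results[rel] = "unlisted"
    return results

def safe_to_install(results: dict[str, str]) -> bool:
    return bool(results) and all(s == "ok" for s in results.values())

def build_sample_tree(root: Path) -> str:
    """Write a constructed distribution, return its genuine manifest, then
    alter the tree the way a tampered shipment might differ from it."""
    genuine = {
        "bin/installer": b"#!/bin/sh\necho constructed genuine installer\n",
        "lib/libcore.so": b"\x7fELF constructed library bytes\n",
        "README": b"constructed vendor readme\n",
        "docs/manual.txt": b"constructed manual\n",
    }
    for rel, data in genuine.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {rel}\n" for rel, d in genuine.items())
    (root / "bin/installer").write_bytes(b"#!/bin/sh\necho constructed TAMPERED installer\n")
    (root / "docs/manual.txt").unlink()                                  # dropped from the package
    (root / "bin/helper").write_bytes(b"constructed unsigned extra file\n")  # added, never listed
    return manifest

def run_demo() -> dict[str, str]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return verify_tree(parse_manifest(build_sample_tree(root)), root)

if __name__ == "__main__":
    results = run_demo()
    for rel, status in sorted(results.items()):
        print(f"{status:9} {rel}")
    print("install" if safe_to_install(results) else "do NOT install: contact the vendor")
```

The digests prove only that the files match the manifest; a checksum printed on the same media as the software, or shipped in the same box, defeats nothing in the scenario above, because the attacker who repackaged the software could rewrite it. What ties the manifest to the manufacturer is the signature check (or a digest fetched from the manufacturer over a separately authenticated channel), which is why it has to come first.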
7-20 Default passwords Policy: All operating system software and hardware devices that initially have a password set to a default value must have their passwords reset in accordance with the company password policy.
Explanation/Notes: Several operating systems and computer-related devices are shipped with default passwords--that is, with the same password enabled on every unit sold. Failure to change default passwords is a grave mistake that places the company at risk.
Default passwords are widely known and are available on Internet Web sites. In an attack, the first password an intruder tries is the manufacturer's default password.