The Art of Deception: Controlling the Human Element of Security (37 page)

11-3 Forwarding emails Policy: Any request from an Unverified Person to relay an electronic mail message to another Unverified Person requires verification of the requester's identity.

11-4 Verifying email Policy: An email message that appears to be from a Trusted Person that contains a request to provide information not designated as Public, or to perform an action with any computer-related equipment, requires an additional form of authentication. See Verification and Authorization Procedures. Explanation/Notes: An attacker can easily forge an email message and its header, making it appear as if the message originated from another email address. An attacker can also send an email message from a compromised computer system, providing phony authorization to disclose information or perform an action. Even by examining the header of an email message you cannot detect email messages sent from a compromised internal computer system.

Phone Use 12-1 Participating in telephone surveys Policy: Employees may not participate in surveys by answering any questions from any outside organization or person. Such requests must be referred to the public relations department or other designated person.

Explanation/Notes: A method used by social engineers to obtain valuable information that may be used against the enterprise is to call an employee and claim to be doing a survey. It's surprising how many people are happy to provide information about the company and themselves to strangers when they believe they're taking part in legitimate research. Among the innocuous questions, the caller will insert a few questions that the attacker wants to know. Eventually, such information may be used to compromise the corporate network.

12-2 Disclosure of internal telephone numbers Policy: If an Unverified Person asks an employee for his phone number the employee may make a reasonable determination of whether disclosure is necessary to conduct company business. Explanation/Notes: The intention of this policy is to require employees to make a considered decision on whether disclosure of their telephone extension is necessary. When dealing with people who have not demonstrated a genuine need to know the extension, the safest course is to require them to call the main company phone number and be transferred.

12-3 Passwords in voice mail messages Policy.: Leaving messages containing password information on anyone's voice mailbox is prohibited.

Explanation/Notes: A social engineer can often gain access to an employee's voice mailbox because it is inadequately protected with an easy-to-guess access code. In one type of attack, a sophisticated computer intruder is able to create his own phony voice mailbox and persuade another employee to leave a message relaying password information. This policy defeats such a ruse.

Fax Use 13-1 Relaying faxes Policy: No fax may be received and forwarded to another party without verification of the requester's identity.

Explanation/Notes: Information thieves may trick trusted employees into faxing sensitive information to a fax machine located on the company's premises. Prior to the attacker giving the fax number to the victim, the imposter telephones an unsuspecting employee, such as a secretary or administrative assistant, and asks if a document can be faxed to them for later pickup. Subsequently, after the unsuspecting employee receives the fax, the attacker telephones the employee and requests that the fax be sent to another location, perhaps claiming that it is needed for an urgent meeting. Since the person asked to relay the fax usually has no understanding of the value of the information, he or she complies with the request.

13-2 Verification of faxed authorizations Policy: Prior to carrying out any instructions received by facsimile, the sender must be verified as an employee or other Trusted Person. Placing a telephone call to the sender to verify the request is usually sufficient.

Explanation/Notes: Employees must exercise caution when unusual requests are sent by fax, such as a request to enter commands into a computer or disclose information. The data in the header of a faxed document can be falsified by changing the settings of the sending fax machine. Therefore the header on a fax must not be accepted as a means of establishing identity or authorization.

13-3 Sending sensitive information by fax Policy: Before sending Sensitive information by fax to a machine that is located in an area accessible to other personnel, the sender shall transmit a cover page. The recipient, on receiving the page, transmits a page in response, demonstrating that he/he is physically present at the fax machine. The sender then transmits the fax.

Explanation/Notes: This handshake process assures the sender that the recipient is physically present at the receiving end. Moreover, this process verifies that the receiving fax telephone number has not been forwarded to another location.

13-4 Faxing passwords prohibited Policy: Passwords must not be sent via facsimile under any circumstances.

Explanation/Notes: Sending authentication information by facsimile is not secure. Most fax machines are accessible to a number of employees. Furthermore, they rely on the public telephone switched network, which can be manipulated by call forwarding the phone number for the receiving fax machine so that the fax is actually sent to the attacker at another number.

Voice Mail Use 14-1 Voice mail passwords Policy: Voice mail passwords must never be disclosed to anyone for any purpose. In addition, voice mail passwords must be changed every ninety days or sooner. Explanation/Notes: Confidential company information may be left in voice mail messages. To protect this information, employees should change their voice mail passwords frequently, and never disclose them. In addition, voice mail users should not use the same or similar voice mail passwords within a twelve-month period.

14-2 Passwords on multiple systems Policy.. Voice mail users must not use the same password on any other phone or computer system, whether internal or external to the company. Explanation/Notes." Use of a similar or identical password for multiple devices, such as voice mail and computer, makes it easier for social engineers to guess all the passwords of a user after identifying only one.

14-3 Setting voice mail passwords Policy: Voice mail users and administrators must create voice mail passwords that are difficult to guess. They must not be related in any way to the person using it, or the company, and should not contain a predictable pattern that is likely to be guessed.

Explanation/Notes: Passwords must not contain sequential or repeating digits (i.e. 1111, 1234, 1010), must not be the same as or based on the telephone extension number, and must not be related to address, zip code, birth date, license plate, phone number, weight, I.Q., or other predictable personal information.

14-4 Mail messages marked as "old" Policy: When previously unheard voice mail messages are not marked as new messages, the voice mail administrator must be notified of a possible security violation and the voice mail password must immediately be changed.

Explanation/Notes: Social engineers may gain access to a voice mailbox in a variety of ways. An employee who becomes aware that messages they have never listened to are not being announced as new messages must assume that another person has obtained unauthorized access to the voice mailbox and listened to the messages themselves. 14-5 External voice mail greetings Policy: Company workers shall limit their disclosure of information on their external outgoing greeting on their voice mail. Ordinarily information related to a worker's daily routine or travel schedule should not be disclosed.

Explanation/Notes: An external greeting (played to outside callers) should not include last name, extension, or reason for absence (such as travel, vacation schedule, or daily itinerary). An attacker can use this information to develop a plausible story in his attempt to dupe other personnel.

14-6 Voice mail password patterns Policy: Voice mail users shall not select a password where one part of the password remains fixed, while another part changes in a predictable pattern.

Explanation/Notes: For example, do not use a password such as 743501, 743502, 743503, and so on, where the last two digits correspond to the current month.

14-7 Confidential or Private information Policy: Confidential or Private information shall not be disclosed in a voice mail message.

Explanation/Notes: The corporate telephone system is typically more vulnerable than corporate computer systems. The passwords are usually a string of digits, which substantially limits the number of possibilities for an attacker to guess. Further, in some organizations, voice mail passwords may be shared with secretaries or another administrative staff who have the responsibility of taking messages for their managers. In light of the above, no Sensitive information should ever be left on anyone's voice mail.

Passwords 15-1 Telephone security Policy: Passwords shall not be disclosed over the telephone at any time.

Explanation/Notes: Attackers may find ways to listen in to phone conversations, either in person or through a technological device.

15-2 Revealing computer passwords Policy: Under no circumstances shall any computer user reveal his or her password to anyone for any purpose without prior written consent of the responsible information technology manager.

Explanation/Notes: The goal of many social engineering attacks involves deceiving unsuspecting persons into revealing their account names and passwords. This policy is a crucial step in reducing the risk of successful social engineering attacks against the enterprise. Accordingly, this policy needs to be followed religiously throughout the company.

15-3 Internet passwords Policy: Personnel must never use a password that is the same as or similar to one they are using on any corporate system on an Internet site.

Explanation/Notes: Malicious Web site operators may set up a site that purports to offer something of value or the possibility of winning a prize. To register, a visitor to the site must enter an email address, username, and password. Since many people use the same or similar sign-on information repeatedly, the malicious Web site operator will attempt to use the chosen password and variations of it for attacking the target's work- or home- computer system. The visitor's work computer can sometimes be identified by the email address entered during the registration process.

15-4 Passwords on multiple systems Policy: Company personnel must never use the same or a similar password in more than one system. This policy pertains to various types of devices (computer or voice mail); various locations of devices (home or work); and various types of systems, devices (router or firewall), or programs (database or application).

Explanation/Notes: Attackers rely on human nature to break into computer systems and networks. They know that, to avoid the hassle of keeping track of several passwords, many people use the same or a similar password on every system they access. As such, the intruder will attempt to learn the password of one system where the target has an account. Once obtained, it's highly likely that this password or a variation thereof will give access to other systems and devices used by the employee.

15-5 Reusing passwords Policy: No computer user shall use the same or a similar password within the same eighteen-month period.

Explanation/Note: If an attacker does discover a user's password, frequent changing of the password minimizes the damage that can be done. Making the new password unique from previous passwords makes it harder for the attacker to guess it.

15-6 Password patterns Policy." Employees must not select a password where one part remains fixed, and another element changes in a predictable pattern. Explanation/Notes: For example, do not use a password such as Kevin01, Kevin02, Kevin03, and so on, where the last two digits correspond to the current month.

15-7 Choosing passwords Policy: Computer users should create or choose a password that adheres to the following requirements. The password must:

Be at least eight characters long for standard user accounts and at least twelve characters long for privileged accounts.

Contain at least one number, at least one symbol (such as $, -, I, &), at least one lowercase letter, and at least one upper-case letter (to the extent that such variables are supported by the operating system).

Not be any of the following items: words in a dictionary in any language; any word that is related to an employee's family, hobbies, vehicle, work, license plate, social security number, address, telephone, pet's name, birthday, or phrases containing those words.

Not be a variation of a previously used password, with one element remaining the same and another element changing, such as kevin, kevin 1, kevin2; or kevinjan, kevinfeb.

Explanation/Notes: The parameters listed above will produce a password that is difficult for the social engineer to guess. Another option is the consonant-vowel method, which provides an easy-to-remember and pronounceable password. To construct this kind of password substitute consonants for each letter C and vowels for the letter V, using the mask of "CVCVCVCV." Examples would be MIXOCASO; CUSOJENA.

15-8 Writing passwords down Policy: Employees should write passwords down only when they store them in a secure location away from the computer or other password protected device.

Explanation/Notes: Employees are discouraged from ever writing down passwords. Under certain conditions, however, it may be necessary; for example, for an employee who has multiple accounts on different computer systems. Any written passwords must be secured in a safe place away from the computer. Under no circumstances may a password be stored under the keyboard or attached to the computer display.

15-9 Plaintext passwords in computer files Policy: Plaintext passwords shall not be saved in any computer file or stored as text called by pressing a function key. When necessary, passwords may be saved using an encryption utility approved by the IT department to prevent any unauthorized disclosures.

Explanation/Notes: Passwords can be easily recovered by an attacker if stored in unencrypted form in computer data files, batch files, terminal function keys, login files, macro or scripting programs, or any data files which contain passwords to FTP sites.