The Art of Deception: Controlling the Human Element of Security (31 page)

A confidentiality agreement must be signed before Internal information may be disclosed to third parties, such as employees of vendor firms, contractor labor, partner firms, and so on. Internal information generally includes anything used in the course of daily business activity that should not be released to outsiders, such as corporate organizational charts, network dial-up numbers, internal system names, remote access procedures, cost center codes, and so on.

Public. Information that is specifically designated for release to the public. This type of information can be freely distributed to anyone, such as press releases, customer-support contact information, or product brochures. Note that any information not specifically designated as Public should be treated as Sensitive information.

Classified Data Terminology Based on its classification, data should be distributed to certain categories of people. A number of policies in this chapter refer to information being given to an Unverified Person. For the purposes of these policies, an Unverified Person is someone whom the employee does not personally know to be an active employee or to b an employee with the proper rank to have access to information, or who has not been vouched for by a trusted third party.

For the purposes of these policies, a Trusted Person is a person you have met face-to-face who is known to you as a company employee, customer, or consultant to the company with the proper rank to have access to information. A Trusted Person might also be an employee of a company having an established relationship, with your company (for example, a customer, vendor, or strategic business partner that has signed a nondisclosure agreement).

In third party vouching, a Trusted Person provides verification of a person's employment or status, and the person's authority to request information or an action. Note that in some instances, these policies require you to verify that the Trusted Person is still employed by the company before responding to a request for information or action by someone for whom they have vouched.

A privileged account is a computer or other account requiring access permission beyond the basic user account, such as a systems administrator account. Employees with privileged accounts typically have the ability to modify user privileges or perform system functions.

A general departmental mailbox is a voice mailbox answered with a generic message for the department. Such a mailbox is used in order to protect names and phone extensions of employees who work in a particular department.

VERIFICATION AND AUTHORIZATION PROCEDURES Information thieves commonly use deceptive tactics to access or obtain confidential business information by masquerading as legitimate employees, contractors, vendors, or business partners. To maintain effective information security, an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.

The recommended procedures given in this chapter are designed to help an employee who receives a request via any communication method such as telephone, email, or fax to determine whether the request and the person making it are legitimate.

Requests from a Trusted Person A request for information or action from a Trusted Person may require:

Verification that the company actively employs or has a relationship with the person where such a relationship is a condition of access to this category of information. This is to prevent terminated employees, vendors, contractors, and others who no longer are associated with the company from masquerading as active personnel.

Verification that the person has a need to know, and is authorized to have access to the information or to request the action.

Requests from an Unverified Person When a request is made by an Unverified Person, a reasonable verification process must be deployed to positively identify the person making the request as authorized to receive the requested information, especially when the request in any way involves computers or computer-related equipment. This process is the fundamental control to prevent successful social engineering attacks: If these verification procedures are followed, they will dramatically reduce successful social engineering attacks.

It is important that you not make the process so cumbersome that it is cost- prohibitive, or that employees ignore it.

As detailed below, the verification process involves three steps:

Verifying that the person is who he or she claims to be.

Determining that the requester is currently employed or shares a need-to-know relationship with the company.

Determining that the person is authorized to receive the specific information or to call for the requested action. Step One: Verification of Identity The recommended steps for verification are listed below in order of effectiveness--the higher the number, the more effective the method. Also included with each item is a statemen.t about the weakness of that particular method, and the way in which a social engineer can defeat or circumvent the method to deceive an employee.

1. Caller ID (assuming this feature is included in the company telephone

system). From the caller ID display, ascertain whether the call is from inside

or outside the company, and that the name or telephone number displayed

matches the identity provided by the caller.

Weakness: External caller ID information can be falsified by anyone with access to a PBX or telephone switch connected to digital phone service.

2. Callback. Look up the requester in the company directory,and call back to the

listed extension to verify that therequester is an employee.

Weakness: An attacker with sufficient knowledge can call-forward a company extension so that, when the employee places the verification call to the listed phone number, the call is transferred to the attacker's outside phone number.

3. Vouching. A Trusted Person who vouches for the requester's identity verifies

the requester.

Weakness: Attackers using a pretext are frequently able to convince another employee of their identity, and get that employee to vouch for them.

4. Shared Secret. Use an enterprise-wide shared secret, such as apassword or

daily code.

Weakness." If many people know the shared secret, it may be easy for an attacker to learn it.

5. Employee's Supervisor/Manager. Telephone the employee'simmediate

supervisor and request verification.

Weakness: If the requester has provided the telephone number for reaching his or her manager, the person the employee reaches when calling the number may not be the real manager but may, in fact, be an accomplice of the attacker.

6. Secure Email. Request a digitally signed message. Weakness: If an attacker has already compromised an employee's computer and installed a keystroke logger to obtain the employee's pass phrase, he can send digitally signed email that appears to be from the employee.

7. Personal Voice Recognition. The person receiving the request has dealt with

the requester (preferably face-to-face),knows for certain that the person

actually is a Trusted Person, and is familiar enough with the person to

recognize his or her voice on the telephone.

Weakness: This is a fairly secure method, not easily circumvented by an attacker, but is of no use if the person receiving the request has never met or spoken with the requester.

8. Dynamic Password Solution. The requester authenticates himself or herself

through the use of a dynamic password solution such as a Secure ID.

Weakness: To defeat this method, an attacker would have to obtain one of the dynamic password devices, as well the accompanying PIN of the employee to whom the device rightfully belongs, or would have to deceive an employee into reading the information on the display of the device and providing the PIN.

9. In Person with ID. The requester appears in person andpresents an employee

badge or other suitable identification,preferably a picture ID.

Weakness: Attackers are often able to steal an employee badge, or create a phony badge that appears authentic; however, attackers generally shun this approach because appearing in person puts the attacker at significant risk of being identified and apprehended.

Step Two: Verification of Employment Status

The greatest information security threat is not from the professional social engineer, nor from the skilled computer intruder, but from someone much closer: the just-fired employee seeking revenge or hoping to set himself up in business using information stolen from the company. (Note that a version of this procedure can also be used to verify that someone still enjoys another kind of business relationship with your company, such as a vendor, consultant, or contract worker.)

Before providing Sensitive information to another person or accepting instructions for actions involving the computer or computer-related equipment, verify that the requester is still a current employee by using one of these methods: Employee Directory Check. If the company maintains an online employee directory that accurately reflects active employees, verify that the requester is still listed.

Requester's Manager Verification. Call the requester's manager using a phone number listed in the company directory, not a number provided by the requester.

Requester's Department or Workgroup Verification. Call the requester's department or workgroup and determine from anyone in that department or workgroup that the requester is still employed by the company.

Step Three: Verification of Need to Know Beyond verifying that the requester is a current employee or has a relationship with your company, there still remains the issue of whether the requester is authorized to have access to the information being requested, or is authorized to request that specific actions affecting computers or computer-related equipment be taken.

This determination may be made by using one of these methods:

Consult job title/workgroup/responsibilities lists. A company can provide ready access to authorization information by publishing lists of which employees are entitled to what information. These lists may be organized in terms of employee job title, employee departments and workgroups, employee responsibilities, or by some combination of these. Such lists would need to be maintained on line to be kept current and provide quick access to authorization information. Ordinarily, Information Owners would be responsible for overseeing the creation and maintenance of the lists for access to information under the Owner's control.

NOTE It is important to note that maintaining such lists is an invitation to the social engineer. Consider: If an attacker targets a company becomes aware that the company maintains such lists, there is a strong motivation to obtain one. Once in hand, such a list opens many doors to the attacker and puts the company at serious risk.

Obtain Authority from a Manager. An employee contacts his or her own manager, or the manager of the requester, for authority to comply with the request.

Obtain Authority from the Information Owner or a Designee. The information Owner is the ultimate judge of whether a particular person should be granted access. The process for computer-based access control is for the employee to contact his or her immediate manager to approve a request for access to information based on existing job profiles. If such a profile does not exist, it is the manager's responsibility to contact the relevant data Owner for permission. This chain of command should be followed so that Information Owners are not barraged with requests when there is a frequent need to know. Obtain Authority by Means of a Proprietary Software Package. For a large company in a highly competitive industry, it may be practical to develop a proprietary software package that provides need-to-know authorization. Such a database stores employee names and access privileges to classified information. Users would not be able to look up each individual's access rights, but instead would enter the requester's name, and the identifier associated with the information being sought. The software then provides a response indicating whether or not the employee is authorized to access such information. This alternative avoids the danger of creating a list of personnel with respective access rights to valuable, critical, or sensitive information that could be stolen.

Data Classification Policies Data Classification refers to how your company classifies the sensitivity of information and who should have access to that information.

1-1 Assign data classification Policy: All valuable, sensitive, or critical business information must be assigned to a classification category by the designated Information Owner or delegate.

Explanation/Notes: The designated Owner or delegate will assign the appropriate data classification to any information routinely used to accomplish business goals. The Owner also controls who can access such information and what use can be made of it. The Owner of the information may reassign the classification and may designate a time period for automatic declassification. Any item not otherwise marked should be classified as Sensitive.

1-2 Publish classified handling procedures Policy: The company must establish procedures governing the release of information in each category.

Explanation/Notes." Once classifications are established, procedures for release of information to employees and to outsiders must be set up, as detailed in the Verification and Authorization Procedures outlined earlier in this chapter.

1-3 Label all items Policy." Clearly mark both printed materials and media storage containing Confidential, Private, or Internal information to show the appropriate data classification.

Explanation/Notes." Hard copy documents must have a cover sheet, with a classification label prominently displayed, and a classification label on every page that is visible when the document is open.

All electronic files that cannot easily be labeled with appropriate data classifications (database or raw data files) must be protected via access controls to insure that such information is not improperly disclosed, and that it cannot be changed, destroyed, or made inaccessible. All computer media such as floppy disks, tapes, and CD-ROMs must be labeled with the highest classification of any information contained therein.

Information Disclosure Information disclosure involves the release of information to various parties based on their identity and need to know.

2-1 Employee verification procedure Policy: The company should establish comprehensive procedures to be used by employees for verifying the identity, employment status, and authorization of an individual before releasing Confidential or Sensitive information or performing any task that involves use of any computer hardware or software.

Explanation/Notes: Where justified by size of company and security needs, advanced security technologies should be used to authenticate identity. The best security practice would be to deploy authentication tokens in combination with a shared secret to positively identify persons making requests. While this practice would substantially minimize risk, the cost may be prohibitive for some businesses. In those circumstances, the company should use a company-wide shared secret, such as a daily password or code.

2-2 Release of information to third parties Policy: A set of recommended information disclosure procedures must be made available and all employees should be trained to follow them.

Explanation/Notes: Generally, distribution procedures need to be established for:

Information made available within the company.

Distribution of information to individuals and employees of organizations having an established relationship with the company, such as consultants, temporary workers, interns, employees of organizations that have a vendor relationship or strategic partnership arrangement with the company, and so on. Information made available outside the company.

Information at each classification level, when the information is being delivered in person, by telephone, by email, by facsimile, by voice mail, by postal service, by signature delivery service, and by electronic transfer. 2-3 Distribution of Confidential information Policy: Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Confidential information in a physical form (that is, printed copy or on a removable storage medium) may be delivered:

In person.

By internal mail, sealed and marked with the Confidential classification.

Outside the company by a reputable delivery service (that is, FedEx, UPS, and so on) with signature of recipient required, or by a postal service using a certified or registered class of mail.

Confidential information in electronic form (computer files, database files, email) may be delivered:

Within the body of encrypted email.

By email attachment, as an encrypted file.

By electronic transfer to a server within the company internal network.

By a fax program from a computer, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Confidential information may be discussed in person; by telephone within the company; by telephone outside the company if encrypted; by encrypted satellite transmission; by encrypted videoconferencing link; and by encrypted Voice Over Internet Protocol (VoIP).

For transmission by fax machine, the recommended method calls for the sender to transmit a cover page; the recipient, on receiving the page, transmits a page in response, demonstrating that he/she is at the fax machine. The sender then transmits the fax.

The following means of communication are not acceptable for discussing or distributing Confidential information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, Short Message Service, or cordless).

2-4 Distribution of Private information Policy: Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Private information in a physical form (that is, hard-copy or data on a removable storage medium) may be delivered:

In person

By internal mail, sealed and marked with the Private classification

By regular mail

Private information in electronic form (computer files, database files, email) may be delivered:

By internal email.

By electronic transfer to a server within the company internal network.

By facsimile, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. Facsimiles can also be sent to password-protected fax servers. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Private information may be discussed in person; by telephone; by satellite transmission; by videoconferencing link; and by encrypted Vole

The following means of communication are not acceptable for discussing or distributing Private information: unencrypted email, voice mail message, regular mail, and by any wireless communication method (cellular, SMS, or cordless).

2-5 Distribution of Internal information Policy: Internal information is information to be shared only within the company or with other Trusted persons who have signed a nondisclosure agreement. You must establish guidelines for the distribution of Internal information. Explanation/Notes: Internal information may be distributed in any form, including internal email, but may not be distributed outside the company in email form unless encrypted.

2-6 Discussing Sensitive information over the telephone Policy: Prior to releasing any information that is not designated as Public over the telephone, the person releasing such information must personally recognize the requester's voice through prior business contact, or the company phone system must identify the call as being from an internal telephone number that has been assigned to the requester.

Explanation/Notes: If the requester's voice is not known, call the requester's internal phone number to verify the requester voice through a recorded voice mail message, or have the requester's manager verify the requester's identity and need to know.

2-7 Lobby or reception personnel procedures Policy: Lobby personnel must obtain photo identification prior to releasing any package to any person who is not known to be an active employee. A log should be kept for recording the person's name, driver's license number, birth date, the item picked up, and the date and time of such pickup.

Explanation/Notes: This policy also applies to handing over outgoing packages to any messenger or courier service such as FedEx, UPS, or Airborne Express. These companies issue identification cards that can be used to verify employee identity.

2-8 Transfer of software to third parties Policy: Prior to the transfer or disclosure of any software, program, or computer instructions, the requester's identity must be positively verified, and it must be established whether such release is consistent with the data classification assigned to such information. Ordinarily, software developed in-house in source- code format is considered highly proprietary, and classified Confidential.

Explanation/Notes: Determination of authorization is usually based on whether the requester needs access to the software to do his or her job.

2-9 Sales and marketing qualification of customer leads Policy: Sales and marketing personnel must qualify leads before releasing internal callback numbers, product plans, product group contacts, or other Sensitive information to any potential customer. Explanation/Notes: It is a common tactic for industrial spies to contact a sales and marketing representative and make him believe that a big purchase may be in the offing. In an effort to take advantage of the sales opportunity, sales and marketing reps often release information that can be used by the attacker as a poker chip to obtain access to Sensitive information.

2-10 Transfer of files or data Policy: Files or other electronic data should not be transferred to any removable media unless the requester is a Trusted Person whose identity has been verified and who has a need to have such data in that format.

Explanation/Notes: A social engineer can easily dupe an employee by providing a plausible request for having Sensitive information copied to a tape, Zip disc, or other removable media, and sent to him or held in the lobby for pickup.

Phone Administration Phone administration policies ensure that employees can verify caller identity, and protect their own contact information from those calling into the company.

3-1 Call forwarding on dial-up or fax numbers Policy: Call forwarding services that permit forwarding calls to external telephone numbers will not be placed on any dial-up modem or fax telephone numbers within the company.

Explanation/Notes: Sophisticated attackers may attempt to dupe telephone company personnel or internal telecom workers into forwarding internal numbers to an external phone line under control of an attacker. This attack allows the intruder to intercept faxes, request Confidential information to be faxed within the company (personnel assume that faxing within the organization must be safe) or dupe dial-in users into providing their account passwords by forwarding the dial-up lines to a decoy computer that simulates the login process.

Depending on the telephone service used within the company, the call forwarding feature may be under control of the communications provider, rather than the telecommunications department. In such circumstances, a request will be made to the communications provider to insure the call forwarding feature is not present on the telephone numbers assigned to dial-up and fax lines.

3-2 Caller ID Policy: The corporate telephone system must provide caller line identification (caller ID) on all internal telephone sets, and, if possible, enable distinctive ringing to indicate when a call is from outside the company. Explanation/Notes: If employees can verify the identity of telephone calls from outside the company it may help them prevent an attack, or identify the attacker to appropriate security personnel.

3-3 Courtesy phones Policy: To prevent visitors from masquerading as company workers, every courtesy telephone will clearly indicate the location of the caller (for example, "Lobby") on the recipient's caller ID.

Explanation/Notes." If the caller ID for internal calls shows extension number only, appropriate provision must be made for calls placed from company phones in the reception area and any other public areas. It must not be possible for an attacker to place a call from one of these phones and

deceive an employee into believing that the call has been placed internally from an employee telephone.

3-4 Manufacturer default passwords shipped with phone systems Policy: The voice mail administrator should change all default passwords that were shipped with the phone system prior to use by company personnel.

Explanation/Notes: Social engineers can obtain lists of default passwords from manufacturers and use these to access administrator accounts.

3-5 Department voice mailboxes Policy." Set up a generic voice mailbox for every department that ordinarily has contact with the public.

Explanation/Notes: The first step of social engineering involves gathering information about the target company and its personnel. By limiting the accessibility of the names and telephone numbers of employees, a company makes it more difficult for the social engineer to identify targets in the company, or names of legitimate employees for use in deceiving other personnel.

3-6 Verification of telephone system vendor Policy: No vendor-support technicians will be permitted to remotely access the company telephone system without positive identification of vendor and authorization to perform such work.