Chapter 16. Recommended Corporate Information Security Policies

Nine out of every ten large corporations and government agencies have been attacked by computer intruders, to judge from the results of a survey conducted by the FBI and reported by the Associated Press in April 2002. Interestingly, the study found that only about one company in three reported or publicly acknowledged any attacks. That reticence to reveal their victimization makes sense. To avoid loss of customer confidence and to prevent further attacks by intruders who learn that a company may be vulnerable, most businesses do not publicly report computer security incidents.

It appears that there are no statistics on social engineering attacks, and if there were, the numbers would be highly unreliable; in most cases a company never knows when a social engineer has "stolen" information, so many attacks go unnoticed and unreported.

Effective countermeasures can be put into place against most types of social engineering attacks. But let's face reality here—unless everyone in the enterprise understands that security is important and makes it his or her business to know and adhere to a company's security policies, social engineering attacks will always present a grave risk to the enterprise.

In fact, as improvements are made in the technological weapons against security breaches, the social engineering approach to using people to access proprietary company information or penetrate the corporate network will almost certainly become significantly more frequent and attractive to information thieves. An industrial spy will naturally attempt to accomplish his or her objective using the easiest method and the one involving the least risk of detection. As a matter of fact, a company that has protected its computer systems and network by deploying state-of-the-art security technologies may thereafter be at more risk from attackers who use social engineering strategies, methods, and tactics to accomplish their objectives.

This chapter presents specific policies designed to minimize a company's risk with respect to social engineering attacks. The policies address attacks that do not rely strictly on exploiting technical vulnerabilities; instead, the attacker uses some kind of pretext or ruse to deceive a trusted employee into providing information or performing an action that gives the perpetrator access to sensitive business information or to enterprise computer systems and networks.

WHAT IS A SECURITY POLICY?

Security policies are clear instructions that provide the guidelines for employee behavior for safeguarding information, and are a fundamental building block in developing effective controls to counter potential security threats. These policies are even more significant when it comes to preventing and detecting social engineering attacks.

Effective security controls are implemented by training employees with well-documented policies and procedures. However, it is important to note that security policies, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.

The policies presented here include measures that, while not strictly focused on social engineering issues, nonetheless belong here because they deal with techniques commonly used in social engineering attacks. For example, policies about opening email attachments—which could install malicious Trojan Horse software allowing the attacker to take over the victim's computer—address a method frequently used by computer intruders.

Steps to Developing a Program

A comprehensive information security program usually starts with a risk assessment aimed at determining:

  • What enterprise information assets need to be protected?

  • What specific threats exist against these assets?

  • What damage would be caused to the enterprise if these potential threats were to materialize?

The primary goal of risk assessment is to prioritize which information assets are in need of immediate safeguards, and whether instituting safeguards will be cost-effective based on a cost-benefit analysis. Simply put, what assets are going to be protected first, and how much money should be spent to protect these assets?

It's essential that senior management buy into and strongly support the necessity of developing security policies and an information security program. As with any other corporate program, if a security program is to succeed, management must do more than merely provide an endorsement; it must demonstrate a commitment by personal example. Employees need to be aware that management strongly subscribes to the belief that information security is vital to the company's operation, that protection of company business information is essential for the company to remain in business, and that every employee's job may depend on the success of the program.

The person assigned to draft information security policies needs to understand that the policies should be written in a style free of technical jargon and readily understood by the nontechnical employee. It's also important that the document make clear why each policy is important; otherwise employees may disregard some policies as a waste of time. The policy writer should create a document that presents the policies, and a separate document for procedures, because policies will probably change much less frequently than the specific procedures used to implement them.

In addition, the policy writer should be aware of ways in which security technologies can be used to enforce good information security practices. For example, most operating systems make it possible to require that user passwords conform to certain specifications such as minimum length. In some companies, a policy prohibiting users from downloading programs can be enforced via local or global policy settings within the operating system. The policies should require the use of security technology whenever it is cost-effective, so that compliance does not depend on a human decision at the moment of the request.

Employees must be advised of the consequences for failing to comply with security policies and procedures. A set of appropriate consequences for violating the policies should be developed and widely publicized. Also, a reward program should be created for employees who demonstrate good security practices or who recognize and report a security incident. Whenever an employee is rewarded for foiling a security breach, it should be widely publicized throughout the company, for example in an article in the company newsletter.

One goal of a security awareness program is to communicate the importance of security policies and the harm that can result from failure to follow such rules. Given human nature, employees will, at times, ignore or circumvent policies that appear unjustified or too time-consuming. It is a management responsibility to ensure that employees understand the importance of the policies and are motivated to comply, rather than treating them as obstacles to be circumvented.

It's important to note that information security policies cannot be written in stone. As business needs change, as new security technologies come to market, and as security vulnerabilities evolve, the policies need to be modified or supplemented. A process for regular review and updating should be put into place. Make the corporate security policies and procedures available via the corporate intranet or maintain such policies in a publicly available folder. This increases the likelihood that such policies and procedures will be reviewed more frequently, and provides a convenient method for employees to quickly find the answer to any information-security related question.

Finally, periodic penetration tests and vulnerability assessments using social engineering methods and tactics should be conducted to expose any weakness in training or lack of adherence to company policies and procedures. Prior to using any deceptive penetration-testing tactics, employees should be put on notice that such testing may occur from time to time.

How to Use These Policies

The detailed policies presented in this chapter represent only a subset of the information security policies I believe are necessary to mitigate all security risks. Accordingly, the policies included here should not be considered as a comprehensive list of information security policies. Rather, they are the basis for building a comprehensive body of security policies appropriate to the specific needs of your company.

Policy writers for an organization will have to choose the policies that are appropriate based on their company's unique environment and business goals. Each organization, having different security requirements based on business needs, legal requirements, organizational culture, and the information systems used by the company, will take what it needs from the policies presented, and omit the rest.

There are also choices to be made about how stringent policies will be in each category. A smaller company located in a single facility where most employees know one another does not need to be much concerned about an attacker calling on the phone and pretending to be an employee (although of course an imposter may masquerade as a vendor). Also, despite the increased risks, a company framed around a casual, relaxed corporate culture may wish to adopt only a limited subset of recommended policies to meet its security objectives.

DATA CLASSIFICATION

A data classification policy is fundamental to protecting an organization's information assets, and sets up categories for governing the release of sensitive information. This policy provides a framework for protecting corporate information by making all employees aware of the level of sensitivity of each piece of information.

Operating without a data classification policy—the status quo in almost all companies today—leaves most of these decisions in the hands of individual workers. Naturally, employee decisions are largely based on subjective factors, rather than on the sensitivity, criticality, and value of information. Information is also released because employees are ignorant of the possibility that in responding to a request for the information, they may be putting it into the hands of an attacker.

The data classification policy sets forth guidelines for classifying valuable information into one of several levels. With each item assigned a classification, employees can follow a set of data-handling procedures that protect the company from inadvertent or careless release of sensitive information. These procedures mitigate the possibility that employees will be duped into revealing sensitive information to unauthorized persons.

Every employee must be trained on the corporate data classification policy, including those who do not typically use computers or corporate communications systems. Because every member of the corporate workforce—including the cleaning crew, building guards, and copy-room staff, as well as consultants, contractors, and even interns—may have access to sensitive information, anyone could be the target of an attack.

Management must assign an Information Owner to be responsible for any information that is currently in use at the company. Among other things, the Information Owner is responsible for the protection of the information assets. Ordinarily, the Owner decides what level of classification to assign based on the need to protect the information, periodically reassesses the classification level assigned, and decides if any changes are needed. The Information Owner may also delegate the responsibility of protecting the data to a Custodian or Designee.

Classification Categories and Definitions

Information should be separated into varying levels of classification based on its sensitivity. Once a particular classification system is set up, it's an expensive and time-consuming process to reclassify information into new categories. In our example policy I chose four classification levels, which is appropriate for most medium-to-large businesses. Depending on the number and types of sensitive information, businesses may choose to add more categories to further control specific types of information. In smaller businesses, a three-level classification scheme may be sufficient. Remember—the more complex the classification scheme, the more expense to the organization in training employees and enforcing the system.

Confidential. This category of information is the most sensitive. Confidential information is intended for use only within the organization. In most cases, it should only be shared with a very limited number of people with an absolute need to know. The nature of Confidential information is such that any unauthorized disclosure could seriously impact the company, its shareholders, its business partners, and/or its customers. Items of Confidential information generally fall into one of these categories:

  • Information concerning trade secrets, proprietary source code, technical or functional specifications, or product information that could be of advantage to a competitor.

  • Marketing and financial information not available to the public.

  • Any other information that is vital to the operation of the company such as future business strategies.

Private. This category covers information of a personal nature that is intended for use only within the organization. Any unauthorized disclosure of Private information could seriously impact employees, or the company if obtained by any unauthorized persons (especially social engineers). Items of Private information would include employee medical history, health benefits, bank account information, salary history, or any other personal identifying information that is not of public record.

Note

The Internal category of information is often termed Sensitive by security personnel. I have chosen to use Internal because the term itself explains the intended audience. I have used the term Sensitive not as a security classification but as a convenient method of referring to Confidential, Private, and Internal information; put another way, Sensitive refers to any company information that is not specifically designated as Public.

Internal. This category of information can be freely provided to any persons employed by the organization. Ordinarily, unauthorized disclosure of Internal information is not expected to cause serious harm to the company, its shareholders, its business partners, its customers, or its employees. However, persons adept in social engineering skills can use this information to masquerade as an authorized employee, contractor, or vendor to deceive unsuspecting personnel into providing more sensitive information that would result in unauthorized access to corporate computer systems.

A confidentiality agreement must be signed before Internal information may be disclosed to third parties, such as employees of vendor firms, contractor labor, partner firms, and so on. Internal information generally includes anything used in the course of daily business activity that should not be released to outsiders, such as corporate organizational charts, network dial-up numbers, internal system names, remote access procedures, cost center codes, and so on.

Public. Information that is specifically designated for release to the public. This type of information can be freely distributed to anyone, such as press releases, customer-support contact information, or product brochures. Note that any information not specifically designated as Public should be treated as Sensitive information.

Classified Data Terminology

Based on its classification, data should be distributed to certain categories of people. A number of policies in this chapter refer to information being given to an Unverified Person. For the purposes of these policies, an Unverified Person is someone whom the employee does not personally know to be an active employee or to be an employee with the proper rank to have access to information, or who has not been vouched for by a trusted third party.

For the purposes of these policies, a Trusted Person is a person you have met face-to-face who is known to you as a company employee, customer, or consultant to the company with the proper rank to have access to information. A Trusted Person might also be an employee of a company having an established relationship with your company (for example, a customer, vendor, or strategic business partner that has signed a non-disclosure agreement).

In third party vouching, a Trusted Person provides verification of a person's employment or status, and the person's authority to request information or an action. Note that in some instances, these policies require you to verify that the Trusted Person is still employed by the company before responding to a request for information or action by someone for whom they have vouched.

A privileged account is a computer or other account requiring access permission beyond the basic user account, such as a systems administrator account. Employees with privileged accounts typically have the ability to modify user privileges or perform system functions.

A general departmental mailbox is a voice mailbox answered with a generic message for the department. Such a mailbox is used in order to protect names and phone extensions of employees who work in a particular department.

VERIFICATION AND AUTHORIZATION PROCEDURES

Information thieves commonly use deceptive tactics to access or obtain confidential business information by masquerading as legitimate employees, contractors, vendors, or business partners. To maintain effective information security, an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.

The recommended procedures given in this chapter are designed to help an employee who receives a request via any communication method such as telephone, email, or fax to determine whether the request and the person making it are legitimate.

Requests from a Trusted Person

A request for information or action from a Trusted Person may require:

  • Verification that the company actively employs or has a relationship with the person where such a relationship is a condition of access to this category of information. This is to prevent terminated employees, vendors, contractors, and others who no longer are associated with the company from masquerading as active personnel.

  • Verification that the person has a need to know, and is authorized to have access to the information or to request the action.

Requests from an Unverified Person

When a request is made by an Unverified Person, a reasonable verification process must be deployed to positively identify the person making the request as authorized to receive the requested information, especially when the request in any way involves computers or computer-related equipment. This process is the fundamental control to prevent successful social engineering attacks: If these verification procedures are followed, they will dramatically reduce successful social engineering attacks.

It is important that you not make the process so cumbersome that it is cost-prohibitive, or that employees ignore it.

As detailed below, the verification process involves three steps:

  • Verifying that the person is who he or she claims to be.

  • Determining that the requester is currently employed or shares a need-to-know relationship with the company.

  • Determining that the person is authorized to receive the specific information or to call for the requested action.

Step One: Verification of Identity

The recommended steps for verification are listed below in order of effectiveness—the higher the number, the more effective the method. Also included with each item is a statement about the weakness of that particular method, and the way in which a social engineer can defeat or circumvent the method to deceive an employee.

  1. Caller ID (assuming this feature is included in the company telephone system). From the caller ID display, ascertain whether the call is from inside or outside the company, and that the name or telephone number displayed matches the identity provided by the caller.

    Weakness: External caller ID information can be falsified by anyone with access to a PBX or telephone switch connected to digital phone service (for example, an ISDN PRI trunk), or to a VoIP provider that passes along caller-supplied caller ID.

  2. Callback. Look up the requester in the company directory, and call back to the listed extension to verify that the requester is an employee.

    Weakness: An attacker with sufficient knowledge can call-forward a company extension so that, when the employee places the verification call to the listed phone number, the call is transferred to the attacker's outside phone number.

  3. Vouching. A Trusted Person who vouches for the requester's identity verifies the requester.

    Weakness: Attackers using a pretext are frequently able to convince another employee of their identity, and get that employee to vouch for them.

  4. Shared Secret. Use an enterprise-wide shared secret, such as a password or daily code.

    Weakness: If many people know the shared secret, it may be easy for an attacker to learn it.

  5. Employee's Supervisor/Manager. Telephone the employee's immediate supervisor and request verification.

    Weakness: If the requester has provided the telephone number for reaching his or her manager, the person the employee reaches when calling the number may not be the real manager but may, in fact, be an accomplice of the attacker.

  6. Secure Email. Request a digitally signed message.

    Weakness: If an attacker has already compromised an employee's computer (which holds the employee's private signing key) and installed a keystroke logger to obtain the employee's pass phrase, he can send digitally signed email that appears to be from the employee.

  7. Personal Voice Recognition. The person receiving the request has dealt with the requester (preferably face-to-face), knows for certain that the person actually is a Trusted Person, and is familiar enough with the person to recognize his or her voice on the telephone.

    Weakness: This is a fairly secure method, not easily circumvented by an attacker, but is of no use if the person receiving the request has never met or spoken with the requester.

  8. Dynamic Password Solution. The requester authenticates himself or herself through the use of a dynamic password solution such as an RSA SecurID token.

    Weakness: To defeat this method, an attacker would have to obtain one of the dynamic password devices, as well as the accompanying PIN of the employee to whom the device rightfully belongs, or would have to deceive an employee into reading the information on the display of the device and providing the PIN.

  9. In Person with ID. The requester appears in person and presents an employee badge or other suitable identification, preferably a picture ID.

    Weakness: Attackers are often able to steal an employee badge, or create a phony badge that appears authentic; however, attackers generally shun this approach because appearing in person puts the attacker at significant risk of being identified and apprehended.
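Item 8 above deserves a concrete look at what the help desk actually checks when an employee reads a token code over the phone. The following is an added example written for this chapter, not code from the book or from any token vendor: it implements the HOTP and TOTP algorithms (RFC 4226 and RFC 6238) that hardware and software tokens use, then wraps them in a help-desk-side check that requires the PIN plus the current code, rejects terminated employees, and consumes each code once so that a code tricked out of an employee cannot be replayed after the fact. The directory, employee IDs, and PINs are constructed sample data; the seed is the RFC test-vector seed so the codes can be checked against the standards.

```python
"""Help-desk verification of a dynamic (one-time) password read over the phone.

Added example, not from the book. Implements RFC 4226 HOTP / RFC 6238 TOTP and
the PIN + tokencode check a help desk would run before honoring a request.
"""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, int(at_time) // step, digits)


# Constructed demo directory (NOT real data). The seed is the RFC 4226/6238
# test-vector seed; a real token seed is per-device and never shared.
RFC_TEST_SEED = b"12345678901234567890"
DEMO_DIRECTORY = {
    "e1001": {"name": "A. Example", "active": True, "pin": "4711", "seed": RFC_TEST_SEED},
    "e2002": {"name": "B. Former", "active": False, "pin": "8822", "seed": RFC_TEST_SEED},
}


class HelpdeskVerifier:
    """Checks PIN + tokencode against the directory; each code is accepted once."""

    def __init__(self, directory, step: int = 30, window: int = 1):
        self.directory = directory
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock skew
        self._used = set()            # (employee_id, counter) pairs already consumed
        self.audit = []               # (employee_id, outcome) for later review

    def verify(self, employee_id: str, pin: str, code: str, now=None) -> bool:
        rec = self.directory.get(employee_id)
        # Step Two of the procedure: the requester must still be an active employee.
        if rec is None or not rec["active"]:
            self.audit.append((employee_id, "unknown-or-inactive"))
            return False
        # Something the employee knows (the PIN) ...
        if not hmac.compare_digest(rec["pin"].encode(), pin.encode()):
            self.audit.append((employee_id, "bad-pin"))
            return False
        # ... plus something the employee has (the token's current code).
        now = time.time() if now is None else now
        current = int(now) // self.step
        for counter in range(max(0, current - self.window), current + self.window + 1):
            if hmac.compare_digest(hotp(rec["seed"], counter), code):
                # A code tricked out of an employee is only useful once: refuse replays.
                if (employee_id, counter) in self._used:
                    self.audit.append((employee_id, "replayed-code"))
                    return False
                self._used.add((employee_id, counter))
                self.audit.append((employee_id, "ok"))
                return True
        self.audit.append((employee_id, "bad-code"))
        return False


if __name__ == "__main__":
    v = HelpdeskVerifier(DEMO_DIRECTORY)
    t = 59                                        # RFC 6238 test time (counter 1)
    code = totp(RFC_TEST_SEED, t)                 # 287082 for the RFC seed
    print(code)
    print(v.verify("e1001", "4711", code, now=t))  # True: PIN and code match
    print(v.verify("e1001", "4711", code, now=t))  # False: same code replayed
    print(v.verify("e2002", "8822", code, now=t))  # False: no longer employed
```

The replay check is what turns the "read me the number on your token" pretext from a full compromise into a one-shot: even if an employee is talked into disclosing a code, the attacker has at most the current window and cannot reuse the code the real employee already spent.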

Step Two: Verification of Employment Status

The greatest information security threat is not from the professional social engineer, nor from the skilled computer intruder, but from someone much closer: the just-fired employee seeking revenge or hoping to set himself up in business using information stolen from the company. (Note that a version of this procedure can also be used to verify that someone still enjoys another kind of business relationship with your company, such as a vendor, consultant, or contract worker.)

Before providing Sensitive information to another person or accepting instructions for actions involving the computer or computer-related equipment, verify that the requester is still a current employee by using one of these methods:

Employee Directory Check.

If the company maintains an on-line employee directory that accurately reflects active employees, verify that the requester is still listed.

Requester's Manager Verification.

Call the requester's manager using a phone number listed in the company directory, not a number provided by the requester.

Requester's Department or Workgroup Verification.

Call the requester's department or workgroup and determine from anyone in that department or workgroup that the requester is still employed by the company.

Step Three: Verification of Need to Know

Beyond verifying that the requester is a current employee or has a relationship with your company, there still remains the issue of whether the requester is authorized to have access to the information being requested, or is authorized to request that specific actions affecting computers or computer-related equipment be taken.

This determination may be made by using one of these methods:

Consult job title/workgroup/responsibilities lists.

A company can provide ready access to authorization information by publishing lists of which employees are entitled to what information. These lists may be organized in terms of employee job title, employee departments and workgroups, employee responsibilities, or by some combination of these. Such lists would need to be maintained on line to be kept current and provide quick access to authorization information. Ordinarily, Information Owners would be responsible for overseeing the creation and maintenance of the lists for access to information under the Owner's control.

Note

It is important to note that maintaining such lists is an invitation to the social engineer. Consider: If an attacker targeting a company becomes aware that the company maintains such lists, there is a strong motivation to obtain one. Once in hand, such a list opens many doors to the attacker and puts the company at serious risk.

Obtain Authority from a Manager.

An employee contacts his or her own manager, or the manager of the requester, for authority to comply with the request.

Obtain Authority from the Information Owner or a Designee.

The Information Owner is the ultimate judge of whether a particular person should be granted access. The process for computer-based access control is for the employee to contact his or her immediate manager to approve a request for access to information based on existing job profiles. If such a profile does not exist, it is the manager's responsibility to contact the relevant Information Owner for permission. This chain of command should be followed so that Information Owners are not barraged with requests when there is a frequent need to know.

Obtain Authority by Means of a Proprietary Software Package.

For a large company in a highly competitive industry, it may be practical to develop a proprietary software package that provides need-to-know authorization. Such a database stores employee names and access privileges to classified information. Users would not be able to look up each individual's access rights, but instead would enter the requester's name, and the identifier associated with the information being sought. The software then provides a response indicating whether or not the employee is authorized to access such information. This alternative avoids the danger of creating a list of personnel with respective access rights to valuable, critical, or sensitive information that could be stolen.
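The design just described, a yes/no oracle over the access list rather than the list itself, is worth seeing in working form, because the details are where the Note above bites: an oracle that can be queried without limit is just a slower way of handing out the list. The following is an added example, not code from the book or any product: it answers only "authorized or not" for a named requester and item, checks current employment status (Step Two) before consulting the list, default-denies any item no Information Owner has classified (per policy 1-1, unmarked information is Sensitive), and records every query against the person who asked. The per-asker query limit and the audit trail are my additions; the employee and item data are constructed samples.

```python
"""Need-to-know authorization oracle.

Added example, not from the book. A yes/no service over the access list that
never hands out the list; rate limit and audit log are assumptions of this example.
"""
from collections import defaultdict

# Constructed sample data (NOT real). Each item carries its classification and
# the set of employee IDs its Information Owner has authorized.
DEMO_EMPLOYEES = {
    "e1001": {"name": "A. Example", "active": True},
    "e2002": {"name": "B. Contract", "active": True},
    "e3003": {"name": "C. Former", "active": False},
}
DEMO_ITEMS = {
    "SRC-4410": {"classification": "Confidential", "authorized": {"e1001"}},
    "ORG-CHART": {"classification": "Internal", "authorized": {"e1001", "e2002"}},
    "PR-2002-04": {"classification": "Public", "authorized": set()},
}


class NeedToKnowOracle:
    def __init__(self, employees, items, query_limit=20):
        self.employees = employees
        self.items = items
        self.query_limit = query_limit      # per asker; an assumption, not from the book
        self._queries = defaultdict(int)
        self.audit = []                     # one record per query, whatever the answer

    def is_authorized(self, asker_id, requester_id, info_id):
        """Return only True/False for (requester, item); never expose the list."""
        self._queries[asker_id] += 1
        if self._queries[asker_id] > self.query_limit:
            # Someone walking the oracle name by name is rebuilding the list.
            return self._record(asker_id, requester_id, info_id, False, "rate-limited")
        item = self.items.get(info_id)
        if item is None:
            # Unclassified item: treat as Sensitive and deny until an Owner classifies it.
            return self._record(asker_id, requester_id, info_id, False, "unclassified-default-deny")
        if item["classification"] == "Public":
            return self._record(asker_id, requester_id, info_id, True, "public")
        emp = self.employees.get(requester_id)
        if emp is None or not emp["active"]:
            # Step Two: a name on an old access list is worthless if the person has left.
            return self._record(asker_id, requester_id, info_id, False, "not-current-employee")
        ok = requester_id in item["authorized"]
        return self._record(asker_id, requester_id, info_id, ok, "on-list" if ok else "not-on-list")

    def vouching_is_valid(self, voucher_id):
        """Third-party vouching counts only if the voucher is still employed."""
        voucher = self.employees.get(voucher_id)
        return bool(voucher and voucher["active"])

    def _record(self, asker_id, requester_id, info_id, decision, reason):
        self.audit.append({"asker": asker_id, "requester": requester_id,
                           "item": info_id, "decision": decision, "reason": reason})
        return decision


if __name__ == "__main__":
    oracle = NeedToKnowOracle(DEMO_EMPLOYEES, DEMO_ITEMS, query_limit=5)
    print(oracle.is_authorized("helpdesk-7", "e1001", "SRC-4410"))   # True
    print(oracle.is_authorized("helpdesk-7", "e2002", "SRC-4410"))   # False: not on list
    print(oracle.is_authorized("helpdesk-7", "e3003", "ORG-CHART"))  # False: terminated
    print(oracle.is_authorized("helpdesk-7", "e1001", "NEW-MEMO"))   # False: unclassified
    print(oracle.vouching_is_valid("e3003"))                         # False
```

Because every answer is logged against the asker, the list cannot be harvested silently: an attacker who has talked an employee into running queries on his behalf leaves a trail of that employee's name attached to an abnormal volume of lookups, which is exactly the signal the reward-and-report program earlier in this chapter wants surfaced.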

MANAGEMENT POLICIES

The following policies pertain to management-level employees. These are divided into the areas of Data Classification, Information Disclosure, Phone Administration, and Miscellaneous Policies. Note that each category of policies uses a unique numbering structure for easy identification of individual policies.

Data Classification Policies

Data Classification refers to how your company classifies the sensitivity of information and who should have access to that information.

1–1 Assign data classification

Policy: All valuable, sensitive, or critical business information must be assigned to a classification category by the designated Information Owner or delegate.

Explanation/Notes: The designated Owner or delegate will assign the appropriate data classification to any information routinely used to accomplish business goals. The Owner also controls who can access such information and what use can be made of it. The Owner of the information may reassign the classification and may designate a time period for automatic declassification.

Any item not otherwise marked should be classified as Sensitive.

1–2 Publish classified handling procedures

Policy: The company must establish procedures governing the release of information in each category.

Explanation/Notes: Once classifications are established, procedures for release of information to employees and to outsiders must be set up, as detailed in the Verification and Authorization Procedures outlined earlier in this chapter.

1–3 Label all items

Policy: Clearly mark both printed materials and media storage containing Confidential, Private, or Internal information to show the appropriate data classification.

Explanation/Notes: Hard copy documents must have a cover sheet, with a classification label prominently displayed, and a classification label on every page that is visible when the document is open.

All electronic files that cannot easily be labeled with appropriate data classifications (database or raw data files) must be protected via access controls to ensure that such information is not improperly disclosed, and that it cannot be changed, destroyed, or made inaccessible.

All computer media such as floppy disks, tapes, and CD-ROMs must be labeled with the highest classification of any information contained therein.

Information Disclosure

Information disclosure involves the release of information to various parties based on their identity and need to know.

2–1 Employee verification procedure

Policy: The company should establish comprehensive procedures to be used by employees for verifying the identity, employment status, and authorization of an individual before releasing Confidential or Sensitive information or performing any task that involves use of any computer hardware or software.

Explanation/Notes: Where justified by size of company and security needs, advanced security technologies should be used to authenticate identity. The best security practice would be to deploy authentication tokens in combination with a shared secret to positively identify persons making requests. While this practice would substantially minimize risk, the cost may be prohibitive for some businesses. In those circumstances, the company should use a company-wide shared secret, such as a daily password or code.

2–2 Release of information to third parties

Policy: A set of recommended information disclosure procedures must be made available and all employees should be trained to follow them.

Explanation/Notes: Generally, distribution procedures need to be established for:

  • Information made available within the company.

  • Distribution of information to individuals and employees of organizations having an established relationship with the company, such as consultants, temporary workers, interns, employees of organizations that have a vendor relationship or strategic partnership arrangement with the company, and so on.

  • Information made available outside the company.

  • Information at each classification level, when the information is being delivered in person, by telephone, by email, by facsimile, by voice mail, by postal service, by signature delivery service, and by electronic transfer.

2–3 Distribution of Confidential information

Policy: Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Confidential information in a physical form (that is, printed copy or on a removable storage medium) may be delivered:

  • In person.

  • By internal mail, sealed and marked with the Confidential classification.

  • Outside the company by a reputable delivery service (for example, FedEx, UPS, and so on) with signature of recipient required, or by a postal service using a certified or registered class of mail.

Confidential information in electronic form (computer files, database files, email) may be delivered:

  • Within the body of encrypted email.

  • By email attachment, as an encrypted file.

  • By electronic transfer to a server within the company internal network.

  • By a fax program from a computer, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Confidential information may be discussed in person; by telephone within the company; by telephone outside the company if encrypted; by encrypted satellite transmission; by encrypted videoconferencing link; and by encrypted Voice Over Internet Protocol (VoIP).

For transmission by fax machine, the recommended method calls for the sender to transmit a cover page; the recipient, on receiving the page, transmits a page in response, demonstrating that he/she is at the fax machine. The sender then transmits the fax.

The following means of communication are not acceptable for discussing or distributing Confidential information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, Short Message Service, or cordless).

2–4 Distribution of Private information

Policy: Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Private information in a physical form (that is, hard-copy or data on a removable storage medium) may be delivered:

  • In person

  • By internal mail, sealed and marked with the Private classification

  • By regular mail

Private information in electronic form (computer files, database files, email) may be delivered:

  • By internal email.

  • By electronic transfer to a server within the company internal network.

  • By facsimile, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Private information may be discussed in person; by telephone; by satellite transmission; by videoconferencing link; and by encrypted VoIP.

The following means of communication are not acceptable for discussing or distributing Private information: unencrypted email to addresses outside the company, voice mail message, and any wireless communication method (cellular, SMS, or cordless). (Internal email and regular mail are acceptable for Private information, as listed above, but not for Confidential information.)

2–5 Distribution of Internal information

Policy: Internal information is information to be shared only within the company or with other Trusted Persons who have signed a nondisclosure agreement. You must establish guidelines for the distribution of Internal information.

Explanation/Notes: Internal information may be distributed in any form, including internal email, but may not be distributed outside the company in email form unless encrypted.

2–6 Discussing Sensitive information over the telephone

Policy: Prior to releasing any information that is not designated as Public over the telephone, the person releasing such information must personally recognize the requester's voice through prior business contact, or the company phone system must identify the call as being from an internal telephone number that has been assigned to the requester.

Explanation/Notes: If the requester's voice is not known, call the requester's internal phone number to verify the requester's voice against the recorded voice mail greeting, or have the requester's manager verify the requester's identity and need to know. In either case the number dialed must come from the company directory, not from the caller.

2–7 Lobby or reception personnel procedures

Policy: Lobby personnel must obtain photo identification prior to releasing any package to any person who is not known to be an active employee. A log should be kept for recording the person's name, driver's license number, birth date, the item picked up, and the date and time of such pickup.

Explanation/Notes: This policy also applies to handing over outgoing packages to any messenger or courier service such as FedEx, UPS, or Airborne Express. These companies issue identification cards that can be used to verify employee identity.

2–8 Transfer of software to third parties

Policy: Prior to the transfer or disclosure of any software, program, or computer instructions, the requester's identity must be positively verified, and it must be established whether such release is consistent with the data classification assigned to such information. Ordinarily, software developed in-house in source-code format is considered highly proprietary, and classified Confidential.

Explanation/Notes: Determination of authorization is usually based on whether the requester needs access to the software to do his or her job.

2–9 Sales and marketing qualification of customer leads

Policy: Sales and marketing personnel must qualify leads before releasing internal callback numbers, product plans, product group contacts, or other Sensitive information to any potential customer.

Explanation/Notes: It is a common tactic for industrial spies to contact a sales and marketing representative and make him believe that a big purchase may be in the offing. In an effort to take advantage of the sales opportunity, sales and marketing reps often release information that can be used by the attacker as a poker chip to obtain access to Sensitive information.

2–10 Transfer of files or data

Policy: Files or other electronic data should not be transferred to any removable media unless the requester is a Trusted Person whose identity has been verified and who has a need to have such data in that format.

Explanation/Notes: A social engineer can easily dupe an employee by providing a plausible request for having Sensitive information copied to a tape, Zip disc, or other removable media, and sent to him or held in the lobby for pickup.

Phone Administration

Phone administration policies ensure that employees can verify caller identity, and protect their own contact information from those calling into the company.

3–1 Call forwarding on dial-up or fax numbers

Policy: Call forwarding services that permit forwarding calls to external telephone numbers will not be placed on any dial-up modem or fax telephone numbers within the company.

Explanation/Notes: Sophisticated attackers may attempt to dupe telephone company personnel or internal telecom workers into forwarding internal numbers to an external phone line under control of an attacker. This attack allows the intruder to intercept faxes, request Confidential information to be faxed within the company (personnel assume that faxing within the organization must be safe) or dupe dial-in users into providing their account passwords by forwarding the dialup lines to a decoy computer that simulates the login process.

Depending on the telephone service used within the company, the call forwarding feature may be under control of the communications provider rather than the telecommunications department. In such circumstances, a request must be made to the communications provider to ensure that the call forwarding feature is not present on the telephone numbers assigned to dial-up and fax lines, and the provider's account should itself be protected by a password (see policy 4–12), since an attacker who can order features on that account can simply turn forwarding back on.

3–2 Caller ID

Policy: The corporate telephone system must provide caller line identification (caller ID) on all internal telephone sets, and, if possible, enable distinctive ringing to indicate when a call is from outside the company.

Explanation/Notes: If employees can see at a glance that a call originates outside the company, it may help them recognize an attack in progress, or identify the attacker to appropriate security personnel. Caller ID should be treated as a hint rather than proof of identity, however, because the number displayed on an external call is supplied by the calling network and can be falsified.

3–3 Courtesy phones

Policy: To prevent visitors from masquerading as company workers, every courtesy telephone will clearly indicate the location of the caller (for example, "Lobby") on the recipient's caller ID.

Explanation/Notes: If the caller ID for internal calls shows extension number only, appropriate provision must be made for calls placed from company phones in the reception area and any other public areas. It must not be possible for an attacker to place a call from one of these phones and deceive an employee into believing that the call has been placed internally from an employee telephone.

3–4 Manufacturer default passwords shipped with phone systems

Policy: The voice mail administrator should change all default passwords that were shipped with the phone system prior to use by company personnel.

Explanation/Notes: Social engineers can obtain lists of default passwords from manufacturers and use these to access administrator accounts.

3–5 Department voice mailboxes

Policy: Set up a generic voice mailbox for every department that ordinarily has contact with the public.

Explanation/Notes: The first step of social engineering involves gathering information about the target company and its personnel. By limiting the accessibility of the names and telephone numbers of employees, a company makes it more difficult for the social engineer to identify targets in the company, or names of legitimate employees for use in deceiving other personnel.

3–6 Verification of telephone system vendor

Policy: No vendor-support technicians will be permitted to remotely access the company telephone system without positive identification of vendor and authorization to perform such work.

Explanation/Notes: Computer intruders who gain access to corporate telephone systems gain the ability to create voice mailboxes, intercept messages intended for other users, or make free phone calls at the corporation's expense.

3–7 Configuration of phone system

Policy: The voice mail administrator will enforce security requirements by configuring the appropriate security parameters in the telephone system.

Explanation/Notes: Phone systems can be set up with greater or lesser degrees of security for voice mail messages. The administrator should be aware of company security concerns, and work with security personnel to configure the phone system to protect Sensitive data.

3–8 Call trace feature

Policy: Where the communications provider supports it, the call trace feature will be enabled globally so that employees can activate the trap-and-trace feature when the caller is suspected of being an attacker.

Explanation/Notes: Employees must be trained on call trace usage and the appropriate circumstances when it should be used. A call trace should be initiated when the caller is clearly attempting to gain unauthorized access to corporate computer systems or requesting Sensitive information. Whenever an employee activates the call trace feature, immediate notification must be sent to the Incident Reporting Group.

3–9 Automated phone systems

Policy: If the company uses an automated phone answering system, the system must be programmed so that telephone extensions are not announced when transferring a call to an employee or department.

Explanation/Notes: Attackers can use a company's automated telephone system to map employee names to telephone extensions. Attackers can then use knowledge of those extensions to convince call recipients that they are employees with a right to insider information.

3–10 Voice mailboxes to become disabled after successive invalid access attempts

Policy: Program the corporate telephone system to lock out any voice mail account whenever a specified number of successive invalid access attempts have been made.

Explanation/Notes: The telephone system should be configured to lock out a voice mailbox after five successive invalid login attempts. The telecommunications administrator must then reset any lockout manually, and only after verifying the mailbox owner's identity through the Verification and Authorization Procedures; otherwise the reset call itself becomes the social engineer's next opening.

3–11 Restricted telephone extensions

Policy: All internal telephone extensions to departments or workgroups that ordinarily do not receive calls from external callers (help desk, computer room, employee technical support, and so on) should be programmed so that these telephones can be reached only from internal extensions. Alternately, they can be password-protected so that employees and other authorized persons calling from the outside must enter the correct password.

Explanation/Notes: While use of this policy will block most attempts by amateur social engineers to reach their likely targets, it should be noted that a determined attacker will sometimes be able to talk an employee into calling the restricted extension and asking the person who answers the phone to call the attacker, or simply conference in the restricted extension. During security training, this method of tricking employees into assisting the intruder should be discussed to raise employee awareness about these tactics.

Miscellaneous

4–1 Employee badge design

Policy: Employee badges must be designed to include a large photo that can be recognized from a distance.

Explanation/Notes: The photograph on corporate ID badges of standard design is, for security purposes, only slightly better than worthless. The distance between a person entering the building and the guard or receptionist who has the responsibility to check identification is usually great enough that the picture is too small to recognize when the person walks by. For the photo to be of value in this situation, a redesign of the badge is necessary.

4–2 Access rights review when changing position or responsibilities

Policy: Whenever a company employee changes positions or is given increased or decreased job responsibilities, the employee's manager will notify IT of the change in the employee's responsibilities so that the appropriate security profile can be assigned.

Explanation/Notes: Managing the access rights of personnel is necessary to limit disclosure of protected information. The rule of least privilege will apply: The access rights assigned to users will be the minimum necessary to perform their jobs. Any requests for changes that result in elevated access rights must be in accordance with a policy on granting elevated access rights.

The worker's manager or the human resources department will have the responsibility of notifying the information technology department to properly adjust the account holder's access rights as needed.

4–3 Special identification for nonemployees

Policy: Your company should issue a special photo company badge to trusted delivery people and nonemployees who have a business need to enter company premises on a regular basis.

Explanation/Notes: Nonemployees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or make telephone installations) can pose a threat to your company. In addition to issuing identification to these visitors, make sure your employees are trained to spot a visitor without a badge and know how to act in that situation.

4–4 Disabling computer accounts for contractors

Policy: Whenever a contractor who has been issued a computer account has completed his or her assignment, or when the contract expires, the responsible manager will immediately notify the information technology department to disable the contractor's computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.

Explanation/Notes: When a worker's employment is terminated, there is a danger that he or she will use knowledge of your company's systems and procedures to gain access to data. All computer accounts used by or known to the worker must be promptly disabled. This includes accounts that provide access to production databases, remote dial-in accounts, and any accounts used to access computer-related devices.

4–5 Incident reporting organization

Policy: An incident reporting organization must be established or, in smaller companies, an incident reporting individual and backup person designated, for receiving and distributing alerts concerning possible security incidents in progress.

Explanation/Notes: By centralizing the reporting of suspected security incidents, an attack that may otherwise have gone unnoticed can be detected. In the event that systematic attacks across the organization are detected and reported, the incident reporting organization may be able to determine what the attacker is targeting so that special efforts can be made to protect those assets.

Employees assigned to receive incident reports must become familiar with social engineering methods and tactics, enabling them to evaluate reports and recognize when an attack may be in progress.

4–6 Incident reporting hotline

Policy: A hotline to the incident reporting organization or person, which may consist of an easy-to-remember phone extension, must be established.

Explanation/Notes: When employees suspect that they are the target of a social engineering attack, they must be able to immediately notify the incident reporting organization. In order for the notification to be timely, all company telephone operators and receptionists must have the number posted or otherwise immediately available to them.

A company-wide early warning system can substantially aid the organization in detecting and responding to an ongoing attack. Employees must be sufficiently well trained that one who suspects he or she has been the target of a social engineering attack will immediately call the incident reporting hotline. In accordance with published procedures, the incident reporting personnel will immediately notify the targeted groups that an intrusion may be in progress so personnel will be on alert. In order for the notification to be timely, the reporting hotline number must be widely distributed throughout the company.

4–7 Sensitive areas must be secured

Policy: A security guard will screen access to sensitive or secure areas and should require two forms of authentication.

Explanation/Notes: The best method to secure sensitive areas is to post a security guard who observes every access-controlled entry. In organizations where this is not cost-effective, two forms of authentication should be used to validate identity; one acceptable arrangement is a digital electronic lock that requires an employee both to swipe his or her employee badge (something the person has) and to enter an access code (something the person knows). Depending on risk and cost, a biometric-enabled access card is recommended.

4–8 Network and phone cabinets

Policy: Cabinets, closets, or rooms containing network cabling, phone wiring, or network access points must be secured at all times.

Explanation/Notes: Only authorized personnel will be permitted access to telephone and network closets, rooms, or cabinets. Any outside maintenance people or vendor personnel must be positively identified using the procedures published by the department responsible for information security. Access to phone lines, network hubs, switches, bridges, or other related equipment could be used by an attacker to compromise computer and network security.

4–9 Intracompany mail bins

Policy: Intracompany mail bins must not be located in publicly accessible areas.

Explanation/Notes: Industrial spies or computer intruders who have access to any intracompany mail pickup points can easily send forged authorization letters or internal forms that authorize personnel to release Confidential information or to perform an action that assists the attacker. Additionally, the attacker can mail a floppy disk or other electronic media with instructions to install a software update, or to open a file that has embedded macro commands that serve the intruder's objectives. The danger is that a request received by intracompany mail is usually assumed to be authentic by the party who receives it, precisely because the channel appears to be internal.

4–10 The company bulletin board

Policy: Bulletin boards for the benefit of company workers should not be posted in locations where the public has access.

Explanation/Notes: Many businesses have bulletin boards where private company or personnel information is posted for anyone to read. Employer notices, employee lists, internal memorandums, employee home contact numbers listed in advertisements, and other, similar information are frequently posted on the board.

Bulletin boards may be located near company cafeterias, or in close proximity to smoking or break areas where visitors have free access. This type of information should not be made available to visitors or the public.

4–11 Computer center entrance

Policy: The computer room or data center should be locked at all times and personnel must authenticate their identity prior to entering.

Explanation/Notes: Corporate security ought to consider deploying an electronic badge or access card reader so all entries can be electronically logged and audited.

4–12 Customer accounts with service providers

Policy: Company personnel who place service orders with vendors that supply critical services to the company must set up an account password to prevent unauthorized persons from placing orders on behalf of the company.

Explanation/Notes: Utility companies and many other vendors allow customers to set up a password on request; the company should establish passwords with all vendors that provide mission-critical services. This policy is especially critical to telecommunication and Internet services. Any time critical services can be affected, a shared secret is necessary to verify that the caller is authorized to place such orders. Note, too, identifiers such as social security number, corporate taxpayer identification number, mother's maiden name, or similar identifiers must not be used.

A social engineer might, for example, call the telephone company and give orders to add features such as call forwarding to dial-in modem lines, or ask the Internet Service Provider to change the company's DNS records so that hostname lookups return an IP address under the attacker's control.

4–13 Departmental contact person

Policy: Your company may institute a program under which each department or workgroup assigns an employee the responsibility of acting as a point contact so that any personnel can easily verify the identity of unknown persons claiming to be from that department. For example, the help desk may contact the departmental point person to verify the identity of an employee who is requesting support.

Explanation/Notes: This method of verifying identity reduces the pool of employees who are authorized to vouch for employees within their department when such employees request support such as resetting passwords or other computer account-related issues.

Social engineering attacks are successful in part because technical support personnel are pressed for time and do not properly verify the identity of requesters. Typically support staff cannot personally recognize all authorized personnel because of the number of employees in larger organizations. The point-person method of vouching limits the number of employees that technical support staff need to be personally familiar with for verification purposes.

4–14 Customer passwords

Policy: Customer service representatives shall not have the ability to retrieve customer account passwords.

Explanation/Notes: Social engineers frequently call customer service departments and, under a pretext, attempt to obtain a customer's authentication information, such as the password or social security number. With this information, the social engineer can then call another service representative, pretend to be the customer, and obtain information or place fraudulent orders.

To prevent these attempts from succeeding, customer service software must be designed so that representatives can only type in the authentication information provided by the caller and receive a response from the system indicating whether it is correct or not. The representative must have no function that displays the stored password, and ideally the system should store only a salted one-way hash so that there is nothing to display. Each verification attempt, successful or not, should be logged against the representative's identity.
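The following is an added example, not code from the book, of what a verify-only customer authentication interface looks like in practice; it also applies the successive-failure lockout with manual reset described in policy 3–10 for voice mailboxes. Representatives can call `verify()` and get back only `ok`, `invalid` or `locked`; no method returns the stored secret, and the store keeps only a salted PBKDF2 digest. The account names, passwords, representative IDs, iteration count and the five-attempt threshold are all constructed assumptions for the demonstration.

```python
# Added example (not from the original text): a verify-only credential store
# for a customer-service application. Representatives receive a status only;
# the password itself is never stored in clear and cannot be retrieved.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption; tune to the deployment's hardware
MAX_FAILURES = 5              # successive failures before lockout (as in policy 3-10)
_DUMMY_SALT = bytes(16)       # used to equalise work for unknown accounts


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CustomerCredentialStore:
    """Holds salt + digest per account. Deliberately has no 'get password' method."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}
        self.audit_log: list[tuple[str, str]] = []   # (actor, event) for review

    def enroll(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[account] = {
            "salt": salt,
            "digest": _digest(password, salt),
            "failures": 0,
            "locked": False,
        }

    def verify(self, account: str, candidate: str, rep_id: str) -> str:
        """Return 'ok', 'invalid' or 'locked'. The representative learns nothing else."""
        rec = self._records.get(account)
        if rec is None:
            _digest(candidate, _DUMMY_SALT)   # same cost, so timing does not reveal whether the account exists
            self.audit_log.append((rep_id, f"{account}:unknown"))
            return "invalid"
        if rec["locked"]:
            self.audit_log.append((rep_id, f"{account}:locked"))
            return "locked"
        if hmac.compare_digest(_digest(candidate, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            self.audit_log.append((rep_id, f"{account}:ok"))
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True          # stays locked until an administrator resets it
            self.audit_log.append((rep_id, f"{account}:locked"))
            return "locked"
        self.audit_log.append((rep_id, f"{account}:invalid"))
        return "invalid"

    def is_locked(self, account: str) -> bool:
        rec = self._records.get(account)
        return bool(rec and rec["locked"])

    def admin_unlock(self, account: str, admin_id: str) -> bool:
        """Manual reset, to be done only after out-of-band identity verification."""
        rec = self._records.get(account)
        if rec is None or not rec["locked"]:
            return False
        rec["locked"] = False
        rec["failures"] = 0
        self.audit_log.append((admin_id, f"{account}:unlocked"))
        return True


def demo() -> list[str]:
    """Walk through a correct check, a lockout, and an administrator reset."""
    store = CustomerCredentialStore()
    store.enroll("cust-1001", "correct horse battery staple")    # constructed sample account
    results = [store.verify("cust-1001", "correct horse battery staple", "rep-7")]
    for _ in range(MAX_FAILURES):                                 # a pretexting caller guessing
        results.append(store.verify("cust-1001", "guess", "rep-7"))
    results.append(store.verify("cust-1001", "correct horse battery staple", "rep-7"))  # still locked
    store.admin_unlock("cust-1001", "admin-2")
    results.append(store.verify("cust-1001", "correct horse battery staple", "rep-7"))
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the representative's screen has exactly one verb, verify, and the data model cannot answer any other question. A social engineer who persuades a representative to "just read me what you have on file" gets a digest that is useless without the original password, and the audit log shows which representative was pressured and for which account.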

4–15 Vulnerability testing

Policy: Notification of company use of social engineering tactics to test security vulnerabilities is required during security awareness training and employee orientation.

Explanation/Notes: Without notification of social engineering-penetration testing, company personnel may suffer embarrassment, anger, or other emotional trauma from the use of deceptive tactics used against them by other employees or contractors. By placing new hires on notice during the orientation process that they may be subject to this testing, you prevent such conflict.

4–16 Display of company Confidential information

Policy: Company information not designated for public release shall not be displayed in any publicly accessible areas.

Explanation/Notes: In addition to Confidential product or procedure information, internal contact information such as internal telephone or employee lists, or building rosters that contain a list of management personnel for each department within the company must also be kept out of view.

4–17 Security awareness training

Policy: All persons employed by the company must complete a security awareness training course during employee orientation. Furthermore, each employee must take a security awareness refresher course at periodic intervals, not to exceed twelve months, as required by the department assigned with security-training responsibility.

Explanation/Notes: Many organizations disregard end-user awareness training altogether. According to the 2001 Global Information Security Survey, only 30 percent of the surveyed organizations spend money on awareness training for their user-community. Awareness training is an essential requirement to mitigate successful security breaches utilizing social engineering techniques.

4–18 Security training course for computer access

Policy: Personnel must attend and successfully complete a security information course before being given access to any corporate computer systems.

Explanation/Notes: Social engineers frequently target new employees, knowing that as a group they are generally the people least likely to be aware of the company's security policies and the proper procedures to determine classification and handling of sensitive information.

Training should include an opportunity for employees to ask questions about security policies. After training, the account holder should be required to sign a document acknowledging their understanding of the security policies, and their agreement to abide by the policies.

4–19 Employee badge must be color-coded

Policy: Identification badges must be color-coded to indicate whether the badge holder is an employee, contractor, temporary, vendor, consultant, visitor, or intern.

Explanation/Notes: The color of the badge is an excellent way to determine the status of a person from a distance. An alternative would be to use large lettering to indicate the badgeholder's status, but using a color-coded scheme is unmistakable and easier to see.

A common social engineering tactic to gain access to a physical building is to dress up as a delivery person or repair technician. Once inside the facility, the attacker will masquerade as another employee or lie about his status to obtain cooperation from unsuspecting employees. The purpose of this policy is to prevent people from entering the building legitimately and then entering areas they should not have access to. For example, a person entering the facility as a telephone repair technician would not be able to masquerade as an employee: The color of the badge would give him away.

INFORMATION TECHNOLOGY POLICIES

The information technology department of any company has a special need for policies that help it protect the organization's information assets. To reflect the typical structure of IT operations in an organization, I have divided the IT policies into General, Help Desk, Computer Administration, and Computer Operations.

General

5–1 IT department employee contact information

Policy: Phone numbers and email addresses of individual IT department employees should not be disclosed to any person without a need to know.

Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by social engineers. By disclosing only a general contact number or email address for IT, outsiders will be blocked from contacting IT department personnel directly. The email addresses published for site administrative and technical contacts should be generic, role-based names rather than an individual's name; published telephone numbers should connect to a departmental voice mailbox, not to individual workers.

When direct contact information is available, it becomes easy for a computer intruder to reach specific IT employees and trick them into providing information that can be used in an attack, or to impersonate IT employees by using their names and contact information.

5–2 Technical support requests

Policy: All technical support requests must be referred to the group that handles such requests.

Explanation/Notes: Social engineers may attempt to target IT personnel who do not ordinarily handle technical support issues, and who may not be aware of the proper security procedures when handling such requests. Accordingly, IT staff must be trained to deny these requests and refer the caller to the group that has the responsibility of providing support.

Help Desk

6–1 Remote access procedures

Policy: Help desk personnel must not divulge details or instructions regarding remote access, including external network access points or dialup numbers, unless the requester has been:

  • Verified as authorized to receive Internal information; and,

  • Verified as authorized to connect to the corporate network as an external user. Unless known on a person-to-person basis, the requester must be positively identified in accordance with the Verification and Authorization Procedures outlined at the beginning of this chapter.

Explanation/Notes: The corporate help desk is often a primary target for the social engineer, both because the nature of its work is to assist users with computer-related issues, and because its staff usually have elevated system privileges. All help desk personnel must be trained to act as a human firewall, preventing the disclosure of information that would help unauthorized persons gain access to company resources. The simple rule is to never disclose remote access procedures to anyone until positive verification of identity has been made.

6–2 Resetting passwords

Policy: The password to a user account may be reset only at the request of the account holder.

Explanation/Notes: The most common ploy used by social engineers is to have another person's account password reset or changed. The attacker poses as the employee using the pretext that their password was lost or forgotten. In an effort to reduce the success of this type of attack, an IT employee receiving a request for a password reset must call the employee back prior to taking any action; the callback must not be made to a phone number provided by the requester, but to a number obtained from the employee telephone directory. See Verification and Authorization Procedures for more about this procedure.

6–3 Changing access privileges

Policy: All requests to increase a user's privileges or access rights must be approved in writing by the account holder's manager. When the change is made a confirmation must be sent to the requesting manager via intracompany mail. Furthermore, such requests must be verified as authentic in accordance with the Verification and Authorization Procedures.

Explanation/Notes: Once a computer intruder has compromised a standard user account, the next step is to elevate his or her privileges so that the attacker has complete control over the compromised system. An attacker who has knowledge of the authorization process can spoof an authorized request when email, fax, or telephone are used to transmit it. For example, the attacker may phone technical support or the help desk and attempt to persuade a technician to grant additional access rights to the compromised account.

6–4 New account authorization

Policy: A request to create a new account for an employee, contractor, or other authorized person must be made either in writing and signed by the employee's manager, or sent by digitally signed electronic mail. These requests must also be verified by sending a confirmation of the request through intracompany mail.

Explanation/Notes: Because passwords and other information useful in breaking into computer systems are the highest priority targets of information thieves for gaining access, special precautions are necessary. The intention of this policy is to prevent computer intruders from impersonating authorized personnel or forging requests for new accounts. Therefore, all such requests must be positively verified using the Verification and Authorization Procedures.

6–5 Delivery of new passwords

Policy: New passwords must be handled as company Confidential information, delivered by secure methods including in person; by a signature-required delivery service such as registered mail; or by UPS or FedEx. See policies concerning distribution of Confidential information.

Explanation/Notes: Intracompany mail may also be used, but it is recommended that passwords be sent in secure envelopes that obscure the content. A suggested method is to establish a computer point person in each department who has the responsibility of handling distribution of new account details and vouching for the identity of personnel who lose or forget their passwords. In these circumstances, support personnel would always be working with a smaller group of employees that would be personally recognized.

6–6 Disabling an account

Policy: Prior to disabling a user's account you must require positive verification that the request was made by authorized personnel.

Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable an account, and then calling to troubleshoot the user's inability to access the computer system. When the social engineer calls posing as a technician with preexisting knowledge of the user's inability to log in, the victim often complies with a request to reveal his or her password during the troubleshooting process.

6–7 Disabling network ports or devices

Policy: No employee should disable any network device or port for any unverified technical support personnel.

Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable a network port, and then calling the worker to troubleshoot his or her inability to access the network. When the social engineer, posing as a helpful technician, calls with preexisting knowledge of the user's network problem, the victim often complies with a request to reveal his or her password during the troubleshooting process.

6–8 Disclosure of procedures for wireless access

Policy: No personnel should disclose procedures for accessing company systems over wireless networks to any parties not authorized to connect to the wireless network.

Explanation/Notes: Always obtain prior verification of a requester as a person authorized to connect to the corporate network as an external user before releasing wireless access information. See Verification and Authorization Procedures.

6–9 User trouble tickets

Policy: The names of any employees who have reported computer-related problems should not be revealed outside the information technology department.

Explanation/Notes: In a typical attack, a social engineer will call the help desk and request the names of any personnel who have reported recent computer problems. The caller may pretend to be an employee, vendor, or an employee of the telephone company. Once he obtains the names of persons reporting trouble, the social engineer, posing as a help desk or technical support person, contacts the employee and says he/she is calling to troubleshoot the problem. During the call, the attacker deceives the victim into providing the desired information or into performing an action that facilitates the attacker's objective.

6–10 Initiating execute commands or running programs

Policy: Personnel employed in the IT department who have privileged accounts should not execute any commands or run any application programs at the request of any person not personally known to them.

Explanation/Notes: A common method attackers use to install a Trojan Horse program or other malicious software is to change the name of an existing program, and then call the help desk complaining that an error message is displayed whenever an attempt is made to run the program. The attacker persuades the help desk technician to run the program himself. When the technician complies, the malicious software inherits the privileges of the user executing the program and performs a task that gives the attacker the same computer privileges as the help desk employee. This may allow the attacker to take control of the company system.

This policy establishes a countermeasure to this tactic by requiring that support personnel verify employment status prior to running any program at the request of a caller.

Computer Administration

7–1 Changing global access rights

Policy: A request to change the global access rights associated with an electronic job profile must be approved by the group assigned the responsibility of managing access rights on the corporate network.

Explanation/Notes: Authorized personnel will analyze each such request to determine whether the change might entail a threat to information security. If so, the responsible employee will address the pertinent issues with the requester and jointly arrive at a decision about the changes to be made.

7–2 Remote access requests

Policy: Remote computer access will only be provided to personnel who have a demonstrated need to access corporate computer systems from off-site locations. The request must be made by an employee's manager and verified as described in the Verification and Authorization Procedures section.

Explanation/Notes: While recognizing that authorized personnel need off-site access into the corporate network, limiting such access to people with a genuine need may dramatically reduce risk and simplify the management of remote access users. The smaller the number of people with external dialup privileges, the smaller the pool of potential targets for an attacker. Never forget that the attacker also may target remote users with the intent of hijacking their connection into the corporate network, or by masquerading as them during a pretext call.

7–3 Resetting privileged account passwords

Policy: A request to reset a password to a privileged account must be approved by the system manager or administrator responsible for the computer on which the account exists. The new password must be sent through intracompany mail or delivered in person.

Explanation/Notes: Privileged accounts have access to all system resources and files stored on the computer system. Naturally, these accounts deserve the greatest protection possible.

7–4 Outside support personnel remote access

Policy: No outside support person (such as software or hardware vendor personnel) may be given any remote access information or be allowed to access any company computer system or related devices without positive verification of identity and authorization to perform such services. If the vendor requires privileged access to provide support services, the password to the account used by the vendor shall be changed immediately after the vendor services have been completed.

Explanation/Notes: Computer attackers may pose as vendors to gain access to corporate computer or telecommunication networks. Therefore, it is essential that the identity of the vendor be verified in addition to their authorization to perform any work on the system. Moreover, the doors into the system must be slammed shut once their job is done by changing the account password used by the vendor.

No vendor should be allowed to pick his or her own password for any account, even temporarily. Some vendors have been known to use the same or similar passwords across multiple customer systems. For example, one network service company set up privileged accounts on all their customers' systems with the same password, and, to add insult to injury, with outside Telnet access enabled.

7–5 Strong authentication for remote access to corporate systems

Policy: All connection points into the corporate network from remote locations must be protected through the use of strong authentication devices, such as dynamic passwords or biometrics.

Explanation/Notes: Many businesses rely on static passwords as the sole means of authentication for remote users. This practice is dangerous: computer intruders target any remote access point that might be the weak link in the victim's network. Remember that you never know when someone else knows your password.

Accordingly, any remote access points must be protected with strong authentication such as time-based tokens, smart cards, or biometric devices, so that intercepted passwords are of no value to an attacker.

When authentication based on dynamic passwords is impractical, computer users must religiously adhere to the policy for choosing hard-to-guess passwords.

7–6 Operating system configuration

Policy: Systems administrators shall ensure that, wherever possible, operating systems are configured so that they are consistent with all pertinent security policies and procedures.

Explanation/Notes: Drafting and distributing security policies is a fundamental step toward reducing risk, but in most cases, compliance is necessarily left up to the individual employee. There are, however, any number of computer-related policies that can be made mandatory through operating-system settings, such as the required length of passwords. Automating security policies by configuration of operating system parameters effectively takes the decision out of the human element's hands, increasing the overall security of the organization.

7–7 Mandatory expiration

Policy: All computer accounts must be set to expire after one year.

Explanation/Notes: The intention of this policy is to eliminate computer accounts that are no longer being used, since computer intruders commonly target dormant accounts. The process ensures that any computer accounts belonging to former employees or contractors that have been inadvertently left in place are automatically disabled.

At management discretion, you may require that employees must take a security refresher training course at renewal time, or must review information security policies and sign an acknowledgment of their agreement to adhere to them.

7–8 Generic email addresses

Policy: The information technology department shall set up a generic email address for each department within the organization that ordinarily communicates with the public.

Explanation/Notes: The generic email address can be released to the public by the telephone receptionist or published on the company Web site. Otherwise, each employee shall only disclose his or her personal email address to people who have genuine need to know.

During the first phase of a social engineering attack, the attacker often tries to obtain telephone numbers, names, and titles of employees. In most cases, this information is publicly available on the company Web site or just for the asking. Creation of generic voice mailboxes and/or email addresses makes it difficult to associate employee names with particular departments or responsibilities.

7–9 Contact information for domain registrations

Policy: When registering for acquisition of Internet address space or host names, the contact information for administrative, technical, or other personnel should not identify any individual personnel by name. Instead, you should list a generic email address and the main corporate telephone number.

Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by a computer intruder. When the names and phone numbers of individuals are provided, an intruder can use this information to contact the individuals and attempt to deceive them into revealing system information, or to perform an action item that facilitates an attacker's objective. Or the social engineer can impersonate a listed person in an effort to deceive other company personnel.

Instead of an email address to a particular employee, contact information must be in the form of . Telecommunications department personnel can establish a generic voice mailbox for administrative or technical contacts so as to limit information disclosure that would be useful in a social engineering attack.

7–10 Installation of security and operating system updates

Policy: All security patches for operating system and application software shall be installed as soon as they become available. If this policy conflicts with the operation of mission-critical production systems, such updates should be performed as soon as practicable.

Explanation/Notes: Once a vulnerability has been identified, the software manufacturer should be contacted immediately to determine whether a patch or a temporary fix has been made available to close the vulnerability. An unpatched computer system represents one of the greatest security threats to the enterprise. When system administrators procrastinate about applying the necessary fixes, the window of exposure is open wide so that any attacker can climb through.

Dozens of security vulnerabilities are identified and published weekly on the Internet. Until information technology staff are vigilant in their efforts to apply all security patches and fixes as soon as practical, despite these systems being behind the company firewall, the corporate network will always be at risk of suffering a security incident. It is extremely important to keep apprised of published security vulnerabilities identified in the operating system or any application programs used during the course of business.

7–11 Contact information on Web sites

Policy: The company's external Web site shall not reveal any details of corporate structure or identify any employees by name.

Explanation/Notes: Corporate structure information such as organization charts, hierarchy charts, employee or departmental lists, reporting structure, names, positions, internal contact numbers, employee numbers, or similar information that is used for internal processes should not be made available on publicly accessible Web sites.

Computer intruders often obtain very useful information on a target's Web site. The attacker uses this information to appear as a knowledgeable employee when using a pretext or ruse. The social engineer is more likely to establish credibility by having this information at his or her disposal. Moreover, the attacker can analyze this information to find out the likely targets who have access to valuable, sensitive, or critical information.

7–12 Creation of privileged accounts

Policy: No privileged account should be created or system privileges granted to any account unless authorized by the system administrator or system manager.

Explanation/Notes: Computer intruders frequently pose as hardware or software vendors in an attempt to dupe information technology personnel into creating unauthorized accounts. The intention of this policy is to block these attacks by establishing greater control over the creation of privileged accounts. The system manager or administrator of the computer system must approve any request to create an account with elevated privileges.

7–13 Guest accounts

Policy: Guest accounts on any computer systems or related networked devices shall be disabled or removed, except for an FTP (file transfer protocol) server approved by management with anonymous access enabled.

Explanation/Notes: The intention of the guest account is to provide temporary access for persons who do not need to have their own account. Several operating systems are installed by default with a guest account enabled. Guest accounts should always be disabled because their existence violates the principle of user accountability. IT should be able to audit any computer-related activity and relate it to a specific user.

Social engineers are easily able to take advantage of these guest accounts for gaining unauthorized access, either directly or by duping authorized personnel into using a guest account.

7–14 Encryption of off-site backup data

Policy: Any company data that is stored off site should be encrypted to prevent unauthorized access.

Explanation/Notes: Operations staff must ensure that all data is recoverable in the event that any information needs to be restored. This requires regular test decryption of a random sampling of encrypted files to make sure the data can be recovered. Furthermore, keys used to encrypt data shall be escrowed with a trusted manager in the event the encryption keys are lost or unavailable.

7–15 Visitor access to network connections

Policy: All publicly accessible Ethernet access points must be on a segmented network to prevent unauthorized access to the internal network.

Explanation/Notes: The intention of this policy is to prevent any outsiders from connecting to the internal network when on company premises. Ethernet jacks installed in conference rooms, the cafeteria, training centers, or other areas accessible to visitors shall be filtered to prevent unauthorized access by visitors to the corporate computer systems.

The network or security administrator may choose to set up a virtual LAN in a switch, if available, to control access from these locations.

7–16 Dial-in modems

Policy: Modems used for dial-in calls shall be set to answer no earlier than the fourth ring.

Explanation/Notes: As depicted in the movie War Games, hackers use a technique known as war-dialing to locate telephone lines that have modems connected to them. The process begins with the attacker identifying the telephone prefixes used in the area where the target company is located. A scanning program is then used to try every telephone number in those prefixes, to locate those that answer with a modem. To speed up the process, these programs are configured to wait for one or two rings for a modem response before going on to try the next number. When a company sets the auto answer on modem lines to at least four rings, scanning programs will fail to recognize the line as a modem line.

7–17 Antivirus software

Policy: Every computer system shall have current versions of antivirus software installed and activated.

Explanation/Notes: For those businesses that do not automatically push down antivirus software and pattern files (the signature files that let the software recognize known and newly identified viruses) to user desktops or workstations, individual users must take the responsibility for installing and maintaining the software on their own systems, including any computer systems used for accessing the corporate network remotely.

If feasible, this software must be set for automatic update of virus signatures nightly. When pattern or signature files are not pushed down to user desktops, computer users shall have the responsibility to update pattern files at least on a weekly basis.

These provisions apply to all desktop machines and laptops used to access company computer systems, and apply whether the computer is company property or personally owned.

7–18 Incoming email attachments (high security requirements)

Policy: In an organization with high security requirements, the corporate firewall shall be configured to filter out all email attachments.

Explanation/Notes: This policy applies only to businesses with high security requirements, or to those that have no business need to receive attachments through electronic mail.

7–19 Authentication of software

Policy: All new software or software fixes or upgrades, whether on physical media or obtained over the Internet, must be verified as authentic prior to installation. This policy is especially relevant to the information technology department when installing any software that requires system privileges.

Explanation/Notes: Computer software referred to in this policy includes operating system components, application software, hot fixes, patches, or any software updates. Many software manufacturers have implemented methods whereby customers can check the integrity of any distribution, usually by a digital signature. In any case where the integrity cannot be verified, the manufacturer must be consulted to verify that the software is authentic.

Computer attackers have been known to send software to a victim, packaged to appear as if the software manufacturer had produced it and shipped it to the company. It is essential that you verify any software you receive as authentic, especially if unsolicited, before installing it on company systems.

Note that a sophisticated attacker might find out that your organization has ordered software from a manufacturer. With that information in hand, the attacker can cancel the order with the real manufacturer, and order the software himself. The software is then modified to perform some malicious function, and is shipped or delivered to your company, in the original packaging, with shrink-wrapping if necessary. Once the product is installed, the attacker is in control.

7–20 Default passwords

Policy: All operating system software and hardware devices that initially have a password set to a default value must have their passwords reset in accordance with the company password policy.

Explanation/Notes: Several operating systems and computer-related devices are shipped with default passwords—that is, with the same password enabled on every unit sold. Failure to change default passwords is a grave mistake that places the company at risk.

Default passwords are widely known and are available on Internet Web sites. In an attack, the first password an intruder tries is the manufacturer's default password.

7–21 Invalid access attempts lockout (low to medium security)

Policy: Especially in an organization with low to medium security requirements, whenever a specified number of successive invalid login attempts to a particular account have been made, the account should be locked out for a period of time.

Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is necessary to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.

The system administrator must configure the security settings to lock out an account whenever the desired threshold of successive invalid attempts has been reached. It is recommended that an account be locked out for at least thirty minutes after seven successive invalid login attempts.

7–22 Invalid access attempts account disabled (high security)

Policy: In an organization with high security requirements, whenever a specified number of successive invalid login attempts to a particular account has been made, the account should be disabled until reset by the group responsible for providing account support.

Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is a necessary control to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.

The system administrator must configure the security settings to disable the account after five invalid login attempts. Following such an attack, the account holder will need to call technical support or the group responsible for account support to enable the account. Prior to resetting the account, the department responsible must positively identify the account holder, following the Verification and Authorization Procedures.
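The two lockout rules of policies 7–21 and 7–22 as one small state machine, added here as an example and not taken from the book. The thresholds are the ones the text recommends (seven failures then a thirty-minute lockout for low to medium security; five failures then disabled until account support resets it for high security); the profile names, the in-memory account store, and passing the clock in explicitly are assumptions made for the example.

```python
"""Successive-invalid-login lockout for policies 7-21 and 7-22 (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Profiles as recommended in the text. Names are an assumption of this example.
LOW_MEDIUM = {"threshold": 7, "lockout_seconds": 30 * 60, "disable": False}
HIGH = {"threshold": 5, "lockout_seconds": None, "disable": True}


@dataclass
class AccountState:
    failures: int = 0                      # successive invalid attempts since the last success
    locked_until: Optional[float] = None   # epoch seconds; None when no time-based lock is active
    disabled: bool = False                 # high-security profile; cleared only by account support


class LockoutPolicy:
    def __init__(self, profile: dict):
        self.threshold = profile["threshold"]
        self.lockout_seconds = profile["lockout_seconds"]
        self.disable = profile["disable"]
        self.accounts: Dict[str, AccountState] = {}   # constructed in-memory store

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the account is disabled or inside its lockout window.
        An expired window is cleared here so counting starts afresh."""
        s = self._state(user)
        if s.disabled:
            return True
        if s.locked_until is not None:
            if now < s.locked_until:
                return True
            s.locked_until = None
            s.failures = 0
        return False

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'ok', 'denied', 'locked' or 'disabled'.
        A correct password is refused while the account is locked or disabled."""
        s = self._state(user)
        if self.is_locked(user, now):
            return "disabled" if s.disabled else "locked"
        if password_ok:
            s.failures = 0   # a successful login resets the successive-failure count
            return "ok"
        s.failures += 1
        if s.failures >= self.threshold:
            if self.disable:
                s.disabled = True          # 7-22: stays disabled until support resets it
                return "disabled"
            s.locked_until = now + self.lockout_seconds   # 7-21: time-based lockout
            return "locked"
        return "denied"

    def support_reset(self, user: str) -> None:
        """Called by account support only after positively identifying the
        account holder under the Verification and Authorization Procedures."""
        self.accounts[user] = AccountState()
```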

7–23 Periodic change of privileged account passwords

Policy: All privileged account holders shall be required to change their passwords at least every thirty days.

Explanation/Notes: Depending on operating system limitations, the systems administrator must enforce this policy by configuration of security parameters in system software.

7–24 Periodic change of user passwords

Policy: All account holders must change their passwords at least every sixty days.

Explanation/Notes: With operating systems that provide this feature, the systems administrator must enforce this policy by configuration of security parameters in the software.

7–25 New account password set up

Policy: New computer accounts must be established with an initial password that is preexpired, requiring the account holder to select a new password upon initial use.

Explanation/Notes: This requirement ensures that only the account holder will have knowledge of his or her password.

7–26 Boot-up passwords

Policy: All computer systems must be configured to require a boot-up password.

Explanation/Notes: Computers must be configured so that when the computer is turned on, a password is required before the operating system will boot. This prevents any unauthorized person from turning on and using another person's computer. This policy applies to all computers on company premises.

7–27 Password requirements for privileged accounts

Policy: All privileged accounts must have a strong password. The password must:

  • Not be a word found in a dictionary in any language

  • Be mixed upper and lower case with at least one letter, one symbol, and one numeral

  • Be at least 12 characters in length

  • Not be related to the company or individual in any way.

Explanation/Notes: In most cases computer intruders will target specific accounts that have system privileges. Occasionally the attacker will exploit other vulnerabilities to gain full control over the system.

The first passwords an intruder will try are the simple, commonly used words found in a dictionary. Selecting strong passwords enhances the security by reducing the chance an attacker will find the password by trial and error, dictionary attack, or brute force attack.
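A checker for the four rules of policy 7–27, added as an example and not from the book. The dictionary and the company/individual term list are small constructed samples (a real deployment would load full word lists in several languages plus the organization's names, products and user details); the dictionary rule is applied slightly more broadly than the text states, rejecting an embedded dictionary word of four or more letters as well as a password that is itself a dictionary word.

```python
"""Strong-password check for privileged accounts, policy 7-27 (added example)."""
import re
from typing import Iterable, List

# Constructed samples standing in for full word lists.
DICTIONARY = {"password", "welcome", "summer", "dragon", "kontrasenya", "passwort"}
RELATED_TERMS = {"acme", "widgetco", "jsmith", "john", "smith", "2002"}   # hypothetical company/user terms


def password_violations(password: str,
                        dictionary: Iterable[str] = DICTIONARY,
                        related: Iterable[str] = RELATED_TERMS) -> List[str]:
    """Return the list of 7-27 rules the password violates; empty means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed upper and lower case")
    if not re.search(r"\d", password):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    # Dictionary rule: compare case-insensitively and also strip digits and
    # symbols, so that "Dragon!2002" is still recognized as the word "dragon".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or any(w in letters_only for w in dictionary if len(w) >= 4):
        problems.append("contains a dictionary word")
    # Relation rule: any company or individual term anywhere in the password.
    if any(t in lowered for t in related):
        problems.append("related to the company or individual")
    return problems


def is_strong_privileged_password(password: str) -> bool:
    return not password_violations(password)
```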

7–28 Wireless access points

Policy: All users who access a wireless network must use VPN (Virtual Private Network) technology to protect the corporate network.

Explanation/Notes: Wireless networks are being attacked by a new technique called war driving. This technique involves simply driving or walking around with a laptop equipped with an 802.11B network interface card (NIC) until a wireless network is detected.

Many companies have deployed wireless networks without even enabling WEP (wireless equivalency protocol), which is used to secure the wireless connection through use of encryption. But even when activated, the current version of WEP (mid-2002) is ineffective: It has been cracked wide open, and several Web sites are devoted to providing the means for locating open wireless systems and cracking WEP-enabled wireless access points.

Accordingly, it is essential to add a layer of protection around the 802.11B protocol by deploying VPN technology.

7–29 Updating antivirus pattern files

Policy: Every computer system must be programmed to automatically update antivirus/anti-Trojan pattern files.

Explanation/Notes: At a minimum, such updates shall occur at least weekly. In businesses where employees leave their computers turned on, it is highly recommended that pattern files be updated on a nightly basis.

Antivirus software is ineffective if it is not updated to detect all new forms of malicious code. Since the threat of virus, worm, and Trojan Horse infections is substantially increased if pattern files are not updated, it is essential that antivirus or malicious code products be kept up to date.

Computer Operations

8–1 Entering commands or running programs

Policy: Computer operations personnel must not enter commands or run programs at the request of any person not known to them. If a situation arises where an Unverified Person seems to have reason to make such a request, it should not be complied with without first getting manager approval.

Explanation/Notes: Computer operations employees are popular targets of social engineers, since their positions usually require privileged account access, and the attacker expects that they will be less experienced and less knowledgeable about company procedures than other IT workers. The intention of this policy is to add an appropriate check and balance to prevent social engineers from duping computer operations personnel.

8–2 Workers with privileged accounts

Policy: Employees with privileged accounts must not provide assistance or information to any Unverified Person. In particular this refers to not providing computer help (such as training on application use), accessing any company database, downloading software, or revealing names of personnel who have remote access capabilities.

Explanation/Notes: Social engineers often target employees with privileged accounts. The intent of this policy is to direct IT staff with privileged accounts to successfully handle calls that might represent social engineering attacks.

8–3 Internal systems information

Policy: Computer Operations staff must never disclose any information related to enterprise computer systems or related devices without positively verifying the identity of the requester.

Explanation/Notes: Computer intruders often contact computer operations employees to obtain valuable information such as system access procedures, external points for remote access, and dial-in telephone numbers that are of substantial value to the attacker.

In companies that have technical support staff or a help desk, requests to the computer operations staff for information about computer systems or related devices should be considered unusual. Any information request should be scrutinized under the corporate data classification policy to determine whether the requester is authorized to have such information. When the class of information cannot be determined, the information should be considered to be Internal.

In some cases, outside vendor technical support will need to communicate with persons who have access to enterprise computer systems. Vendors must have specific contacts in the IT department so that those individuals can recognize each other for verification purposes.

8–4 Disclosure of passwords

Policy: Computer operations staff must never reveal their password, or any other passwords entrusted to them, without prior approval of an information technology manager.

Explanation/Notes: In general terms, revealing any password to another is strictly prohibited. This policy recognizes that operations personnel may need to disclose a password to a third party when exigent situations arise. This exception to the general policy prohibiting disclosure of any password requires specific approval of an information technology manager. For extra precaution, this responsibility of disclosing authentication information should be limited to a small group of individuals who have received special training on verification procedures.

8–5 Electronic media

Policy: All electronic media that contains information not designated for public release shall be locked in a physically secure location.

Explanation/Notes: The intention of this policy is to prevent physical theft of Sensitive information stored on electronic media.

8–6 Backup media

Policy: Operations personnel should store backup media in a company safe or other secure location.

Explanation/Notes: Backup media is another prime target of computer intruders. An attacker is not going to spend time attempting to compromise a computer system or network when the weakest link in the chain might be physically unprotected backup media. Once backup media is stolen, the attacker can compromise the confidentiality of any data stored on it, unless the data is encrypted. Therefore, physically securing backup media is an essential process to protect the confidentiality of corporate information.

POLICIES FOR ALL EMPLOYEES

Whether in IT or human resources, the accounting department, or the maintenance staff, there are certain security policies that every employee of your company must know. These policies fall into the categories of General, Computer Use, Email Use, policies for Telecommuters, Phone Use, Fax Use, Voice Mail Use, and Passwords.

General

9–1 Reporting suspicious calls

Policy: Employees who suspect that they may be the subject of a security violation, including any suspicious requests to disclose information or to perform action items on a computer, must immediately report the event to the company's incident reporting group.

Explanation/Notes: When a social engineer fails to convince his or her target to comply with a demand, the attacker will always try someone else. By reporting a suspicious call or event, an employee takes the first step in alerting the company that an attack may be under way. Thus, individual employees are the first line of defense against social engineering attacks.

9–2 Documenting suspicious calls

Policy: In the event of a suspicious phone call that appears to be a social engineering attack, the employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes of these details for reporting purposes.

Explanation/Notes: When reported to the incident reporting group, such details can help them spot the object or pattern of an attack.

9–3 Disclosure of dial-up numbers

Policy: Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk or to technical support personnel.

Explanation/Notes: Dial-up telephone numbers must be treated as Internal information, to be provided only to employees who have a need to know such information to carry out their job responsibilities.

Social engineers routinely target employees or departments that are likely to be less protective of the requested information. For example, the attacker may call the accounts payable department masquerading as a telephone company employee who is trying to resolve a billing problem. The attacker then asks for any known fax or dial-in numbers in order to resolve the problem. The intruder often targets an employee who is unlikely to realize the danger of releasing such information, or who lacks training with respect to company disclosure policy and procedures.

9–4 Corporate ID badges

Policy: Except when in their immediate office area, all company personnel, including management and executive staff, must wear their employee badges at all times.

Explanation/Notes: All workers, including corporate executives, should be trained and motivated to understand that wearing an ID badge is mandatory everywhere on company premises other than public areas and the person's own office or workgroup area.

9–5 Challenging ID badge violations

Policy: All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor's badge.

Explanation/Notes: While no company wants to create a culture where eagle-eyed employees look for a way to ensnare coworkers for venturing into the hallway without their badges, nonetheless any company concerned with protecting its information needs to take seriously the threat of a social engineer wandering its facilities unchallenged. Motivation for employees who prove diligent in helping enforce the badges-always policy may be acknowledged in familiar ways, such as recognition in the company newspaper or on bulletin boards; a few hours off with pay; or a letter of commendation in their personnel records.

9–6 Piggybacking (passing through secure entrances)

Policy: Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means, such as a card key, to gain entrance (piggybacking).

Explanation/Notes: Employees must understand that it is not rude to require unknown persons to authenticate themselves before helping them enter a facility or access a secure area.

Social engineers frequently use a technique known as piggybacking, in which they lie in wait for another person who is entering a facility or Sensitive area, and then simply enter with them. Most people feel uncomfortable challenging others, assuming that they are probably legitimate employees. Another piggybacking technique is to carry several boxes so that an unsuspecting worker opens or holds the door to help.

9–7 Shredding Sensitive documents

Policy: Sensitive documents to be discarded must be cross-shredded; media including hard drives that have ever contained Sensitive information or materials must be destroyed in accordance with the procedures set forth by the group responsible for information security.

Explanation/Notes: Standard shredders do not adequately destroy documents; cross-shredders turn documents into pulp. The best security practice is to presume that the organization's chief competitors will be rifling through discarded materials looking for any intelligence that could be beneficial to them.

Industrial spies and computer attackers regularly obtain Sensitive information from materials tossed in the trash. In some cases, business competitors have been known to attempt bribery of cleaning crews to turn over company trash. In one recent example, items retrieved from the trash by an employee at Goldman Sachs were used in an insider-trading scheme.

9–8 Personal identifiers

Policy: Personal identifiers such as employee number, social security number, driver's license number, date and place of birth, and mother's maiden name should never be used as a means of verifying identity. These identifiers are not secret and can be obtained by numerous means.

Explanation/Notes: A social engineer can obtain other people's personal identifiers for a price. And in fact, contrary to popular belief, anyone with a credit card and access to the Internet can obtain these pieces of personal identification. Yet despite the obvious danger, banks, utility companies, and credit card companies commonly use these identifiers. This is one reason that identity theft is the fastest growing crime of the decade.

9–9 Organization charts

Policy: Details shown on the company's organization chart must not be disclosed to anyone other than company employees.

Explanation/Notes: Corporate structure information includes organization charts, hierarchy charts, departmental employee lists, reporting structure, employee names, employee positions, internal contact numbers, employee numbers, or similar information.

In the first phase of a social engineering attack, the goal is to gather information about the internal structure of the company. This information is then used to strategize an attack plan. The attacker can also analyze this information to determine which employees are likely to have access to the data that he seeks. During the attack, the information makes the attacker appear to be a knowledgeable employee, making it more likely that he'll dupe his victim into compliance.

9–10 Private information about employees

Policy: Any requests for private employee information must be referred to human resources.

Explanation/Notes: An exception to this policy may be the telephone number for an employee who needs to be contacted regarding a work-related issue or who is acting in an on-call role. However, it is always preferable to get the requester's phone number, and have the employee call him or her back.

Computer Use

10–1 Entering commands into a computer

Policy: Company personnel should never enter commands into a computer or computer-related equipment at the request of another person unless the requester has been verified as an employee of the information technology department.

Explanation/Notes: One common ploy of social engineers is to request that an employee enter a command that makes a change to the system's configuration, allows the attacker to access the victim's computer without providing authentication, or allows the attacker to retrieve information that can be used to facilitate a technical attack.

10–2 Internal naming conventions

Policy: Employees must not disclose the internal names of computer systems or databases without prior verification that the requester is employed by the company.

Explanation/Notes: Social engineers will sometimes attempt to obtain the names of company computer systems; once the names are known, the attacker places a call to the company and masquerades as a legitimate employee having trouble accessing or using one of the systems. By knowing the internal name assigned to the particular system, the social engineer gains credibility.

10–3 Requests to run programs

Policy: Company personnel should never run any computer applications or programs at the request of another person unless the requester has been verified as an employee of the information technology department.

Explanation/Notes: Any request to run programs, applications, or perform any activity on a computer must be refused unless the requester is positively identified as an employee in the information technology department. If the request involves revealing Confidential information from any file or electronic message, responding to the request must be in accordance with the procedures for releasing Confidential information. See Information Disclosure Policy.

Computer attackers deceive people into executing programs that enable the intruder to gain control of the system. When an unsuspecting user runs a program planted by an attacker, the result may give the intruder access to the victim's computer system. Other programs record the activities of the computer user and return that information to the attacker. While a social engineer can trick a person into executing computer instructions that may do damage, a technically based attack tricks the computer's operating system into executing computer instructions that may cause the same sort of damage.

10–4 Downloading or installing software

Policy: Company personnel must never download or install software at the request of another person, unless the requester has been verified as an employee with the information technology department.

Explanation/Notes: Employees should be on the alert for any unusual request that involves any sort of transaction with computer-related equipment.

A common tactic used by social engineers is to deceive unsuspecting victims into downloading and installing a program that helps the attacker accomplish his or her goal of compromising computer or network security. In some instances, the program may covertly spy on the user or allow the attacker to take control of the computer system through use of a covert remote control application.

10–5 Plain text passwords and email

Policy: Passwords shall not be sent through email unless encrypted.

Explanation/Notes: While it's discouraged, this policy may be waived by e-commerce sites in certain limited circumstances, such as:

  • Sending passwords to customers who have registered on the site.

  • Sending passwords to customers who have lost or forgotten their passwords.

10–6 Security-related software

Policy: Company personnel must never remove or disable antivirus/Trojan Horse, firewall, or other security-related software without prior approval from the information technology department.

Explanation/Notes: Computer users sometimes disable security-related software without provocation, thinking it will increase the speed of their computer.

A social engineer may attempt to deceive an employee into disabling or removing software that is needed to protect the company against security-related threats.

10–7 Installation of modems

Policy: No modems may be connected to any computer until prior approval has been obtained from the IT department.

Explanation/Notes: It is important to recognize that modems on desktops or workstations in the workplace pose a substantial security threat, especially if connected to the corporate network. Accordingly, this policy controls modem connection procedures.

Hackers use a technique called war dialing to identify any active modem lines within a range of telephone numbers. The same technique may be used to locate telephone numbers connected to modems within the enterprise. An attacker can easily compromise the corporate network if he or she identifies a computer system connected to a modem running vulnerable remote access software, which is configured with an easily guessed password or no password at all.

10–8 Modems and auto-answer settings

Policy: All desktops or workstations with IT-approved modems shall have the modem auto-answer feature disabled to prevent anyone from dialing into the computer system.

Explanation/Notes: Whenever feasible, the information technology department should deploy a dial-out modem pool for those employees who need to dial out to external computer systems via modem.

10–9 Cracking tools

Policy: Employees will not download or use any software tools designed to defeat software protection mechanisms.

Explanation/Notes: The Internet has dozens of sites devoted to software designed to crack shareware and commercial software products. The use of these tools not only violates a software owner's copyright, but also is extremely dangerous. Because these programs originate from unknown sources, they may contain hidden malicious code that may cause damage to the user's computer or plant a Trojan Horse that gives the author of the program access to the user's computer.

10–10 Posting company information on line

Policy: Employees shall not disclose any details regarding company hardware or software in any public newsgroup, forum, or bulletin board, and shall not disclose contact information other than in accordance with policy.

Explanation/Notes: Any message posted to the Usenet, on-line forums, bulletin boards, or mailing lists can be searched to gather intelligence on a target company or a target individual. During the research phase of a social engineering attack, the attacker may search the Internet for any posts that contain useful information about the company, its products or its people.

Some posts contain very useful tidbits of information that the attacker can use to further an attack. For example, a network administrator may post a question about configuring firewall filters on a particular brand and model of firewall. An attacker who discovers this message will learn valuable information about the type and configuration of the company's firewall that enables him to circumvent it to gain access to the enterprise network.

This problem can be reduced or avoided by implementing a policy that allows employees to post to newsgroups from anonymous accounts that do not identify the company from which they originated. Naturally, the policy must require employees not to include any contact information that may identify the company.

10–11 Floppy disks and other electronic media

Policy: If media used to store computer information, such as floppy disks or CD-ROMs, have been left in a work area or on an employee's desk, and that media is from an unknown source, it must not be inserted into any computer system.

Explanation/Notes: One method used by attackers to install malicious code is to place programs onto a floppy or CD-ROM and label it with something very enticing (for example, "Personnel Payroll Data—Confidential"). They then drop several copies in areas used by employees. If a single copy is inserted into a computer and the files on it opened, the attacker's malicious code is executed. This may create a backdoor, which is used to compromise the system, or may cause other damage to the network.

10–12 Discarding removable media

Policy: Before discarding any electronic media that ever contained Sensitive company information, even if that information has been deleted, the item shall be thoroughly degaussed or damaged beyond recovery.

Explanation/Notes: While shredding hard-copy documents is commonplace these days, company workers may overlook the threat of discarding electronic media that contained Sensitive data at any time. Computer attackers attempt to recover any data stored on discarded electronic media. Workers may presume that by just deleting files, they ensure that those files cannot be recovered. This presumption is absolutely incorrect and can cause confidential business information to fall into the wrong hands. Accordingly, all electronic media that contains or previously contained information not designated as Public must be wiped clean or destroyed using the procedures approved by the responsible group.

10–13 Password-protected screen savers

Policy: All computer users must set a screen saver password and the inactivity time-out limit to lock the computer after a certain period of inactivity.

Explanation/Notes: All employees are responsible for setting a screen saver password, and setting the inactivity timeout for no more than ten minutes. The intention of this policy is to prevent any unauthorized person from using another person's computer. Additionally, this policy protects company computer systems from being easily accessed by outsiders who have gained access to the building.

10–14 Disclosure or sharing of passwords statement

Policy: Prior to creation of a new computer account, the employee or contractor must sign a written statement acknowledging that he or she understands that passwords must never be disclosed or shared with anyone, and that he or she agrees to abide by this policy.

Explanation/Notes: The agreement should also include a notice that violation of such agreement may lead to disciplinary action up to and including termination.

Email Use

11–1 Email attachments

Policy: Email attachments must not be opened unless the attachment was expected in the course of business or was sent by a Trusted Person.

Explanation/Notes: All email attachments must be scrutinized closely. You may require that prior notice be given by a Trusted Person that an email attachment is being sent before the recipient opens any attachment. This will reduce the risk of attackers using social engineering tactics to deceive people into opening attachments.

One method of compromising a computer system is to trick an employee into running a malicious program that creates a vulnerability, providing the attacker with access to the system. By sending an email attachment that has executable code or macros, the attacker may be able to gain control of the user's computer.

A social engineer may send a malicious email attachment, then call and attempt to persuade the recipient to open the attachment.

11–2 Automatic forwarding to external addresses

Policy: Automatic forwarding of incoming email to an external email address is prohibited.

Explanation/Notes: The intention of this policy is to prevent an outsider from receiving email sent to an internal email address.

Employees occasionally set up email forwarding of their incoming mail to an email address outside the company when they will be away from the office. Or an attacker may be able to deceive an employee into setting up an internal email address that forwards to an address outside the company. The attacker can then pose as a legitimate insider by having an internal company email address and get people to email Sensitive information to the internal email address.

11–3 Forwarding emails

Policy: Any request from an Unverified Person to relay an electronic mail message to another Unverified Person requires verification of the requester's identity.

11–4 Verifying email

Policy: An email message that appears to be from a Trusted Person that contains a request to provide information not designated as Public, or to perform an action with any computer-related equipment, requires an additional form of authentication. See Verification and Authorization Procedures.

Explanation/Notes: An attacker can easily forge an email message and its header, making it appear as if the message originated from another email address. An attacker can also send an email message from a compromised computer system, providing phony authorization to disclose information or perform an action. Even by examining the header of an email message you cannot detect email messages sent from a compromised internal computer system.

Phone Use

12–1 Participating in telephone surveys

Policy: Employees may not participate in surveys by answering any questions from any outside organization or person. Such requests must be referred to the public relations department or other designated person.

Explanation/Notes: A method used by social engineers to obtain valuable information that may be used against the enterprise is to call an employee and claim to be doing a survey. It's surprising how many people are happy to provide information about the company and themselves to strangers when they believe they're taking part in legitimate research. Among the innocuous questions, the caller will insert a few questions that the attacker wants to know. Eventually, such information may be used to compromise the corporate network.

12–2 Disclosure of internal telephone numbers

Policy: If an Unverified Person asks an employee for his phone number, the employee may make a reasonable determination of whether disclosure is necessary to conduct company business.

Explanation/Notes: The intention of this policy is to require employees to make a considered decision on whether disclosure of their telephone extension is necessary. When dealing with people who have not demonstrated a genuine need to know the extension, the safest course is to require them to call the main company phone number and be transferred.

12–3 Passwords in voice mail messages

Policy: Leaving messages containing password information on anyone's voice mailbox is prohibited.

Explanation/Notes: A social engineer can often gain access to an employee's voice mailbox because it is inadequately protected with an easy-to-guess access code. In one type of attack, a sophisticated computer intruder is able to create his own phony voice mailbox and persuade another employee to leave a message relaying password information. This policy defeats such a ruse.

Fax Use

13–1 Relaying faxes

Policy: No fax may be received and forwarded to another party without verification of the requester's identity.

Explanation/Notes: Information thieves may trick trusted employees into faxing sensitive information to a fax machine located on the company's premises. Prior to the attacker giving the fax number to the victim, the imposter telephones an unsuspecting employee, such as a secretary or administrative assistant, and asks if a document can be faxed to them for later pickup. Subsequently, after the unsuspecting employee receives the fax, the attacker telephones the employee and requests that the fax be sent to another location, perhaps claiming that it is needed for an urgent meeting. Since the person asked to relay the fax usually has no understanding of the value of the information, he or she complies with the request.

13–2 Verification of faxed authorizations

Policy: Prior to carrying out any instructions received by facsimile, the sender must be verified as an employee or other Trusted Person. Placing a telephone call to the sender to verify the request is usually sufficient.

Explanation/Notes: Employees must exercise caution when unusual requests are sent by fax, such as a request to enter commands into a computer or disclose information. The data in the header of a faxed document can be falsified by changing the settings of the sending fax machine. Therefore the header on a fax must not be accepted as a means of establishing identity or authorization.

13–3 Sending sensitive information by fax

Policy: Before sending Sensitive information by fax to a machine that is located in an area accessible to other personnel, the sender shall transmit a cover page. The recipient, on receiving the page, transmits a page in response, demonstrating that he/she is physically present at the fax machine. The sender then transmits the fax.

Explanation/Notes: This handshake process assures the sender that the recipient is physically present at the receiving end. Moreover, this process verifies that the receiving fax telephone number has not been forwarded to another location.

13–4 Faxing passwords prohibited

Policy: Passwords must not be sent via facsimile under any circumstances.

Explanation/Notes: Sending authentication information by facsimile is not secure. Most fax machines are accessible to a number of employees. Furthermore, they rely on the public switched telephone network, which can be manipulated by call-forwarding the phone number of the receiving fax machine so that the fax is actually sent to the attacker at another number.

Voice Mail Use

14–1 Voice mail passwords

Policy: Voice mail passwords must never be disclosed to anyone for any purpose. In addition, voice mail passwords must be changed every ninety days or sooner.

Explanation/Notes: Confidential company information may be left in voice mail messages. To protect this information, employees should change their voice mail passwords frequently, and never disclose them. In addition, voice mail users should not use the same or similar voice mail passwords within a twelve-month period.

14–2 Passwords on multiple systems

Policy: Voice mail users must not use the same password on any other phone or computer system, whether internal or external to the company.

Explanation/Notes: Use of a similar or identical password for multiple devices, such as voice mail and computer, makes it easier for social engineers to guess all the passwords of a user after identifying only one.

14–3 Setting voice mail passwords

Policy: Voice mail users and administrators must create voice mail passwords that are difficult to guess. They must not be related in any way to the person using it, or the company, and should not contain a predictable pattern that is likely to be guessed.

Explanation/Notes: Passwords must not contain sequential or repeating digits (e.g., 1111, 1234, 1010), must not be the same as or based on the telephone extension number, and must not be related to address, zip code, birth date, license plate, phone number, weight, I.Q., or other predictable personal information.

14–4 Mail messages marked as "old"

Policy: When previously unheard voice mail messages are not marked as new messages, the voice mail administrator must be notified of a possible security violation and the voice mail password must immediately be changed.

Explanation/Notes: Social engineers may gain access to a voice mailbox in a variety of ways. An employee who becomes aware that messages they have never listened to are not being announced as new messages must assume that another person has obtained unauthorized access to the voice mailbox and listened to the messages themselves.

14–5 External voice mail greetings

Policy: Company workers shall limit their disclosure of information on their external outgoing greeting on their voice mail. Ordinarily information related to a worker's daily routine or travel schedule should not be disclosed.

Explanation/Notes: An external greeting (played to outside callers) should not include last name, extension, or reason for absence (such as travel, vacation schedule, or daily itinerary). An attacker can use this information to develop a plausible story in his attempt to dupe other personnel.

14–6 Voice mail password patterns

Policy: Voice mail users shall not select a password where one part of the password remains fixed, while another part changes in a predictable pattern.

Explanation/Notes: For example, do not use a password such as 743501, 743502, 743503, and so on, where the last two digits correspond to the current month.

14–7 Confidential or Private information

Policy: Confidential or Private information shall not be disclosed in a voice mail message.

Explanation/Notes: The corporate telephone system is typically more vulnerable than corporate computer systems. The passwords are usually a string of digits, which substantially limits the number of possibilities an attacker has to guess. Further, in some organizations, voice mail passwords may be shared with secretaries or other administrative staff who have the responsibility of taking messages for their managers. In light of the above, no Sensitive information should ever be left on anyone's voice mail.

Passwords

15–1 Telephone security

Policy: Passwords shall not be disclosed over the telephone at any time.

Explanation/Notes: Attackers may find ways to listen in to phone conversations, either in person or through a technological device.

15–2 Revealing computer passwords

Policy: Under no circumstances shall any computer user reveal his or her password to anyone for any purpose without prior written consent of the responsible information technology manager.

Explanation/Notes: The goal of many social engineering attacks involves deceiving unsuspecting persons into revealing their account names and passwords. This policy is a crucial step in reducing the risk of successful social engineering attacks against the enterprise. Accordingly, this policy needs to be followed religiously throughout the company.

15–3 Internet passwords

Policy: Personnel must never use, on an Internet site, a password that is the same as or similar to one they are using on any corporate system.

Explanation/Notes: Malicious Web site operators may set up a site that purports to offer something of value or the possibility of winning a prize. To register, a visitor to the site must enter an email address, username, and password. Since many people use the same or similar sign-on information repeatedly, the malicious Web site operator will attempt to use the chosen password and variations of it for attacking the target's work- or home-computer system. The visitor's work computer can sometimes be identified by the email address entered during the registration process.

15–4 Passwords on multiple systems

Policy: Company personnel must never use the same or a similar password in more than one system. This policy pertains to various types of devices (computer or voice mail); various locations of devices (home or work); and various types of systems, devices (router or firewall), or programs (database or application).

Explanation/Notes: Attackers rely on human nature to break into computer systems and networks. They know that, to avoid the hassle of keeping track of several passwords, many people use the same or a similar password on every system they access. As such, the intruder will attempt to learn the password of one system where the target has an account. Once obtained, it's highly likely that this password or a variation thereof will give access to other systems and devices used by the employee.

15–5 Reusing passwords

Policy: No computer user shall use the same or a similar password within the same eighteen-month period.

Explanation/Notes: If an attacker does discover a user's password, frequent changing of the password minimizes the damage that can be done. Making the new password unique from previous passwords makes it harder for the attacker to guess it.

15–6 Password patterns

Policy: Employees must not select a password where one part remains fixed, and another element changes in a predictable pattern.

Explanation/Notes: For example, do not use a password such as Kevin01, Kevin02, Kevin03, and so on, where the last two digits correspond to the current month.

15–7 Choosing passwords

Policy: Computer users should create or choose a password that adheres to the following requirements. The password must:

  • Be at least eight characters long for standard user accounts and at least twelve characters long for privileged accounts.

  • Contain at least one number, at least one symbol (such as $, _, !, &), at least one lowercase letter, and at least one uppercase letter (to the extent that such variables are supported by the operating system).

  • Not be any of the following items: words in a dictionary in any language; any word that is related to an employee's family, hobbies, vehicle, work, license plate, social security number, address, telephone, pet's name, birthday, or phrases containing those words.

  • Not be a variation of a previously used password, with one element remaining the same and another element changing, such as kevin, kevin1, kevin2; or kevinjan, kevinfeb.

Explanation/Notes: The parameters listed above will produce a password that is difficult for the social engineer to guess. Another option is the consonant-vowel method, which provides an easy-to-remember and pronounceable password. To construct this kind of password substitute consonants for each letter C and vowels for the letter V, using the mask of "CVCVCVCV." Examples would be MIXOCASO; CUSOJENA.
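As an added illustration (not code from the book), the following Python checker applies the 15–6 and 15–7 rules, flags a new password that is the same as or a predictable variation of an earlier one (the concern behind 15–4 and 15–5), and builds a pronounceable password from the "CVCVCVCV" mask. The symbols beyond $, _, !, & and the small word list are assumptions; the stem heuristic is one way to detect the Kevin01/Kevin02 pattern, not a general similarity measure.

```python
import re
import secrets

# Policy parameters taken from sections 15-6 and 15-7 of the chapter.
MIN_LEN = {"standard": 8, "privileged": 12}
SYMBOLS = set("$_!&#@%^*+-=?")   # $, _, !, & are the page's examples; the rest are assumed
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
MONTH_EDGE = re.compile(r"^(?:%s)|(?:%s)$" % ("|".join(MONTHS), "|".join(MONTHS)))
# Constructed mini-dictionary; a real check loads full wordlists in several languages.
DICTIONARY = {"password", "welcome", "summer", "dragon", "secret"}


def stem(pw: str) -> str:
    """Drop the 'changing element' (digits anywhere, a month name at either end) so that
    Kevin01 / Kevin02 / kevinjan / kevinfeb all reduce to the fixed stem 'kevin'.
    Heuristic for the 15-6 pattern rule only; it is not a general similarity metric."""
    s = re.sub(r"\d+", "", pw.lower())
    return MONTH_EDGE.sub("", s)


def check_password(pw, account="standard", personal=(), history=()):
    """Return the list of policy violations; an empty list means the password passes.
    personal: words tied to the employee (family, pet, plate, ...); history: earlier passwords."""
    problems = []
    if len(pw) < MIN_LEN[account]:
        problems.append(f"shorter than {MIN_LEN[account]} characters ({account} account)")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    low = pw.lower()
    # Dictionary words of four or more letters and every personal term, matched as substrings.
    banned = {w for w in DICTIONARY if len(w) >= 4} | {w.lower() for w in personal if w}
    for word in sorted(banned):
        if word in low:
            problems.append(f"contains dictionary or personal word '{word}'")
    # An identical stem means the same password or a predictable variation of it (15-5, 15-6).
    for old in history:
        if stem(old) == stem(pw):
            problems.append(f"same as or a variation of the earlier password '{old}'")
    return problems


CONSONANTS = "BCDFGHJKLMNPRSTVWXZ"
VOWELS = "AEIOU"


def cv_password(mask="CVCVCVCV"):
    """Pronounceable password from the page's consonant-vowel mask, drawn with a CSPRNG.
    The result (e.g. MIXOCASO) is a memorable core only: it still needs a digit, a symbol
    and mixed case before check_password() accepts it."""
    return "".join(secrets.choice(CONSONANTS if c == "C" else VOWELS) for c in mask)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("Kevin02", personal=["Kevin"], history=["Kevin01"]))
    print(check_password("Tr0ub4dor&3"))                        # [] : passes for a standard account
    print(check_password("Tr0ub4dor&3", account="privileged"))  # too short for a privileged account
    print(cv_password())
```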

15–8 Writing passwords down

Policy: Employees should write passwords down only when they store them in a secure location away from the computer or other password-protected device.

Explanation/Notes: Employees are discouraged from ever writing down passwords. Under certain conditions, however, it may be necessary; for example, for an employee who has multiple accounts on different computer systems. Any written passwords must be secured in a safe place away from the computer. Under no circumstances may a password be stored under the keyboard or attached to the computer display.

15–9 Plaintext passwords in computer files

Policy: Plaintext passwords shall not be saved in any computer file or stored as text called by pressing a function key. When necessary, passwords may be saved using an encryption utility approved by the IT department to prevent any unauthorized disclosures.

Explanation/Notes: Passwords can be easily recovered by an attacker if stored in unencrypted form in computer data files, batch files, terminal function keys, login files, macro or scripting programs, or any data files which contain passwords to FTP sites.

POLICIES FOR TELECOMMUTERS

Telecommuters are outside the corporate firewall, and therefore more vulnerable to attack. These policies will help you prevent social engineers from using your telecommuter employees as a gateway to your data.

16–1 Thin clients

Policy: All company personnel who have been authorized to connect via remote access shall use a thin client to connect to the corporate network.

Explanation/Notes: When an attacker analyzes an attack strategy, he or she will try to identify users who access the corporate network from external locations. As such, telecommuters are prime targets. Their computers are less likely to have stringent security controls, and may be a weak link that may compromise the corporate network.

Any computer that connects to a trusted network can be booby-trapped with keystroke loggers, or its authenticated connection can be hijacked. A thin client strategy can be used to avoid these problems. A thin client is similar to a diskless workstation or a dumb terminal: the remote computer has no storage of its own; instead the operating system, application programs, and data all reside on the corporate network. Accessing the network via a thin client substantially reduces the risk posed by unpatched systems, outdated operating systems, and malicious code. Accordingly, managing the security of telecommuters is more effective and easier when security controls are centralized. Rather than relying on the inexperienced telecommuter to properly manage security-related issues, these responsibilities are better left with trained system, network, or security administrators.

16–2 Security software for telecommuter computer systems

Policy: Any external computer system that is used to connect to the corporate network must have antivirus software, anti-Trojan software, and a personal firewall (hardware or software). Antivirus and anti-Trojan pattern files must be updated at least weekly.

Explanation/Notes: Ordinarily, telecommuters are not skilled on security-related issues, and may inadvertently or negligently leave their computer system and the corporate network open to attack. Telecommuters therefore pose a serious security risk if they are not properly trained. In addition to installing antivirus and anti-Trojan Horse software to protect against malicious code, a firewall is necessary to block any hostile users from obtaining access to any services enabled on the telecommuter's system.

The risk of not deploying the minimal security technologies to prevent malicious code from propagating cannot be overstated, as an attack on Microsoft proves. A computer system belonging to a Microsoft telecommuter, used to connect to Microsoft's corporate network, became infected with a Trojan Horse program. The intruder or intruders were able to use the telecommuter's trusted connection to Microsoft's development network to steal developmental source code.

POLICIES FOR HUMAN RESOURCES

Human resources departments have a special charge to protect employees from those attempting to discover personal information through their workplace. HR professionals also have a responsibility to protect their company from the actions of unhappy ex-employees.

17–1 Departing employees

Policy: Whenever a person employed by the company leaves or is terminated, Human Resources must immediately do the following:

  • Remove the person's listing from the on-line employee/ telephone directory and disable or forward their voice mail;

  • Notify personnel at building entrances or company lobbies; and

  • Add the employee's name to the employee departure list, which shall be emailed to all personnel no less often than once a week.

Explanation/Notes: Employees who are stationed at building entrances must be notified to prevent a former employee from reentering the premises. Further, notifying other personnel may prevent the former employee from successfully masquerading as an active employee and duping personnel into taking some action damaging to the company.

In some circumstances, it may be necessary to require every user within the former employee's department to change his or her password. (When I was terminated from GTE solely because of my reputation as a hacker, the company required all employees throughout the company to change their passwords.)

17–2 IT department notification

Policy: Whenever a person employed by the company leaves or is terminated, Human Resources should immediately notify the information technology department to disable the former employee's computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.

Explanation/Notes: It's essential to disable any former worker's access to all computer systems, network devices, databases, or any other computer-related devices immediately upon termination. Otherwise, the company may leave the door wide open for a disgruntled employee to access company computer systems and cause significant damage.

17–3 Confidential information used in hiring process

Policy: Advertisements and other forms of public solicitation of candidates to fill job openings should, to the extent possible, avoid identifying computer hardware and software used by the company.

Explanation/Notes: Managers and human resources personnel should only disclose information related to enterprise computer hardware and software that is reasonably necessary to obtain resumes from qualified candidates.

Computer intruders read newspapers and company press releases, and visit Internet sites, to find job listings. Often, companies disclose too much information about the types of hardware and software used to attract prospective employees. Once the intruder has knowledge of the target's information systems, he is armed for the next phase of attack. For example, by knowing that a particular company uses the VMS operating system, the attacker may place pretext calls to determine the release version, and then send a phony emergency security patch made to appear as if it came from the software developer. Once the patch is installed, the attacker is in.

17–4 Employee personal information

Policy: The human resources department must never release personal information about any current or former employee, contractor, consultant, temporary worker, or intern, except with prior express written consent of the employee or human resources manager.

Explanation/Notes: Head-hunters, private investigators, and identity thieves target private employee information such as employee numbers, social security numbers, birth dates, salary history, financial data including direct deposit information, and health-related benefit information. The social engineer may obtain this information so as to masquerade as the individual. In addition, disclosing the names of new hires may be extremely valuable to information thieves. New hires are likely to comply with any request by persons with seniority or in a position of authority, or anyone claiming to be from corporate security.

17–5 Background checks

Policy: A background check should be required for all new hires, contractors, consultants, temporary workers, or interns prior to an offer of employment or establishing of a contractual relationship.

Explanation/Notes: Because of cost considerations, the requirement for background checks may be limited to specific positions of trust. Note, however, that any person who is given physical access to corporate offices may be a potential threat. For example, cleaning crews have access to personnel offices, which gives them access to any computer systems located there. An attacker with physical access to a computer can install a hardware keystroke logger in less than a minute to capture passwords.

Computer intruders will sometimes go to the effort of obtaining a job as a means of gaining access to a target company's computer systems and networks. An attacker can easily obtain the name of a company's cleaning contractor by calling the responsible employee at the target company, claiming to be from a janitorial company looking for their business, and then obtaining the name of the company that is currently providing such services.

POLICIES FOR PHYSICAL SECURITY

Though social engineers try to avoid showing up in person at a workplace they want to target, there are times when they will violate your space. These policies will help you to keep your physical premises secure from threat.

18–1 Identification for nonemployees

Policy: Delivery people and other nonemployees who need to enter company premises on a regular basis must have a special badge or other form of identification in accordance with policy established by corporate security.

Explanation/Notes: Nonemployees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or install telephones) should be issued a special form of company identification badge provided for this purpose. Others who need to enter only occasionally or on a one-time basis must be treated as visitors and should be escorted at all times.

18–2 Visitor identification

Policy: All visitors must present a valid driver's license or other picture identification to be admitted to the premises.

Explanation/Notes: The security staff or receptionist should make a photocopy of the identification document prior to issuing a visitor's badge. The copy should be kept with the visitor's log. Alternatively, the identification information can be recorded in the visitor's log by the receptionist or guard; visitors should not be permitted to write down their own ID information.

Social engineers seeking to gain entrance to a building will always write false information in the log. Even though it's not difficult to obtain false ID and to learn the name of an employee he or she can claim to be visiting, requiring that the responsible employee log the entry adds one level of security to the process.

18–3 Escorting visitors

Policy: Visitors must be escorted or in the company of an employee at all times.

Explanation/Notes: One popular ruse of social engineers is to arrange to visit a company employee (for example, visiting with a product engineer on the pretext of being the employee of a strategic partner). After being escorted to the initial meeting, the social engineer assures his host that he can find his own way back to the lobby. By this means he gains the freedom to roam the building and possibly gain access to Sensitive information.

18–4 Temporary badges

Policy: Company employees from another location who do not have their employee badges with them must present a valid driver's license or other picture ID and be issued a temporary visitor's badge.

Explanation/Notes: Attackers often pose as employees from a different office or branch of a company to gain entrance to a company.

18–5 Emergency evacuation

Policy: In any emergency situation or drill, security personnel must ensure that everybody has evacuated the premises.

Explanation/Notes: Security personnel must check for any stragglers that may be left behind in restrooms or office areas. As authorized by the fire department or other authority in charge of the scene, the security force needs to be on the alert for anyone departing the building long after the evacuation.

Industrial spies or sophisticated computer intruders may cause a diversion to gain access to a building or secure area. One diversion used is to release a harmless chemical known as butyl mercaptan into the air. The effect is to create the impression that there is a natural gas leak. Once personnel start evacuation procedures, the bold attacker uses this diversion to either steal information or to gain access to enterprise computer systems. Another tactic used by information thieves involves remaining behind, sometimes in a restroom or closet, at the time of a scheduled evacuation drill, or after setting off a smoke flare or other device to cause an emergency evacuation.

18–6 Visitors in mail room

Policy: No visitors should be permitted in the mail room without the supervision of a company worker.

Explanation/Notes: The intention of this policy is to prevent an outsider from exchanging, sending, or stealing intracompany mail.

18–7 Vehicle license plate numbers

Policy: If the company has a guarded parking area, security staff shall log vehicle license plate numbers for any vehicle entering the area.

18–8 Trash Dumpsters

Policy: Trash Dumpsters must remain on company premises at all times and should be inaccessible to the public.

Explanation/Notes: Computer attackers and industrial spies can obtain valuable information from company trash bins. The courts have held that trash is considered legally abandoned property, so the act of Dumpster diving is perfectly legal, as long as the trash receptacles are on public property. For this reason, it is important that trash receptacles be situated on company property, where the company has a legal right to protect the containers and their contents.

POLICIES FOR RECEPTIONISTS

Receptionists are often on the front lines when it comes to dealing with social engineers, yet they are rarely given enough security training to recognize and stop an invader. Institute these policies to help your receptionist better protect your company and its data.

19–1 Internal directory

Policy: Disclosure of information in the internal company directory should be limited to persons employed by the company.

Explanation/Notes: All employee titles, names, telephone numbers, and addresses contained within the company directory should be considered Internal information, and should only be disclosed in accordance with the policy related to data classification and Internal information.

Additionally, any calling party must have the name or extension of the party they are trying to contact. Although the receptionist can put a call through to an individual when a caller does not know the extension, telling the caller the extension number should be prohibited. (For those curious folks who follow by example, you can experience this procedure by calling the National Security Agency and asking the operator to provide an extension.)

19–2 Telephone numbers for specific departments/groups

Policy: Employees shall not provide direct telephone numbers for the company help desk, telecommunications department, computer operations, or system administrator personnel without verifying that the requester has a legitimate need to contact these groups. The receptionist, when transferring a call to these groups, must announce the caller's name.

Explanation/Notes: Although some organizations may find this policy overly restrictive, this rule makes it more difficult for a social engineer to masquerade as an employee by deceiving other employees into transferring the call from their extension (which in some phone systems causes the call to appear to originate from within the company), or by demonstrating knowledge of these extensions to the victim in order to create a sense of authenticity.

19–3 Relaying information

Policy: Telephone operators and receptionists should not take messages or relay information on behalf of any party not personally known to be an active employee.

Explanation/Notes: Social engineers are adept at deceiving employees into inadvertently vouching for their identity. One social engineering trick is to obtain the telephone number of the receptionist and, on a pretext, ask the receptionist to take any messages that may come for him. Then, during a call to the victim, the attacker pretends to be an employee, asks for some sensitive information or to perform a task, and gives the main switchboard number as a callback number. The attacker later calls back to the receptionist and is given any message left for him by the unsuspecting victim.

19–4 Items left for pickup

Policy: Before releasing any item to a messenger or other Unverified Person, the receptionist or security guard must obtain picture identification and enter the identification information into the pickup log as required by approved procedures.

Explanation/Notes: One social engineering tactic is to deceive an employee into releasing sensitive materials to another supposedly authorized employee by dropping off such materials at the receptionist or lobby desk for pickup. Naturally, the receptionist or security guard assumes the package is authorized for release. The social engineer either shows up himself or has a messenger service pick up the package.

POLICIES FOR THE INCIDENT REPORTING GROUP

Every company should set up a centralized group that should be notified when any form of attack on corporate security is identified. What follows are some guidelines for setting up and structuring the activities of this group.

20–1 Incident reporting group

Policy: An individual or group must be designated and employees should be instructed to report security incidents to them. All employees should be provided with the contact information for the group.

Explanation/Notes: Employees must understand how to identify a security threat, and be trained to report any threat to a specific incident reporting group. It is also important that an organization establish specific procedures and authority for such a group to act when a threat is reported.

20–2 Attacks in progress

Policy: Whenever the incident reporting group has received reports of an ongoing social engineering attack they shall immediately initiate procedures for alerting all employees assigned to the targeted groups.

Explanation/Notes: The incident reporting group or responsible manager should also make a determination about whether to send a companywide alert. Once the responsible person or group has a good faith belief that an attack may be in progress, mitigation of damage must be made a priority by notifying company personnel to be on their guard.
