• Choose a category
• All
• Classic-Fiction

Naturally the magazine will never say where they got the scoop.

PREVENTING THE CON

When asked for any valuable, sensitive, or critical information that could be of benefit to a competitor or anyone else, employees must be aware that using caller ID as a means of verifying the identity of an outside caller is not acceptable. Some other means of verification must be used, such as checking with the person’s supervisor that the request was appropriate and that the user has authorization to receive the information.

The verification process requires a balancing act that each company must define for itself: Security versus productivity. What priority is going to be assigned to enforcing security measures? Will employees be resistant to following security procedures, and even circumvent them in order to complete their job responsibilities? Do employees understand why security is important to the company and themselves? These questions need to be answered to develop a security policy based on corporate culture and business needs.

Most people inevitably see anything that interferes with getting their work done as an annoyance, and may circumvent any security measures that appear to be a waste of time. Motivating employees to make security part of their everyday responsibilities through education and awareness is key.

Although caller ID service should never be used as a means of authentication for voice calls from outside the company, another method called automatic number identification (ANI) can. This service is provided when a company subscribes to toll-free services where the company pays for the incoming calls and is reliable for identification. Unlike caller ID, the telephone company switch does not use any information that is sent from a customer when providing the calling number. The number transmitted by ANI is the billing number assigned to the calling party.

Note that several modem manufacturers have added a caller ID feature into their products, protecting the corporate network by allowing remote-access calls only from a list of preauthorized telephone numbers. Caller ID modems are an acceptable means of authentication in a low-security environment but, as should be clear by now, spoofing caller ID is a relatively easy technique for computer intruders, and so should not be relied on for proving the caller’s identity or location in a high-security setting.

To address the case of identity theft, as in the story about deceiving an administrator to create a voice mailbox on the corporate phone system, make it a policy that all phone service, all voice mailboxes, and all entries to the corporate directory, both in print and on line, must be requested in writing, on a form provided for the purpose. The employee’s manager should sign the request, and the voice mail administrator should verify the signature.

Corporate security policy should require that new computer accounts or increases in access rights be granted only after positive verification of the person making the request, such as a callback to the system manager or administrator, or his or her designee, at the phone number listed in the print or on-line company directory. If the company uses secure email where employees can digitally sign messages, this alternative verification method may also be acceptable.

Remember that every employee, regardless of whether he has access to company computer systems, may be duped by a social engineer. Everyone must be included in security awareness training. Administrative assistants, receptionists, telephone operators, and security guards must be made familiar with the types of social engineering attack most likely to be directed against them so that they will be better prepared to defend against those attacks.

chapter 14

Industrial Espionage

The threat of information attacks against government, corporations, and university systems is well established. Almost every day, the media reports a new computer virus, denial of service attack, or theft of credit card information from