The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [125]
There’s always the danger that the encryption keys will be lost or that the only person who knows the keys will be hit by a bus. But the nuisance level can be minimized, and anyone who stores sensitive information off-site with a commercial firm and does not use encryption is, excuse me for being blunt, an idiot. It’s like walking down the street in a bad neighborhood with twenty-dollar bills sticking out of your pockets, essentially asking to be robbed.
Leaving backup media where someone could walk off with it is a common flaw in security. Several years ago, I was employed at a firm that could have made better efforts to protect client information. The operation’s staff left the firm’s backup tapes outside the locked computer room door for a messenger to pick up each day. Anyone could have walked off with the backup tapes, which contained all of the firm’s word-processed documents in unencrypted text. If backup data is encrypted, loss of the material is a nuisance; if it’s not encrypted—well, you can envision the impact on your company better than I can.
The need in larger companies for reliable offsite storage is pretty much a given. But your company’s security procedures need to include an investigation of your storage company to see how conscientious they are about their own security policies and practices. If they’re not as dedicated as your own company, all your security efforts could be undermined.
Smaller companies have a good alternate choice for backup: Send the new and changed files each night to one of the companies offering on-line storage. Again, it’s essential that the data be encrypted. Otherwise, the information is available not just to a bent employee at the storage company but to every computer intruder who can breach the on-line storage company’s computer systems or network.
And of course, when you set up an encryption system to protect the security of your backup files, you must also set up a highly secure procedure for storing the encryption keys or the pass phrases that unlock them. Secret keys used to encrypt data should be stored in a safe or vault. Standard company practice needs to provide for the possibility that the employee handling this data could suddenly leave, die, or take another job. There must always be at least two people who know the storage place and the encryption/decryption procedures, as well as the policies for how and when keys are to be changed. The policies must also require that encryption keys be changed immediately upon the departure of any employee who had access to them.
Who Is That?
The example in this chapter of a slick con artist who uses charm to get employees to share information reinforces the importance of verification of identity. The request to have source code forwarded to an FTP site also points to the importance of knowing your requester.
In Chapter 16 you will find specific policies for verifying the identity of any stranger who makes a request for information or a request that some action be taken. We’ve talked about the need for verification throughout the book; in Chapter 16 you’ll get specifics of how this should be done.
part 4
raising the bar
chapter 15
Information Security Awareness and Training
A social engineer has been given the assignment of obtaining the plans to your hot new product due for release in two months. What’s going to stop him?
Your firewall? No.
Strong authentication devices? No.
Intrusion detection systems? No.
Encryption? No.
Limited access to phone numbers for dial-up modems? No.
Code names for servers that make it difficult for an outsider to determine which server might contain the product plans? No.
The truth is that there is no technology in the world that can prevent a social engineering attack.
SECURITY THROUGH TECHNOLOGY, TRAINING, AND PROCEDURES