The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [137]
A privileged account is a computer or other account requiring access permission beyond the basic user account, such as a systems administrator account. Employees with privileged accounts typically have the ability to modify user privileges or perform system functions.
A general departmental mailbox is a voice mailbox answered with a generic message for the department. Such a mailbox is used in order to protect names and phone extensions of employees who work in a particular department.
VERIFICATION AND AUTHORIZATION PROCEDURES
Information thieves commonly use deceptive tactics to access or obtain confidential business information by masquerading as legitimate employees, contractors, vendors, or business partners. To maintain effective information security, an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.
The recommended procedures given in this chapter are designed to help an employee who receives a request via any communication method, such as telephone, email, or fax, determine whether the request and the person making it are legitimate.
Requests from a Trusted Person
A request for information or action from a Trusted Person may require:
• Verification that the company actively employs or has a relationship with the person where such a relationship is a condition of access to this category of information. This is to prevent terminated employees, vendors, contractors, and others who no longer are associated with the company from masquerading as active personnel.
• Verification that the person has a need to know, and is authorized to have access to the information or to request the action.
Requests from an Unverified Person
When a request is made by an Unverified Person, a reasonable verification process must be deployed to positively identify the person making the request as authorized to receive the requested information, especially when the request in any way involves computers or computer-related equipment. This process is the fundamental control against social engineering: if these verification procedures are followed, they will dramatically reduce the number of successful social engineering attacks.
It is important that you not make the process so cumbersome that it is cost-prohibitive, or that employees ignore it.
As detailed below, the verification process involves three steps:
• Verifying that the person is who he or she claims to be.
• Determining that the requester is currently employed or shares a need-to-know relationship with the company.
• Determining that the person is authorized to receive the specific information or to call for the requested action.
Step One: Verification of Identity
The recommended steps for verification are listed below in order of effectiveness—the higher the number, the more effective the method. Also included with each item is a statement about the weakness of that particular method, and the way in which a social engineer can defeat or circumvent the method to deceive an employee.
1. Caller ID (assuming this feature is included in the company telephone system). From the caller ID display, ascertain whether the call is from inside or outside the company, and that the name or telephone number displayed matches the identity provided by the caller.
Weakness: External caller ID information can be falsified by anyone with access to a PBX or telephone switch connected to digital phone service.
2. Callback. Look up the requester in the company directory, and call back to the listed extension to verify that the requester is an employee.
Weakness: An attacker with sufficient knowledge can call-forward a company extension so that, when the employee places the verification call to the listed phone number, the call is transferred to the attacker’s outside phone number.
3. Vouching. A Trusted Person