The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [138]
Weakness: Attackers using a pretext are frequently able to convince another employee of their identity, and get that employee to vouch for them.
4. Shared Secret. Use an enterprise-wide shared secret, such as a password or daily code.
Weakness: If many people know the shared secret, it may be easy for an attacker to learn it.
5. Employee’s Supervisor/Manager. Telephone the employee’s immediate supervisor and request verification.
Weakness: If the requester has provided the telephone number for reaching his or her manager, the person the employee reaches when calling the number may not be the real manager but may, in fact, be an accomplice of the attacker.
6. Secure Email. Request a digitally signed message.
Weakness: If an attacker has already compromised an employee’s computer and installed a keystroke logger to obtain the employee’s pass phrase, he can send digitally signed email that appears to be from the employee.
7. Personal Voice Recognition. The person receiving the request has dealt with the requester (preferably face-to-face), knows for certain that the person actually is a Trusted Person, and is familiar enough with the person to recognize his or her voice on the telephone.
Weakness: This is a fairly secure method, not easily circumvented by an attacker, but is of no use if the person receiving the request has never met or spoken with the requester.
8. Dynamic Password Solution. The requester authenticates himself or herself through the use of a dynamic password solution such as a SecurID token.
Weakness: To defeat this method, an attacker would have to obtain one of the dynamic password devices, as well as the accompanying PIN of the employee to whom the device rightfully belongs, or would have to deceive an employee into reading the information on the display of the device and providing the PIN.
9. In Person with ID. The requester appears in person and presents an employee badge or other suitable identification, preferably a picture ID.
Weakness: Attackers are often able to steal an employee badge, or create a phony badge that appears authentic; however, attackers generally shun this approach because appearing in person puts the attacker at significant risk of being identified and apprehended.
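Method 8 above relies on a one-time code that changes with time, combined with a PIN the employee knows. The following is an added example, not code from the book: a server-side verifier for such a scheme, written against the open TOTP standard (RFC 6238, HMAC-SHA1 over a time counter) rather than the proprietary SecurID algorithm, which is not shown. It assumes a hypothetical seed shared between token and server (`DEMO_SEED` is a constructed value), a 60-second code period, and a stored PIN. Beyond what the text states, it records the time-step of the last accepted code so that a code an employee was talked into reading aloud cannot be accepted a second time; if the attacker used it first, the employee's own attempt then fails, which is a signal the help desk can act on.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (hypothetical); a real token seed is provisioned out of band.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
TIME_STEP = 60   # seconds per code; hardware tokens commonly rotate once a minute
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (Unix seconds)."""
    return hotp(seed, at // step, digits)


class TokenVerifier:
    """Checks PIN + one-time code and refuses to accept an already-consumed code.

    last_counter is the time-step counter of the most recently accepted code.
    A code is only accepted for counters after it, so a code obtained by
    having the employee read the display cannot be replayed once used, and a
    legitimate login after the attacker's use is rejected (a detection signal).
    """

    def __init__(self, seed: bytes, pin: str, step: int = TIME_STEP, window: int = 1):
        self.seed = seed
        # The server stores only a hash of the PIN, never the PIN itself.
        self.pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        self.step = step
        self.window = window      # tolerate +/- one step of clock drift
        self.last_counter = -1

    def verify(self, pin: str, code: str, now: int) -> bool:
        """Return True only if the PIN matches and the code is fresh and unconsumed."""
        presented = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(presented, self.pin_hash):
            return False
        counter = now // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # replay: this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(DEMO_SEED, pin="4321")
    now = 1_700_000_000
    code = totp(DEMO_SEED, now)
    print("first use accepted:", verifier.verify("4321", code, now))
    print("replay accepted:", verifier.verify("4321", code, now))
```

The PIN and the code are compared with `hmac.compare_digest` so that timing does not leak which factor failed; the replay check is the part the text's weakness points at, since it limits a leaked code to a single use even when the attacker also has the PIN.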
Step Two: Verification of Employment Status
The greatest information security threat is not from the professional social engineer, nor from the skilled computer intruder, but from someone much closer: the just-fired employee seeking revenge or hoping to set himself up in business using information stolen from the company. (Note that a version of this procedure can also be used to verify that someone still enjoys another kind of business relationship with your company, such as a vendor, consultant, or contract worker.)
Before providing Sensitive information to another person or accepting instructions for actions involving the computer or computer-related equipment, verify that the requester is still a current employee by using one of these methods:
Employee Directory Check. If the company maintains an on-line employee directory that accurately reflects active employees, verify that the requester is still listed.
Requester’s Manager Verification. Call the requester’s manager using a phone number listed in the company directory, not a number provided by the requester.
Requester’s Department or Workgroup Verification. Call the requester’s department or workgroup and determine from anyone in that department or workgroup that the requester is still employed by the company.
Step Three: Verification of Need to Know
Beyond verifying that the requester is a current employee or has a relationship with your company, there still remains the issue of whether the requester is authorized to have access to the information being requested, or is authorized to request that specific actions affecting computers or computer-related equipment be taken.
This determination may be made by using one of these methods: