The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [142]
Explanation/Notes: Determination of authorization is usually based on whether the requester needs access to the software to do his or her job.
2-9 Sales and marketing qualification of customer leads
Policy: Sales and marketing personnel must qualify leads before releasing internal callback numbers, product plans, product group contacts, or other Sensitive information to any potential customer.
Explanation/Notes: It is a common tactic for industrial spies to contact a sales and marketing representative and make him believe that a big purchase may be in the offing. In an effort to take advantage of the sales opportunity, sales and marketing reps often release information that can be used by the attacker as a poker chip to obtain access to Sensitive information.
2-10 Transfer of files or data
Policy: Files or other electronic data should not be transferred to any removable media unless the requester is a Trusted Person whose identity has been verified and who has a need to have such data in that format.
Explanation/Notes: A social engineer can easily dupe an employee by providing a plausible request for having Sensitive information copied to a tape, Zip disk, or other removable media, and sent to him or held in the lobby for pickup.
Phone Administration
Phone administration policies ensure that employees can verify caller identity, and protect their own contact information from those calling into the company.
3-1 Call forwarding on dial-up or fax numbers
Policy: Call forwarding services that permit forwarding calls to external telephone numbers will not be placed on any dial-up modem or fax telephone numbers within the company.
Explanation/Notes: Sophisticated attackers may attempt to dupe telephone company personnel or internal telecom workers into forwarding internal numbers to an external phone line under the control of an attacker. This attack allows the intruder to intercept faxes, request Confidential information to be faxed within the company (personnel assume that faxing within the organization must be safe), or dupe dial-in users into providing their account passwords by forwarding the dial-up lines to a decoy computer that simulates the login process.
Depending on the telephone service used within the company, the call forwarding feature may be under the control of the communications provider rather than the telecommunications department. In such circumstances, a request will be made to the communications provider to ensure the call forwarding feature is not present on the telephone numbers assigned to dial-up and fax lines.
3-2 Caller ID
Policy: The corporate telephone system must provide caller line identification (caller ID) on all internal telephone sets, and, if possible, enable distinctive ringing to indicate when a call is from outside the company.
Explanation/Notes: If employees can verify the identity of telephone calls from outside the company, it may help them prevent an attack, or identify the attacker to appropriate security personnel.
3-3 Courtesy phones
Policy: To prevent visitors from masquerading as company workers, every courtesy telephone will clearly indicate the location of the caller (for example, “Lobby”) on the recipient’s caller ID.
Explanation/Notes: If the caller ID for internal calls shows extension number only, appropriate provision must be made for calls placed from company phones in the reception area and any other public areas. It must not be possible for an attacker to place a call from one of these phones and deceive an employee into believing that the call has been placed internally from an employee telephone.
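Policies 3-1 and 3-3 are both conditions that can be checked against a telephone-line inventory rather than left to memory. The following is an added example, not from the book, of a small audit that flags dial-up or fax lines on which external call forwarding is still enabled (3-1) and courtesy phones whose caller ID shows only an extension instead of a location (3-3). The inventory format, the `Line` fields and the sample numbers are all constructed for this example; a real audit would populate them from the PBX or the communications provider's records.

```python
from dataclasses import dataclass


@dataclass
class Line:
    """One telephone line as recorded in a (constructed) company inventory."""
    number: str                 # extension or DID
    kind: str                   # "dialup", "fax", "desk" or "courtesy"
    external_forwarding: bool   # can this line be forwarded to an outside number?
    caller_id_label: str = ""   # what an internal recipient sees; "" = extension only
    location: str = ""          # physical location, used for courtesy phones


def check_call_forwarding(line: Line):
    """Policy 3-1: no external call forwarding on dial-up modem or fax lines."""
    if line.kind in ("dialup", "fax") and line.external_forwarding:
        return (line.number, "3-1",
                f"external call forwarding enabled on {line.kind} line")
    return None


def check_courtesy_caller_id(line: Line):
    """Policy 3-3: courtesy phones must identify their location on caller ID."""
    if line.kind != "courtesy":
        return None
    label = line.caller_id_label.strip()
    # An empty label or a bare extension lets a visitor's call look internal.
    if not label or label == line.number:
        return (line.number, "3-3",
                "courtesy phone caller ID does not identify its location")
    return None


CHECKS = (check_call_forwarding, check_courtesy_caller_id)


def audit(lines):
    """Run every policy check over the inventory; return (number, policy, reason)."""
    findings = []
    for line in lines:
        for check in CHECKS:
            finding = check(line)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample inventory: two violations, three compliant lines.
INVENTORY = [
    Line("5501", "dialup", external_forwarding=True),
    Line("5502", "fax", external_forwarding=False),
    Line("5600", "desk", external_forwarding=True),          # desk lines are not in scope of 3-1
    Line("5700", "courtesy", False, caller_id_label="", location="Lobby"),
    Line("5701", "courtesy", False, caller_id_label="Lobby Courtesy", location="Lobby"),
]

if __name__ == "__main__":
    for number, policy, reason in audit(INVENTORY):
        print(f"{number}: policy {policy} violated ({reason})")
```

Each check is a separate function returning either a finding or `None`, so adding policy 3-2 (caller ID on every internal set) or 3-4 (default voice-mail passwords) later is a matter of appending one function to `CHECKS`.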
3-4 Manufacturer default passwords shipped with phone systems
Policy: The voice mail administrator should change all default passwords that were shipped with the phone system prior to use by