The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [144]
Miscellaneous
4-1 Employee badge design
Policy: Employee badges must be designed to include a large photo that can be recognized from a distance.
Explanation/Notes: The photograph on corporate ID badges of standard design is, for security purposes, only slightly better than worthless. The distance between a person entering the building and the guard or receptionist who has the responsibility to check identification is usually great enough that the picture is too small to recognize when the person walks by. For the photo to be of value in this situation, a redesign of the badge is necessary.
4-2 Access rights review when changing position or responsibilities
Policy: Whenever a company employee changes positions or is given increased or decreased job responsibilities, the employee’s manager will notify IT of the change in the employee’s responsibilities so that the appropriate security profile can be assigned.
Explanation/Notes: Managing the access rights of personnel is necessary to limit disclosure of protected information. The rule of least privilege will apply: The access rights assigned to users will be the minimum necessary to perform their jobs. Any requests for changes that result in elevated access rights must be in accordance with a policy on granting elevated access rights.
The worker’s manager or the human resources department will have the responsibility of notifying the information technology department to properly adjust the account holder’s access rights as needed.
4-3 Special identification for nonemployees
Policy: Your company should issue a special photo company badge to trusted delivery people and nonemployees who have a business need to enter company premises on a regular basis.
Explanation/Notes: Nonemployees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or make telephone installations) can pose a threat to your company. In addition to issuing identification to these visitors, make sure your employees are trained to spot a visitor without a badge and know how to act in that situation.
4-4 Disabling computer accounts for contractors
Policy: Whenever a contractor who has been issued a computer account has completed his or her assignment, or when the contract expires, the responsible manager will immediately notify the information technology department to disable the contractor’s computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.
Explanation/Notes: When a worker’s employment is terminated, there is a danger that he or she will use knowledge of your company’s systems and procedures to gain access to data. All computer accounts used by or known to the worker must be promptly disabled. This includes accounts that provide access to production databases, remote dial-in accounts, and any accounts used to access computer-related devices.
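Policies 4-2 and 4-4 both amount to a reconciliation between what HR knows about a person (current role, contract end date) and what the account systems actually grant. The script below is an added example, not text or code from the book: it takes a constructed HR roster and account list, flags enabled accounts that belong to contractors whose contract has ended or that have no owner on the roster at all (the 4-4 case), and flags entitlements an account still holds beyond the baseline for the person's current role (the 4-2 "mover" case). The role-to-entitlement baseline, user ids, and entitlement names are all assumptions made up for illustration.

```python
"""Added example (not from the book): a mover/leaver reconciliation check.

Compares an HR roster with account entitlements to produce two review lists:
  * accounts that should be disabled (contract ended, or no roster owner), policy 4-4;
  * accounts holding entitlements beyond their current role's baseline, policy 4-2.
All data below is constructed sample data; the baseline mapping is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role -> minimum entitlement set (least-privilege baseline). Assumption.
ROLE_BASELINE = {
    "accounts_payable": {"erp_ap_read", "erp_ap_write"},
    "helpdesk": {"ad_password_reset", "ticketing"},
    "dba": {"prod_db_admin", "ticketing"},
}


@dataclass
class Person:
    user_id: str
    role: str
    is_contractor: bool
    contract_end: Optional[date] = None  # None for regular employees


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: set = field(default_factory=set)


# Constructed sample roster: bob moved from dba to helpdesk; carol's contract has ended.
SAMPLE_ROSTER = [
    Person("alice", "accounts_payable", False),
    Person("bob", "helpdesk", False),
    Person("carol", "dba", True, date(2024, 1, 31)),
    Person("dave", "helpdesk", True, date(2024, 12, 31)),
]

# Constructed sample accounts: bob kept prod_db_admin; erin has no roster entry.
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"erp_ap_read", "erp_ap_write"}),
    Account("bob", True, {"ad_password_reset", "ticketing", "prod_db_admin"}),
    Account("carol", True, {"prod_db_admin", "ticketing"}),
    Account("dave", False, {"ticketing"}),
    Account("erin", True, {"vpn_remote_access"}),
]


def leavers_to_disable(roster, accounts, today):
    """Enabled accounts that policy 4-4 says must be disabled, with the reason."""
    people = {p.user_id: p for p in roster}
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = people.get(acct.user_id)
        if person is None:
            # Nobody on the roster owns this account: treat as orphaned.
            flagged.append((acct.user_id, "no roster entry"))
        elif person.is_contractor and person.contract_end and person.contract_end < today:
            flagged.append((acct.user_id, "contract ended"))
    return sorted(flagged)


def excess_entitlements(roster, accounts):
    """Entitlements an enabled account holds beyond its current role baseline (policy 4-2)."""
    people = {p.user_id: p for p in roster}
    excess = {}
    for acct in accounts:
        person = people.get(acct.user_id)
        if not acct.enabled or person is None:
            continue  # orphaned accounts are handled by leavers_to_disable
        extra = acct.entitlements - ROLE_BASELINE.get(person.role, set())
        if extra:
            excess[acct.user_id] = sorted(extra)
    return excess


def run_review(roster=SAMPLE_ROSTER, accounts=SAMPLE_ACCOUNTS, today=date(2024, 3, 1)):
    """Produce both review lists for the IT department."""
    return {
        "disable": leavers_to_disable(roster, accounts, today),
        "review_access": excess_entitlements(roster, accounts),
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section, items)
```

Run against the sample data, the script flags carol (contract ended) and erin (no owner) for disabling, and bob for holding prod_db_admin after moving to the helpdesk role. The same structure applies to a real environment by replacing the two constructed lists with exports from the HR system and the directory or IAM platform; the point of policy 4-2 is that the manager's notification is what triggers the baseline to change, so the check catches the case where that notification never happened.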
4-5 Incident reporting organization
Policy: An incident reporting organization must be established or, in smaller companies, an incident reporting individual and backup person designated, for receiving and distributing alerts concerning possible security incidents in progress.
Explanation/Notes: By centralizing the reporting of suspected security incidents, an attack that may otherwise have gone unnoticed can be detected. In the event that systematic attacks across the organization are detected and reported, the incident reporting organization may be able to determine what the attacker is targeting so that special efforts can be made to protect those assets.
Employees assigned to receive incident reports must become familiar with social engineering methods and tactics, enabling them to evaluate reports and recognize when an attack may be in progress.
4-6 Incident reporting hotline
Policy: A hotline to the incident reporting organization or person,