The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [148]
Help Desk
6-1 Remote access procedures
Policy: Help desk personnel must not divulge details or instructions regarding remote access, including external network access points or dial-up numbers, unless the requester has been:
• Verified as authorized to receive Internal information; and,
• Verified as authorized to connect to the corporate network as an external user.
Unless known on a person-to-person basis, the requester must be positively identified in accordance with the Verification and Authorization Procedures outlined at the beginning of this chapter.
Explanation/Notes: The corporate help desk is often a primary target for the social engineer, both because the nature of their work is to assist users with computer-related issues, and because they usually have elevated system privileges. All help desk personnel must be trained to act as a human firewall, preventing the unauthorized disclosure of information that would assist unauthorized persons in gaining access to company resources. The simple rule is to never disclose remote access procedures to anyone until positive verification of identity has been made.
6-2 Resetting passwords
Policy: The password to a user account may be reset only at the request of the account holder.
Explanation/Notes: The most common ploy used by social engineers is to have another person’s account password reset or changed. The attacker poses as the employee using the pretext that their password was lost or forgotten. In an effort to reduce the success of this type of attack, an IT employee receiving a request for a password reset must call the employee back prior to taking any action; the callback must not be made to a phone number provided by the requester, but to a number obtained from the employee telephone directory. See Verification and Authorization Procedures for more about this procedure.
6-3 Changing access privileges
Policy: All requests to increase a user’s privileges or access rights must be approved in writing by the account holder’s manager. When the change is made, a confirmation must be sent to the requesting manager via intracompany mail. Furthermore, such requests must be verified as authentic in accordance with the Verification and Authorization Procedures.
Explanation/Notes: Once a computer intruder has compromised a standard user account, the next step is to elevate his or her privileges so that the attacker has complete control over the compromised system. An attacker who has knowledge of the authorization process can spoof an authorized request when email, fax, or telephone are used to transmit it. For example, the attacker may phone technical support or the help desk and attempt to persuade a technician to grant additional access rights to the compromised account.
6-4 New account authorization
Policy: A request to create a new account for an employee, contractor, or other authorized person must be made either in writing and signed by the employee’s manager, or sent by digitally signed electronic mail. These requests must also be verified by sending a confirmation of the request through intracompany mail.
Explanation/Notes: Because passwords and other information useful in breaking into computer systems are the highest-priority targets of information thieves seeking access, special precautions are necessary. The intention of this policy is to prevent computer intruders from impersonating authorized personnel or forging requests for new accounts. Therefore, all such requests must be positively verified using the Verification and Authorization Procedures.
6-5 Delivery of new passwords
Policy: New passwords must be handled as company Confidential information, delivered by secure methods including in person; by a signature-required