The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick
delivery service such as registered mail; or by UPS or FedEx. See policies concerning distribution of Confidential information.

Explanation/Notes: Intracompany mail may also be used, but it is recommended that passwords be sent in secure envelopes that obscure the content. A suggested method is to establish a computer point person in each department who has the responsibility of handling distribution of new account details and vouching for the identity of personnel who lose or forget their passwords. In these circumstances, support personnel would always be working with a smaller group of employees that would be personally recognized.

6-6 Disabling an account

Policy: Prior to disabling a user’s account you must require positive verification that the request was made by authorized personnel.

Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable an account, and then calling to troubleshoot the user’s inability to access the computer system. When the social engineer calls posing as a technician with preexisting knowledge of the user’s inability to log in, the victim often complies with a request to reveal his or her password during the troubleshooting process.

6-7 Disabling network ports or devices

Policy: No employee should disable any network device or port for any unverified technical support personnel.

Explanation/Notes: The intention of this policy is to prevent an attacker from spoofing a request to disable a network port, and then calling the worker to troubleshoot his or her inability to access the network. When the social engineer, posing as a helpful technician, calls with preexisting knowledge of the user’s network problem, the victim often complies with a request to reveal his or her password during the troubleshooting process.

6-8 Disclosure of procedures for wireless access

Policy: No personnel should disclose procedures for accessing company systems over wireless networks to any parties not authorized to connect to the wireless network.

Explanation/Notes: Always obtain prior verification of a requester as a person authorized to connect to the corporate network as an external user before releasing wireless access information. See Verification and Authorization Procedures.

6-9 User trouble tickets

Policy: The names of any employees who have reported computer-related problems should not be revealed outside the information technology department.

Explanation/Notes: In a typical attack, a social engineer will call the help desk and request the names of any personnel who have reported recent computer problems. The caller may pretend to be an employee, vendor, or an employee of the telephone company. Once he obtains the names of persons reporting trouble, the social engineer, posing as a help desk or technical support person, contacts the employee and says he/she is calling to troubleshoot the problem. During the call, the attacker deceives the victim into providing the desired information or into performing an action that facilitates the attacker’s objective.

6-10 Initiating execute commands or running programs

Policy: Personnel employed in the IT department who have privileged accounts should not execute any commands or run any application programs at the request of any person not personally known to them.

Explanation/Notes: A common method attackers use to install a Trojan Horse program or other malicious software is to change the name of an existing program, and then call the help desk complaining that an error message is displayed whenever an attempt is made to run the program. The attacker persuades the help desk technician to run the program himself. When the technician complies, the malicious software inherits the privileges of the user executing the program and performs a task that gives the attacker the same computer privileges as the help desk employee. This may allow the attacker to take control of the company system.

This policy establishes a countermeasure to this tactic by requiring that support personnel verify
