The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [151]

value to an attacker.

When authentication based on dynamic passwords is impractical, computer users must religiously adhere to the policy for choosing hard-to-guess passwords.

7-6 Operating system configuration

Policy: Systems administrators shall ensure that, wherever possible, operating systems are configured so that they are consistent with all pertinent security policies and procedures.

Explanation/Notes: Drafting and distributing security policies is a fundamental step toward reducing risk, but in most cases, compliance is necessarily left up to the individual employee. There are, however, any number of computer-related policies that can be made mandatory through operating-system settings, such as the required length of passwords. Automating security policies by configuration of operating system parameters effectively takes the decision out of the human element’s hands, increasing the overall security of the organization.

7-7 Mandatory expiration

Policy: All computer accounts must be set to expire after one year.

Explanation/Notes: The intention of this policy is to eliminate computer accounts that are no longer being used, since computer intruders commonly target dormant accounts. The process ensures that any computer accounts belonging to former employees or contractors that have been inadvertently left in place are automatically disabled.

At management discretion, you may require that employees take a security refresher training course at renewal time, or review the information security policies and sign an acknowledgment of their agreement to adhere to them.

7-8 Generic email addresses

Policy: The information technology department shall set up a generic email address for each department within the organization that ordinarily communicates with the public.

Explanation/Notes: The generic email address can be released to the public by the telephone receptionist or published on the company Web site. Otherwise, each employee shall only disclose his or her personal email address to people who have genuine need to know.

During the first phase of a social engineering attack, the attacker often tries to obtain telephone numbers, names, and titles of employees. In most cases, this information is publicly available on the company Web site or just for the asking. Creation of generic voice mailboxes and/or email addresses makes it difficult to associate employee names with particular departments or responsibilities.

7-9 Contact information for domain registrations

Policy: When registering for acquisition of Internet address space or host names, the contact information for administrative, technical, or other personnel should not identify any individual personnel by name. Instead, you should list a generic email address and the main corporate telephone number.

Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by a computer intruder. When the names and phone numbers of individuals are provided, an intruder can use this information to contact the individuals and attempt to deceive them into revealing system information, or to perform an action item that facilitates an attacker’s objective. Or the social engineer can impersonate a listed person in an effort to deceive other company personnel.

Instead of an email address to a particular employee, contact information must be in the form of administrator@company.com. Telecommunications department personnel can establish a generic voice mailbox for administrative or technical contacts so as to limit information disclosure that would be useful in a social engineering attack.

7-10 Installation of security and operating system updates

Policy: All security patches for operating system and application software shall be installed as soon as they become available. If this policy conflicts with the operation of mission-critical production systems, such updates should be performed as soon as practicable.

Explanation/Notes: Once a vulnerability has been identified, the software manufacturer
