The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick

should be contacted immediately to determine whether a patch or a temporary fix has been made available to close the vulnerability. An unpatched computer system represents one of the greatest security threats to the enterprise. When system administrators procrastinate about applying the necessary fixes, the window of exposure is open wide so that any attacker can climb through.

Dozens of security vulnerabilities are identified and published weekly on the Internet. Unless information technology staff are vigilant in their efforts to apply all security patches and fixes as soon as practical, even for systems that sit behind the company firewall, the corporate network will always be at risk of suffering a security incident. It is extremely important to keep apprised of published security vulnerabilities identified in the operating system or any application programs used during the course of business.

7-11 Contact information on Web sites

Policy: The company’s external Web site shall not reveal any details of corporate structure or identify any employees by name.

Explanation/Notes: Corporate structure information such as organization charts, hierarchy charts, employee or departmental lists, reporting structure, names, positions, internal contact numbers, employee numbers, or similar information that is used for internal processes should not be made available on publicly accessible Web sites.

Computer intruders often obtain very useful information on a target’s Web site. The attacker uses this information to appear as a knowledgeable employee when using a pretext or ruse. The social engineer is more likely to establish credibility by having this information at his or her disposal. Moreover, the attacker can analyze this information to find out the likely targets who have access to valuable, sensitive, or critical information.

7-12 Creation of privileged accounts

Policy: No privileged account should be created or system privileges granted to any account unless authorized by the system administrator or system manager.

Explanation/Notes: Computer intruders frequently pose as hardware or software vendors in an attempt to dupe information technology personnel into creating unauthorized accounts. The intention of this policy is to block these attacks by establishing greater control over the creation of privileged accounts. The system manager or administrator of the computer system must approve any request to create an account with elevated privileges.

7-13 Guest accounts

Policy: Guest accounts on any computer systems or related networked devices shall be disabled or removed, except for an FTP (file transfer protocol) server approved by management with anonymous access enabled.

Explanation/Notes: The intention of the guest account is to provide temporary access for persons who do not need to have their own account. Several operating systems are installed by default with a guest account enabled. Guest accounts should always be disabled because their existence violates the principle of user accountability. IT should be able to audit any computer-related activity and relate it to a specific user.

Social engineers are easily able to take advantage of these guest accounts for gaining unauthorized access, either directly or by duping authorized personnel into using a guest account.
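A small audit script for this policy, added here as an example (it is not from the book): it lists guest-style accounts in passwd/shadow-format files and reports which are still usable, so the "disabled or removed" requirement can be checked on a host with `audit_guest_accounts /etc/passwd /etc/shadow`. The account-name pattern and the sample passwd/shadow data are constructed assumptions.

```shell
#!/bin/sh
# Report accounts whose name matches PATTERN (default: guest/visitor) and decide
# whether each is still usable: password field not locked ('!' or '*' prefix)
# and a login shell that is not nologin/false. An empty password field in the
# shadow file means login with no password at all, so it counts as enabled.
# Prints "name:enabled" or "name:disabled"; returns 1 if any account is enabled.
audit_guest_accounts() {
    passwd_file=$1
    shadow_file=$2
    pattern=${3:-'^(guest|visitor)'}   # assumed names for guest-style accounts
    rc=0
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        printf '%s\n' "$name" | grep -Eq "$pattern" || continue
        entry=$(awk -F: -v u="$name" '$1 == u { print "entry:" $2 }' "$shadow_file")
        case "$entry" in
            ''|'entry:!'*|'entry:*'*) locked=1 ;;  # absent, locked or disabled
            *)                        locked=0 ;;  # real hash or empty password
        esac
        case "$shell" in
            */nologin|*/false) usable_shell=0 ;;
            *)                 usable_shell=1 ;;
        esac
        if [ "$locked" -eq 0 ] && [ "$usable_shell" -eq 1 ]; then
            printf '%s:enabled\n' "$name"
            rc=1
        else
            printf '%s:disabled\n' "$name"
        fi
    done <"$passwd_file"
    return "$rc"
}

# Constructed sample passwd/shadow data standing in for a real host.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest Account:/home/guest:/bin/bash
visitor:x:1002:1002:Visitor:/home/visitor:/usr/sbin/nologin
alice:x:1003:1003:Alice:/home/alice:/bin/bash
EOF
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
guest:$6$salt$hash:19000:0:99999:7:::
visitor:!:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
EOF
```

On the sample data the script flags `guest` as enabled (valid hash and a real shell) and `visitor` as disabled (locked password and nologin shell), exiting non-zero so it can gate a compliance check.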

7-14 Encryption of off-site backup data

Policy: Any company data that is stored off site should be encrypted to prevent unauthorized access.

Explanation/Notes: Operations staff must ensure that all data is recoverable in the event that any information needs to be restored. This requires regular test decryption of a random sampling of encrypted files to make sure the data can be recovered. Furthermore, keys used to encrypt data shall be escrowed with a trusted manager in the event the encryption keys are lost or unavailable.

7-15 Visitor access to network connections

Policy: All publicly accessible Ethernet access points must be on a segmented network to prevent unauthorized access to the internal network.

Explanation/Notes:
