The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [155]
Policy: All privileged accounts must have a strong password. The password must:
• Not be a word found in a dictionary in any language
• Be mixed upper and lower case with at least one letter, one symbol, and one numeral
• Be at least 12 characters in length
• Not be related to the company or individual in any way.
Explanation/Notes: In most cases computer intruders will target specific accounts that have system privileges. Occasionally the attacker will exploit other vulnerabilities to gain full control over the system.
The first passwords an intruder will try are the simple, commonly used words found in a dictionary. Selecting strong passwords enhances the security by reducing the chance an attacker will find the password by trial and error, dictionary attack, or brute force attack.
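The four rules above are mechanical enough to enforce at password-set time. The following checker is an added example, not code from the book; the wordlist, the company and user terms, and the leetspeak table are constructed placeholders (a real deployment would load a large multi-language wordlist and the organisation's own names). It goes slightly beyond the text by normalising common character substitutions before the dictionary check, so a variant such as "P@ssw0rd" is still rejected as a dictionary word.

```python
"""Checker for the privileged-account password policy (added example, not from the book)."""
import re

# Constructed stand-in for a dictionary wordlist; a real check loads a
# large multi-language list (for example a published cracking wordlist).
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "qwerty", "letmein"}

# Constructed company and individual terms the password must not relate to.
RELATED_TERMS = {"acme", "acmecorp", "jsmith", "smith"}

# Common substitutions undone before the dictionary check, so that
# "P@ssw0rd" is still matched against "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Lower-case, undo leetspeak, and keep only letters for wordlist matching."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def check_password(password: str, dictionary=DICTIONARY, related=RELATED_TERMS) -> list:
    """Return the policy rules the password violates; an empty list means compliant."""
    violations = []
    # Rule: at least 12 characters.
    if len(password) < 12:
        violations.append("shorter than 12 characters")
    # Rule: mixed upper and lower case, at least one numeral and one symbol.
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        violations.append("not mixed upper and lower case")
    if not re.search(r"\d", password):
        violations.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no symbol")
    # Rule: not a dictionary word. Substring match on the normalised form
    # catches words padded with digits or symbols; words shorter than four
    # letters are skipped to avoid rejecting random strings by accident.
    core = normalize(password)
    if any(word in core for word in dictionary if len(word) >= 4):
        violations.append("dictionary word")
    # Rule: not related to the company or the individual.
    lowered = password.lower()
    if any(term in core or term in lowered for term in related):
        violations.append("related to the company or individual")
    return violations


def is_compliant(password: str) -> bool:
    """True when the password meets every rule of the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample candidates, from weak to compliant.
    for candidate in ["P@ssw0rd123!", "Acme!Rocks2024", "short1A!", "Xk9#vQ2m$Lp7!w"]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

Run it as a script to see each sample candidate and the rules it breaks; `check_password` is the function to call from an account-provisioning or password-change hook.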
7-28 Wireless access points
Policy: All users who access a wireless network must use VPN (Virtual Private Network) technology to protect the corporate network.
Explanation/Notes: Wireless networks are being attacked by a new technique called wardriving. This technique involves simply driving or walking around with a laptop equipped with an 802.11b network interface card (NIC) until a wireless network is detected.
Many companies have deployed wireless networks without even enabling WEP (wireless equivalency protocol), which is used to secure the wireless connection through use of encryption. But even when activated, the current version of WEP (mid-2002) is ineffective: It has been cracked wide open, and several Web sites are devoted to providing the means for locating open wireless systems and cracking WEP-enabled wireless access points.
Accordingly, it is essential to add a layer of protection around the 802.11b protocol by deploying VPN technology.
7-29 Updating antivirus pattern files
Policy: Every computer system must be programmed to automatically update antivirus/anti-Trojan pattern files.
Explanation/Notes: At a minimum, such updates shall occur at least weekly. In businesses where employees leave their computers turned on, it is highly recommended that pattern files be updated on a nightly basis.
Antivirus software is ineffective if it is not updated to detect all new forms of malicious code. Since the threat of virus, worm, and Trojan Horse infections is substantially increased if pattern files are not updated, it is essential that antivirus or malicious code products be kept up to date.
Computer Operations
8-1 Entering commands or running programs
Policy: Computer operations personnel must not enter commands or run programs at the request of any person not known to them. If a situation arises where an Unverified Person seems to have reason to make such a request, it should not be complied with without first getting manager approval.
Explanation/Notes: Computer operations employees are popular targets of social engineers, since their positions usually require privileged account access, and the attacker expects that they will be less experienced and less knowledgeable about company procedures than other IT workers. The intention of this policy is to add an appropriate check and balance to prevent social engineers from duping computer operations personnel.
8-2 Workers with privileged accounts
Policy: Employees with privileged accounts must not provide assistance or information to any Unverified Person. In particular, this refers to not providing computer help (such as training on application use), accessing any company database, downloading software, or revealing names of personnel who have remote access capabilities.
Explanation/Notes: Social engineers often target employees with privileged accounts. The intent of this policy is to direct IT staff with privileged accounts to successfully handle calls that might represent social engineering attacks.
8-3 Internal systems information
Policy: Computer Operations staff must never disclose any information related to enterprise computer systems or related devices without positively verifying the identity of the requester.