The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [157]
9-3 Disclosure of dial-up numbers
Policy: Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk or to technical support personnel.
Explanation/Notes: Dial-up telephone numbers must be treated as Internal information, to be provided only to employees who have a need to know such information to carry out their job responsibilities.
Social engineers routinely target employees or departments that are likely to be less protective of the requested information. For example, the attacker may call the accounts payable department masquerading as a telephone company employee who is trying to resolve a billing problem. The attacker then asks for any known fax or dial-in numbers in order to resolve the problem. The intruder often targets an employee who is unlikely to realize the danger of releasing such information, or who lacks training with respect to company disclosure policy and procedures.
9-4 Corporate ID badges
Policy: Except when in their immediate office area, all company personnel, including management and executive staff, must wear their employee badges at all times.
Explanation/Notes: All workers, including corporate executives, should be trained and motivated to understand that wearing an ID badge is mandatory everywhere on company premises other than public areas and the person’s own office or workgroup area.
9-5 Challenging ID badge violations
Policy: All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor’s badge.
Explanation/Notes: While no company wants to create a culture where eagle-eyed employees look for a way to ensnare coworkers for venturing into the hallway without their badges, nonetheless any company concerned with protecting its information needs to take seriously the threat of a social engineer wandering its facilities unchallenged. Employees who prove diligent in helping enforce the badges-always policy may be motivated and acknowledged in familiar ways, such as recognition in the company newspaper or on bulletin boards; a few hours off with pay; or a letter of commendation in their personnel records.
9-6 Piggybacking (passing through secure entrances)
Policy: Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means, such as a card key, to gain entrance (piggybacking).
Explanation/Notes: Employees must understand that it is not rude to require unknown persons to authenticate themselves before helping them enter a facility or access a secure area.
Social engineers frequently use a technique known as piggybacking, in which they lie in wait for another person who is entering a facility or Sensitive area, and then simply enter with them. Most people feel uncomfortable challenging others, assuming that they are probably legitimate employees. Another piggybacking technique is to carry several boxes so that an unsuspecting worker opens or holds the door to help.
9-7 Shredding Sensitive documents
Policy: Sensitive documents to be discarded must be cross-shredded; media including hard drives that have ever contained Sensitive information or materials must be destroyed in accordance with the procedures set forth by the group responsible for information security.
Explanation/Notes: Standard shredders do not adequately destroy documents; cross-shredders turn documents into pulp. The best security practice is to presume that the organization’s chief competitors will be rifling through discarded materials looking for any intelligence that could be beneficial to them.
Industrial spies and computer attackers regularly obtain Sensitive information from materials tossed in the trash. In some cases, business competitors have been known to attempt bribery of cleaning crews to turn over company trash. In one recent example, an employee at Goldman Sachs discovered items