The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [158]
9-8 Personal identifiers
Policy: Personal identifiers such as employee number, social security number, driver’s license number, date and place of birth, and mother’s maiden name should never be used as a means of verifying identity. These identifiers are not secret and can be obtained by numerous means.
Explanation/Notes: A social engineer can obtain other people’s personal identifiers for a price. In fact, contrary to popular belief, anyone with a credit card and access to the Internet can obtain these pieces of personal identification. Yet despite the obvious danger, banks, utility companies, and credit card companies commonly use these identifiers to authenticate callers. This is one reason identity theft has grown so rapidly. An identifier that many parties already hold is, at best, a claim of identity, not proof of it; verification should rely on something the requester would not possess unless he or she is who they claim to be, such as a callback to a number already on record or a shared secret established out of band.
9-9 Organization charts
Policy: Details shown on the company’s organization chart must not be disclosed to anyone other than company employees.
Explanation/Notes: Corporate structure information includes organization charts, hierarchy charts, departmental employee lists, reporting structure, employee names, employee positions, internal contact numbers, employee numbers, or similar information.
In the first phase of a social engineering attack, the goal is to gather information about the internal structure of the company. This information is then used to strategize an attack plan. The attacker can also analyze this information to determine which employees are likely to have access to the data that he seeks. During the attack, the information makes the attacker appear to be a knowledgeable employee, making it more likely that he will dupe his victim into compliance.
9-10 Private information about employees
Policy: Any requests for private employee information must be referred to human resources.
Explanation/Notes: An exception to this policy may be the telephone number for an employee who needs to be contacted regarding a work-related issue or who is acting in an on-call role. However, it is always preferable to get the requester’s phone number, and have the employee call him or her back.
Computer Use
10-1 Entering commands into a computer
Policy: Company personnel should never enter commands into a computer or computer-related equipment at the request of another person unless the requester has been verified as an employee of the information technology department.
Explanation/Notes: One common ploy of social engineers is to request that an employee enter a command that makes a change to the system’s configuration, allows the attacker to access the victim’s computer without providing authentication, or allows the attacker to retrieve information that can be used to facilitate a technical attack. Because the employee typing the command typically cannot judge what it does, the only practical safeguard is to verify who is asking, not what is being asked.
10-2 Internal naming conventions
Policy: Employees must not disclose the internal names of computer systems or databases without prior verification that the requester is employed by the company.
Explanation/Notes: Social engineers will sometimes attempt to obtain the names of company computer systems; once the names are known, the attacker places a call to the company and masquerades as a legitimate employee having trouble accessing or using one of the systems. By knowing the internal name assigned to the particular system, the social engineer gains credibility.
10-3 Requests to run programs
Policy: Company personnel should never run any computer applications or programs at the request of another person unless the requester has been verified as an employee of the information technology department.
Explanation/Notes: Any request to run programs or applications, or to perform any other activity on a computer, must be refused unless the requester is positively identified as an employee of the information technology department. If the request involves revealing Confidential information from any file or electronic message, the response must follow the procedures for releasing Confidential information. See Information Disclosure Policy.
Computer attackers deceive people into executing programs