The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick

that enable the intruder to gain control of the system. When an unsuspecting user runs a program planted by an attacker, the result may give the intruder access to the victim’s computer system. Other programs record the activities of the computer user and return that information to the attacker. While a social engineer can trick a person into executing computer instructions that may do damage, a technically based attack tricks the computer’s operating system into executing computer instructions that may cause the same sort of damage.

10-4 Downloading or installing software

Policy: Company personnel must never download or install software at the request of another person, unless the requester has been verified as an employee of the information technology department.

Explanation/Notes: Employees should be on the alert for any unusual request that involves any sort of transaction with computer-related equipment.

A common tactic used by social engineers is to deceive unsuspecting victims into downloading and installing a program that helps the attacker accomplish his or her goal of compromising computer or network security. In some instances, the program may covertly spy on the user or allow the attacker to take control of the computer system through use of a covert remote control application.

10-5 Plain text passwords and email

Policy: Passwords shall not be sent through email unless encrypted.

Explanation/Notes: While it’s discouraged, this policy may be waived by e-commerce sites in certain limited circumstances, such as:

• Sending passwords to customers who have registered on the site.

• Sending passwords to customers who have lost or forgotten their passwords.

10-6 Security-related software

Policy: Company personnel must never remove or disable antivirus/anti-Trojan Horse, firewall, or other security-related software without prior approval from the information technology department.

Explanation/Notes: Computer users sometimes disable security-related software without provocation, thinking it will increase the speed of their computer.

A social engineer may attempt to deceive an employee into disabling or removing software that is needed to protect the company against security-related threats.

10-7 Installation of modems

Policy: No modems may be connected to any computer until prior approval has been obtained from the IT department.

Explanation/Notes: It is important to recognize that modems on desktops or workstations in the workplace pose a substantial security threat, especially if connected to the corporate network. Accordingly, this policy controls modem connection procedures.

Hackers use a technique called war dialing to identify any active modem lines within a range of telephone numbers. The same technique may be used to locate telephone numbers connected to modems within the enterprise. An attacker can easily compromise the corporate network if he or she identifies a computer system connected to a modem running vulnerable remote access software, which is configured with an easily guessed password or no password at all.

10-8 Modems and auto-answer settings

Policy: All desktops or workstations with IT-approved modems shall have the modem auto-answer feature disabled to prevent anyone from dialing into the computer system.

Explanation/Notes: Whenever feasible, the information technology department should deploy a dial-out modem pool for those employees who need to dial out to external computer systems via modem.
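The two sides of policies 10-7 and 10-8, as an added example that is not from the book: the attacker's war-dialing sweep that finds modems left answering, and the defender's check that a modem's S0 register (rings before auto-answer, set with ATS0=n) is 0. The sweep takes a ToneLoc-style mask in which each X is a wildcard digit, dials the expanded range in random order, and sorts numbers by the Hayes result code the modem reports. The telephone numbers, result lines and the fake modem session here are constructed; with a real modem the dial and session callables would write AT commands to the serial port and read the result line back.

```python
"""Added example: war-dialing sweep and auto-answer (S0 register) check.

The phone "network" and modem replies below are constructed for the example.
"""
import random
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hayes result codes a modem reports after ATD<number>. CONNECT (optionally
# with a speed, e.g. "CONNECT 33600") means a remote modem answered the call
# and negotiated a data carrier, i.e. that line has auto-answer enabled.
CARRIER_RE = re.compile(r"^CONNECT(?:\s+(\d+))?$")
NON_CARRIER = {"NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE", "VOICE"}


def expand_mask(mask: str) -> List[str]:
    """Expand a mask such as '555-01XX' into every number it covers.

    Each X is a wildcard digit, so '555-01XX' yields 555-0100 .. 555-0199.
    """
    wild = [i for i, ch in enumerate(mask) if ch == "X"]
    numbers = []
    for n in range(10 ** len(wild)):
        chars = list(mask)
        for pos, digit in zip(wild, str(n).zfill(len(wild))):
            chars[pos] = digit
        numbers.append("".join(chars))
    return numbers


def classify(result: str) -> Tuple[str, Optional[int]]:
    """Map one modem result line to (kind, connect speed or None)."""
    line = result.strip().upper()
    m = CARRIER_RE.match(line)
    if m:
        return "carrier", (int(m.group(1)) if m.group(1) else None)
    if line in NON_CARRIER:
        return line.lower().replace(" ", "_"), None
    return "unknown", None


def war_dial(mask: str, dial: Callable[[str], str], seed: int = 0) -> Dict[str, List[str]]:
    """Dial every number in the mask and group the numbers by what answered.

    The order is shuffled, as war dialers such as ToneLoc did, so the sweep
    does not appear as a neat sequential run in the target PBX's call records.
    """
    numbers = expand_mask(mask)
    random.Random(seed).shuffle(numbers)
    found: Dict[str, List[str]] = {}
    for number in numbers:
        kind, _speed = classify(dial(number))
        found.setdefault(kind, []).append(number)
    for nums in found.values():
        nums.sort()
    return found


def auto_answer_rings(session: Callable[[str], str]) -> int:
    """Query the S0 register with 'ATS0?'. S0 is the number of rings before the
    modem picks up; 0 means it never answers an incoming call (policy 10-8)."""
    reply = session("ATS0?")
    m = re.search(r"\b(\d{1,3})\b", reply)
    if not m:
        raise ValueError(f"unexpected reply to ATS0?: {reply!r}")
    return int(m.group(1))


def auto_answer_disabled(session: Callable[[str], str]) -> bool:
    return auto_answer_rings(session) == 0


# --- constructed test fixtures (not real numbers or devices) -----------------
FAKE_LINES = {
    "555-0103": "CONNECT 33600",  # workstation modem left with ATS0=1
    "555-0142": "CONNECT",        # older modem that reports no speed
    "555-0177": "NO CARRIER",     # fax line: the handshake fails
    "555-0120": "BUSY",
}


def fake_dial(number: str) -> str:
    """Stand-in for 'ATD<number>' against the constructed phone block."""
    return FAKE_LINES.get(number, "NO ANSWER")


def fake_modem(s0: int) -> Callable[[str], str]:
    """Stand-in AT session for a modem whose S0 register holds `s0`."""
    def session(cmd: str) -> str:
        return f"{s0:03d}\r\nOK\r\n" if cmd.upper() == "ATS0?" else "OK\r\n"
    return session


if __name__ == "__main__":
    for kind, nums in war_dial("555-01XX", fake_dial).items():
        print(f"{kind:11} {len(nums):3}  {', '.join(nums[:4])}")
    print("auto-answer disabled:", auto_answer_disabled(fake_modem(0)))
```

The defender's loop is the same sweep run against the company's own number ranges: any number that comes back as a carrier is a modem that answers, and each one should be traced to a desk and checked against the IT approval list and the S0=0 setting. Dialing ranges you are not authorized to test is illegal in most jurisdictions, so the mask should be limited to the enterprise's own blocks.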

10-9 Cracking tools

Policy: Employees will not download or use any software tools designed to defeat software protection mechanisms.

Explanation/Notes: The Internet has dozens of sites devoted to software designed to crack shareware and commercial software products. The use of these tools not only violates a software owner’s copyright, but also is extremely dangerous. Because these programs originate from unknown sources, they may contain hidden malicious code that may cause damage to the user’s computer or plant a Trojan Horse that gives the author of the program
