
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [160]

access to the user’s computer.

10-10 Posting company information online

Policy: Employees shall not disclose any details regarding company hardware or software in any public newsgroup, forum, or bulletin board, and shall not disclose contact information other than in accordance with policy.

Explanation/Notes: Any message posted to Usenet, online forums, bulletin boards, or mailing lists can be searched to gather intelligence on a target company or a target individual. During the research phase of a social engineering attack, the attacker may search the Internet for any posts that contain useful information about the company, its products, or its people.

Some posts contain very useful tidbits of information that the attacker can use to further an attack. For example, a network administrator may post a question about configuring firewall filters on a particular brand and model of firewall. An attacker who discovers this message learns the make, model, and part of the configuration of the company’s firewall, information that can help him find a way around it and gain access to the enterprise network.

This problem can be reduced or avoided by implementing a policy that allows employees to post to newsgroups from anonymous accounts that do not identify the company from which they originated. Naturally, the policy must require employees not to include any contact information that may identify the company.

10-11 Floppy disks and other electronic media

Policy: If media used to store computer information, such as floppy disks or CD-ROMs, has been left in a work area or on an employee’s desk, and that media is from an unknown source, it must not be inserted into any computer system.

Explanation/Notes: One method used by attackers to install malicious code is to place programs onto a floppy or CD-ROM and label it with something very enticing (for example, “Personnel Payroll Data—Confidential”). They then drop several copies in areas used by employees. If a single copy is inserted into a computer and the files on it opened, the attacker’s malicious code is executed. This may create a backdoor, which is used to compromise the system, or may cause other damage to the network.

10-12 Discarding removable media

Policy: Before discarding any electronic media that ever contained Sensitive company information, even if that information has been deleted, the item shall be thoroughly degaussed or damaged beyond recovery.

Explanation/Notes: While shredding hard-copy documents is commonplace these days, company workers may overlook the threat of discarding electronic media that contained Sensitive data at any time. Computer attackers attempt to recover any data stored on discarded electronic media. Workers may presume that by just deleting files, they ensure that those files cannot be recovered. This presumption is absolutely incorrect and can cause confidential business information to fall into the wrong hands. Accordingly, all electronic media that contains or previously contained information not designated as Public must be wiped clean or destroyed using the procedures approved by the responsible group.
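The “wipe clean” step the policy refers to, as an added example that is not part of the book: a small POSIX shell routine that overwrites a removable device or disk image in place with one or more random passes followed by a zero pass, then reads the media back to confirm no non-zero byte remains. The device path, the pass count, and the temporary image used in the demo are assumptions for illustration; the demo writes to a constructed file, never to a real drive.

```shell
#!/bin/sh
# Added example (not from the book): overwrite a removable device or a
# disk image in place before it is discarded, then verify the final zero
# pass reads back cleanly. The demo below uses a constructed temp file in
# place of a real device, so it is safe to run as-is.

# media_size PATH: size in bytes of a block device or a regular file.
media_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# wipe_media PATH [PASSES]: PASSES random overwrites, then one zero pass.
# conv=notrunc keeps the file or device size unchanged; the pipe from
# head limits each pass to exactly the media size.
wipe_media() {
    path=$1
    passes=${2:-1}
    size=$(media_size "$path") || return 1
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$size" /dev/urandom \
            | dd of="$path" bs=1048576 conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    head -c "$size" /dev/zero \
        | dd of="$path" bs=1048576 conv=notrunc 2>/dev/null || return 1
    sync
}

# verify_zeroed PATH: succeed only if every byte on the media is zero.
verify_zeroed() {
    size=$(media_size "$1") || return 1
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Demo on a constructed disk image containing an enticing-looking
# "deleted" file's contents; not a real device.
demo() {
    img=$(mktemp) || return 1
    printf 'Personnel Payroll Data - Confidential\n' > "$img"
    if wipe_media "$img" 2 && verify_zeroed "$img"; then
        echo "wiped and verified: $img"
    else
        echo "wipe FAILED: $img" >&2
    fi
    rm -f "$img"
}

demo
```

Against a real device this must run as root and against the whole device (for example /dev/sdb, not a partition). Overwriting is adequate for magnetic media; flash drives and SSDs remap worn blocks, so overwritten copies can survive where the host cannot reach them, and optical discs cannot be overwritten or degaussed at all. For those, the policy’s alternative of physical destruction, or the drive’s own secure-erase command, is the right answer.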

10-13 Password-protected screen savers

Policy: All computer users must set a screen saver password and the inactivity time-out limit to lock the computer after a certain period of inactivity.

Explanation/Notes: All employees are responsible for setting a screen saver password, and setting the inactivity timeout for no more than ten minutes. The intention of this policy is to prevent any unauthorized person from using another person’s computer. Additionally, this policy protects company computer systems from being easily accessed by outsiders who have gained access to the building.

10-14 Disclosure or sharing of passwords statement

Policy: Prior to creation of a new computer account, the employee or contractor must sign a written statement acknowledging that he or she understands that passwords must never be disclosed or shared with anyone, and that he or she agrees to abide by this policy.

Explanation/Notes: The
