The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [161]
Email Use
11-1 Email attachments
Policy: Email attachments must not be opened unless the attachment was expected in the course of business or was sent by a Trusted Person.
Explanation/Notes: All email attachments must be scrutinized closely. You may require that prior notice be given by a Trusted Person that an email attachment is being sent before the recipient opens any attachment. This will reduce the risk of attackers using social engineering tactics to deceive people into opening attachments.
One method of compromising a computer system is to trick an employee into running a malicious program that creates a vulnerability, providing the attacker with access to the system. By sending an email attachment that has executable code or macros, the attacker may be able to gain control of the user’s computer.
A social engineer may send a malicious email attachment, then call and attempt to persuade the recipient to open the attachment.
11-2 Automatic forwarding to external addresses
Policy: Automatic forwarding of incoming email to an external email address is prohibited.
Explanation/Notes: The intention of this policy is to prevent an outsider from receiving email sent to an internal email address.
Employees occasionally set up email forwarding of their incoming mail to an email address outside the company when they will be away from the office. Or an attacker may be able to deceive an employee into setting up an internal email address that forwards to an address outside the company. The attacker can then pose as a legitimate insider by having an internal company email address and get people to email Sensitive information to the internal email address.
11-3 Forwarding emails
Policy: Any request from an Unverified Person to relay an electronic mail message to another Unverified Person requires verification of the requester’s identity.
11-4 Verifying email
Policy: An email message that appears to be from a Trusted Person that contains a request to provide information not designated as Public, or to perform an action with any computer-related equipment, requires an additional form of authentication. See Verification and Authorization Procedures.
Explanation/Notes: An attacker can easily forge an email message and its header, making it appear as if the message originated from another email address. An attacker can also send an email message from a compromised computer system, providing phony authorization to disclose information or perform an action. Even by examining the header of an email message you cannot detect email messages sent from a compromised internal computer system.
Phone Use
12-1 Participating in telephone surveys
Policy: Employees may not participate in surveys by answering any questions from any outside organization or person. Such requests must be referred to the public relations department or other designated person.
Explanation/Notes: A method used by social engineers to obtain valuable information that may be used against the enterprise is to call an employee and claim to be doing a survey. It’s surprising how many people are happy to provide information about the company and themselves to strangers when they believe they’re taking part in legitimate research. Among the innocuous questions, the caller will insert a few questions that the attacker wants to know. Eventually, such information may be used to compromise the corporate network.
12-2 Disclosure of internal telephone numbers
Policy: If an Unverified Person asks an employee for his phone number, the employee may make a reasonable determination of whether disclosure is necessary to conduct company business.
Explanation/Notes: The intention of this policy is to require employees to make a considered decision on whether disclosure of their telephone extension is necessary. When dealing with people who have not demonstrated a genuine need to know the extension, the