The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [162]
12-3 Passwords in voice mail messages
Policy: Leaving messages containing password information on anyone’s voice mailbox is prohibited.
Explanation/Notes: A social engineer can often gain access to an employee’s voice mailbox because it is inadequately protected with an easy-to-guess access code. In one type of attack, a sophisticated computer intruder is able to create his own phony voice mailbox and persuade another employee to leave a message relaying password information. This policy defeats such a ruse.
Fax Use
13-1 Relaying faxes
Policy: No fax may be received and forwarded to another party without verification of the requester’s identity.
Explanation/Notes: Information thieves may trick trusted employees into faxing sensitive information to a fax machine located on the company’s premises. Prior to the attacker giving the fax number to the victim, the imposter telephones an unsuspecting employee, such as a secretary or administrative assistant, and asks if a document can be faxed to them for later pickup. Subsequently, after the unsuspecting employee receives the fax, the attacker telephones the employee and requests that the fax be sent to another location, perhaps claiming that it is needed for an urgent meeting. Since the person asked to relay the fax usually has no understanding of the value of the information, he or she complies with the request.
13-2 Verification of faxed authorizations
Policy: Prior to carrying out any instructions received by facsimile, the sender must be verified as an employee or other Trusted Person. Placing a telephone call to the sender to verify the request is usually sufficient.
Explanation/Notes: Employees must exercise caution when unusual requests are sent by fax, such as a request to enter commands into a computer or disclose information. The data in the header of a faxed document can be falsified by changing the settings of the sending fax machine. Therefore the header on a fax must not be accepted as a means of establishing identity or authorization.
13-3 Sending sensitive information by fax
Policy: Before sending Sensitive information by fax to a machine that is located in an area accessible to other personnel, the sender shall transmit a cover page. The recipient, on receiving the page, transmits a page in response, demonstrating that he/she is physically present at the fax machine. The sender then transmits the fax.
Explanation/Notes: This handshake process assures the sender that the recipient is physically present at the receiving end. Moreover, this process verifies that the receiving fax telephone number has not been forwarded to another location.
13-4 Faxing passwords prohibited
Policy: Passwords must not be sent via facsimile under any circumstances.
Explanation/Notes: Sending authentication information by facsimile is not secure. Most fax machines are accessible to a number of employees. Furthermore, they rely on the public telephone switched network, which can be manipulated by call forwarding the phone number for the receiving fax machine so that the fax is actually sent to the attacker at another number.
Voice Mail Use
14-1 Voice mail passwords
Policy: Voice mail passwords must never be disclosed to anyone for any purpose. In addition, voice mail passwords must be changed every ninety days or sooner.
Explanation/Notes: Confidential company information may be left in voice mail messages. To protect this information, employees should change their voice mail passwords frequently, and never disclose them. In addition, voice mail users should not use the same or similar voice mail passwords within a twelve-month period.
14-2 Passwords on multiple systems
Policy: Voice mail users must not use the same password on any other phone or computer system, whether internal or external to the company.
Explanation/Notes: Use of a similar or identical password for multiple devices, such as voice mail and computer, makes it easier for