The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [163]
14-3 Setting voice mail passwords
Policy: Voice mail users and administrators must create voice mail passwords that are difficult to guess. They must not be related in any way to the person using it, or the company, and should not contain a predictable pattern that is likely to be guessed.
Explanation/Notes: Passwords must not contain sequential or repeating digits (e.g., 1111, 1234, 1010), must not be the same as or based on the telephone extension number, and must not be related to address, zip code, birth date, license plate, phone number, weight, I.Q., or other predictable personal information.
14-4 Mail messages marked as “old”
Policy: When previously unheard voice mail messages are not marked as new messages, the voice mail administrator must be notified of a possible security violation and the voice mail password must immediately be changed.
Explanation/Notes: Social engineers may gain access to a voice mailbox in a variety of ways. An employee who becomes aware that messages they have never listened to are not being announced as new messages must assume that another person has obtained unauthorized access to the voice mailbox and listened to the messages themselves.
14-5 External voice mail greetings
Policy: Company workers shall limit their disclosure of information on their external outgoing greeting on their voice mail. Ordinarily information related to a worker’s daily routine or travel schedule should not be disclosed.
Explanation/Notes: An external greeting (played to outside callers) should not include last name, extension, or reason for absence (such as travel, vacation schedule, or daily itinerary). An attacker can use this information to develop a plausible story in his attempt to dupe other personnel.
14-6 Voice mail password patterns
Policy: Voice mail users shall not select a password where one part of the password remains fixed, while another part changes in a predictable pattern.
Explanation/Notes: For example, do not use a password such as 743501, 743502, 743503, and so on, where the last two digits correspond to the current month.
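The rules in policies 14-3 and 14-6 are concrete enough to be enforced mechanically when a user picks a new voice mail PIN. The following is an added example written for this page, not code from the book or from any voice mail product. It rejects sequential and repeating digits, PINs drawn from the user's extension or other personal numbers, and PINs that keep a fixed part of an earlier PIN while changing only a digit or two (the 743501, 743502 pattern). The function names, the personal_facts and previous_pins inputs, the three-digit minimum for a personal number to count, and the "differs in at most two positions" heuristic for policy 14-6 are all this example's own assumptions.

```python
"""Voice mail PIN policy checker.

Added example, not from the book: it turns the rules in policies 14-3 and
14-6 into checks a voice mail administrator could run when a user picks a
new PIN. Function names, the personal_facts/previous_pins inputs and the
"mostly the same as an old PIN" heuristic are this example's own
assumptions, not anything the book specifies.
"""
import re


def is_sequential(pin: str) -> bool:
    """Ascending or descending run of consecutive digits (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeating(pin: str) -> bool:
    """A single digit or a short unit repeated to fill the PIN (1111, 1010, 123123)."""
    for unit_len in range(1, len(pin) // 2 + 1):
        if len(pin) % unit_len == 0 and pin[:unit_len] * (len(pin) // unit_len) == pin:
            return True
    return False


def related_to_personal_data(pin: str, personal_facts) -> bool:
    """True if the PIN appears in, contains, or reverses any digit run drawn from
    the user's extension, address, zip code, birth date, plate, phone number, etc."""
    for fact in personal_facts:
        digits = re.sub(r"\D", "", str(fact))   # "07/14/1975" -> "07141975"
        if len(digits) < 3:                      # too short to be meaningful (assumption)
            continue
        if digits in pin or pin in digits or digits[::-1] in pin:
            return True
    return False


def follows_previous_pattern(pin: str, previous_pins) -> bool:
    """Policy 14-6: a fixed part plus a predictably changing part (743501 -> 743502).
    Heuristic (assumption): flag a PIN that differs from an earlier one of the same
    length in at most two digit positions."""
    for old in previous_pins:
        if len(old) == len(pin):
            changed = sum(a != b for a, b in zip(old, pin))
            if changed <= 2:
                return True
    return False


def check_pin(pin: str, personal_facts=(), previous_pins=()) -> list:
    """Return the list of policy rules the candidate PIN violates; [] means acceptable."""
    if not pin.isdigit():
        return ["pin must consist of digits only"]
    problems = []
    if is_sequential(pin):
        problems.append("14-3: sequential digits")
    if is_repeating(pin):
        problems.append("14-3: repeating digits")
    if related_to_personal_data(pin, personal_facts):
        problems.append("14-3: related to extension or personal information")
    if follows_previous_pattern(pin, previous_pins):
        problems.append("14-6: fixed part with a predictably changing part")
    return problems


if __name__ == "__main__":
    # Constructed sample user: extension, birth date, zip code and a prior PIN (all made up).
    facts = ["4512", "07/14/1975", "90210"]
    history = ["743501"]
    for candidate in ["1234", "1010", "451299", "743502", "582917"]:
        verdict = check_pin(candidate, facts, history) or ["ok"]
        print(f"{candidate}: {'; '.join(verdict)}")
```

Running the block prints one verdict per candidate; only 582917 passes. The personal-data check normalizes each fact to its digits before comparing, so a birth date entered as "07/14/1975" still catches a PIN of 0714, and it also tests the reversed digit string, since reversing a known number is a common way to make a "different" PIN.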
14-7 Confidential or Private information
Policy: Confidential or Private information shall not be disclosed in a voice mail message.
Explanation/Notes: The corporate telephone system is typically more vulnerable than corporate computer systems. The passwords are usually a string of digits, which substantially limits the number of possibilities an attacker has to guess. Further, in some organizations, voice mail passwords may be shared with secretaries or other administrative staff who have the responsibility of taking messages for their managers. In light of the above, no Sensitive information should ever be left on anyone’s voice mail.
Passwords
15-1 Telephone security
Policy: Passwords shall not be disclosed over the telephone at any time.
Explanation/Notes: Attackers may find ways to listen in to phone conversations, either in person or through a technological device.
15-2 Revealing computer passwords
Policy: Under no circumstances shall any computer user reveal his or her password to anyone for any purpose without prior written consent of the responsible information technology manager.
Explanation/Notes: The goal of many social engineering attacks is to deceive unsuspecting persons into revealing their account names and passwords. This policy is a crucial step in reducing the risk of successful social engineering attacks against the enterprise. Accordingly, this policy needs to be followed religiously throughout the company.
15-3 Internet passwords
Policy: Personnel must never use, on an Internet site, a password that is the same as or similar to one they use on any corporate system.
Explanation/Notes: Malicious Web site operators may set up a site that purports to offer something of value or the possibility of winning a prize. To register, a visitor to the site must enter an email address, username, and password.