The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [166]
In some circumstances, it may be necessary to require every user within the former employee’s department to change his or her passwords. (When I was terminated from GTE solely because of my reputation as a hacker, the company required all employees throughout the company to change their password.)
1 7-2 IT department notification
Policy: Whenever a person employed by the company leaves or is terminated, Human Resources should immediately notify the information technology department to disable the former employee’s computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.
Explanation/Notes:It’s essential to disable any former worker’s access to all computer systems, network devices, databases, or any other computer-related devices immediately upon termination. Otherwise, the company may leave the door wide open for a disgruntled employee to access company computer systems and cause significant damage.
17-3 Confidential information used in hiring process
Policy: Advertisements and other forms of public solicitation of candidates to fill job openings should, to the extent possible, avoid identifying computer hardware and software used by the company.
Explanation/Notes: Managers and human resources personnel should only disclose information related to enterprise computer hardware and software that is reasonably necessary to obtain resumes from qualified candidates.
Computer intruders read newspapers and company press releases, and visit Internet sites, to find job listings. Often, companies disclose too much information about the types of hardware and software used to attract prospective employees. Once the intruder has knowledge of the target’s information systems, he is armed for the next phase of attack. For example, by knowing that a particular company uses the VMS operating system, the attacker may place pretext calls to determine the release version, and then send a phony emergency security patch made to appear as if it came from the software developer. Once the patch is installed, the attacker is in.
17-4 Employee personal information
Policy: The human resources department must never release personal information about any current or former employee, contractor, consultant, temporary worker, or intern, except with prior express written consent of the employee or human resources manager.
Explanation/Notes: Head-hunters, private investigators, and identity thieves target private employee information such as employee numbers, social security numbers, birth dates, salary history, financial data including direct deposit information, and health-related benefit information. The social engineer may obtain this information so as to masquerade as the individual. In addition, disclosing the names of new hires may be extremely valuable to information thieves. New hires are likely to comply with any request by persons with seniority or in a position of authority, or anyone claiming to be from corporate security.
17-5 Background checks
Policy: A background check should be required for all new hires, contractors, consultants, temporary workers, or interns prior to an offer of employment or establishing of a contractual relationship.
Explanation/Notes: Because of cost considerations, the requirement for background checks may be limited to specific positions of trust. Note, however, that any person who is given physical access to corporate offices may be a potential threat. For example, cleaning crews have access to personnel offices, which gives them access to any computer systems located there. An attacker with physical access to a computer can install a hardware keystroke logger in less than a minute to capture passwords.
Computer intruders will sometimes go to the effort of obtaining a job