The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [167]
POLICIES FOR PHYSICAL SECURITY
Though social engineers try to avoid showing up in person at a workplace they want to target, there are times when they will violate your space. These policies will help you to keep your physical premises secure from threat.
18-1 Identification for nonemployees
Policy: Delivery people and other nonemployees who need to enter company premises on a regular basis must have a special badge or other form of identification in accordance with policy established by corporate security.
Explanation/Notes: Nonemployees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or install telephones) should be issued a special form of company identification badge provided for this purpose. Others who need to enter only occasionally or on a one-time basis must be treated as visitors and should be escorted at all times.
18-2 Visitor identification
Policy: All visitors must present a valid driver’s license or other picture identification to be admitted to the premises.
Explanation/Notes: The security staff or receptionist should make a photocopy of the identification document prior to issuing a visitor’s badge. The copy should be kept with the visitor’s log. Alternatively, the identification information can be recorded in the visitor’s log by the receptionist or guard; visitors should not be permitted to write down their own ID information.
Social engineers seeking to gain entrance to a building will always write false information in the log. Even though it’s not difficult to obtain false ID and to learn the name of an employee he or she can claim to be visiting, requiring that the responsible employee log the entry adds one level of security to the process.
18-3 Escorting visitors
Policy: Visitors must be escorted or in the company of an employee at all times.
Explanation/Notes: One popular ruse of social engineers is to arrange to visit a company employee (for example, visiting with a product engineer on the pretext of being the employee of a strategic partner). After being escorted to the initial meeting, the social engineer assures his host that he can find his own way back to the lobby. By this means he gains the freedom to roam the building and possibly gain access to sensitive information.
18-4 Temporary badges
Policy: Company employees from another location who do not have their employee badges with them must present a valid driver’s license or other picture ID and be issued a temporary visitor’s badge.
Explanation/Notes: Attackers often pose as employees from a different office or branch of a company to gain entrance to a company.
18-5 Emergency evacuation
Policy: In any emergency situation or drill, security personnel must ensure that everybody has evacuated the premises.
Explanation/Notes: Security personnel must check for any stragglers who may have been left behind in restrooms or office areas. As authorized by the fire department or other authority in charge of the scene, the security force needs to be on the alert for anyone departing the building long after the evacuation.
Industrial spies or sophisticated computer intruders may cause a diversion to gain access to a building or secure area. One diversion used is to release a harmless chemical known as butyl mercaptan into the air. The effect is to create the impression that there is a natural gas leak. Once personnel start evacuation procedures, the bold attacker uses this diversion either to steal information or to gain access to enterprise computer systems. Another tactic used by information thieves involves remaining behind, sometimes in a restroom