The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [169]

any item to a messenger or other Unverified Person, the receptionist or security guard must obtain picture identification and enter the identification information into the pickup log as required by approved procedures.

Explanation/Notes: One social engineering tactic is to deceive an employee into releasing sensitive materials to another supposedly authorized employee by dropping off such materials at the receptionist or lobby desk for pickup. Naturally, the receptionist or security guard assumes the package is authorized for release. The social engineer either shows up himself or has a messenger service pick up the package.

POLICIES FOR THE INCIDENT REPORTING GROUP

Every company should set up a centralized group that should be notified when any form of attack on corporate security is identified. What follows are some guidelines for setting up and structuring the activities of this group.

20-1 Incident reporting group

Policy: An individual or group must be designated and employees should be instructed to report security incidents to them. All employees should be provided with the contact information for the group.

Explanation/Notes: Employees must understand how to identify a security threat, and be trained to report any threat to a specific incident reporting group. It is also important that an organization establish specific procedures and authority for such a group to act when a threat is reported.

20-2 Attacks in progress

Policy: Whenever the incident reporting group has received reports of an ongoing social engineering attack they shall immediately initiate procedures for alerting all employees assigned to the targeted groups.

Explanation/Notes: The incident reporting group or responsible manager should also make a determination about whether to send a company-wide alert. Once the responsible person or group has a good faith belief that an attack may be in progress, mitigation of damage must be made a priority by notifying company personnel to be on their guard.

Security at a Glance

The following lists and charts provide a quick reference version of social engineering methods discussed in Chapters 2 to 14, and verification procedures detailed in Chapter 16. Modify this information for your organization, and make it available for employees to refer to when an information security question arises.

IDENTIFYING A SECURITY ATTACK

These tables and checklists will assist you in spotting a social engineering attack.

The Social Engineering Cycle

Common Social Engineering Methods

• Posing as a fellow employee

• Posing as an employee of a vendor, partner company, or law enforcement

• Posing as someone in authority

• Posing as a new employee requesting help

• Posing as a vendor or systems manufacturer calling to offer a system patch or update

• Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help

• Sending free software or patch for victim to install

• Sending a virus or Trojan Horse as an email attachment

• Using a false pop-up window asking user to log in again or sign on with password

• Capturing victim keystrokes with expendable computer system or program

• Leaving a floppy disk or CD around the workplace with malicious software on it

• Using insider lingo and terminology to gain trust

• Offering a prize for registering at a Web site with username and password

• Dropping a document or file at company mail room for intraoffice delivery

• Modifying fax machine heading to appear to come from an internal location

• Asking receptionist to receive then forward a fax

• Asking for a file to be transferred to an apparently internal location

• Getting a voice mailbox set up so callbacks perceive attacker as internal

• Pretending to be from remote office and asking for email access locally

Warning Signs of an Attack

• Refusal to give callback number

• Out-of-ordinary request

• Claim of authority

• Stresses urgency

• Threatens negative consequences
