
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [39]

employee may be given only to someone who is known on a face-to-face basis, or whose voice is so familiar that you recognize it without question.

In high-security situations, the only requests that should be granted are ones delivered in person or with a strong form of authentication—for example, two separate items such as a shared secret and a time-based token.

Data classification procedures must designate that no information be provided from a part of the organization involved with sensitive work to anyone not personally known or vouched for in some manner.

So how do you handle a legitimate-sounding request for information from another company employee, such as the list of names and email addresses of people in your group? In fact, how do you raise awareness so that an item like this, which is clearly less valuable than, say, a spec sheet for a product under development, is recognized as something for internal use only? One major part of the solution: Designate employees in each department who will handle all requests for information to be sent outside the group. An advanced security-training program must then be provided to make these designated employees aware of the special verification procedures they should follow.

note

Incredibly, even looking up the name and phone number of the caller in the company’s employee database and calling him back is not an absolute guarantee: social engineers know ways of planting names in a corporate database or redirecting telephone calls.

Forget Nobody

Anyone can quickly rattle off the identity of organizations within her company that need a high degree of protection against malicious attacks. But we often overlook other places that are less obvious, yet highly vulnerable. In one of these stories, the request for a fax to be sent to a phone number within the company seemed innocent and secure enough, yet the attacker took advantage of this security loophole. The lesson here: Everybody from secretaries and administrative assistants to company executives and high-level managers needs to have special security training so that they can be alert to these types of tricks. And don’t forget to guard the front door: Receptionists, too, are often prime targets for social engineers and must also be made aware of the deceptive techniques used by some visitors and callers.

Corporate security should establish a single point of contact as a kind of central clearinghouse for employees who think they may have been the target of a social engineering ruse. Having a single place to report security incidents will provide an effective early-warning system that will make it clear when a coordinated attack is under way, so that any damage can be controlled immediately.

Chapter 6

“Can You Help Me?”

You’ve seen how social engineers trick people by offering to help. Another favorite approach turns the tables: The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.

THE OUT-OF-TOWNER

A story in Chapter 3 showed how an attacker can talk a victim into revealing his employee number. This one uses a different approach for achieving the same result, and then shows how the attacker can make use of that information.

Keeping Up with the Joneses

In Silicon Valley there is a certain global company that shall be nameless. The scattered sales offices and other field installations around the world are all connected to that company’s headquarters over a WAN, a wide area network. The intruder, a smart, feisty guy named Brian Atterby, knew it was almost always easier to break into a network at one of the remote sites, where security is practically guaranteed to be more lax than at headquarters.

The intruder phoned the Chicago office and asked to speak with Mr. Jones. The receptionist asked if he knew Mr. Jones’s first name; he answered, “I had it here, I’m looking for it. How many Joneses do you
