The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [47]
Company security procedures need to spell out in detail what kind of verification mechanisms should be used in various circumstances. Chapter 17 provides a detailed list of procedures, but here are some guidelines to consider:
• One good way to verify the identity of a person making a request is to call back the phone number listed in the company directory for that person, never a number the caller supplies. If the person making the request is actually an attacker, the verification call will either let you speak to the real person on the phone while the imposter is on hold, or you will reach the employee’s voice mail so that you can listen to the sound of his voice and compare it to the speech of the attacker.
• If employee numbers are used in your company for verifying identity, then those numbers have to be treated as sensitive information, carefully guarded and not given out to strangers. The same goes for all other kinds of internal identifiers, such as internal telephone numbers, departmental billing identifiers, and even email addresses.
• Corporate training should call everyone’s attention to the common practice of accepting unknown people as legitimate employees on the grounds that they sound authoritative or knowledgeable. Just because somebody knows a company practice or uses internal terminology is no reason to assume that his identity doesn’t need to be verified in other ways.
• Security officers and system administrators must not narrow their focus so that they are only alert to how security-conscious everyone else is being. They also need to make sure they themselves are following the same rules, procedures, and practices.
• Passwords and the like must, of course, never be shared, but the restriction against sharing is even more important with time-based tokens and other strong forms of authentication. It should be a matter of common sense that sharing any of these items defeats the whole point of the company’s having installed the systems. Sharing means there can be no accountability: if a security incident takes place or something goes wrong, you won’t be able to determine who the responsible party is.
• As I reiterate throughout this book, employees need to be familiar with social engineering strategies and methods to thoughtfully analyze requests they receive. Consider using role-playing as a standard part of security training, so that employees can come to a better understanding of how the social engineer works.
Chapter 7
Phony Sites and Dangerous Attachments
There’s an old saying that you never get something for nothing. Still, the ploy of offering something for free continues to be a big draw for both legitimate (“But wait—there’s more! Call right now and we’ll throw in a set of knives and a popcorn popper!”) and not-so-legitimate (“Buy one acre of swampland in Florida and get a second acre free!”) businesses.
And most of us are so eager to get something free that we may be distracted from thinking clearly about the offer or the promise being made. We know the familiar warning, “buyer beware,” but it’s time to heed another warning: Beware of come-on email attachments and free software. The savvy attacker will use nearly any means to break into the corporate network, including appealing to our natural desire to get a free gift. Here are a few examples.
“WOULDN’T YOU LIKE A FREE (BLANK)?”
Just as viruses have been a curse to mankind and medical practitioners since the beginning of time, so the aptly named computer virus represents a similar curse to users of technology. The computer viruses that get most of the attention and end up in the spotlight, not coincidentally, do the most damage. These are the product of computer vandals.
Computer nerds turned malicious, computer vandals strive