The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [75]

used can be worse than none at all because it gives the illusion of security where it doesn’t really exist. What good are codes if your employees don’t keep them secret?

Any company with a need for verbal security codes needs to spell out clearly for its employees when and how the codes are used. Properly trained, the character in the first story in this chapter would not have had to rely on his instincts, easily overcome, when asked to give a security code to a stranger. He sensed that he should not be asked for this information under the circumstances, but lacking a clear security policy—and good common sense—he readily gave in.

Security procedures should also set up steps to follow when an employee fields an inappropriate request for a security code. All employees should be trained to immediately report any request for authentication credentials, such as a daily code or password, made under suspicious circumstances. They should also report when an attempt to verify the identity of a requestor doesn’t check out.

At the very least, the employee should record the caller’s name, phone number, and office or department, and then hang up. Before calling back, he should verify that the organization really does have an employee of that name, and that the callback phone number matches the phone number in the on-line or hard-copy company directory. Most of the time, this simple tactic will be all that’s needed to verify that the caller is who he says he is.

Verifying becomes a bit trickier when the company has a published phone directory instead of an on-line version. People get hired; people leave; people change departments, job positions, and phone numbers. The hard-copy directory is already out of date the day after it’s published, even before being distributed. Even on-line directories can’t always be relied on, because social engineers know how to modify them. If an employee can’t verify the phone number from an independent source, she should be instructed to verify by some other means, such as contacting the employee’s manager.

part 3

intruder alert

chapter 10

Entering the Premises

Why is it so easy for an outsider to assume the identity of a company employee and carry off an impersonation so convincingly that even people who are highly security conscious are taken in? Why is it so easy to dupe individuals who may be fully aware of security procedures, suspicious of people they don’t personally know, and protective of their company’s interests?

Ponder these questions as you read the stories in this chapter.

THE EMBARRASSED SECURITY GUARD

Date/Time: Tuesday, October 17, 2:16 A.M.

Place: Skywatcher Aviation, Inc. manufacturing plant on the outskirts of Tucson, Arizona.

The Security Guard’s Story

Hearing his leather heels click against the floor in the halls of the nearly deserted plant made Leroy Greene feel much better than spending the night hours of his watch in front of the video monitors in the security office. There he wasn’t allowed to do anything but stare at the screens, not even read a magazine or his leather-bound Bible. You just had to sit there looking at the displays of still images where nothing ever moved.

But walking the halls, he was at least stretching his legs, and when he remembered to throw his arms and shoulders into the walk, it got him a little exercise, too. Although it didn’t really count very much as exercise for a man who had played right tackle on the All-City champion high school football team. Still, he thought, a job is a job.

He turned the southwest corner and started along the gallery overlooking the half-mile-long production floor. He glanced down and saw two people walking past the line of partly built copters. The pair stopped and seemed to be pointing things out to each other. A strange sight at this time of night. “Better check,” he thought.

Leroy headed for a staircase that would bring him onto the production-line floor behind the pair, and they didn’t sense his approach until he stepped alongside. “Morning. Can I see your security badges,
