The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [87]

to provide a way to keep track of who has authorization to various systems. It may be tough to keep a determined social engineer from slipping past your security barriers, but don’t make it easy for an ex-employee.

Another step easily overlooked: When an employee who was authorized to retrieve backup tapes from storage leaves, a written policy must call for the storage company to be immediately notified to remove her name from its authorization list.

Chapter 16 of this book provides detailed information on this vital subject, but it will be helpful to list here some of the key security provisions that should be in place, as highlighted by this story:

• A complete and thorough checklist of steps to be taken upon the departure of an employee, with special provisions for workers who had access to sensitive data.

• A policy of terminating the employee’s computer access immediately—preferably before the person has even left the building.

• A procedure to recover the person’s ID badge, as well as any keys or electronic access devices.

• Provisions that require security guards to see photo ID before admitting any employee who does not have his or her security pass, and for checking the name against a list to verify that the person is still employed by the organization.

Some further steps will seem excessive or too expensive for some companies, but they are appropriate to others. Among these more stringent security measures are:

• Electronic ID badges combined with scanners at entrances; each employee swipes his badge through the scanner for an instantaneous electronic determination that the person is still a current employee and entitled to enter the building. (Note, however, that security guards must still be trained to be on the alert for piggybacking—an unauthorized person slipping by in the wake of a legitimate employee.)

• A requirement that all employees in the same workgroup as the person leaving (especially if the person is being fired) change their passwords. (Does this seem extreme? Many years after my short time working at General Telephone, I learned that the Pacific Bell security people, when they heard General Telephone had hired me, “rolled on the ground with laughter.” But to General Telephone’s credit, when they realized they had a reputed hacker working for them after they laid me off, they then required that passwords be changed for everyone in the company!)

You don’t want your facilities to feel like jails, but at the same time you need to defend against the guy who was fired yesterday but is back today intent on doing damage.

Don’t Forget Anybody

Security policies tend to overlook the entry-level worker, people like receptionists who don’t handle sensitive corporate information. We’ve seen elsewhere that receptionists are a handy target for attackers, and the story of the break-in at the auto parts company provides another example: A friendly person, dressed like a professional, who claims to be a company employee from another facility may not be what he appears. Receptionists need to be well-trained about politely asking for company ID when appropriate, and the training needs to be not just for the main receptionist but also for everyone who sits in as relief at the reception desk during lunchtime or coffee breaks.

For visitors from outside the company, the policy should require that a photo ID be shown and the information recorded. It isn’t hard to get fake ID, but at least demanding ID makes pretexting one degree harder for the would-be attacker.

In some companies, it makes sense to follow a policy requiring that visitors be escorted from the lobby and from meeting to meeting. Procedures should require that the escort make clear when delivering the visitor to his first appointment that this person has entered the building as an employee or nonemployee. Why is this important? Because, as we’ve seen in earlier stories, an attacker will often pass himself off in one guise to the first person encountered, and as someone else to the next. It’s too easy for an attacker to show
