What Every Company Needs To Know To Prevent The Release of “Innocuous” Information As detailed by Kevin Mitnick in THE ART OF DECEPTION
• The Information Security Department needs to conduct awareness training detailing the methods used by social engineers.
Social engineers often obtain seemingly non-sensitive information and use it as a poker chip to gain short-term trust. Each and every employee needs to be aware that a caller's knowledge of company procedures, lingo, and internal identifiers does not in any way, shape, or form authenticate the requestor or establish that he or she has a need to know. A caller could be a former employee or contractor with the requisite insider information. Accordingly, each corporation has a responsibility to determine the appropriate authentication method to be used when employees interact with people they don't recognize, whether in person or over the telephone.
• The person or persons with the role and responsibility of drafting the data classification policy should examine the types of details, used by legitimate employees to gain access, that seem innocuous but could lead to information that is sensitive.
Though you’d never give out the access code for your ATM card, would you tell somebody what server you use to develop company software products? Could that information be used by a person pretending to be somebody who has legitimate access to the corporate network?
• Sometimes just knowing inside terminology can make the social engineer appear authoritative and knowledgeable.
The attacker often relies on this common misconception to dupe his or her victims into compliance. For example, a Merchant ID is an identifier that people in the New Accounts department of a bank casually use every day. But such an identifier is functionally the same as a password. If each and every employee understood the nature of this identifier―that it is used to positively authenticate a requestor―they might treat it with more respect.
• Few companies give out the direct-dial phone numbers of their CEO or board chairman. Most companies, though, have no concern about giving out phone numbers to most departments and workgroups in the organization―especially to someone who is, or appears to be, an employee.
A possible countermeasure: implement a policy that prohibits giving out internal phone numbers of employees, contractors, consultants, and temps to any outsiders. More importantly, develop a step-by-step procedure to positively verify that a caller asking for phone numbers really is an employee.
• Accounting codes for workgroups and departments, as well as copies of the corporate directory (whether hardcopy, data file, or electronic phone book on the intranet), are frequent targets of social engineers.
Every company needs a written, well-publicized policy on disclosure of this type of information. The safeguards should include maintaining an audit log that records instances when sensitive information is disclosed to people outside the company.
• Information such as an employee number, by itself, should not be used as any sort of authentication.
Every employee must be trained to verify not just the identity of a requestor, but also the requestor’s need to know.
• In your security training, consider teaching employees this approach: whenever asked a question or asked for a favor by a stranger, learn first to politely decline until the request can be verified.
Before giving in to the natural desire to be Mr. or Ms. Helpful, follow company policies and procedures with respect to verification and disclosure of non-public information. This style may go against our natural tendencies to help others, but a little healthy paranoia may be necessary to avoid being the social engineer’s next dupe.