Step Two: Verification of Employment Status 

The greatest information security threat is not from the professional social engineer, nor from the skilled computer intruder, but from someone much closer: the just-fired employee seeking revenge or hoping to set himself up in business using information stolen from the company. (Note that a version of this procedure can also be used to verify that someone still enjoys another kind of business relationship with your company, such as a vendor, consultant, or contract worker.)

 

Before providing Sensitive information to another person or accepting instructions for actions involving the computer or computer-related equipment, verify that the requester is still a current employee by using one of these methods:

 

Employee Directory Check. If the company maintains an online employee directory that accurately reflects active employees, verify that the requester is still listed.
   

Requester's Manager Verification. Call the requester's manager using a phone number listed in the company directory, not a number provided by the requester.
   

Requester's Department or Workgroup Verification. Call the requester's department or workgroup and determine from anyone in that department or workgroup that the requester is still employed by the company.

 

Step Three: Verification of Need to Know

Beyond verifying that the requester is a current employee or has a relationship with your company, there still remains the issue of whether the requester is authorized to have access to the information being requested, or is authorized to request that specific actions affecting computers or computer-related equipment be taken.

 

This determination may be made by using one of these methods:

 

Consult job title/workgroup/responsibilities lists. A company can provide ready access to authorization information by publishing lists of which employees are entitled to what information. These lists may be organized by employee job title, department or workgroup, responsibilities, or some combination of these. Such lists would need to be maintained online to be kept current and to provide quick access to authorization information. Ordinarily, Information Owners would be responsible for overseeing the creation and maintenance of the lists for access to information under the Owner's control.

 


NOTE

It is important to note that maintaining such lists is an invitation to the social engineer. Consider: if an attacker targeting a company becomes aware that the company maintains such lists, there is a strong motivation to obtain one. Once in hand, such a list opens many doors to the attacker and puts the company at serious risk.

 

Obtain Authority from a Manager. An employee contacts his or her own manager, or the manager of the requester, for authority to comply with the request.

 

Obtain Authority from the Information Owner or a Designee. The Information Owner is the ultimate judge of whether a particular person should be granted access. The process for computer-based access control is for the employee to contact his or her immediate manager to approve a request for access to information based on existing job profiles. If no such profile exists, it is the manager's responsibility to contact the relevant Information Owner for permission. This chain of command should be followed so that Information Owners are not barraged with requests when there is a frequent need to know.

 

Obtain Authority by Means of a Proprietary Software Package. For a large company in a highly competitive industry, it may be practical to develop a proprietary software package that provides need-to-know authorization. Such a database stores employee names and their access privileges to classified information. Users would not be able to look up each individual's access rights; instead they would enter the requester's name and the identifier associated with the information being sought, and the software would respond only with whether or not that employee is authorized to access that information. This alternative avoids the danger of creating a list of personnel and their respective access rights to valuable, critical, or sensitive information that could be stolen.
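As an added illustration of this query-only design (example code written for this page, not software from the book or from any product), the following Python sketch stores grants as keyed hashes of the (employee, information identifier) pair and exposes a single yes/no lookup with no way to list who holds what. The employee names, information identifiers and the HMAC key are constructed for the example. Two details go beyond the text and are design choices of this example: grants are kept as HMAC-SHA256 tokens rather than plaintext pairs, so a stolen copy of the store is not a readable access list, and an unknown name receives the same "no" as a known but unauthorized one, so the oracle cannot be used to confirm whether a name belongs to a real employee.

```python
import hashlib
import hmac
import unicodedata
from datetime import datetime, timezone


def _normalize(value: str) -> str:
    """Canonicalize a name or identifier so spacing and case differences
    neither create duplicate grants nor cause spurious 'not authorized'."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())


class NeedToKnowOracle:
    """Answers 'may <requester> receive <info_id>?' with a bare yes/no.

    Grants are stored only as keyed hashes of the (employee, info_id) pair,
    so the store itself is not a readable list of who can access what.
    There is deliberately no method that enumerates grants or employees.
    (Hypothetical design for this example, not the book's software.)
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 16:
            raise ValueError("key must be at least 16 bytes")
        self._key = key
        self._grants: set[bytes] = set()
        self.audit_log: list[dict] = []

    def _token(self, employee: str, info_id: str) -> bytes:
        # Separator byte prevents ("a b", "c") colliding with ("a", "b c").
        msg = (_normalize(employee) + "\x1f" + _normalize(info_id)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def grant(self, employee: str, info_id: str) -> None:
        """Recorded by the Information Owner or delegate."""
        self._grants.add(self._token(employee, info_id))

    def revoke(self, employee: str, info_id: str) -> None:
        self._grants.discard(self._token(employee, info_id))

    def is_authorized(self, requester: str, info_id: str, asked_by: str) -> bool:
        """The only read operation. Unknown names and unauthorized names
        get the identical answer, and every query is logged with the
        identity of the person who asked."""
        allowed = self._token(requester, info_id) in self._grants
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "asked_by": asked_by,
            "requester": requester,
            "info_id": info_id,
            "result": allowed,
        })
        return allowed


def build_demo_oracle() -> NeedToKnowOracle:
    """Constructed sample data; the key is a placeholder for the example."""
    oracle = NeedToKnowOracle(key=b"demo-key-replace-in-production")
    oracle.grant("Alice Smith", "PROJ-ATLAS-DESIGN")
    oracle.grant("Bob Jones", "PAYROLL-Q3")
    return oracle


if __name__ == "__main__":
    o = build_demo_oracle()
    print(o.is_authorized("alice smith", "PROJ-ATLAS-DESIGN", asked_by="helpdesk"))
    print(o.is_authorized("Nobody Real", "PROJ-ATLAS-DESIGN", asked_by="helpdesk"))
```

Even a yes/no oracle leaks: anyone who can submit queries can test names one at a time, which is why each query is written to audit_log with the asker's identity. An asker who probes many different names against one identifier, or many identifiers for one name, is the pattern to alert on.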

 

MANAGEMENT POLICIES

The following policies pertain to management-level employees. These are divided into the areas of Data Classification, Information Disclosure, Phone Administration, and Miscellaneous Policies. Note that each category of policies uses a unique numbering structure for easy identification of individual policies.

 


Data Classification Policies

Data Classification refers to how your company classifies the sensitivity of information and who should have access to that information.

 

1-1 Assign data classification

Policy: All valuable, sensitive, or critical business information must be assigned to a classification category by the designated Information Owner or delegate.

 

Explanation/Notes: The designated Owner or delegate will assign the appropriate data classification to any information routinely used to accomplish business goals. The Owner also controls who can access such information and what use can be made of it. The Owner of the information may reassign the classification and may designate a time period for automatic declassification.

Any item not otherwise marked should be classified as Sensitive.

 

1-2 Publish classified handling procedures

Policy: The company must establish procedures governing the release of information in each category.

 

Explanation/Notes: Once classifications are established, procedures for release of information to employees and to outsiders must be set up, as detailed in the Verification and Authorization Procedures outlined earlier in this chapter.

 

1-3 Label all items

Policy: Clearly mark both printed materials and media storage containing Confidential, Private, or Internal information to show the appropriate data classification.

 

Explanation/Notes: Hard copy documents must have a cover sheet, with a classification label prominently displayed, and a classification label on every page that is visible when the document is open.

 

All electronic files that cannot easily be labeled with appropriate data classifications (database or raw data files) must be protected via access controls to ensure that such information is not improperly disclosed, and that it cannot be changed, destroyed, or made inaccessible.

 

All computer media such as floppy disks, tapes, and CD-ROMs must be labeled with the highest classification of any information contained therein.

 


Information Disclosure

Information disclosure involves the release of information to various parties based on their identity and need to know.

2-1 Employee verification procedure

Policy: The company should establish comprehensive procedures to be used by employees for verifying the identity, employment status, and authorization of an individual before releasing Confidential or Sensitive information or performing any task that involves use of any computer hardware or software.

Explanation/Notes: Where justified by size of company and security needs, advanced security technologies should be used to authenticate identity. The best security practice would be to deploy authentication tokens in combination with a shared secret to positively identify persons making requests. While this practice would substantially minimize risk, the cost may be prohibitive for some businesses. In those circumstances, the company should use a company-wide shared secret, such as a daily password or code.

 

2-2 Release of information to third parties

Policy: A set of recommended information disclosure procedures must be made available and all employees should be trained to follow them.

 

Explanation/Notes: Generally, distribution procedures need to be established for:

 

Information made available within the company.

 

Distribution of information to individuals and employees of organizations having an established relationship with the company, such as consultants, temporary workers, interns, employees of organizations that have a vendor relationship or strategic partnership arrangement with the company, and so on.

 

Information made available outside the company.

 

Information at each classification level, when the information is being delivered in person, by telephone, by email, by facsimile, by voice mail, by postal service, by signature delivery service, and by electronic transfer.

 


2-3 Distribution of Confidential information

Policy: Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a Trusted Person who is authorized to receive it.

 

Explanation/Notes: Confidential information in a physical form (that is, printed copy or on a removable storage medium) may be delivered:

 

In person.

 

By internal mail, sealed and marked with the Confidential classification.

 

Outside the company by a reputable delivery service (for example, FedEx, UPS, and so on) with signature of recipient required, or by a postal service using a certified or registered class of mail.

 

Confidential information in electronic form (computer files, database files, email) may be delivered:

 

Within the body of encrypted email.
 

By email attachment, as an encrypted file.

 

By electronic transfer to a server within the company internal network.

 

By a fax program from a computer, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

 

Confidential information may be discussed in person; by telephone within the company; by telephone outside the company if encrypted; by encrypted satellite transmission; by encrypted videoconferencing link; and by encrypted Voice Over Internet Protocol (VoIP).

 

For transmission by fax machine, the recommended method calls for the sender to transmit a cover page; the recipient, on receiving the page, transmits a page in response, demonstrating that he/she is at the fax machine. The sender then transmits the fax.  

 


The following means of communication are not acceptable for discussing or distributing Confidential information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, Short Message Service, or cordless).

 

2-4 Distribution of Private information

Policy: Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Private information in a physical form (that is, hard copy or data on a removable storage medium) may be delivered:

 

In person

 

By internal mail, sealed and marked with the Private classification

 

By regular mail  

 

Private information in electronic form (computer files, database files, email) may be delivered:

 

By internal email.

 

By electronic transfer to a server within the company internal network.

 

By facsimile, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. Facsimiles can also be sent to password-protected fax servers. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

 

Private information may be discussed in person; by telephone; by satellite transmission; by videoconferencing link; and by encrypted VoIP.

 

The following means of communication are not acceptable for discussing or distributing Private information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, SMS, or cordless).

 


2-5 Distribution of Internal information

Policy: Internal information is information to be shared only within the company or with other Trusted persons who have signed a nondisclosure agreement. You must establish guidelines for the distribution of Internal information.

 

Explanation/Notes: Internal information may be distributed in any form, including internal email, but may not be distributed outside the company in email form unless encrypted.

 

2-6 Discussing Sensitive information over the telephone

Policy: Prior to releasing any information that is not designated as Public over the telephone, the person releasing such information must personally recognize the requester's voice through prior business contact, or the company phone system must identify the call as being from an internal telephone number that has been assigned to the requester.
   

Explanation/Notes: If the requester's voice is not known, call the requester's internal phone number to verify the requester's voice against the recorded voice mail greeting, or have the requester's manager verify the requester's identity and need to know.

 

2-7 Lobby or reception personnel procedures

Policy: Lobby personnel must obtain photo identification prior to releasing any package to any person who is not known to be an active employee. A log should be kept for recording the person's name, driver's license number, birth date, the item picked up, and the date and time of such pickup.

 

Explanation/Notes: This policy also applies to handing over outgoing packages to any messenger or courier service such as FedEx, UPS, or Airborne Express. These companies issue identification cards that can be used to verify employee identity.

 

2-8 Transfer of software to third parties

Policy: Prior to the transfer or disclosure of any software, program, or computer instructions, the requester's identity must be positively verified, and it must be established whether such release is consistent with the data classification assigned to such information. Ordinarily, software developed in-house in source-code format is considered highly proprietary, and classified Confidential.

 


Explanation/Notes: Determination of authorization is usually based on whether the requester needs access to the software to do his or her job.

 

2-9 Sales and marketing qualification of customer leads

Policy: Sales and marketing personnel must qualify leads before releasing internal callback numbers, product plans, product group contacts, or other Sensitive information to any potential customer.

 

Explanation/Notes: It is a common tactic for industrial spies to contact a sales and marketing representative and make him believe that a big purchase may be in the offing. In an effort to take advantage of the sales opportunity, sales and marketing reps often release information that can be used by the attacker as a poker chip to obtain access to Sensitive information.

 

2-10 Transfer of files or data

Policy: Files or other electronic data should not be transferred to any removable media unless the requester is a Trusted Person whose identity has been verified and who has a need to have such data in that format.

 

Explanation/Notes: A social engineer can easily dupe an employee by providing a plausible request for having Sensitive information copied to a tape, Zip disk, or other removable media, and sent to him or held in the lobby for pickup.

 

Phone Administration

Phone administration policies ensure that employees can verify caller identity, and protect their own contact information from those calling into the company.

 

3-1 Call forwarding on dial-up or fax numbers

Policy: Call forwarding services that permit forwarding calls to external telephone numbers will not be placed on any dial-up modem or fax telephone numbers within the company.

 

Explanation/Notes: Sophisticated attackers may attempt to dupe telephone company personnel or internal telecom workers into forwarding internal numbers to an external phone line under control of an attacker. This attack allows the intruder to intercept faxes, request Confidential information to be faxed within the company (personnel assume that faxing within the organization must be safe), or dupe dial-in users into providing their account passwords by forwarding the dial-up lines to a decoy computer that simulates the login process.

 

Depending on the telephone service used within the company, the call forwarding feature may be under control of the communications provider, rather than the telecommunications department. In such circumstances, a request will be made to the communications provider to ensure the call forwarding feature is not present on the telephone numbers assigned to dial-up and fax lines.

 

3-2 Caller ID

Policy: The corporate telephone system must provide caller line identification (caller ID) on all internal telephone sets, and, if possible, enable distinctive ringing to indicate when a call is from outside the company.

 

Explanation/Notes: If employees can see that a telephone call originates from outside the company, it may help them prevent an attack, or identify the attacker to appropriate security personnel.

 

3-3 Courtesy phones

Policy: To prevent visitors from masquerading as company workers, every courtesy telephone will clearly indicate the location of the caller (for example, "Lobby") on the recipient's caller ID.

 

Explanation/Notes: If the caller ID for internal calls shows extension number only, appropriate provision must be made for calls placed from company phones in the reception area and any other public areas. It must not be possible for an attacker to place a call from one of these phones and deceive an employee into believing that the call has been placed internally from an employee telephone.

 

3-4 Manufacturer default passwords shipped with phone systems

Policy: The voice mail administrator should change all default passwords that were shipped with the phone system prior to use by company personnel.

 

Explanation/Notes: Social engineers can obtain lists of default passwords from manufacturers and use these to access administrator accounts.

 


3-5 Department voice mailboxes

Policy: Set up a generic voice mailbox for every department that ordinarily has contact with the public.

 

Explanation/Notes: The first step of social engineering involves gathering information about the target company and its personnel. By limiting the accessibility of the names and telephone numbers of employees, a company makes it more difficult for the social engineer to identify targets in the company, or names of legitimate employees for use in deceiving other personnel.

 

3-6 Verification of telephone system vendor

Policy: No vendor-support technicians will be permitted to remotely access the company telephone system without positive identification of vendor and authorization to perform such work.

 

Explanation/Notes: Computer intruders who gain access to corporate telephone systems gain the ability to create voice mailboxes, intercept messages intended for other users, or make free phone calls at the corporation's expense.

 

3-7 Configuration of phone system

Policy: The voice mail administrator will enforce security requirements by configuring the appropriate security parameters in the telephone system.

 

Explanation/Notes: Phone systems can be set up with greater or lesser degrees of security for voice mail messages. The administrator should be aware of company security concerns, and work with security personnel to configure the phone system to protect Sensitive data.

 

3-8 Call trace feature
This page was last modified on 2020-11-11.