Policy: Voice mail users shall not select a password where one part of the password remains fixed, while another part changes in a predictable pattern. 



 

Explanation/Notes: For example, do not use a password such as 743501, 743502, 743503, and so on, where the last two digits correspond to the current month.

 


14-7 Confidential or Private information

Policy: Confidential or Private information shall not be disclosed in a voice mail message.

 

Explanation/Notes: The corporate telephone system is typically more vulnerable than corporate computer systems. The passwords are usually a string of digits, which substantially limits the number of possibilities an attacker has to guess. Further, in some organizations, voice mail passwords may be shared with secretaries or other administrative staff who have the responsibility of taking messages for their managers. In light of the above, no Sensitive information should ever be left on anyone's voice mail.

 

Passwords

15-1 Telephone security

Policy: Passwords shall not be disclosed over the telephone at any time.

 

Explanation/Notes: Attackers may find ways to listen in to phone conversations, either in person or through a technological device.

 

15-2 Revealing computer passwords

Policy: Under no circumstances shall any computer user reveal his or her password to anyone for any purpose without prior written consent of the responsible information technology manager.

 

Explanation/Notes: The goal of many social engineering attacks involves deceiving unsuspecting persons into revealing their account names and passwords. This policy is a crucial step in reducing the risk of successful social engineering attacks against the enterprise. Accordingly, this policy needs to be followed religiously throughout the company.  

 

15-3 Internet passwords

Policy: Personnel must never use a password that is the same as or similar to one they are using on any corporate system on an Internet site.

 

Explanation/Notes: Malicious Web site operators may set up a site that purports to offer something of value or the possibility of winning a prize. To register, a visitor to the site must enter an email address, username, and password. Since many people use the same or similar sign-on information repeatedly, the malicious Web site operator will attempt to use the chosen password and variations of it for attacking the target's work or home computer system. The visitor's work computer can sometimes be identified by the email address entered during the registration process.


15-4 Passwords on multiple systems

Policy: Company personnel must never use the same or a similar password in more than one system. This policy pertains to various types of devices (computer or voice mail); various locations of devices (home or work); and various types of systems, devices (router or firewall), or programs (database or application).

 

Explanation/Notes: Attackers rely on human nature to break into computer systems and networks. They know that, to avoid the hassle of keeping track of several passwords, many people use the same or a similar password on every system they access. As such, the intruder will attempt to learn the password of one system where the target has an account. Once obtained, it's highly likely that this password or a variation thereof will give access to other systems and devices used by the employee.

 

15-5 Reusing passwords

Policy: No computer user shall use the same or a similar password within the same eighteen-month period.

 

Explanation/Notes: If an attacker does discover a user's password, frequent changing of the password minimizes the damage that can be done. Making the new password unique from previous passwords makes it harder for the attacker to guess it.

 

15-6 Password patterns

Policy: Employees must not select a password where one part remains fixed, and another element changes in a predictable pattern.

 

Explanation/Notes: For example, do not use a password such as Kevin01, Kevin02, Kevin03, and so on, where the last two digits correspond to the current month.

 

15-7 Choosing passwords

Policy: Computer users should create or choose a password that adheres to the following requirements. The password must:

 

Be at least eight characters long for standard user accounts and at least twelve characters long for privileged accounts.

 

Contain at least one number, at least one symbol (such as $, -, !, &), at least one lowercase letter, and at least one uppercase letter (to the extent that such variables are supported by the operating system).


Not be any of the following items: words in a dictionary in any language; any word that is related to an employee's family, hobbies, vehicle, work, license plate, social security number, address, telephone, pet's name, birthday, or phrases containing those words.

 

Not be a variation of a previously used password, with one element remaining the same and another element changing, such as kevin, kevin1, kevin2; or kevinjan, kevinfeb.

 

Explanation/Notes: The parameters listed above will produce a password that is difficult for the social engineer to guess. Another option is the consonant-vowel method, which provides an easy-to-remember and pronounceable password. To construct this kind of password, substitute a consonant for each letter C and a vowel for each letter V, using the mask "CVCVCVCV." Examples would be MIXOCASO; CUSOJENA.
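The rules in 15-7, together with the predictable-pattern rule of 14-6 and 15-6, can be enforced mechanically at password-change time. The following is an added example, not code from the book: the word list and personal details are constructed stand-ins, and the variation check (shared fixed part of at least four characters, changing element of at most three) is an assumed threshold chosen to catch the text's examples.

```python
import re
import secrets

# Constructed stand-ins for the word list and the employee's personal details
# (pet name, licence plate) that 15-7 forbids; load real lists in practice.
DICTIONARY = {"password", "welcome", "summer", "kevin"}
PERSONAL = {"rex", "abc123"}

def predictable_variation(new, old):
    """14-6, 15-6 and the last 15-7 rule: true when the new password keeps a
    fixed part of an old one and changes only a short element, e.g.
    kevin -> kevin1, kevinjan -> kevinfeb, 743501 -> 743502."""
    a, b = new.lower(), old.lower()
    n = min(len(a), len(b))
    p = 0                                   # longest common prefix
    while p < n and a[p] == b[p]:
        p += 1
    s = 0                                   # longest common suffix after it
    while s < n - p and a[-1 - s] == b[-1 - s]:
        s += 1
    fixed = p + s
    return fixed >= 4 and len(a) - fixed <= 3 and len(b) - fixed <= 3

def check_password(pw, previous=(), privileged=False):
    """Return the 15-7 requirements the candidate violates (empty list = OK)."""
    problems = []
    if len(pw) < (12 if privileged else 8):
        problems.append("too short")
    classes = (r"[0-9]", r"[^A-Za-z0-9]", r"[a-z]", r"[A-Z]")
    if not all(re.search(c, pw) for c in classes):
        problems.append("needs a digit, a symbol, a lowercase and an uppercase letter")
    low = pw.lower()
    if any(w in low for w in DICTIONARY | PERSONAL):
        problems.append("contains a dictionary or personal word")
    if any(predictable_variation(pw, old) for old in previous):
        problems.append("predictable variation of a previous password")
    return problems

CONSONANTS, VOWELS = "bcdfghjklmnpqrstvwxyz", "aeiou"

def cv_password(mask="CVCVCVCV"):
    """The consonant-vowel method from 15-7: each C/V in the mask becomes a
    random consonant/vowel, giving a pronounceable result such as MIXOCASO."""
    return "".join(secrets.choice(CONSONANTS if ch == "C" else VOWELS)
                   for ch in mask).upper()
```

Note that a consonant-vowel password passes the pronounceability goal but not the character-class rule above; the book presents it as an alternative, so a deployment has to decide which rule set applies.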

 

15-8 Writing passwords down
Policy: Employees should write passwords down only when they store them in a secure location away from the computer or other password protected device.
   

Explanation/Notes: Employees are discouraged from ever writing down passwords. Under certain conditions, however, it may be necessary; for example, for an employee who has multiple accounts on different computer systems. Any written passwords must be secured in a safe place away from the computer. Under no circumstances may a password be stored under the keyboard or attached to the computer display.

 

15-9 Plaintext passwords in computer files

Policy: Plaintext passwords shall not be saved in any computer file or stored as text called by pressing a function key. When necessary, passwords may be saved using an encryption utility approved by the IT department to prevent any unauthorized disclosures.

 

Explanation/Notes: Passwords can be easily recovered by an attacker if stored in unencrypted form in computer data files, batch files, terminal function keys, login files, macro or scripting programs, or any data files which contain passwords to FTP sites.
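A routine audit for the residue 15-9 describes (passwords in batch files, login files, scripts and FTP settings) is a useful complement to the policy. This is an added example, not the book's: the sample files are constructed, the credentials in them are fake, and the patterns are an assumed starting set rather than a complete catalogue.

```python
import re
from typing import List, Tuple

# Patterns for the plaintext credential residue 15-9 describes: key=value
# assignments in batch/login files, .netrc-style FTP entries, and passwords
# embedded in FTP/HTTP URLs or curl -u arguments. Order matters: the first
# pattern that matches a line names the finding.
PATTERNS = {
    "assignment": re.compile(r"(?:pass(?:word|wd)?|pwd)\s*[=:]\s*\S+", re.I),
    "netrc": re.compile(r"^\s*machine\s+\S+.*\bpassword\s+\S+", re.I),
    "url": re.compile(r"\b(?:ftp|https?)://[^\s/:@]+:[^\s@/]+@", re.I),
    "curl_user": re.compile(r"(?:^|\s)-u\s+[^\s:]+:\S+"),
}

def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, pattern name) for each line that appears
    to store a plaintext password; one finding per line is enough."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((name, lineno, kind))
                break
    return hits

# Constructed sample files (fake credentials) standing in for a batch file,
# a .netrc login file and a shell script that talks to an FTP site.
SAMPLES = {
    "upload.bat": "@echo off\nset FTPUSER=reports\nset FTPPASS=hunter2\n"
                  "ftp -s:cmds.txt %FTPHOST%\n",
    ".netrc": "machine ftp.example.com login reports password s3cret\n",
    "sync.sh": "#!/bin/sh\ncurl -u reports:letmein ftp://ftp.example.com/in/\n"
               "wget ftp://reports:letmein@ftp.example.com/out/\n"
               "echo password prompt follows\n",
}

def scan_all(samples=SAMPLES) -> List[Tuple[str, int, str]]:
    """Scan every sample file and collect the findings in file order."""
    return [hit for name, text in samples.items() for hit in scan_text(name, text)]
```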

 


POLICIES FOR TELECOMMUTERS

Telecommuters are outside the corporate firewall, and therefore more vulnerable to attack. These policies will help you prevent social engineers from using your telecommuter employees as a gateway to your data.

 

16-1 Thin clients

Policy: All company personnel who have been authorized to connect via remote access shall use a thin client to connect to the corporate network.

 

Explanation/Notes: When an attacker analyzes an attack strategy, he or she will try to identify users who access the corporate network from external locations. As such, telecommuters are prime targets. Their computers are less likely to have stringent security controls, and may be a weak link that could compromise the corporate network.

 

Any computer that connects to a trusted network can be booby-trapped with keystroke loggers, or its authenticated connection can be hijacked. A thin client strategy can be used to avoid these problems. A thin client is similar to a diskless workstation or a dumb terminal: the remote computer has no storage capabilities; instead, the operating system, application programs, and data all reside on the corporate network. Accessing the network via a thin client substantially reduces the risk posed by unpatched systems, outdated operating systems, and malicious code. Accordingly, managing the security of telecommuters is effective and made easier by centralizing security controls. Rather than relying on the inexperienced telecommuter to properly manage security-related issues, these responsibilities are better left with trained system, network, or security administrators.

 

16-2 Security software for telecommuter computer systems

Policy: Any external computer system that is used to connect to the corporate network must have antivirus software, anti-Trojan software, and a personal firewall (hardware or software). Antivirus and anti-Trojan pattern files must be updated at least weekly.

 

Explanation/Notes: Ordinarily, telecommuters are not skilled on security-related issues, and may inadvertently or negligently leave their computer system and the corporate network open to attack. Telecommuters therefore pose a serious security risk if they are not properly trained. In addition to installing antivirus and anti-Trojan Horse software to protect against malicious code, a firewall is necessary to block any hostile users from obtaining access to any services enabled on the telecommuter's system.

 

The risk of not deploying the minimal security technologies to prevent malicious code from propagating cannot be overstated, as an attack on Microsoft proves. A computer system belonging to a Microsoft telecommuter, used to connect to Microsoft's corporate network, became infected with a Trojan Horse program. The intruder or intruders were able to use the telecommuter's trusted connection to Microsoft's development network to steal developmental source code.

 



This page was last modified: 2020-11-11; views: 181.