Policies for physical security 




Though social engineers try to avoid showing up in person at a workplace they want to target, there are times when they will violate your space. These policies will help you to keep your physical premises secure from threat.

 

18-1 Identification for non-employees

Policy: Delivery people and other non-employees who need to enter company premises on a regular basis must have a special badge or other form of identification in accordance with policy established by corporate security.


Explanation/Notes: Non-employees who need to enter the building regularly (for example, to make food or beverage deliveries to the cafeteria, or to repair copying machines or install telephones) should be issued a special form of company identification badge provided for this purpose. Others who need to enter only occasionally or on a one-time basis must be treated as visitors and should be escorted at all times.

 

18-2 Visitor identification

Policy: All visitors must present a valid driver's license or other picture identification to be admitted to the premises.

 

Explanation/Notes: The security staff or receptionist should make a photocopy of the identification document prior to issuing a visitor's badge. The copy should be kept with the visitor's log. Alternatively, the identification information can be recorded in the visitor's log by the receptionist or guard; visitors should not be permitted to write down their own ID information.

Social engineers seeking to gain entrance to a building will always write false information in the log. Even though it's not difficult to obtain false ID and to learn the name of an employee he or she can claim to be visiting, requiring that the responsible employee must log the entry adds one level of security to the process.

 

18-3 Escorting visitors

Policy: Visitors must be escorted or in the company of an employee at all times.

 

Explanation/Notes: One popular ruse of social engineers is to arrange to visit a company employee (for example, visiting with a product engineer on the pretext of being the employee of a strategic partner). After being escorted to the initial meeting, the social engineer assures his host that he can find his own way back to the lobby. By this means he gains the freedom to roam the building and possibly gain access to sensitive information.

 

18-4 Temporary badges

Policy: Company employees from another location who do not have their employee badges with them must present a valid driver's license or other picture ID and be issued a temporary visitor's badge.

 

Explanation/Notes: Attackers often pose as employees from a different office or branch of a company to gain entrance to a company.

 


18-5 Emergency evacuation

Policy: In any emergency situation or drill, security personnel must ensure that everybody has evacuated the premises.

 

Explanation/Notes: Security personnel must check for any stragglers that may be left behind in restrooms or office areas. As authorized by the fire department or other authority in charge of the scene, the security force needs to be on the alert for anyone departing the building long after the evacuation.

 

Industrial spies or sophisticated computer intruders may cause a diversion to gain access to a building or secure area. One diversion used is to release a harmless chemical known as butyl mercaptan into the air. The effect is to create the impression that there is a natural gas leak. Once personnel start evacuation procedures, the bold attacker uses this diversion to either steal information or to gain access to enterprise computer systems. Another tactic used by information thieves involves remaining behind, sometimes in a restroom or closet, at the time of a scheduled evacuation drill, or after setting off a smoke flare or other device to cause an emergency evacuation.

 

18-6 Visitors in mail room

Policy: No visitors should be permitted in the mail room without the supervision of a company worker.

 

Explanation/Notes: The intention of this policy is to prevent an outsider from exchanging, sending, or stealing intracompany mail.

 

18-7 Vehicle license plate numbers

Policy: If the company has a guarded parking area, security staff shall log vehicle license plate numbers for any vehicle entering the area.

 

18-8 Trash Dumpsters

Policy: Trash Dumpsters must remain on company premises at all times and should be inaccessible to the public.

 

Explanation/Notes: Computer attackers and industrial spies can obtain valuable information from company trash bins. The courts have held that trash is considered legally abandoned property, so the act of Dumpster diving is perfectly legal, as long as the trash receptacles are on public property. For this reason, it is important that trash receptacles be situated on company property, where the company has a legal right to protect the containers and their contents.

 

Policies for receptionists

Receptionists are often on the front lines when it comes to dealing with social engineers, yet they are rarely given enough security training to recognize and stop an invader. Institute these policies to help your receptionist better protect your company and its data.

 

19-1 Internal directory

Policy: Disclosure of information in the internal company directory should be limited to persons employed by the company.

 

Explanation/Notes: All employee titles, names, telephone numbers, and addresses contained within the company directory should be considered Internal information, and should only be disclosed in accordance with the policy related to data classification and Internal information.

 

Additionally, any calling party must have the name or extension of the party they are trying to contact. Although the receptionist can put a call through to an individual when a caller does not know the extension, telling the caller the extension number should be prohibited. (For those curious folks who follow by example, you can experience this procedure by calling any U.S. government agency and asking the operator to provide an extension.)

 

19-2 Telephone numbers for specific departments/groups

Policy: Employees shall not provide direct telephone numbers for the company help desk, telecommunications department, computer operations, or system administrator personnel without verifying that the requester has a legitimate need to contact these groups. The receptionist, when transferring a call to these groups, must announce the caller's name.

 

Explanation/Notes: Although some organizations may find this policy overly restrictive, this rule makes it more difficult for a social engineer to masquerade as an employee by deceiving other employees into transferring the call from their extension (which in some phone systems causes the call to appear to originate from within the company), or demonstrating knowledge of these extensions to the victim in order to create a sense of authenticity.

 


19-3 Relaying information

Policy: Telephone operators and receptionists should not take messages or relay information on behalf of any party not personally known to be an active employee.

 

Explanation/Notes: Social engineers are adept at deceiving employees into inadvertently vouching for their identity. One social engineering trick is to obtain the telephone number of the receptionist and, on a pretext, ask the receptionist to take any messages that may come for him. Then, during a call to the victim, the attacker pretends to be an employee, asks for some sensitive information or to perform a task, and gives the main switchboard number as a call-back number. The attacker later calls back to the receptionist and is given any message left for him by the unsuspecting victim.

 

19-4 Items left for pickup

Policy: Before releasing any item to a messenger or other unverified person, the receptionist or security guard must obtain picture identification and enter the identification information into the pickup log as required by approved procedures.

 

Explanation/Notes: One social engineering tactic is to deceive an employee into releasing sensitive materials to another supposedly authorized employee by dropping off such materials at the receptionist or lobby desk for pickup. Naturally, the receptionist or security guard assumes the package is authorized for release. The social engineer either shows up himself or has a messenger service pick up the package.
