Tuesday, March 4, 2014

Part III-2: Security Best Practice


Context and Innocuous Information

Again, the sensitivity of information depends on the context. Social engineers usually create a context in which information is likely to be disclosed (e.g., claiming to be an employee working in the field).
It is very difficult to verify that context over the phone. So do not give out information over the phone, whether sensitive or seemingly harmless, unless you recognize the voice of the other side AND the other side has a need to know.

Data Classification and Need to Know

Again, the sensitivity of information depends on the context, so data should be classified based on context. Under a particular context, one person may ‘need to know’ one piece of information but not another. Make a list of ‘need-to-know’ items, and associate each with people and context. Make the need-to-know list available in the company’s directory. For example, customers may need to know general information about the company, so you can put that general information on the internet. Only employees ‘need to know’ internal phone numbers and server names, so make those available from within the company, not from the internet.


If a caller claims to be someone, challenge the caller to authenticate himself in a friendly way, irrespective of his authority.
Telephone caller ID isn’t reliable; it can be spoofed. Trust the number in the company’s directory, not the number given by the caller. When an attacker calls in, put him on hold, then call the person he claims to be. If someone picks up, or you reach a voice mail whose voice is different from the attacker’s, you will know right away that the caller is an impostor.

Information disclosure policy

  • Disclose when you know the requester.
  • Disclose when the other side has a need to know, based on what is specified in the company’s need-to-know list.
  • Do not transfer files to someone you don’t personally know, even if the destination is seemingly within your internal network.
  • Log the transaction, both online and offline.
  • Have a centre for reporting suspicious activities.

Password Security

  • Always set a password for any guest account.
  • Use a hashing algorithm to store users’ passwords, not the passwords themselves. Protect the password hashes.
  • Change default passwords as soon as possible. Most default passwords are known to attackers.
  • Take care of your encryption key and the procedure around it. Make sure that at least two persons have access to it, in case one of them quits or dies. Change your encryption key as soon as one of them leaves your company.
  • After verifying a caller, you still need to check authorization (e.g., need to know).
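One way to apply the two password points above (store a salted hash rather than the password, and reject known defaults), as an added example in Python; this is not code from the book or the post, and the record format, the iteration count and the default-password list are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a fixed work factor.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "algo$iterations$salt_hex$hash_hex".

    Only this record is kept in the user database; the plaintext password is
    never stored, so protecting the record protects the user (see point 2 above).
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed, illustrative list of well-known default passwords (not from the page).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "guest", "default"}


def is_default_password(password: str) -> bool:
    """True if the password is a known default that must be changed (point 3 above)."""
    return password.strip().lower() in DEFAULT_PASSWORDS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)  # the record reveals neither the password nor a reusable hash
    print(verify_password("correct horse battery staple", record))
    print(is_default_password("Admin"))
```

Because each record carries its own random salt, two users with the same password get different records, so one cracked record does not expose the other.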

Email, Firewall, and Anti-Virus Software

  • Use a personal firewall and anti-virus software on both company and home computers, and keep them up to date.
  • Scan emails at the corporate gateway.
  • Do not, under any circumstances, open attachments from an email. Attacks can come in various forms, ranging from unsolicited (relevant or irrelevant) emails to emails from your friends.

Dumpster diving

Dumpster diving is the act of looking for useful information in your garbage bins. Protect against dumpster diving with the following strategies:
  • Classify all sensitive information. Provide a separate disposal container for sensitive documents.
  • Shred media containing sensitive information before discarding it. Use a cross-cut shredder to destroy your sensitive documents.
  • Securely erase all electronic media.
  • Lock trash dumpsters.
  • Be selective about your cleaning company. Check their security policy and the background of their crew.
  • Remind everyone to be aware of the sensitivity of the things they throw away.

ID Card

An ID card verifies that you really are with the company. But a lot of the time it is not treated in the right way. Employees see it as a burden; they tend to forget, or purposefully choose not, to wear it. On the other hand, guards tend to abuse their power, trying to embarrass those who do not wear it. As a result, people have a bad attitude towards guards.
This is not the right way to treat ID cards. We should begin by telling employees how important the ID card is. And we should establish a procedure for employees who forget or do not have the badge. Train your guards to implement the procedure without trying to embarrass the other side. For example, you may require those who do not have their ID card to acquire a temporary badge before entering the building. Also, motivate your employees to stop everyone who does not wear a badge.

Your Outsourcing

Social engineers tend to come after office hours. Those who have not thought through the procedure for this period will fall victim. You may set up a security group for non-business hours. This group should have the identities of all employees as well as the chain of command, so that they can call the supervisor of a visitor who claims to be an employee.
If you outsource your backup (i.e., offsite) data center, investigate the security of the site provider. Also encrypt your data before sending it off to the backup site.

Your Workforce Is Your Greatest Asset

Perhaps the most effective measure against security attacks is to train your workforce. Just having a security policy and procedures is not enough; people will try to circumvent the measures for the sake of convenience.
You need to make the effort to implement your policy and procedures. But, more importantly, you need to change the culture. Every employee needs to be aware of attacks as well as their consequences. Make them believe that attacks are more likely than most people think. Tell them that bad security can bring trouble to the company as well as to themselves. If their personal data is in the company’s database, tell your employees that the bad guy can get not only the company’s information but also their private information.

Give your people proper security awareness training. Do it before giving them access to the computer systems. Emphasize password protection. Tell them: DO NOT disclose your password under any circumstances.

Source: The Art of Deception: Controlling the Human Element of Security

Book or Audiobooks?

Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].
There is one more reason that may encourage you to go for the audiobook version. You can get it now for FREE. Audible offers you a free trial for 14 days. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file. Just log into audible.com. You can keep downloading it over and over again.
About the summary: It takes time to finish a book. And when you do, sometimes you want to review what you learned from the book. If you do not make notes as you read, you might have to go through the book once again. This can be time-consuming when you are dealing with a book, but you can still flip through the book and locate what you are looking for.

However, when the material is an audiobook, it is extremely hard to locate a specific part of content. Most likely you will have to listen to the entire audiobook once again.

This book summary will help solve the pain of having to go through the book all over again.

I am leaving out the details of the book. Most books have interesting examples and case studies, which are not included here. Reading the original book would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source below.
