/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsNine out of every ten large corporations and government agencies have been attacked by computer intruders, to judge from the results of a survey conducted by the FBI and reported by the Associated Press in April 2002. Interestingly, the study found that only about one company in three reported or publicly acknowledged any attacks. That reticence to reveal their victimization makes sense. To avoid loss of customer confidence and to prevent further attacks by intruders who learn that a company may be vulnerable, most business do not publicly report computer security incidents.
It appears that there are no statistics on social engineering attacks, and if there were, the numbers would be highly unreliable; in most cases a company never knows when a social engineer has “stolen” information, so many attacks go unnoticed and unreported.
|
/pcq/media/post_attachments/813d88e3021ec41c9d844852ce8b707b3a7adb2f05a6d64e635f74f24723c317.jpg)
Effective counter measures can be put into place against most types of social engineering attacks. But let's face reality here -unless everyone in the enterprise understands that security is important and makes it his or her business to know and adhere to a company's security policies, social engineering attacks will always present a grave risk to the enterprise.
In fact, as improvements are made in the technological weapons against security become significantly more frequent and attractive to information thieves. An industrial spy will naturally attempt to accomplish his or her objective using the easiest method and the one involving the least risk of detection. As a matter of fact, a company that has protected its computer systems and network by deploying state-of-the-art security technologies may thereafter be at more risk from attackers who use social engineering strategies, methods, and tactics to accomplish their objectives.
This chapter presents specific policies designed to minimize a company's risk with respect to social engineering attacks. The policies address attacks that are based not strictly on exploiting technical vulnerabilities. They involve using some kind of pretext or ruse to deceive a trusted employee into providing information or performing an action that gives the perpetrator access to sensitive business information or to enterprise computer systems and networks.
What is a security policy?
Security policies are clear instructions that provide the guidelines for employee behavior for safeguarding information, and are a fundamental building block in developing effective controls to counter potential security threats. These policies are even more significant when it comes to preventing and detecting social engineering attacks.
Effective security controls are implemented by training employees with well-documented policies and procedures. However, it is important to note that security policies, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.
The policies presented here include measures that, while not strictly focused on social engineering issues, nonetheless belong here because they deal with techniques commonly used in social engineering attacks. For example, policies about opening email attachments-which could install malicious Trojan Horse software allowing the attacker to take over the victim's computer-address a method frequently used by computer intruders.
Steps to developing a program
A comprehensive information security program usually starts with a risk assessment aimed at determining:
- What enterprise information assets need to be protected?
- What specific threats exist against these assets?
- What damage would be caused to the enterprise if these potential threats were to materialize?
The primary goal of risk assessment is to prioritize which information assets are in need of immediate safeguards, and whether instituting safeguards will be cost-effective based on a cost-benefit analysis. Simply put, what assets are going to be protected first, and how much money should be spent to protect these assets?
It's essential that senior management buy into and strongly support the necessity of developing security policies and an information security program. As with any other corporate program, if a security program is to succeed, management must do more than merely provide an endorsement, it must demonstrate a commitment by personal example. Employees need to be aware that management strongly subscribes to the belief that information security is vital to the company's operation, that protection of company business information is essential for the company to remain in business, and that every employee's job may depend on the success of the program.
The person assigned to draft information security policies needs to understand that the policies should be written in a style free of technical jargon and readily understood by the nontechnical employees. It's also important that the document make clear why each policy is important; otherwise employees may disregard some policies as a waste of time. The policy writer should create a document that presents the policies, and a separate document for procedures, because policies will probably change much less frequently than the specific procedures used to implement them.
In addition, the policy writer should be aware of ways in which security technologies can be used to enforce good information security practices. For example, most operating systems make it possible to require that user passwords conform to certain specifications such as length. In some companies, a policy prohibiting users from downloading programs can be controlled via local or global policy settings within the operating system. The policies should require use of security technology whenever cost-effective to remove human-based decision-making.
Employees must be advised of the consequences for failing to comply with security policies and procedures. A set of appropriate consequences for violating the policies should be created. Also, a reward program should be created for employees who demonstrate good security practices or who recognize and report a security incident. Whenever an employee is rewarded for foiling a security breach, it should be widely publicized throughout the company, for example in an article in the company
newsletter.
One goal of a security awareness program is to communicate the importance of security policies and the harm that can result from failure to follow such rules. Given human nature, employees will, at times, ignore or circumvent policies that appear unjustified or too time-consuming. It is a management responsibility to insure that employees understand the importance of the policies and are motivated to comply, rather than treating them as obstacles to be circumvented.
It's important to note that information security policies cannot be written in stone. As business needs change, as new security technologies come to market, and as security vulnerabilities evolve, the policies need to be modified or supplemented. A process for regular review and updating should be put into place. Make the corporate security policies and procedures available via the corporate intranet or maintain such policies in a publicly available folder. This increases the likelihood that such policies and procedures will be reviewed more frequently, and provides a convenient method for employees to quickly find the answer to any information-security related question.
Finally, periodic penetration tests and vulnerability assessments using social engineering methods and tactics should be conducted to expose any weakness in training or lack of adherence to company policies and procedures. Prior to using any deceptive penetration-testing tactics, employees should be put on notice that such testing may occur from time to time.
How to use these policies
The detailed policies presented in this chapter represent only a subset of the information security policies I believe are necessary to mitigate all security risks. Accordingly, the policies included here should not be considered as a comprehensive list of information security policies. Rather, they are the basis for building a comprehensive body of security policies appropriate to the specific needs of your company.
Policy writers for an organization will have to choose the policies that are appropriate based on their company's unique environment and business goals. Each organization, having different security requirements based on business needs, legal requirements, organizational culture, and the information systems used by the company, will take what it needs from the policies presented, and omit the rest.
There are also choices to be made about how stringent policies will be in each category. A smaller company located in a single facility where most employees know one another does not need to be much concerned about an attacker calling on the phone and pretending to be an employee (although of course an imposter may masquerade as a vendor). Also, despite the increased risks, a company framed around a casual, relaxed corporate culture may wish to adopt only a limited subset of recommended policies to meet its security objectives.
Data Classification
A data classification policy is fundamental to protecting an organization's information assets, and sets up categories for governing the release of sensitive information. This policy provides a framework for protecting corporate information by making all employees aware of the level of sensitivity of each piece of information.
Operating without a data classification policy-the status quo in almost all companies today-leaves most of these decisions in the hands of individual workers. Naturally, employee decisions are largely based on subjective factors, rather than on the sensitivity, criticality, and ignorant of the possibility that in responding to a request for the information, they may be putting it into the hands of an attacker. The data classification policy sets forth guidelines for classifying valuable information into one of several
levels.
Excerpted with permission from “The Art of Deception” by Kevin D. Mitnick and William L Simon