XOOPS Brasil

 

Chapter 11

Information Security Policy and Awareness

Your information security policy is a document that describes how you will deal with specific information security situations. This could define what the acceptable use of your e-mail system is, or it might dictate whether you can read employee e-mail. Today, a good information security policy will cover the gamut of information, such as e-mail, Instant Messaging (IM), backup storage, and acceptable use of company resources (meaning desktops, notebooks, servers, Internet connection, and so on).

An information policy is built to guide the employee, as well as to protect you and your company from inadvertent problems. Often, the employee excuse of “we didn't know” tends to work, and, sadly, it forces you to document all of your policies. Although people tend to gloss over employee policies, the information policy document will serve to push the burden of responsibility back onto the employee or user community.

Your information security policy should cover the responsibility of each person. The information policy also should cover license information (such as if you find pirated software, what to do), as well as what can or cannot be plugged into your network, such as an outside notebook or any other unauthorized device.

Awareness also falls into the information security category. People are often unaware of what is going on around them. This is a “perfect storm” situation for a social engineer (that is, someone who uses specific social techniques to get past another person's defenses). A classic social engineering technique is to call someone in the company and fool him or her into helping the caller by providing a password. Unfortunately, this method works very well. Training your staff in proper phone screening can help to avoid this issue.

This chapter covers two aspects of the information security spectrum. The first half of this chapter provides an in-depth view of the information security policy itself. Although you won't find here a full written plan, the discussion can help guide you to developing your own. The second part of the chapter helps you to develop a strong defense against social-engineering techniques and takes a look at the situational awareness paradigm.

Establishing an Information Security Policy

The information security policy can be a single document stating what is and is not acceptable concerning what information can be divulged to whom. It may also be a collection of policy documents. The purpose of the information security policy is to protect you and your business from harm caused by the actions of employees, contractors, customers, and others who violate the rules.

Following are the particular policy areas examined in this section:

  • Overall information security policy
  • Internet use
  • Remote access
  • Acceptable e-mail use
  • Instant messaging
  • Social media network use

Although this list of examined topics is not exhaustive, it's meant to get you started on the proper path. This section covers a basic framework for your information security policy. Take the time to discuss the information presented in this chapter with your staff as it relates to your business and technical needs.

To begin, let's start with the overall information security policy.

General Information Security Policy

The primary document you will create is the information security policy. This document is typically delivered to employees for acknowledgment and signature. Its scope covers the use of the company's information resources.

The policy should be updated from time to time as your technology needs change. It's important that the employees read the policy document and acknowledge an understanding of its contents by signature.

This type of document typically covers the following areas:

  • Violations
  • Management's responsibilities
  • Employee responsibilities
  • IT (or your technical staff) responsibilities
  • Acceptable use of resources
  • Unacceptable use of resources
  • Password policy
  • Software installation policy
  • External equipment/installation policy
  • Social networking policy

Sections within the overall information security policy document tend to cover these areas, which represent many of the normal delicate areas in IT. However, keep in mind that, as your IT evolves with new technologies, your policy should also cover new technologies, cover new issues, and address various yet-to-be-determined threats.

Violations

Make a clear definition statement for what will happen in the event of violations. This should cover whether disciplinary action will occur, and may even contain to what degree.

An example statement may be written as follows:

“Violations of this information security policy may result in disciplinary action in accordance with company policy. The failure to observe and maintain the guidelines of this policy could result in the employee's being subjected to disciplinary action up to and including immediate termination. The severity of the employee violation will dictate the level of disciplinary action. These violations include (but are not limited to) actions that result in liability or harm/loss to the company, or repeat violations of the policy.”

Of course, you should draft your own statement of what will happen in the event of violations.

Management Responsibilities

The roles of management should be spelled out to describe the expectation that you have for them in regard to this policy. For example, supervisors and managers should be responsible for reviewing the contents of this document with their direct reports. Further, managers must put into place the standards and controls to ensure employee compliance with this policy.

Employee Responsibilities

The employee responsibilities section of your security policy will be specific to your environment, but should include coverage of several common areas that span across companies.

Many systems in IT are simply communications tools of one form or another. Therefore, at all times, the employee must observe a sense of decorum and professional behavior in his or her use of the IT systems.

This policy should state that the employee has full responsibility for any file (text, music/audio, video, and so on) that he or she sends or uses with the company's computer and network systems.

In today's electronically oriented society, stressing to employees what copyrighted materials are is important. Ensure that copyrighted material is not unlawfully sent out or distributed using company resources. The idea that sharing a digital resource is wrong often tends to escape some employees. Your company could be on the hook financially for such behavior.

Be sure that the employee is fully aware of company policies regarding the security of information such as price lists, customer lists, road map information, or anything else deemed confidential by the company.

IT/Technical Staff Responsibilities

Be sure to cover the basic scope of your IT or technical staff's mission. This includes the setting of technical security standards, such as virus scanning, spam filtering, and so on. You should also spell out how IT is also responsible for providing assistance as needed to the employees with regard to technology.

Acceptable Use of Resources

Define for your staff what you will deem acceptable use of company resources. For example, web browsing for company purposes should be fine, whereas you may not want employees spending time on an auction site for personal use. Alternatively, you may not care. It's all a matter of what you deem as acceptable.

You may also want to clarify for your staff the appropriate use of e-mail and other communications tools. Do you care if they send personal e-mails over the company e-mail systems? If not, then state it. If you do care, ensure that you state that the e-mail system is to be used for company business purposes only. As you will discover later in this chapter, many companies deem e-mail that is sent and received as company property. Be sure to consider that when drafting your acceptable use policy.

Unacceptable Use of Resources

Unacceptable use of resources could be practically anything, because different companies have different views of what is and is not acceptable. However, it is the opposite of acceptable use. This section of your information security policy details what is clearly not up for negotiation.

Define in this section of the policy the overview of what you will not accept (for example, racism, viewing or sending pornographic material, using company resources to run the employee's own business, and so on).

This section should tie back into the violations section of your policy.

Password Policy

Define the password standards, the length of time between password changes, who the employee may give his or her passwords to, and why. You might consider adding to this a process or policy to guide the employee on procedures to follow in the event of a compromised password.

Software Installation

Depending on the nature and size of your business, you may want to restrict any installation rights to your IT administrative staff. Write out the policy for installing software, such as “software may be requested through the change management process and will be installed by IT.”

Spell out the policy on software licensing. That is, if software is licensed commercially, the company should have proof of that license before installation occurs.

The goal of this part of the security policy is to prevent employees from attempting to install software they were given, downloaded, or brought in from another source. The installation of this software could open you up to legal or technical liabilities.

External Equipment/Installation

You should have a general policy to prevent the installation of external devices such as wireless routers or switches or any other unauthorized devices. The policy should prohibit any unauthorized installation of equipment to your network. The reasons are simple. It could cause a disruption to service, it could be a security risk, or it might very well be an intentional security vulnerability (such as a sniffer).

Internet Use Policy

Without a clearly defined policy, employees will not consider the Internet connection to be company property. You must define how firmly you want to control employee behavior in terms of Internet use.

Unless a legitimate business reason exists, you should include in your policy that browsing or surfing any sites that display or promote pornography is considered a violation of company policies that will result in immediate termination. This is one area you cannot waver on at all. That type of activity can lead to lawsuits and other legal trouble.

Additionally, your Internet use policy should extend to prohibit any site promoting hate, racism, and so on.

Remote Access Policy

Remote access is commonplace today with both open source and commercial applications. The remote access policy primarily defines acceptable use for remote access, the security standards expected for the remote machine, and the type of software to be used. In addition to these items, you'll want to cover any legal violations and provide a disclaimer for damages to the user's machine or loss of data. For example, is the employee responsible if a hacker breaks into your network through the user's remotely connected machine? Clearly, this is a tough question, but one that should addressed.

Lastly, in the remote access policy, consider including what the rule will be for access costs. Today, the typical means of remote access is through the employee's ISP. Define whether you will reimburse the employee for costs incurred for the IPS. Write this into your policy upfront so that there will be no questions later.

Acceptable E-Mail Use

E-mail can easily let in all kinds of attacks. The use of your company's e-mail system by and large should be rigidly defined. At a minimum, your policy should address the points shown in Table 11.1, and clearly spell out the company's position.

Table 11.1 E-Mail Policy Description

Policy Description
Defining employee responsibilities E-mail can reduce productivity. The employee policy should be to ensure that e-mail doesn't replace traditional communications and, thus, impact employee productivity. The employee is clearly responsible for anything sent from his or her e-mail address. The employee should never transmit any copyrighted material without permission. This can include music, videos, or e-books. The employee should not disable any virus protection systems for any reason. Lastly, you should define in your policy what non-public information is, when it should be allowed to be sent, and to whom.
Defining “spam” The policy should state what is considered “spam.” The policy should contain a statement to never create or send spam.
Defining a response to the receipt of spam You're likely running a spam filter that helps capture and slow the flood of spam. However, a possibility always exists of spam getting through. Spam is sent for mostly nefarious reasons, and the payload is often viruses, phishing scams, and other things that could hurt your IT systems. Your policy should define a procedure for dealing with spam that slips through your e-mail defenses.
Opening of spam Define the process the employee should follow if he or she inadvertently opens an e-mail that contains harmful contents. Occasionally, people will open a spam and, without proper safeguards, the contents could quickly spread evil through your network.
Chain e-mail The policy should instruct the employee to not forward or send chain e-mail letters (or equivalents). Without a doubt, this is not only annoying, but can be a drag on your resources. This should include jokes, humor, or any type of photos that may be deemed inappropriate.
Sending of malware Any intentional transmission of malware or viruses should be strictly forbidden in all circumstances.
Denial of service The policy should state that the employee should never engage in any activity that could cause a denial of service.
Phishing Your policy should contain rules against alteration of the e-mail headers for the purpose of deceiving the receiver. This is typically known as phishing.
Contents of mail The policy needs a clear statement prohibiting the sending of any hate, racist, sexually oriented, or pornographic images.
Illegal mail The policy must contain statements that define not sending e-mail that contains any illegal information (for example, copyright violations or disclosure of trade secrets), harassing messages, or threatening messages.
Encryption Some e-mail systems encrypt e-mail before sending. Some countries do not allow encryption. Be aware of this issue and address it in your policy if needed.

Define for your employees your company's position on the sending of political e-mails during an election season. By and large, a company resource such as e-mail should only be used for company purposes, and the transmission of political messaging is a recipe for trouble and wasting time.

The final point is to define the nature of ownership of your e-mail system and the e-mail passing through it. As part of this ownership policy, you should establish the right to review any and all e-mail that is sent through your e-mail system. (This part of the policy may require a review with your legal counsel.)

With respect to external clients, you want to cover the responsibilities for any e-mail sent to them through your website. This responsibility would be covered separately in your privacy policies.

Instant Messaging Policy

Instant messaging (IM) has become such a critical part of our society that countless applications are in use. IM is a wonderful resource to communicate with clients, co-workers, vendors, or others. The challenge with IM is that it represents a two-way street. It can allow in malware, or it can be used to transmit out company information.

You should standardize on a company-wide IM platform. Choose one that fits your needs and is fairly secure. Beyond that design, your policies should account for the following:

  • Scope of IM usage—Typically, for business reasons, you should define the acceptable purpose of IM, such as customer care, vendor communications, and so on.
  • Prohibited use—Define what the prohibited usages of IM are.
  • IM etiquette—People tend to get brave and dumb behind a keyboard. Be sure you cover rules such as not discussing confidential or sensitive company business or information. Further, be sure that employees are careful about not opening or accepting any attachments. Additionally, IM conversations should never be considered private. The possibilities of eavesdropping are too great. Be sure that employees never ask for anything such as credit card numbers or passwords over IM.
  • Compromised accounts—Define in your policy what actions should be taken if an employee believes (or you have reason to believe) an IM account has been compromised.
  • Fees—Determine how (or whether) you reimburse your staff for any commercial IM services.
  • Care and feeding of IM—Define who takes care of issues for IM users.
  • Monitoring of IM—If you need to monitor IM and capture the traffic, you may need to inform your users and employees.

Social Media Networks

The use of social networks today is as common as using the telephone. Most everyone has used or heard of Facebook, Twitter, and other social media networks.

The social media network is also a means for a hacker to gain vital information about you or your company. Define your policy regarding the use, posting, and distribution of company information on social networks.

The social media network should be considered as completely public (that is, 100 percent of the time). There are simply too many ways into a social media network, and, thus, too great of a chance that information can be released that should not be.

The next section provides a primer on increasing your awareness as it relates to information security. Most people are so inundated with information (such as advertising, news, interruptions, and life in general) that they tend to ignore their surroundings. The problem is compounded by a plethora of techniques employed by what are commonly known as social engineers.

Social Engineering

The idea behind social engineering is to manipulate how the human mind works, to the advantage of the attacker. A hacker may deploy many tools, but they tend to fall into some very observable categories. Table 11.2 shows a few tools in the social engineer's toolkit.

Table 11.2 Social Engineering Tools

Tool Description
Framing The framing technique is used to frame up a particular thought, such as “75 percent real fruit juice.” Okay, what's the other 25 percent? The idea of framing is to get your mind headed in a specific direction. That direction is likely not one you want to go in if it's a social engineer doing the talking.
Incentives Using incentives is a timeless technique. In fact, it's used quite legitimately on a regular basis. Think about “35 percent off” of that item you have to have. The incentive, of course, is less money for them and more money for you! At least, that's how it's presented. This incentive can also be social; for example the homeless guy who holds up the “will work for food” sign. The incentive is that you can absolve the feeling of guilt he may be creating in your mind by giving him some money. A social engineer can use incentives in relation to his or her desired attack. The attacker needs to know what incentive will work on you. It could be any number of things, such as money, social influence/pressure, or something that plays on your personal value set or ideals.
Reciprocity Although it can be tricky to use, reciprocity can work very well when a social engineer plays it right. The reciprocity ploy does take some time to set up because the target (that's you) must feel that you owe the perpetrator. An example might be where someone calls in and pretends to provide “help” to the target, such as, “This is Matt from the phone company. I proactively have reset your phone passwords. Can I get your current password to test?” The grateful target will want to pay back the perpetrator, and so comply with the request.
Scarcity or time-limited Much like the “35 percent off” example, the scarcity play is used by sales people as a social engineering technique all the time. A simple example is when sales person can get you that deal, but you must provide a signed purchase order today, because the sales person's boss is going to pull the offer. Although this is complete nonsense, the technique works so well that it's a standard one used in vendor/customer relationships. For the social engineer, the time-limited or scarcity problem comes into play in an “urgent” situation. The perpetrator places a call to the target to obtain the information. The perpetrator explains that she must have this report in tonight, or else she may lose her job (or other bad things will happen). She might say that she is unable to get into the server, into the site, or wherever. If you could help her, she would be most grateful.
Authoritarian play Clearly, authoritarian play refers to the normal behavior of submitting to authority. If your boss calls and is irate, and tells you to get something done now, chances are you'll jump on it. This is a very common ploy used by social engineers. They will pretend to be sent by the boss or, in some cases, they pull off the sham of making you think they are the boss. Your inner desire to stay out of trouble with the manager could motivate you to comply.
Getting to “yes” by commitment The “getting to ‘yes’ by commitment” tactic is a very sneaky one that you often see used in an infomercial. The concept is that if the perpetrator can get the target to say “yes” to something that is in line with that person's ideals, then the target is likely to say “yes” to another question that is in line with the initial commitment. The typical “Do you like to save money every time you shop?” is a ploy to get you to say “yes.”
For example, a social engineer will start with something small, building in the question-and-commitment scenario with the target. Typically, this is a public proposition that continues to escalate until the attacker has the target committing to what he or she wanted. The target's desire to save face will usually prevent him or her from backing off of the commitment. It's a powerful technique.
Liking or being liked Deep within all humans is a desire to be liked or wanted. In return, people tend to like other people. This means of information gathering is used in one or two ways. The first is when the social engineer is charming, which can be a powerful tactic to get the desired information. It could be used as a negative, in the sense of taking away approval. More often, though, the former and not the latter is the method used, especially in a seductive manner such as compliments paid. This will cause the target to linger, desiring more compliments. People like positive reinforcement—the proverbial “carrot-on-a-stick” method. The social engineer will flatter a target by playing to the person's emotions and feelings, lowering their defenses enough to get them to divulge information. This dirty trick works on people from many cultures and age groups.
Social proof or groupthink Another common tactic of marketers is social proof. The general thought is that if the crowd likes it, it can't be wrong! An example of this is a statement such as, “Nine out of ten dentists recommend brushing your teeth as a means to prevent cavities.” You might think, “Well, yes.” But you likely never stopped to think why that tenth dentist feels the opposite way. In the social engineering space, the attacker uses groupthink to get you thinking that the decision he wants you to make is wise and is supported by many people. Therefore, it must be right! Right? If the attacker can get you to buy into it because it goes along with popular wisdom, then you own the decision and will go along with it.

Social engineering is a well-known and well-used means to extract information. Train yourself and your employees to question unusual situations, and to remain vigilant in the workplace environment.

Having Situational Awareness

If you were in a combat situation, you would experience situational awareness, which means that you would be extremely aware of what's going on around you in any direction—what your fellow soldiers are doing, and possibly what the enemy is doing. The nature of combat demands that you keep a strong vigilance of your surroundings, but in everyday civilian life, people tend to lose focus and not be vigilant at all.

You and your employees should develop a sense of awareness regarding your office, your network, and the company perimeter in order to protect the company from hackers.

Situational awareness is important because people tend to leak information. A skilled social engineer can pick up your employees' lack of vigilance and get more information. For example, a good Samaritan may open a door for a stranger without question, or an overly helpful person may not challenge a person during a phone conversation who says he or she works for the president of the company. These are examples of where situational awareness would be handy to have.

Usually, if you pay attention to your surroundings, you are not surprised when things happen. You may see things build up to something. it, The buildup doesn't catch you off guard, and gives you an opportunity to prevent damage.

If a hacker desires to gather information or penetrate a building for the purpose of hacking a company's systems, then he or she can deploy a number of different social engineering techniques. These are actions taken for the specific purpose of fooling someone to gain something from him or her. In social engineering techniques such as a Ponzi scheme or a confidence-man ploy, which is a scheme where the con artist gains your confidence to deceive you, the idea is to get past your natural defenses to get something from you.

Additionally, a hacker wanting to enter a company's building needs to know as much as possible about the people, the way they dress, the cars they drive, the guards, security systems, trashcan locations, and more.

Using the information gathered online, over the phone, and from your employees combined with knowledge of your company's physical perimeters, the attacker can construct a false persona to use with social engineering techniques to gain the information he is seeking from your company.

Vulnerable Security Points

The following sections cover points of vulnerability that are general in nature, but could represent a threat to you.

Front Door

“Hold the door, please,” a well-dressed gentleman says with a briefcase in one hand and cardboard carrier with four large cups of steaming-hot coffee in the other. You smile and hold the door because he looks like he's late for an important meeting. You move on your way to your desk because you are late yourself and are glad you made it without too much fanfare. You don't give the guy a second thought.

Who was he? Did he have a badge? Do you know him? This situation has been played out many times through both penetration testing and real-life hacker exploits. It is a technique to play on your sympathy. If your company has a policy for badges and clear identification of who's coming in, then you should have challenged him and asked for identification.

Develop and cultivate an awareness of everyone who is entering and leaving your company premises. Who is following you into the building? Why are they there? Where are they going? What is their business? Do they have an appointment?

Asking these questions does not make you paranoid; it makes you aware and smart. People are often afraid to challenge someone because they fear that the person may be someone important who could take it the wrong way and make life difficult. However, if that person is an executive and you challenge him or her for identification, then you should be thanked. A vigilant employee can save the day.

Asking for an ID from someone is perfectly fine. If the person cannot produce it, then a polite escort to the guard for further assistance is usually all it takes. If the person is legit, the guard can track down the right party for him or her. If not, then the guard can follow whatever procedure is in place to take care of the intruder.

Following are some basic rules for awareness regarding door entrances:

  • Be aware of who follows you into a building, and encourage employees to do the same. Figure out whether you know the person or whether he or she looks familiar.
  • Notice whether someone following you into your building has a badge or not (if your company has badges), and ask the person to produce the badge or show an ID.
  • Know the procedure for escorting an unbadged or unfamiliar person to the guard. If the person is a visitor, you could politely ask him or her to go check in at the front desk.
  • If you are the boss, make sure you have a physical security policy in place, and ensure your employees know what the policy is.

Trash Receptacles

Another interesting area to be aware of in regard to security is when carrying out trash to a dumpster. Do you see someone always there about the same time emptying a can? Is someone parked nearby? Digging through the trash is a very powerful means of information gathering. Trash can yield passwords, customer lists, internal memos, e-mails, source code, sales figures, and more.

This type of information can make someone very knowledgeable about your company, sometimes so much so that he or she can easily pass for an employee. Consider establishing a policy to either shred all paper (cross-cut like confetti) or utilize an outside service to handle destruction of paper. In the area of electronic waste, there are a number of third-party services that will provide certified destruction. Hardware devices are prime targets for data loss.

Before sending out drives for destruction, use the free software product called Darik's Boot and Nuke (“DBAN”) from www.dban.org. This tool is designed to wipe out data on hard drives very thoroughly. Using this in combination with the physical destruction of the drive is a sure-fire guarantee that the data is not retrievable.

Cars

Remember the fictional wireless hacker from Chapter 10? He used his parking spot near the building to monitor the wireless transmissions from outside your building. The information he gathered enabled him to break into the wireless network.

The guy in the Chapter 10 was simply picking up “free” signals from his location. From a hacker's point of view, he's safe—he's not trying to physically gain access to the building.

If the hacker wanted to gain access to the building, he would want to get closer to observe the target. Strange cars that are continuously parked in your parking lot or that are constantly driving around and scoping out the building are cause for vigilance.

The hacker wants to gain information about the building, the people, security, cameras, telephones, deliveries, and more. If he is to successfully penetrate your building, he'll need a full scope of what he's facing.

Following are some types of information a stranger in a “parked car” might be after:

  • Where are the main and back entrances?
  • Where are the designated smoking areas?
  • Do the doors require badges for entrance?
  • When do guards patrol?
  • Does the area have frequent law enforcement patrols?
  • How many times a day or week does the company receive deliveries?
  • Are cameras mounted on the building, and are they stationary or do they move?
  • Are the cameras wireless? If so, they may be able to be hacked into, and would give the hacker the same view as the guards.
  • Is the loading dock door open? Is it guarded?
  • Are other businesses nearby? If so, can the perpetrator pretend to be looking for the business if he's caught?

This list merely scratches the surface of possible points of interest to an attacker, but you can probably imagine how the information he could gather can compromise your company's security, either physically or wirelessly.

Fire Exit or Smoke Break Area

Most buildings today in the United States are non-smoking. That means that smokers must go outside or to a designated smoking area. In many buildings, the fire exit is often a place for employees to smoke because it's easily accessible. Similar to the “hold the door please” scenario mentioned earlier, the smoking areas are a prime target for building penetration.

Imagine the scene where a person comes walking toward a smoking area, holding a pack of cigarettes. He's patting his pockets in a manner familiar to all smokers, looking for a lighter. A fellow smoker might quickly offer him a light. The bad guy may strike up some small talk with the new acquaintance and, being friendly, the other person would respond. After all, he's just taking a smoke break! If the bad guy has done his homework, he'll know quite a bit about the inner workings of the company—enough so that he could pass off himself as an employee of the company.

His purpose, of course, is to either follow you or someone else in. He may stay for one more quick smoke while you return to work. He might casually smoke another as he waits for someone else to come out who didn't know the bad guy had simply walked up. At this point, the bad guy merely taps out the smoke as the other person walks out, and then he walks in. Mission accomplished.

Employees

People are clearly the biggest threat to your network. In this case, “people” are defined as employees. A break-in often occurs via an employee either by accident or intentionally. One very well-known case of an employee doing something wrong is the alleged behavior of the soldier who delivered documents in the WikiLeaks scandal. According to the charges filed, he allegedly accessed the government networks and removed documents for delivery to an unauthorized person.

This scenario has been repeated at all levels millions of times. People inside your company are very likely your largest threat.

The author once had job in the defense industry that used a proprietary network in a building that routed communications to terminals (before PCs were everywhere) from the mainframe. This network was very sensitive to physical changes (that is, putting something on the network that was not supposed to be on it could cause it to fail).

The author received a trouble ticket stating that part of the robotic manufacturing network had failed. He traced it down to a terminal that had been attached that shouldn't have been. He found out a manager had taken it upon himself to add it and avoid the process of applying for installation.

Following the process to remove the terminal and letting the person know how to properly request access, the author continued about his business. A mere few hours later, the robots in manufacturing had lost their connection again. Returning again to the manager's location, the author found that the manager had decided to ignore the previous admonition and put the terminal back on. Removing it restored proper operations. After that, the recurring problem was handled directly with the manager at a more senior level in the organization.

In this example, when the manager attached the terminal, it broke the connection to the robots that delivered parts to the manufacturing line. This caused a stop in production, thus causing delays in delivery of the product to the customer. Hence, the network was fine, but the cause of the failure was the person who was deliberately installing equipment he should not have.

Your policy should clearly cover situations where employees decide to take things into their own hands. In the event of someone's adding equipment to the network, adding a wireless router, or plugging a home laptop into your network, you'll have to decide on the actions to take. Consider each scenario and lay out the proper procedures, accompanied by the consequences for not following procedure.

Blatant violations like information theft should be treated as a criminal act, and be dealt with by your policy. Other items such as innocently plugging in a notebook computer may just require a discussion about safety of the network, virus scanning standards, and so forth.

Rogue Devices

Numerous online sites sell hardware keyloggers that plug into a USB port. The purpose of these innocuous-looking devices is to capture, record, and send out electronically what was typed. These devices are basically a hardware equivalent of a Trojan horse. This type of technology has been used in various forms for many years across many types of computing platforms.

Take the time to periodically check desktops and keyboards for any devices plugged in that you don't recognize. Obviously, if you don't know what it is, you should investigate and remove it if it is unneeded.

Along those same lines, train employees to never insert a “found” USB key or other device into a workplace computer. Dropping a USB key containing malicious code in a place an employee can find it is a form of social engineering, as is simply asking an employee to insert it—a technique that works more often than you might think.

Phones

One of the more popular social engineering attacks (but by far not the only one) is the caller who phones in and pretends to be someone in need of assistance, such as for a forgotten password. This type of hacker attempt can run from a nice “please help me” kind of conversation all the way to a hostile or possibly threatening call.

Summary

This chapter covered two key operational areas for your business—the development of a solid information security policy, and increasing your situational awareness.

Policies are designed to guide your employees on the proper use of your information systems (such as server, websites, e-mail, browsers, instant messaging, and so forth). Policies should also cover the use and misuse of confidential information. You should establish a policy on the type of equipment that employees can install into your network, and how they can use remote access.

The second half of this chapter covered the dark side of information gathering through social engineering techniques. The idea you must adopt is to pay attention to what is going on around you. The techniques deployed are very simple to detect and defeat. However, without any awareness that they are occurring, you and your employees can often be tripped up by them.



Security Guide