Table of Contents

Introduction

Best Practices for Internal Office Affairs

Avoid Negligence

Prevent Disgruntled Employee Attacks

Increase User Awareness

Use Adequate Physical Security

Penalize Security Policy Violations

Best Practices for Avoiding Social Engineering

Never disclose passwords

Limit IT Information Disclosed

Limit Information in Auto-Reply Emails

Escort Guests in Sensitive Areas

Talk to employees about security

Centralize Reporting

Introduction

This document introduces a number of best practices for the user domain. By following these recommendations, a corporation will increase user awareness and the effectiveness of its security controls. While the document includes strategies that benefit all companies, these recommendations must be adapted to fit an individual work environment.

Best Practices for Internal Office Affairs

Avoid Negligence

Common causes of negligence in the user domain are negligent hiring, retention, supervision, and training. First, employees should only be hired after a rigorous interview and placement process; lax hiring procedures result in substandard employees and increased problems in the user domain. Retention must also be emphasized by management and HR departments, ensuring that employees remain valued assets to the company for the duration of their employment. Supervision may be enforced by implementing proper oversight techniques such as video monitoring and regular performance reviews. Finally, security awareness training must occur periodically, so that all employees are aware of current threats to corporate security and of the proper response to each threat.

Prevent Disgruntled Employee Attacks

An insider attack typically passes through several stages, and each stage produces warning signs: reconnaissance, exploitation, keeping access, and covering tracks. The company must have a plan to anticipate and respond to incidents at each of these stages. Reconnaissance occurs when an employee attempts to gather information about the corporation's security weaknesses. This often involves attempts to access information that the user is not authorized to have; the employee may also scan the network to identify weak points that could be used as targets in an attack. After a target has been identified, the disgruntled employee will likely exploit the system at that point, and then install malicious software or a backdoor account in order to keep access to the system after he or she no longer has legitimate permission to do so. He or she will then cover any tracks, for example by clearing audit logs, in order to avoid legal consequences. Employee attacks are a serious threat to an organization because employees already operate inside the perimeter firewalls and other security measures that deter outside threats. For this reason, a corporation must be aware of the warning signs of an attack, formulate a plan to prevent employee attacks, and respond accordingly to an incident if necessary. Employee attacks may also be prevented by providing current workers with opportunities to share their opinions about the work environment, allowing them to constructively criticize the corporation instead of becoming frustrated and acting out in anger.
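The warning signs listed above can be checked mechanically. The following is an added example, not part of the original document: it runs simple detection rules over constructed log lines for each stage (a burst of denied accesses or a network scan for reconnaissance, a login by a terminated account for keeping access, and an audit-log clearing event for covering tracks). The line format, event names, thresholds and the HR termination list are all assumptions chosen for illustration.

```python
"""Insider-attack warning-sign detection over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune per environment.
DENIED_THRESHOLD = 5                   # denied accesses by one user...
DENIED_WINDOW = timedelta(minutes=10)  # ...within this window
SCAN_THRESHOLD = 10                    # distinct dst:port pairs from one source...
SCAN_WINDOW = timedelta(minutes=1)     # ...within this window

# Constructed HR data: accounts whose access should have ended at this time.
TERMINATED = {"jdoe": datetime(2013, 3, 21, 17, 0)}

# Constructed sample logs: "<ISO8601 ts> <host> <EVENT> key=value ...".
SAMPLE_LOGS = [
    "2013-03-20T09:01:00 fileserver ACCESS_DENIED user=jdoe path=/finance/payroll.xlsx",
    "2013-03-20T09:01:30 fileserver ACCESS_DENIED user=jdoe path=/hr/terminations.docx",
    "2013-03-20T09:02:10 fileserver ACCESS_DENIED user=jdoe path=/exec/board_minutes.pdf",
    "2013-03-20T09:02:45 fileserver ACCESS_DENIED user=jdoe path=/it/network_diagram.vsd",
    "2013-03-20T09:03:00 fileserver ACCESS_DENIED user=jdoe path=/it/passwords.txt",
    "2013-03-20T09:03:30 fileserver ACCESS_DENIED user=jdoe path=/it/firewall_config.txt",
    "2013-03-20T09:05:00 fileserver ACCESS_DENIED user=asmith path=/hr/holiday.docx",
    "2013-03-20T15:05:00 fileserver ACCESS_DENIED user=asmith path=/hr/holiday.docx",
    "2013-03-20T10:30:00 firewall CONNECT src=10.1.5.40 dst=10.1.0.1 dport=443",
    "2013-03-20T10:30:05 firewall CONNECT src=10.1.5.40 dst=10.1.0.2 dport=443",
    "2013-03-21T08:00:00 dc01 LOGIN_SUCCESS user=asmith",
    "2013-03-21T18:00:00 dc01 LOGIN_SUCCESS user=jdoe",       # after termination
    "2013-03-21T18:30:00 dc01 AUDIT_LOG_CLEARED user=jdoe",
] + [
    # Twelve distinct dst:port pairs from one source within twelve seconds (a scan).
    f"2013-03-20T10:00:{s:02d} firewall CONNECT src=10.1.5.23 dst=10.1.0.{h} dport={p}"
    for s, (h, p) in enumerate([(1, 22), (1, 80), (1, 443), (2, 22), (2, 445), (3, 22),
                                (3, 3389), (4, 22), (5, 22), (6, 22), (7, 22), (8, 22)])
]


def parse(line):
    """Split one log line into (timestamp, host, event, fields)."""
    ts, host, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), host, event, fields


def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one sliding `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def detect(lines):
    """Return sorted (stage, subject) findings for the warning signs described above."""
    denied = defaultdict(list)   # user -> [timestamps of denied accesses]
    conns = defaultdict(list)    # src -> [(timestamp, "dst:port")]
    findings = set()
    for line in lines:
        ts, _host, event, f = parse(line)
        if event == "ACCESS_DENIED":
            denied[f["user"]].append(ts)
        elif event == "CONNECT":
            conns[f["src"]].append((ts, f"{f['dst']}:{f['dport']}"))
        elif event == "LOGIN_SUCCESS":
            # Keeping access: a successful login after the account should have been closed.
            end = TERMINATED.get(f["user"])
            if end is not None and ts > end:
                findings.add(("keeping access", f["user"]))
        elif event == "AUDIT_LOG_CLEARED":
            findings.add(("covering tracks", f["user"]))
    # Reconnaissance: many denied accesses by one user in a short window.
    for user, times in denied.items():
        if _burst(times, DENIED_THRESHOLD, DENIED_WINDOW):
            findings.add(("reconnaissance: unauthorized access attempts", user))
    # Reconnaissance: one source reaching many distinct dst:port pairs in a short window.
    for src, events in conns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                findings.add(("reconnaissance: network scan", src))
                break
    return sorted(findings)


if __name__ == "__main__":
    for stage, subject in detect(SAMPLE_LOGS):
        print(f"{stage}: {subject}")
```

Each rule on its own is noisy (a mistyped path or a vulnerability scanner will trip them), which is why the output is a list of findings to be correlated by an analyst rather than an automatic verdict; in practice the terminated-account list would come from the HR system and the thresholds from a baseline of normal activity.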

Increase User Awareness

One of the main tenets of proper user behavior is education and awareness. Users are more apt to disobey policies if they are ignorant of or apathetic towards them. A corporation can increase its security by providing security awareness training programs that teach proper practices for the user domain and proper responses to incidents that may occur. Different levels of security awareness are appropriate for different positions within a company. These levels are awareness, training, education, and certification. Awareness of security policies and proper incident response techniques is necessary for any employee that has network access. Training is appropriate for users that access the network on a regular basis, especially if those activities include access to important company assets. Further education is necessary for employees that will work with the corporate security system, including certification tests to verify a user's ability to design or administer a security system.

Use Adequate Physical Security

Assets must be secured with multiple layers of protection: deterrence, access control, detection, identification, and human response. Deterrence includes security measures that may not necessarily prevent incidents from occurring, but that discourage potential attackers by increasing the difficulty of a successful attack. This is similar to a "No Trespassing" sign, which does not actually prevent trespassing, but may deter people from entering another's private property. In addition to deterrence measures, access control techniques such as ACLs must be implemented. When these two measures do not successfully prevent an attack, detection techniques allow a corporation to determine that a breach of security has occurred. Further tools such as an IDS or IDPS allow a company to identify the specific incident, including details about the attacker's system and how he or she gained access to the network. Finally, human response is necessary after details have been acquired. This may include shutting down affected segments of the network, or reconfiguring firewalls to prevent the attack from occurring again. A number of other tips are also helpful in securing information. All sensitive information must be adequately protected, including portable devices that have access to the network. Extra copies of sensitive information should not be made, and any copies that exist must be destroyed properly so that the data cannot be recovered. All doors within the corporate premises should be locked, and closed-circuit security camera recording may be useful in identifying physical intruders. The recordings from these devices must be retained, so that an incident response team can determine whether an intruder was in the building at the time of a security breach.

Penalize Security Policy Violations

Employees are less likely to follow security policies if there is no penalty for policy infringement. Though negative consequences are never desired, these consequences must be established and publicized so that users are aware of possible punishments for poor behavior. These consequences should differ depending on each infringement that is anticipated by the IT department. All violations must also be reported by employees, so it may be proper to include a consequence for a user that has knowledge of a policy infringement without reporting it to the proper point of contact. Infringements that are ignored could result in dire consequences for the corporation, so all policies must be publicized and enforced on a regular basis.

Best Practices for Avoiding Social Engineering

Never disclose passwords

Many social engineering attacks request a password that does not belong to the attacker. This attack succeeds only when an employee chooses to disclose the password. If the corporation allows users to disclose passwords under certain circumstances, then an attacker can exploit this and manipulate employees into sharing their password with an unauthorized party. The simple solution is to never share passwords under any circumstances, because it removes the judgment call associated with sharing a password and protects the network from this type of social engineering attack. Legitimate IT staff never need a user's password, since an administrator can reset it; any request for one is therefore suspicious by definition.

Limit IT Information Disclosed

Only certain employees require knowledge of the corporate security system. The details of this system and its configuration should only be discussed by authorized IT professionals within the company, in order to avoid a third party gaining access to this information. One social engineering technique is to call a corporation with a fake survey asking for details about the configuration. These survey questions should not be answered, because the attacker could then pose as a repairman offering to upgrade the system and gain access to corporate assets. If the company is ever confronted with a call or visit from someone claiming to be a vendor or maintenance worker, this must be confirmed by calling the vendor back on a number obtained independently (for example, from the existing contract), never on a number supplied by the caller. Limiting the IT information that is disclosed to third parties and verifying the legitimacy of anyone who accesses the network will increase the security of the system against social engineering attacks.

Limit Information in Auto-Reply Emails

Details in out-of-office reply emails must be kept to a minimum. Social engineers could potentially use this information to formulate a targeted attack against an employee who is unavailable for an extended period of time. Instead of displaying information on the duration of an employee’s absence or providing direct contact information for another employee, automatic email replies should simply route all questions to a receptionist. The receptionist must be trained to only divulge a minimum amount of information to all inquiries, in order to prevent a social engineer from gathering intelligence on the system and possibly identifying vulnerabilities.

Escort Guests in Sensitive Areas

All visitors to the premises must be monitored in order to prevent social engineers from gaining confidential information. All areas with network access must be carefully guarded, including empty offices, waiting rooms, conference rooms, and others. This preventative measure ensures that social engineers are not free to roam the premises unattended, planting surveillance equipment or accessing corporate resources. If an employee sees someone in the facilities that he or she does not know, the employee should introduce himself or herself to that person, asking why the individual is there and whether he or she needs help with anything. If employees are not confident enough to introduce themselves to new people and ask questions, then a social engineer will have little difficulty infiltrating the physical premises and gaining network access. Also, all employees should display appropriate badges at all times, deterring a social engineer from attempting to roam the facilities unattended.

Talk to employees about security

This instruction complements the employee awareness practice from the previous section. Employees should be made aware of common social engineering techniques so that they are always on guard against potential attackers. Discussion of proper security measures should be common in the work environment, so that employees think about social engineering more often than just during formal training programs. Everyone with network access must always watch what they say and do in order for all of these preventative measures to be effective.

Centralize Reporting

Each company should designate an individual or group to be in charge of compiling all reports of suspicious behavior. Social engineers will use many points of contact within a company in order to gather small pieces of information. If every request for information is reported to a centralized location, the security personnel for a network can identify patterns of social engineering and prevent these attacks from succeeding.
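Once reports arrive in one place, the pattern the paragraph describes (one outside contact collecting small pieces of information from several departments) can be found by correlation. The following is an added example, not part of the original document: it groups constructed reports of suspicious requests by the contact identifier (phone number or email address) and flags any identifier that reached three or more distinct departments within seven days. The report fields, the identifiers and the threshold are assumptions chosen for illustration.

```python
"""Correlating centrally reported suspicious contacts (added example)."""
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=7)   # assumed correlation window
MIN_DEPARTMENTS = 3          # assumed threshold of distinct departments contacted

# Constructed reports: (date, contact identifier, department that took the
# call, what was asked). None of these are real contacts.
REPORTS = [
    (date(2013, 3, 18), "+1-555-0100", "reception", "name of the IT manager"),
    (date(2013, 3, 19), "+1-555-0100", "helpdesk", "which VPN client is in use"),
    (date(2013, 3, 21), "+1-555-0100", "accounting", "when the next audit is"),
    (date(2013, 3, 19), "survey@example.invalid", "helpdesk", "antivirus vendor"),
    (date(2013, 3, 20), "survey@example.invalid", "helpdesk", "firewall vendor"),
    (date(2013, 3, 1), "+1-555-0199", "helpdesk", "remote access procedure"),
    (date(2013, 3, 20), "+1-555-0199", "reception", "who is on vacation"),
    (date(2013, 3, 22), "+1-555-0199", "accounting", "invoice approver"),
]


def correlate(reports, window=WINDOW, min_departments=MIN_DEPARTMENTS):
    """Map each flagged contact identifier to the sorted departments it reached.

    A contact is flagged when at least `min_departments` distinct departments
    report it within any `window`-long span starting at one of its reports.
    """
    by_contact = defaultdict(list)
    for day, contact, dept, ask in reports:
        by_contact[contact].append((day, dept, ask))
    flagged = {}
    for contact, items in by_contact.items():
        items.sort()
        for day0, _, _ in items:
            depts = {dept for day, dept, _ in items if day0 <= day <= day0 + window}
            if len(depts) >= min_departments:
                flagged[contact] = sorted(depts)
                break
    return flagged


if __name__ == "__main__":
    for contact, depts in correlate(REPORTS).items():
        print(f"{contact}: contacted {', '.join(depts)} within {WINDOW.days} days")
```

The second and third identifiers illustrate why the rule is written this way: the survey address asked two different questions but only ever reached the helpdesk, and the last number did reach three departments but spread the calls over three weeks, so neither is flagged at this threshold. A determined social engineer can also rotate numbers, so the same reports are worth grouping by the information requested as well as by who asked.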
