Company_Security_Recommendations

2013-11-13 Source: Category: More sample essays

Company Security Recommendations

The following security recommendations list prescriptive measures that should be implemented to prevent future intrusions and security breaches carried out through social engineering techniques.

1. Establish Security Policies - Social engineering attacks have two different aspects: the physical aspect, or the location of the attack (in the workplace, over the phone, dumpster diving, online), and the psychological aspect, which refers to the manner in which the attack is carried out (persuasion, impersonation, ingratiation, conformity, and friendliness). Combat strategies therefore require action on both the physical and psychological levels. Employee training is essential. The mistake many corporations make is to plan only for attack on the physical side, which leaves them wide open from the social-psychological angle. So, to begin, management must understand the importance of developing and implementing well-rounded security policies and procedures. Employees must be well trained in order to follow the policies and make them work. Management should be willing to reprimand and/or punish employees who regularly break security policies.

2. Suspicious Emails - Instruct all users never to answer or reply to a suspicious-looking email. These can include emails from unknown sources that request bank account information for whatever reason, or claims of phony lottery prizes or free merchandise given away by clicking on URL links. If you cannot verify the identity of the sender and the topic is not something relating to you, it is recommended that those emails be deleted to prevent malicious code from being downloaded to the computer.

3. Preventing Dumpster Diving - Dumpster diving is a social engineering technique that consists of looking through the intended victim's trash in order to find important personal information such as bank account and credit card numbers, social security numbers, dates of birth, or any other information that can be used for identity theft. In the corporate environment, company invoices, bank or credit card information, or simply the names and addresses of corporate personnel can be used by social engineers to gain access to other company information. Important information should not be left lying around or in the trash. All garbage with sensitive information should be shredded. Company street dumpsters should be locked or kept in areas that can be observed by security personnel.

4. In-Person Persuasion - Verification is the key issue here. Social engineers who act in person will try to look like someone who should be there. These individuals will often disguise themselves as repair technicians, consultants, or company personnel such as janitors. Always ask someone who looks suspicious for credentials, such as ID, and verify this information with someone who knows whether they should be there, such as security personnel or the receptionist.

5. Prevent Unauthorized Physical Access - Access to all company restricted areas should be properly secured by security personnel or devices. Anyone who enters the building should have his/her ID checked and verified. No exceptions. Some documents will need to be physically locked in file drawers or other safe storage sites, and keys should not be left out in obvious places. Access to areas within the building that contain computers should be properly restricted, and all machines on the network (including remote systems) need to be well protected by properly implemented passwords.

6. Identity Verification - Always verify the identity of the person who is making contact with you, whether over the phone, in person, or on the web, as well as the information they are requesting. Instruct all company personnel that personal information such as social security numbers and license numbers, or financial information such as credit card numbers, should never be given out over the phone or by email. Beware of intruders requesting urgent information such as passwords because of fictitious emergency situations.

Here is a table with the most common types of social engineering threats and recommendations on how to prevent them.

| Area of Risk | Hacker Tactic | Combat Strategy |
|---|---|---|
| Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone |
| Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present |
| Office | Shoulder surfing eavesdropping | Don't type in passwords with anyone else present (or if you must, do it quickly!) |
| Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support |
| Office | Wandering through halls looking for open offices | Require all guests to be escorted |
| Mail room | Insertion of forged memos | Lock & monitor mail room |
| Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment |
| Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers |
| Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media |
| Intranet-Internet | Creation & insertion of mock software on intranet or internet to sniff passwords | Continual awareness of system and network changes, training on password use |
| Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked |
| General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs |