LINUX SECURITY --- February 20, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________
HIGHLIGHTS
* Securing your company against onsite visitors.
________________________________________________________________________________
Social Engineering -- Revisited
By Rick Johnson
A while back, we discussed Social Engineering. In terms of security,
it is the ability to compromise data by exploiting human nature. Such
exploits included various tactics, such as dumpster diving and irate
calls to the help desk, as ways of uncovering passwords. Now, let's
get into more creative methodologies.
Currently, obtaining inside information by engaging the sales or public
relations department has become the most popular method. How could
these people possibly cause a problem? Try this scenario:
I (playing the role of the bad guy) contact your sales department
regarding a major purchase of your services. Of course, I have all
sorts of questions about the company before making a purchase. Most
sales people happily answer any questions, especially for a large
enough sale. Inevitably, my questions start focusing on security, as my
firm is "concerned" about the safety of our information. They gladly
tell me about the safeguards in place to alleviate my fears. Once I
have enough preliminary data gathered, I ask the salesperson for a tour
of the company. This is key for this type of attack to be successful.
As they busily dazzle me with smoke and mirrors, no one notices me
checking out the place. As I walk through the front door, they whisk me
into the inner reaches of the company. You can normally stroll right
past workers and glance at their screens and desks. If you are lucky,
then someone leaves important documents on a printer. Just imagine
what could be out in the open. If you have not been given enough time
to snoop, ask to go to the restroom. Who would follow you there?
Granted, it might not be this easy, but then again, it might be even
easier. To prevent such a blatant attack, educate your sales
department on what information is permissible to discuss and what violates
policy. Most importantly, create procedures for dealing with onsite
visitors. These should include the following:
* Define what areas are restricted to visitors;
* Notify key personnel of a scheduled (or unscheduled) visit;
* Assign visitors an escort to stay by their side at all times
(even waiting outside the bathroom);
* Have the security staff walk through open areas before the
visitor arrives to ensure nothing of value is vulnerable.
Take some time to look over your facility; you may notice something
before the wrong person does.
About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________
ADDITIONAL RESOURCES
Human error: the source of most security problems
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2199/NWW003798
Tapping on the Walls
http://www.unixinsider.com/jsw/linsec_nl/swol-11-2000/swol-1117-buildingblocks.html
The sky is not falling
Panic over vulnerabilities may make security experts skeptical of real
emergencies
http://www.unixinsider.com/jsw/linsec_nl/swol-02-2001/swol-0216-unixsecurity-dv.html
Like lojack for your laptop
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Comp/1290/ITW1856/
________________________________________________________________________________