Notes from The Art of Deception, Mitnick and Simon
Notes from The Art of Deception, Mitnick and Simon
Available here for some reason…
Part 1: Behind the Scenes.
Chapter 1: Security’s Weakest Link.Part 2: The Art of the Attacker.
Chapter 2: When Innocuous Information Isn’t.
Chapter 3: The Direct Attack: Just Asking for It.
Chapter 4: Building Trust.
Chapter 5: “Let Me Help You”.
Chapter 6: “Can You Help Me?”
Chapter 7: Phony Sites and Dangerous Attachments.
Chapter 8: Using Sympathy, Guilt, and Intimidation.
Chapter 9: The Reverse Sting.
Part 3: Intruder Alert.
Chapter 10: Entering the Premises.
Chapter 11: Combining Technology and Social Engineering.
Chapter 12: Attacks on the Entry-Level Employee.
Chapter 13: Clever Cons.
Chapter 14: Industrial Espionage.
Part 4: Raising the Bar.
Chapter 15: Information Security Awareness and Training.
Chapter 16: Recommended Corporate Information Security Policies.
Security at a Glance.
P27 “Two or three pieces of information might be all it takes to mount an effective impersonation….an employee’s name… phone number… manager’s name and phone number. “ The innocuous information you give might be used to gain information further up the ladder.
P35 Security training with respect to company policy designed to protect information assets needs to be for everyone in the company, not just any employee who has electronic or physical access to the company’s IT assets.
P72 List of default passwords for operating systems, routers, etc. http://www.phenoelit.de/dpl/dpl.html
P73 Security is not one-size-fits-all…. There should be a base level of training that everyone in the company is required to complete, and then people must also be trained according to their job profile to adhere to certain procedures….People who work with sensitive information or are placed in positions of trust should be given additional specialized training…. Never cooperate with a stranger who asks you to look up information, enter unfamiliar commands into a computer, make changes to software settings… open an email attachment, or download unchecked software. This is part of information literacy: security literacy. Everyone needs a base level, at the least to avoid identity theft.
P102 Everyone who uses the internet should know about the little symbol that often appears somewhere on a web page and looks like the drawing of a padlock…when closed , the site has been certified as secure; when open the website is not authenticated as genuine and any information transmitted is in the clear – that is, unencrypted. [This is another example of information literacy]
P112 People must be trained that it’s not only acceptable but expected to challenge authority when security is at stake. Information training should include teaching people how to challenge authority in customer-friendly ways, without damaging relationships….this expectation must be supported from the top down, by management.
P115 http://policy.ssa.gov/poms.nsf data an SSA clerk is allowed to give law enforcement personnel.
P119 security-related website www.ntsecurity.nu
P128 Techniques to establish authentication:
- Establish the need to know
- Keep a personal or departmental log of these transactions
- Maintain a list of people who have been trained in the procedures and who are trusted to authorize sending out sensitive information. Require that only these people be allowed to send information to anyone outside the workgroup
- If a request for the data is made in writing (email, fax, mail) take additional security steps to verify that the request actually came form the person it appears to have come from.
P129 Security training needs to cover the topic of passwords…so that employees grasp possible security compromises. You can tell a child “look both ways before you cross the street,” but until a child understands why that’s important you’re replying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten.
P131 Training tips, security reminders, short blurbs in the company newsletter with a new security reminder in short attention-catching way…
P140 …when you steal money or goods, somebody will notice it’s gone. When you steal information, most of the time no one will notice because the information is still in their possession.
P186 Enumeration tools http://ntsleuth.0catch.com
P213 Caller ID can be spoofed and cannot be trusted for verification of identity
P223 …develop a security policy based on corporate culture and business needs…. Employees will circumvent any security measures that appear to be a waste of time. Motivating employees to make security part of their everyday responsibilities through education and awareness is key.
P246 Six basic tendencies of human nature that are involved in an attempt to obtain compliance to a request:
- Authority – request (apparently) comes from a person in authority
- Likeability – the request comes from a likeable person or with similar interests beliefs, and attitudes
- Reciprocity – compliance with promise of a return favor
- Consistency – compliance after making a public commitment or endorsement for a cause
- Social validation – actions of others (apparently) validate the action in question
- Scarcity – compliance when an object sought is (apparently) in short supply or in competition
P249 ‘Creating training and awareness programs’ a walkthrough of a training curriculum including goals, structure, contents, testing, ongoing awareness
P259 Chapter 16 ‘Recommended Corporate Information Security Policies’ defines a ‘security policy,’ steps to develop one.
P262 A data classification policy is fundamental to protecting an organization’s information assets….Management must assign an Information Owner to be responsible for any information that is currently in use in the company.
P264 Classification categories and definitions….”the more complex the classification scheme, the more expense to the organization in training employees and enforcing the system.”
- Confidential. The most sensitive. Only for use within the organization. Share with a very limited number of people with an absolute need to know….its accidental disclosure could seriously impact the company….Trade secrets, marketing and financial information not available to the public, vital to the operation of the company such as future business strategies.
- Private. Covers information of a personal nature intended only for use within the company….could seriously impact employees, or the company….medical history, bank accounts, salary history, personal identifying information not of public record.
- Internal. Information freely provided to any persons employed by the organization. Disclosure not expected to cause serious harm to the company or employees. Requires a signed confidentiality agreement before disclosing to third parties. Daily business information that should not be released to outsiders like corporate organizational charts, network dial-up numbers, internal system names, remote access procedures.
- Public. Information specifically designated for release to the public such as press releases, product brochures
Any information not specifically designated as Public should be treated as Sensitive information (confidential, private, or internal).
Other policies and procedures discussed in this chapter:
- Verification and authorization policies
- Management policies – data classification, information disclosure
- Information technology policies – help desk, computer administration, operations, access
- Policies for all employees – reporting suspicious behavior, computer use, email use, telecommuters, phone, fax, voice mail, passwords
- Policies for telecommuters – outside-the-firewall issues
- Policies for Human Resources – protect employees’ personal information
- Policies for Physical security – ID of non-employees and visitors, escorting, badges
- Policies for receptionists – internal directory, relaying information, items left for pickup
- Policies for the incident reporting group – designated responses
The last part of the book includes cheat sheets for ‘security at a glance’ with definitions and summary lists, as well as flowcharts for ‘responding to a request for information,’ and ‘responding to a request for action.’
Until these last few chapters the book was primarily a wake up call. A bunch of examples where clever people ended up getting information they shouldn’t have access to. But the last few chapters give you some real-world, pragmatic, practical ways to address the issues. Or at least a bunch of lists.
Entry filed under: information literacy.