-
social engineering
hi
Say a scenario like this. Staff A poses as the helpdesk and calls up Staff B. Staff A asks for Staff B's password to do some administration stuff. Thinking that Staff A is the helpdesk, Staff B gives the password to him. How can we prevent such things from happening? Security awareness is one way. How about preventing this from a technical perspective?
thanks
-
I'm sorry but I am not very tolerant about any one giving out passwords for any reason. Staff B should be fired or at the very least denied access to restricted (passworded) areas.
Your company SOPs should have policy laid out so that giving a password to anyone on the phone would be a firing offense. If Staff A was legitimate they would either already know the password, or have a more secure venue of getting it.
There is not any good technical fix for user stupidity.
-
Training is going to be the best answer for this. There are some technical controls that may help but the human is the weakest link in any network. Social Engineering is the most effective type of attack out there because people have weaknesses, kindness, greed and stupidity are a few of them.
One way we could prevent the problem would be to implement some controls that require several passwords. One-time passwords may also be effective to a degree.
-
There is no technical means to prevent this. I know my password. I can speak, too. So unless my computer is equipped with a psychic communications array to hear my thoughts with, and a flyswatter to slap me upside the head with before I give out my password, it can't stop me.
You can limit the impact by enforcing password changes regularly, watching for multiple logins, and limiting physically where passwords can be used.
Another possibility is the use of smart cards, of which employees are issued only one. I have also seen keyfobs with a serial number that changes every 30 seconds or so, which is linked to a password database. That serial number is the user's password for those 30 seconds. But neither will prevent employees from lending them. The only other solution would be the use of biometrics.
But a technological measure against password sluts would be as impossible as a car that won't let stupid drivers inside it.
-
The device that's being accessed needs the finger print from Staff B ;)
Edit: sorry, just saw Striek's part about biometrics.
-
Have all your workers read The Art of Deception by Kevin Mitnick.
-
kruptos has the answer 'training'.
Staff need to be made aware of the value of their username/passwords and also made aware of the consequences if they hand them out.
If your company doesn't have a password policy, and if you do, hasn't made an effort to make staff understand the password policy, then you probably won't be able to discipline the staff, never mind sack them.
This sort of thing has to be started from the top with policy driven by senior management.
-
My answer would be to have the help desk verify that they are who they say they are and/or not give him the time of day if he doesn't show up on Caller ID. Generally you call the help desk, they don't call you!
-
thanks for all your input.
The main concern on my part is how, in the scenario mentioned, Staff B is going to identify that the helpdesk is who they say they are.
So firstly, the helpdesk should not ask for passwords from users at all. This is enforced by policy.
Secondly, users should just say no, no and no when asked for a password (enforced by policy).
Lastly, as an identifying mechanism, use caller ID...
thanks
-
You could have a system where no member of staff is allowed to tell anybody their password (as you currently do) and your help desk call around during quiet times and attempt to obtain a password from users. Those who hand over a password could then be sent on a training course to show them the error of their ways. If the staff know about this process then they will be very suspicious of anybody who asks for their password.