Page 1479 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

“chatting up” computer users, office gossips, and administrative personnel. This information can provide excellent ammunition when mounting a password-guessing attack. Furthermore, attackers can sometimes obtain sensitive network topography or configuration data that is useful when planning other types of electronic attacks against an organization.

Dumpster diving is a variant of social engineering where the attacker literally rummages through the trash of the target company, searching for sensitive information. This technique is easily defeated by shredding papers and wiping electronic media, but dumpster divers are still surprisingly successful with their efforts.


Countermeasures

The cornerstone of any security program is education. Security personnel should continually remind users of the importance of choosing a secure password and keeping it secret. Users should receive training when they first enter an organization, and they should receive periodic refresher training, even if it’s just an email from the administrator reminding them of the threats.

Provide users with the knowledge they need to create secure passwords. Tell them about the techniques attackers use when guessing passwords, and give them advice on how to create a strong password. One of the most effective techniques is to use a very long phrase, such as “My son Richard likes to eat four pies” instead of a short password. If the system does not allow the use of long passphrases, consider using a mnemonic device such as creating a password out of the first letter of each word of a long phrase. For example, “My son Richard likes to eat four pies” would become MsRlte4p—an extremely strong password. You may also wish to consider providing users with a secure tool that allows for the storage of these strong passwords. Password Safe and LastPass are two commonly used examples. These tools allow users to create unique, strong passwords for each service they use without the burden of memorizing them all.
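The mnemonic rule described above (first letter of each word, with a number word such as “four” written as its digit) and a simple policy check of the result, as an added Python example that is not from the study guide. The number-word mapping, the complexity rules, and the rough search-space estimate are assumptions made for illustration; the estimate treats every character as uniformly random, which real phrases are not, so it only shows why length matters more than character variety.

```python
import math
import re

# Number words that the mnemonic turns into digits, generalising the
# book's "four" -> "4" example. Assumed mapping, not from the book.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def mnemonic_password(phrase: str) -> str:
    """Build a password from the first letter of each word of a phrase.

    Case is preserved, so proper nouns contribute uppercase letters,
    and number words become digits ("four" -> "4").
    """
    letters = []
    for word in re.findall(r"[A-Za-z0-9']+", phrase):
        key = word.lower().strip("'")
        letters.append(NUMBER_WORDS.get(key, word[0]))
    return "".join(letters)


def basic_policy_checks(password: str, min_length: int = 8) -> dict:
    """Check a password against a simple complexity policy (assumed rules).

    Returns one flag per rule so training material can show a user
    exactly which requirement a candidate password misses.
    """
    return {
        "length": len(password) >= min_length,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
    }


def charset_size(password: str) -> int:
    """Size of the character set an attacker would have to search,
    inferred from the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(not c.isalnum() and c != " " for c in password):
        size += 32  # rough count of printable ASCII punctuation
    return size


def naive_bits(password: str) -> float:
    """Rough brute-force search space in bits: length * log2(charset).

    Assumes uniformly random characters, so it overstates the strength
    of a natural-language phrase; it is only a length-vs-variety comparison.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


if __name__ == "__main__":
    phrase = "My son Richard likes to eat four pies"
    pw = mnemonic_password(phrase)
    print("passphrase:", phrase, f"({naive_bits(phrase):.0f} bits naive)")
    print("mnemonic:  ", pw, f"({naive_bits(pw):.0f} bits naive)")
    print("policy:    ", basic_policy_checks(pw))
```

Run as a script it derives MsRlte4p from the book's phrase, reports which policy rules it satisfies, and shows that the full passphrase has a far larger naive search space than the eight-character mnemonic, which is the reason the text prefers long phrases wherever the system accepts them.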