Four Options for Handling Non-Compliant NAC Devices
Management is on board with your decision to roll out NAC, and your team is working diligently on a migration strategy. You have your organization's policies clearly defined. You're ready to create a set of recommendations for handling non-compliant devices and take them to management. Where do you start?
While each organization's handling of non-compliant devices can vary widely, there are a few good guidelines and best practices to get you started. First of all, we have to consider the allowed tradeoffs between security, ease of management and productivity. There are some organizations, primarily government and high-risk corporate groups, which have zero allowance for tradeoffs that compromise security at any level. Others, such as many commerce-driven companies, have a minimal tolerance for any downtime that directly affects revenue.
We could revisit the ubiquitous C.I.A. triad of confidentiality, integrity and availability. Our security systems are a delicate balance of the beloved security triangle. I'm obligated to read and write enough CISSP materials as it is, so I'll just leave you with the triad to keep in the back of your mind.
Options for Unruly Users
What can we do to our unruly users and malware-ridden demonic devices? You'll usually see one of these four solutions, or some slight modification thereof.
1. Monitor only. Most NAC solutions offer a monitor-only function, which allows you to create policies and then see which systems would pass or fail based on the current posture of the devices, without actually enforcing any restrictions. It's like a dry run. This is a great place to start, and may be the best place to stay, if you can afford a bit of security tradeoff in favor of productivity.
2. Probation. This lets you specify an amount of time a non-compliant device is allowed to remain on the network and function uninterrupted. This option imposes no restrictions but usually notifies the user that the endpoint doesn't meet the policy requirements and tells them how long a probation period they're permitted. On most users, this is a wasted effort and you'll need the IT department to proactively remedy the issue. Again, this can be a nice transition option when going from zero to full enforcement.
3. Quarantine. Quarantining can be one of the most restrictive actions, but it can also be as flexible and permissive as you allow. If you've set up quarantine policies using VLANs and/or ACLs, you can permit or deny access to internal and external resources and, for example, only inhibit connections to critical segments of the network, or, as another example, confine the device to accessing a very small set of remediation servers. NAC solutions that offer some level of auto-remediation are ideal if this is important, since the built-in quarantine functions of most are meager at best.
4. Block. There are some organizations that entirely block access to all network resources for non-compliant devices of a particular nature. Complete blocking of access is really a more restrictive function of a quarantine action. In most NAC systems you can configure different levels of access policies so that a user might have unrestricted or probationary access if the operating system patches aren't quite up to date. But, if the device scans positive for a virus, it's immediately blocked from all access so as not to spread malicious code.
Again, the key is to understand the pain thresholds and tradeoff allowances. The four actions above are arranged from most lenient/least secure to least flexible/most secure. Of course, the actual security provided will depend on the quality of policies and proper execution of enforcement.
At first blush, most network admins are predisposed to blocking anyone for any reason. You'll soon learn during your exploratory and monitor-only period that this isn't a feasible option. Try not to jump in head first with NAC policies; you're sure to bust your head wide open. Be judicious about it and refrain from the overzealousness that accompanies all the new blinking lights.
It's difficult to quantify threats and vulnerabilities without a team dedicated to security and audit functions, but you can make some educated decisions when planning your NAC strategy. Just make sure your policies and restrictions make sense and the action warrants the punishment you're imposing.

Handling the Politics of NAC Policies
Network access control technologies are complicated enough to plan and implement on a technological level, but dealing with the politics of policies can be an entirely new headache your IT department never saw coming.
Conversations about NAC frequently start with basic information gathering: What features are you looking for? What operating systems and switches are in the environment? How do you want to handle non-compliant devices? And, of course, the sales guy will slip in the ol' "What's your budget?" line.
Take this set of Q&A with a grain of salt. When making decisions about NAC, there's another set of primary questions that should be addressed first: What are the primary drivers for implementing NAC? What organizational policies need to be enforced? Where is your organization's tradeoff between security and productivity?
The Technology of Policy
For the network administrators, IT directors and technologists, these questions are the equivalent of that mandatory legal jargon in size 6 font on a page footer: superfluous at best and an impediment at worst. And so here comes the catch-22 we face in every NAC implementation: the struggle of finding the equilibrium between the policies of management and the technology of security.
When we talk about network access control systems, we start talking about segmenting, VLAN-ing, quarantining and isolating devices and/or users from the various network resources. We're stopping users from accessing the Internet, we're stopping laptops from accessing the primary database servers and maybe we're even preventing a critical billing or HR system from accessing the resource it needs to cut the weekly paychecks. We are, as technologists, implementing a control that will, in effect, be playing God on the network.
And yes, I know the prospect of total supreme network domination is exceptionally appealing to you all. Aside from sounding cool, it does give us complete purview over the network and control over any objects that may become security risks for the organization. For those of you who have spent your entire career protecting the network from dumb users and protecting those same dumb users from themselves, NAC can be a key tool for you; however, implemented without controls and proper planning, it can also be the bane of your (and everyone else's) existence. Why? It's pretty simple: the first time a critical system or critical employee gets zapped from the network, either you or your NAC solution will disappear, and quickly.
I get dirty looks every time I say this, but it's true: network access control is a BUSINESS DECISION, not a technology decision. We put the technology in place ONLY for the purpose of supporting and enforcing an organizational policy that is already in place. When organizations do it the other way around and start making policies around the technology, they've doomed the project before it began.
There are a host of reasons not to set access policies willy-nilly on the network. Aside from the obvious ones, there's an assortment of legal and business reasons to hold off on total network domination. In this age, the IT department is forced to take into account such off-the-wall issues as human resources policies, compliance and regulation mandates, corporate initiatives and even partner contracts. What if one of your newly imposed NAC policies conflicted with a primary policy or standard for operation and violated your organization's HIPAA or SOX compliance? What if you cut off a partner resource that was contractually provisioned with an uptime guarantee? Or what if the policy you set is simply not enforceable by the HR department?
Five Steps for a Successful Start
If NAC is something your organization's management recognizes as a necessity and has signed off on, then you're heading down the right path, and there are some key things to consider in a successful NAC rollout.
1. REVIEW your organization's current policies on network resource usage, access and enforcement. If they need to be updated or rewritten, do that first and then continue with your project.
2. IDENTIFY, ORGANIZE AND CATEGORIZE key resources, devices and users. You don't want to cut off your arm if your finger is bleeding, and for some users, you don't want to ever cut off anything. Understanding the key pieces in the network is the first step to matching your NAC policies to the real policies.
3. MAP the NAC policies to your organization's usage policies. That's why we do step 1 first. If users in Group A aren't allowed to access Resource X in Circumstances C, D or E, then make it happen that way. If a device is critical, exempt it from enforcement policies and only monitor and audit it.
4. START slowly and monitor first. Most NAC solutions offer a monitor-only function that allows you to create policies and then determine which systems would pass or fail based on the current posture of the devices, without actually enforcing any restrictions. Monitoring lets you ease into the solution, identify non-compliant devices and fix them before your help desk (or your cell phone) is inundated with calls from end users.
5. RINSE AND REPEAT. NAC policies need adjusting as endpoints, programs and the Internet change and evolve. New threats and new organizational goals are always on the horizon, and the only way to prevent stale and useless policies is to stay on top of them.
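Putting the four enforcement options and the five steps together, here is an added example (not from either article or from any NAC product) of a small posture-to-action engine in Python: it applies the tiered rule from option 4 (stale patches get probation, then quarantine once the grace period lapses; active malware is blocked at once), honours the critical-device exemption from step 3, and supports the monitor-only dry run from option 1 and step 4. The device records, thresholds and the remediation VLAN id are constructed, and the patch-age, antivirus and malware fields are hypothetical posture signals standing in for whatever your NAC agent actually reports.

```python
"""Added example (not from the articles or any NAC product): a posture-to-action
engine for the four enforcement options above, the tiered rule from option 4
(stale patches tolerated for a while, active malware blocked at once), the
critical-device exemption from step 3 and the monitor-only dry run from step 4.
Device records, thresholds and the remediation VLAN id are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Action(str, Enum):
    ALLOW = "allow"            # compliant, or no restriction applied
    PROBATION = "probation"    # full access for now, user told the deadline
    QUARANTINE = "quarantine"  # moved to the remediation VLAN / ACL set
    BLOCK = "block"            # no network access at all

@dataclass
class Posture:
    hostname: str
    patch_age_days: int               # days since the last OS patch run
    av_running: bool
    malware_detected: bool
    critical: bool = False            # exempt: monitor and audit only (step 3)
    noncompliant_since: Optional[datetime] = None

@dataclass
class Policy:
    max_patch_age_days: int = 30
    probation_days: int = 7
    quarantine_vlan: int = 999        # constructed remediation VLAN id
    enforce: bool = False             # False = monitor-only dry run

@dataclass
class Decision:
    hostname: str
    verdict: Action                   # what policy says the device deserves
    applied: Action                   # what is actually enforced on the port
    note: str

def verdict_for(p: Posture, pol: Policy, now: datetime) -> tuple:
    """Most severe matching rule wins; returns (action, audit note)."""
    if p.malware_detected:
        return Action.BLOCK, "malware detected: deny all access"
    if not p.av_running:
        return Action.QUARANTINE, f"AV not running: VLAN {pol.quarantine_vlan}"
    if p.patch_age_days > pol.max_patch_age_days:
        deadline = (p.noncompliant_since or now) + timedelta(days=pol.probation_days)
        if now > deadline:
            return Action.QUARANTINE, f"probation expired: VLAN {pol.quarantine_vlan}"
        return Action.PROBATION, f"patches {p.patch_age_days}d old, fix by {deadline:%Y-%m-%d}"
    return Action.ALLOW, "compliant"

def evaluate(p: Posture, pol: Policy, now: datetime) -> Decision:
    """Layer the critical exemption and the monitor-only switch over the verdict."""
    verdict, note = verdict_for(p, pol, now)
    if p.critical:                    # never cut off a critical system (step 3)
        return Decision(p.hostname, verdict, Action.ALLOW, "critical, audit only; " + note)
    if not pol.enforce:               # dry run: record what would have happened
        return Decision(p.hostname, verdict, Action.ALLOW, "monitor only; " + note)
    return Decision(p.hostname, verdict, verdict, note)

NOW = datetime(2024, 3, 15)           # fixed evaluation date, for reproducibility
FLEET = [                             # constructed sample devices
    Posture("laptop-01", 12, True, False),
    Posture("laptop-02", 45, True, False, noncompliant_since=datetime(2024, 3, 12)),
    Posture("laptop-03", 45, True, False, noncompliant_since=datetime(2024, 3, 1)),
    Posture("kiosk-07", 20, False, False),
    Posture("sales-11", 3, True, True),
    Posture("payroll-db", 90, False, False, critical=True),
]

if __name__ == "__main__":
    for pol in (Policy(enforce=False), Policy(enforce=True)):
        for d in (evaluate(x, pol, NOW) for x in FLEET):
            print(f"enforce={pol.enforce!s:5} {d.hostname:10} {d.verdict.value:10} -> {d.applied.value:10} {d.note}")
```

Run it once with `enforce=False` to see the verdicts you would be handing out before a single port is restricted; the `payroll-db` row shows why step 2 matters, since its verdict is quarantine but nothing is ever applied.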

Mind Games: How Social Engineers Win Your Confidence
Social engineering and mind games expert Brian Brushwood has not come by his knowledge in the traditional manner of school or business training. Brushwood is the host of the Internet video series Scam School, a show he describes as dedicated to social engineering in the bar and on the street.
In addition to his passion for teaching people about social engineering cons, Brushwood is also a touring magician who frequently performs on college campuses and has appeared on the Tonight Show. He first became interested in social engineering years ago as a means to enhance his performance and pull off secret moves successfully. Brushwood said his understanding and use of the term social engineering goes beyond the security industry perception.
"When I use the phrase, I am actually talking about an older version of it. Social engineering just basically means the application of social science to the solution of social problems," he said. "In other words, it's getting people to do what you want by using certain sociological principles."
These days, Brushwood uses social engineering techniques so frequently he admits it is sometimes hard to "turn it off." Here Brushwood explains the four basic psychological tactics social engineers use to gain trust and get what they want, and how security pros can arm their staff against this type of deception.
1. Social engineers are confident and in control of the conversation
According to Brushwood, one of the first steps to pulling off something deceptive is to act confident. For example, someone trying to get into a secure building might forge a badge or pretend to be from a service company. The key to getting in without being challenged is to simply act like you belong there and that you have nothing to hide. Conveying confidence with body posture puts others at ease.
"People running concert security often aren't even looking for badges," said Brushwood. "They are looking for posture. They can always tell who is a fan trying to sneak back and catch a glimpse of the star and who is working the event because they seem like they belong there." (See how this tactic played into another scammer's attempt to get into the Super Bowl for a massive prank.)
Another way to gain the upper hand is to seem in charge through conversation, said Brushwood.
"The person who asks the questions controls the conversation," he said. "When someone asks you a question, it immediately puts you on defense. You feel a social pressure to give a correct or appropriate response."
Brushwood refers to these types of reactions as fixed action patterns and credits the book Influence: The Psychology of Persuasion by Robert Cialdini as a major inspiration for his current work.
Takeaway: Advise employees not to become too comfortable with allowing outsiders into the building. Visitors (and service providers) should have credentials checked thoroughly -- even if they are familiar faces.
2. They give you something
Reciprocation is another fixed action pattern, said Brushwood.
"When people are given something, such as a favor or a gift, even if they actively dislike the person who did it, they feel the need to reciprocate," said Brushwood, who referred to the Hare Krishnas as one of the more well-known employers of this tactic.
"They give out a flower or a copy of the Bhagavad Gita and say 'This is a gift for you. Enjoy. Oh, by the way, would you like to make a donation?' You may be thinking 'I didn't want this flower,' but it's still difficult to turn around and say 'No, go away.'"
Brushwood himself uses this tactic during his many cross-country flights when he is hoping for a free upgrade or perhaps a free drink or two. With a few bags of M&Ms in hand, he boards each flight, hands them to flight attendants on his way in and tells them he wanted to give them something for their hard work.
"Even if they hate M&Ms, they are so moved by the thoughtfulness of the gesture," he noted.
This tactic, like the confident attitude, would be useful for a social engineer trying to gain illegal entry into a secure facility or office building. (Read how another social engineer breached building security with a box of cookies in Anatomy of a Hack.) However, Brushwood noted that the time delay between giving the gift and asking for a favor is also important.
"If you give a gift and then immediately ask for a favor, the odds are that somebody might perceive it as a bribe. If they perceive it as a bribe, they react uncomfortably."
Instead, a skilled con artist might give something to a gatekeeping employee early in the day and then come back later, claiming to need access due to a mix up, such as an item left behind after a meeting.
"Chances are they will let you by as reciprocation for how you treated them earlier," said Brushwood.
Takeaway: Advise employees to be skeptical of anyone who tries to give them something. Depending on how big the stakes are, an experienced criminal may even spend weeks laying the ground work to form a reciprocal relationship with staff that can result in access to sensitive or secure areas.
3. They use humor
People generally enjoy the company of those who have a good sense of humor. The social engineer knows this all too well and uses it to gain information, get past a gatekeeper, or even just to get out of trouble. Brushwood refers to it as the 'liking' fixed action pattern.
"People who we like, or think we like, we are much more likely to grant a favor to because we feel a familiarity to them," he said.
Brushwood has used humor to get out of speeding tickets many times. His trick is to show a funny license picture and then even find a way to hand the officer a Monopoly "Get out of Jail Free" card as part of his side-of-the-road shtick.
"Police deal all day with the boo-hoo stories," he said. "But my approach is to be upbeat. To give them the impression that I am not worried and would rather hang out and make them laugh."
Brushwood estimates he gets out of speeding tickets 80 to 90 percent of the time with this tactic.
Takeaway: In a breach or criminal scenario, the social engineer might try and chat with an employee to get information out of him. One good example is the fake IT call, where the caller asks for an employee's password. It is much more likely that sensitive information will be volunteered if the conversation is fun, and puts the employee at ease.
4. They make a request and offer a reason
Brushwood was recently inspired by the results of a Harvard study, also included in Cialdini's 'Influence,' which found people are likely to concede to a request if the word 'because' is used when asking. The study looked at groups of people waiting to use a copy machine in a library and how they responded when someone approached and asked to cut in line.
In the first group, the person would say: "Excuse me, I have five pages. May I use the Xerox machine because I'm in a rush?" In that group, 94 percent said yes and allowed the person to skip ahead in line. In another group, the line-cutter asked: "Excuse me, I have five pages. May I use the Xerox machine?" However, only 60 percent said yes to the person looking to cut. In a third group, the question was: "Excuse me, I have five pages. May I use the Xerox machine because I need to make copies?" Even though the reason was seemingly ridiculous, 93 percent still said yes to the line-cutter.
"Turns out the magic word is 'because'," said Brushwood. "It didn't matter what she said next. Just like if you see someone marching around like they own the place, it's safe to assume they belong there. Likewise, if someone says 'because' people assume they have some legitimate reason."
Brushwood points out that the fixed action pattern at work in this scenario is simply the perception of a reason. Even if the reason given is nonsense, hearing the word 'because' prompts people to respond favorably.
Takeaway: It's important to slow down and look and listen to what is happening and what is being said in a work environment. During a hectic day, it may seem easier to wave someone by, or give up information when it is requested. But awareness and presence of mind are paramount to prevent a criminal from taking advantage of you.

Social Engineering: 5 Security Holes at the Office (Includes Video)
We poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data.
If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?
We spent an afternoon with social engineering expert Chris Nickerson, founder of Lares, a security consultancy based in Colorado, to get an idea of some of the key vulnerabilities a criminal looks for in building security. Lares specializes in what Nickerson calls 'Red Team Testing,' a method that gauges risk in real environments. In other words, he and his team are hired to break into buildings and find out where the security gaps lie (Read Chris' first-hand account of how he does it in Anatomy of a Hack).
Our goal for the day was to choose a building at random and find ways a con artist might be able to get inside the facility and pretend to be an employee. Once someone is inside, posing as a legitimate worker, their potential to steal data, hack a network, or commit some other crime is high. Yet most offices, even the most secure, have holes, said Nickerson.
"One of the big problems with offices is you can get into them because, by design, you have to go to work," said Nickerson.
Of course, security needs will vary from building to building. And security and facility managers have to make their own individual determinations about what kind of safeguards they should put in place. But with Nickerson, we aimed to point out some of the things a social engineering criminal will look for when trying to get in some place they have no right to be (Check out the video for Chris' walk-through of the building).
First Impressions
We headed to a building near CSO headquarters to see what we could find. We chose the building from one of several options in the area that we knew had a secured entrance and that required identification to get inside. Immediately upon walking onto the property, Nickerson pointed out that the first vulnerability is lack of external camera coverage.
"I could be lurker-stalker guy and hang out in the woods, beat someone's badge out of them or steal something," he said. "Or set up cameras to profile the facility, and there are all sorts of really nifty places to hide in."
Power Supply
The next place Nickerson headed was the building's generator.
The generator on the property was not caged or protected externally in any way. Nickerson approached the generator and opened it with ease because it was unlocked. In addition to the obvious gap this leaves in a building's business continuity/disaster recovery plan, Nickerson also pointed out how the generator can be used in a social engineering scam.
"It is pretty obvious, now that we see a generator, that there is a data center inside. It's pretty easy to deduce that they have things that have to stay running," he said. "So if we cut the power here, you'll have full corporate denial of service. Everybody freaks out and then you walk in while everybody is freaking out and steal things."
(Note: Snooping around the generator did catch the attention of the facilities manager at the building we were assessing. A few minutes after Nickerson opened the generator, the facilities manager came out and spoke to us. But according to Nickerson, anticipating questions from authority is just part of any good social engineer's preparation. Read an account of how Nickerson handled our one-on-one confrontation, and how easy it was for him to get what he wanted, in The Fine Art of BS, Face to Face.)
Entryways
Our tour continued with a check of the back of the building, where Nickerson quickly spotted a smoking section. It was clear the area is used for smoking breaks because there was a standing ashtray filled with used cigarette butts. A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee.
"A social engineer's best friend is a cigarette," said Nickerson.
A cigarette wasn't even necessary to get into the building at this facility. The back door was unlocked, unguarded and it was very easy to open it and walk into the building.
Parking Lots
We didn't go poking around the cars in the parking lot, but Nickerson said opening unlocked cars is part of his Red Team assessment, and also another common social engineering strategy.
"People always leave their cars unlocked and there are always badges and other stuff in there. It's a good place to get in and get all the credentials you need."
Trash Compactor
Our aim was to find ways a criminal could possibly enter the building and pull off a theft or other kind of security breach. But as Nickerson pointed out, the facility's trash compactor brings the sensitive information outside and more directly into the hands of a thief.
"Because they are compactors, it usually means they hold five times the amount of sensitive and bad stuff because they take forever to get emptied," he said.
A savvy criminal could rent a vehicle that looks like a legitimate business van or car, such as a generic white van, park next to the compactor, and "shovel it in," he said. Some even go as far as to make a decal with a business logo that can be affixed to the side of the vehicle so no one will question why the compactor is being emptied.
Technology makes it easier than ever for someone to pose as someone they are not. It is simple now to go to a copy shop or graphics store and produce a business decal that looks legitimate. However, one of Nickerson's favorite ways to prep for an assignment is at a good, old-fashioned pawn shop. He looks for, and often finds, shirts and uniforms with company logos that can be used in an assessment test.
"You look at the facility and get an idea of what some of the outs are: the sprinkler and lawn care service, the trash service, the internal cleaning services. Try and get a profile of what they look like. Then go thrifting that day looking for things. Fifty to sixty percent of the time I will find them."
© CXO Media Inc.