Social Engineering in its basic form is hacker talk for manipulating computer users out of their username and password. Social engineering really goes beyond just usernames and passwords. A well planned social engineering attack can destroy companies. All of the most devastating information thefts have used some sort of social engineering attack. Social engineering is so effective because computer admins and security experts spend all their time patching systems and not training employees about information security. Information security goes beyond patching computers, it is a combination of physical security, computer/network policy and employee training.
This article will describe many of the common security flaws that information thieves take advantage off and how you can prevent them.
1. Web sites Information – Company web sites are the best place to start when gathering information. Often a company will post all their employees names, email addresses, positions and phone numbers for everyone to see. You want to limit the number of employees and phone numbers listed on a web site. Also, live active links to employee email addresses should be avoided. A common mistake is a company’s email user name will be the same as their network logon, example: email address of firstname.lastname@example.org has a user name of jsmith for the network with the same password for email and the network.
2. Phone Scams – Scamming someone on a phone is very simple. Company employees need to be trained to be courteous but cautious when giving callers information over the phone. One hacking scam is a hacker will call a company posing as computer salesmen. The salesmen will ask the secretary what type of computers they have, do they have a wireless network and what type of operating systems they run. Hackers can use this information to plan their attack on the network. Train your employees to refer any IT related questions to Tech Support.
3. Outside Contractors – Outside contractors should have a security liaison to monitor their activities. Security liaisons should be briefed on what work the contractor is hired to perform, area of operation, identity of contractor and if the contractor will be removing items from the work site.
4. Dumpster Diving – The easiest way to get information about anyone is to go through their trash. Shredders should be used in all cases or shredding services should be hired. Also, the Dumpster should be in a secure location and under surveillance.
5. Secretaries – They are your first line of defense, train them to not let anyone into your building unless they are for certain whom they are. Security cameras should be place in the main entrance way and also on the outside of the building. A thief who is probing your network will test to see if he is challenged upon entering the building, cameras can help identify patterns and suspicious people.
6. NO PASSWORDS – Make it company policy that the tech department will never call you or email you asking for your username or password. If somebody does call and ask for a password or username red flags will go up every where.
7. LOG OFF – Social Engineering attacks get the hacker into the building and they will usually find many workstations where the user hasn’t logged off. Make it company policy that all users must log off their workstations every time they leave it. If the policy is not followed then the employee should be written up or docked pay. Don’t make a hacker’s job any easier than it already is.
8. Training – Information security training is a must for any size company. Information security is a layered approach that starts with the physical structure of the building down to how each work station is configured. The more layers your security plan has the harder it is for an information thief to accomplish his mission.