Competitive Advantage - Social Engineering Defense



By Claudio Locicero

As technological security controls that guard against viruses and similar threats have become more intelligent and comprehensive, social engineering has become the greatest non-technological risk to the security of personal and corporate information. Although there are as many forms of social engineering attack as there are books on the topic of information security, the aim of this article is to provide a general overview of a few of the most common scenarios, the principles of which can be extrapolated and applied as a litmus test to other situations an employee may be exposed to.

In its strictest form, social engineering is a category of security attacks in which someone manipulates another individual, either directly or indirectly, to acquire sensitive information or unauthorized access. An attack is performed by tricking an unsuspecting individual by building, in some manner, a trust relationship. An example of social engineering is where an attacker telephones an employee then pretends to be from the IT department and asks the user to download and install a system update. Unbeknownst to the employee, this "update" is actually a Trojan horse which will open a backdoor to the computer for the attacker to gain full access to corporate network resources.

Phishing
Phishing is a type of scam that often leads to the theft of personal details such as passwords or credit card numbers. In one example, an attacker sends an email to an employee of a business that appears to come from a legitimate website used by that employee, one that requires a user name and password to access his/her account. The email may ask the employee to reply with their account user name and password to update/verify account details or, more probably, ask the employee to follow a website link to a specially created fake site which has the look and feel of the real site but has been set up specifically to steal personal information.

Unsuspecting individuals are then fooled into entering user names, passwords, credit card numbers, or other private and confidential personal or corporate details on this fake website. After the required information is entered, the fake website redirects the individual to the real site and may even automatically pass along the previously entered credentials to allow seamless access. The employee is then completely unaware that they have been compromised.
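The scenario above turns on a link whose visible text looks like the real site while its actual target is the attacker's fake one. The following is an added example, not code from the original article or from its author, showing one simple check a mail filter or awareness tool could apply: it pulls every anchor out of an HTML email body and flags links where the displayed domain does not match the link's real host, or where the link points at a bare IP address. The email body, the bank name and all domains are constructed for the example (they use reserved documentation names and addresses), and the "registered domain" comparison is a deliberately naive last-two-labels heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain string, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def base_domain(host):
    """Naive 'registered domain': the last two labels (www.example.com -> example.com).
    Assumption for the example only; real tooling would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


# Visible link text that itself looks like a domain name, e.g. www.examplebank.com
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def suspicious_links(html):
    """Return [(href, text, [reasons])] for anchors whose displayed domain differs
    from the real target, or whose target is a bare IPv4 address."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, relative links etc. are out of scope here
        target = host_of(href)
        if target is None:
            continue
        reasons = []
        shown = None
        if "://" in text or DOMAIN_RE.match(text):
            shown = host_of(text)
        if shown and base_domain(shown) != base_domain(target):
            reasons.append(f"text shows {shown} but link goes to {target}")
        if IPV4_RE.fullmatch(target):
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email body: two deceptive links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank-verify.example.net/login">www.examplebank.com</a>
<p>Or use the direct link:</p>
<a href="http://203.0.113.5/login">Click here</a>
<p>Regards, <a href="https://www.examplebank.com/help">examplebank.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the constructed body, the check reports the first two anchors and leaves the legitimate help link alone. A mismatch between what a link shows and where it goes is exactly the cue an awareness program should teach employees to hover for before clicking.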

Hoaxes
Hoaxes usually fall into two categories: virus hoaxes and urban myths. Although not usually considered social engineering attacks by mainstream information security specialists, they need to be considered as such because of the structure of the attacks themselves and their intended purposes.


a. Virus Hoaxes
A virus hoax is an email message prank that warns readers about a supposed virus that has either already infected their computer or is about to infect it through various means. Recipients of this type of hoax are usually tricked into downloading a file that is supposed to "fix" their computers but in actuality infects the computer with some type of Trojan or virus, causing further chaos.

Additionally, when directed at a particular organization, this type of attack may be used by hackers as a diversionary tactic: IT personnel are tied up with a flood of support calls from internal users while the hacker tries to gain access to the organization's network by other means.

b. Urban Myths
This is the type of hoax that inevitably wastes an individual's time by having them chase something that doesn't exist, possibly while also having their personal information compromised.

Recipients may be told that they can receive some type of prize for following instructions contained in an email, or may even be warned of bad luck for not following them. One such hoax promised a free pair of Nike running shoes for filling out a questionnaire which asked for personal information such as name and address, then forwarding the email to ten other individuals to perpetuate the compromise of personal information.

Dumpster Diving
Dumpster diving, again not usually considered social engineering in the traditional sense, allows attackers to exploit a societal taboo, sifting through the garbage of others, and the collective belief that no one would do so. This collective belief has, over the years, allowed attackers to obtain large amounts of confidential information by sifting through corporate waste. Organizations dispose of policy manuals, meeting notes, memos, organizational charts, vacation schedules, and much more in their dumpsters. Sensitive documents should be shredded, and the type of shredder used should depend on how difficult document reconstruction needs to be. Corporate data can be recovered from hard drives retrieved from dumpsters, so all electronic devices should have their stored data permanently erased with the tools available for this purpose before disposal. This method of attack has been so harmful that many organizations now keep their waste in secured areas and use only bonded waste removal companies that certify disposal and provide chain-of-custody reports.


Employees have to be given the tools to understand and identify risks to corporate and personal confidential information. Organizations that provide an information security awareness program for their employees, with ongoing refresher training, have a competitive advantage over business rivals that do not have such a program in place. This is because they are much less likely to face the publicity, associated embarrassment, and loss of goodwill brought on by an information security breach that exposes confidential data, consumer or otherwise.

Understanding information security risks, how they can affect your organization, and following industry standard best practices to safeguard information assets just makes good business sense.

Written by Claudio LoCicero, M.S.


Over his career he has held several technical and management positions both in the United States and overseas within the private and government sectors.

He holds a Master of Science in Information Technology with an Information Security Specialization from a university designated as a National Security Agency Certified Center of Academic Excellence for Information Assurance. He also holds numerous professional certifications such as the Project Management Professional (PMP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Information Technology Infrastructure Library (ITIL) Foundation, along with several other professional certifications from Cisco, Microsoft, and the National Security Agency (NSA).

He is an active member of the International Information Systems Security Certification Consortium (ISC2), Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), and the Project Management Institute (PMI).

Article Source: http://EzineArticles.com/?expert=Claudio_Locicero
