Protecting Against Social Engineering

Certain types of companies are more susceptible to these types of attacks than others. They include the following:

• Large companies Smaller companies know their employees and would be aware if someone from outside their organization were snooping around their building.

• Companies with remote users Telecommuters and mobile users are more likely to be tricked because they do not often verify the identity of a caller.

• Companies that list full contact information on their website, including e-mail address and voice extension This information is like gold to a social engineer because it is the first step toward performing a successful scam.

• Companies that use temporary agencies to hire their receptionists Receptionists are more than people who greet others as they enter a company and answer phones. They are the first line of defense against social engineering. Companies that use temporary agencies are especially at risk because the frequent turnover often results in untrained staff members who do not know how to detect social engineering scams.

• Companies with call centers Customer service centers are prime candidates for social engineers looking to discover customer account information.

The best defense against social engineering tricks is training. Train employees in social engineering tactics and send regular notices of scams. Offer additional training for receptionists, help desk staff, and customer service representatives because they are more likely to be victims of social engineering attacks. Teach these staff members to verify the identity of callers by asking the caller questions. Unless the social engineer is exceptionally good, after enough questions, he will hang up. In effect, staff should perform social engineering of its own kind, where it seeks to discover the identity of a person suspected of being a social engineer. This will either result in catching social engineers or cause them to stop trying.

To prevent against dumpster divers discovering sensitive information, establish policies on how information and archives are to be disposed. Usually this is through shredders or incinerators.

Note

Undoubtedly, the most famous social engineer is Kevin Mitnick. He wrote a book with coauthor William Simon titled The Art of Deception: Controlling the Human Element of Security. It is an excellent resource if you are looking for additional information or examples on social engineering.