Background
Social engineering is an attack vector that relies heavily on human interaction and often involves deceiving people into breaking normal security procedures.
Today, while traditional technology based security solutions are getting more sophisticated and harder to penetrate, we see a trend where adaptation occurs towards social engineering. While social engineering is not a new method to gain access to a system, the tools that are used are getting more and more powerfull.
A social engineer runs what used to be called a “con game.” Techniques such as appeal to vanity, appeal to authority and appeal to greed are often used in social engineering attacks. Many social engineering exploits simply rely on people’s willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.
The weakness is not in the technology, but in the nature of the human being.
Awareness
The best social engineering security strategy is user awareness that these attacks do happen. Here are some good business practices:
- Train employees never to give out passwords or confidential information over the phone.
- Update your security policy to address social engineering attacks.
- Update your incident-handling procedures to include social engineering attacks.
- Don’t type in passwords while someone else is looking.
- Require all guests to be escorted. (Once inside they have full access!)
- Keep all trash in secured, monitored areas.
- Shred important and sensitive data.
- Conduct periodic security awareness training programs.
