Jul 29

Social engineering is the term for manipulating a company's employees into granting access the attacker is not authorized to have. Whether the target is a physical area of the building, a network file share, or network access itself makes no difference. A social engineering attack is every bit as dangerous as a virus or a network intrusion, and can be far more crippling, because it bypasses technical controls entirely. Some of the most damaging attacks on record have been built around social engineering. One reason it works so well is that IT staff spend most of their time patching systems and hardening the network rather than training the employee base on the basics of information security. Information security covers much more than network and computer security; it also covers employee training and physical security.

Below are common flaws found in many corporate environments today and things that can be done to fix those vulnerabilities.

1) Website Information: When it comes to gathering information about a company, the first place just about anyone starts is the company's website. Many companies post valuable information there without realizing that it is a security risk. Phone numbers, employee names, job titles, and email addresses can all be found on these pages, and all of them should be limited to what outsiders genuinely need. Listed phone numbers should always be main numbers or call center numbers, never individual direct-dial extensions. One common and serious mistake is to publish active links to individual employee email addresses. At most companies the local part of an email address (the portion before the @) is the same as the employee's network logon, so an attacker who scrapes the contact page already has half of what they need for network access, plus a name and title to use in a pretext. Prefer role mailboxes (sales@, info@) and contact forms over named addresses.
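The following audit script illustrates the point above from the defender's side; it is an added example, not code from the original post. It runs offline over a constructed HTML sample (the company, names, addresses and numbers are all made up) and reports what a social engineer would harvest from the page: published email addresses, the logon names implied by them, and any phone numbers that are not the main line. Point `audit_html` at your own site's markup to find the same leaks.

```python
"""Audit a web page for the information a social engineer harvests.

Added example (not from the original post). Everything below runs offline
over SAMPLE_HTML, a constructed "Contact us" page for a fictional company.
"""
import re
from html.parser import HTMLParser

# Constructed sample page; names, addresses and numbers are fictional.
SAMPLE_HTML = """
<html><body>
<h1>Contact Example Corp</h1>
<p>Main line: (555) 010-0100</p>
<ul>
  <li>Jane Doe, Network Administrator -
      <a href="mailto:jdoe@example.com">jdoe@example.com</a> - direct 555-010-0142</li>
  <li>Bob Smith, Accounts Payable - <a href="mailto:bsmith@example.com">email Bob</a></li>
  <li>Sales - <a href="mailto:sales@example.com">sales@example.com</a></li>
</ul>
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American style numbers: (555) 010-0100, 555-010-0142, 555.010.0142
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")

# Shared role mailboxes are not personal logons; anything else is treated as
# a likely network username (assumption: local part == logon name).
ROLE_ACCOUNTS = {"sales", "info", "support", "contact", "hr", "jobs",
                 "webmaster", "postmaster", "abuse", "security"}


class MailtoCollector(HTMLParser):
    """Collects mailto: targets from <a href> and all visible text."""

    def __init__(self):
        super().__init__()
        self.mailto = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and value.lower().startswith("mailto:"):
                    # Strip "mailto:" and any ?subject=... query string.
                    self.mailto.add(value[7:].split("?")[0].strip().lower())

    def handle_data(self, data):
        self.text.append(data)


def audit_html(html, main_numbers=()):
    """Return the addresses, implied usernames and direct-dial numbers on a page.

    main_numbers: phone numbers that are acceptable to publish (switchboard,
    call center). Any other number found is reported as a direct-dial leak.
    """
    parser = MailtoCollector()
    parser.feed(html)
    text = " ".join(parser.text)

    # Addresses hidden behind link text ("email Bob") only show up via mailto:.
    emails = parser.mailto | {e.lower() for e in EMAIL_RE.findall(text)}
    usernames = sorted({e.split("@")[0] for e in emails
                        if e.split("@")[0] not in ROLE_ACCOUNTS})

    digits = lambda s: re.sub(r"\D", "", s)
    phones = {digits(p) for p in PHONE_RE.findall(text)}
    direct = sorted(phones - {digits(n) for n in main_numbers})

    return {"emails": sorted(emails),
            "likely_usernames": usernames,
            "direct_dial": direct}


if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML, main_numbers=["(555) 010-0100"])
    for key, values in report.items():
        print(f"{key}: {', '.join(values) if values else '(none)'}")
```

On the sample page the script reports two likely usernames (jdoe and bsmith) even though Bob's address never appears as visible text, which is exactly why "hidden" mailto links are no safer than printed ones. Titles such as "Network Administrator" are not parsed here but are just as useful to an attacker choosing a pretext.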

2) Outside Contractors: Workers from outside companies who visit the premises to do temporary work should always be accompanied by a security liaison. The liaison should be told what the contractor is there to do and should understand roughly what the task requires, so that they know when the work is actually finished and can keep the contractor out of areas that the job does not require. The liaison should also note whether the contractor removes anything from the premises, including equipment, media, and paperwork.

3) Telephone Scams: Phone scams are common because they let an attacker reach employees without ever showing their face. Employees need to be trained to be helpful to callers, but cautious at the same time. In one common scam the caller poses as a computer salesperson and asks what kind of systems the company uses, whether there is a wireless network, and which operating systems are deployed. All of this is used to plan a network attack. Employees should be trained to forward any network-related question or call to the IT staff, and to remember that caller ID can be spoofed: if a caller claims to be from a vendor or from IT, hang up and call back through a number the company already has on file.

4) Dumpster Diving: Going through the trash is a common way to gather information about a person or a company. Private information should always be shredded, and companies should hire a document destruction service that handles both paper and computer media (hard drives, tapes, USB sticks), since a discarded drive can hold more than a year of shredded paper. Dumpsters should never be left in an open, unsecured area, and surveillance cameras should cover them around the clock.

5) Passwords: It is imperative that the company has a written password policy. An IT technician will never call an employee and ask for their username and password, and every employee should know that. Passwords should never be written on sticky notes or anywhere else they can be seen. Many policies also rotate passwords so that old ones are phased out; note that current NIST guidance (SP 800-63B) recommends forcing a change only when compromise is suspected, since scheduled rotation tends to produce weaker, predictable passwords. A second authentication factor limits what an attacker can do with a password obtained by phone or from a sticky note.

6) Logging Off: A thief who has talked their way into the building can usually find workstations that are still logged in, and those user accounts often have access to a great deal of confidential information. It should be company policy that anyone leaving their desk locks or logs off their computer. IT should also enforce this with a domain-wide policy that automatically locks a workstation after a short period of inactivity (on Windows, the "Interactive logon: Machine inactivity limit" Group Policy setting), so that the control does not depend on each user remembering.

7) Employee Training: Finally, when all is said and done, it comes down to training. Hold training sessions at least annually, or twice a year, on the company's security policy, covering everything from physical building security to how each workstation is configured to the email policy, and include new hires as part of onboarding.

The more layers you add to your security policy, and the better your employees are trained on each of them, the harder it becomes for a social engineering thief to steal information.
