Social engineering attacks are, in essence, very straightforward -- and the more insidious for that, particularly in the age of social networking.
What is the straightforward part? It’s the same in the digital age as it was a hundred or a thousand years ago: Convince a mark (your co-worker or someone with access to your network) that the crook isn't a crook, but someone who has a legitimate professional reason to access sensitive business information.
The rise of social networking and constant communications, however, has made this sort of attack even more insidious. We share so much information today with so many people that the lines between appropriate and inappropriate activity start to blur.
It’s a process that can turn into a vicious cycle. And it’s up to your IT organization to break the cycle and protect your information assets.
Whatever form the social engineering attack takes -- a live attacker posing as someone he or she isn't, phishing and similar e-mail and digital communications attacks, or social networking and other "conversational" attacks -- there are several things you can do to defend against them:
Define clear policies. A strong, detailed, clear employee communications and Web usage policy should include instructions and descriptions of appropriate -- and prohibited -- requests for company information. This includes detailing the types of requests, such as unsolicited e-mails or unexpected telephone calls, to which employees should never respond.
Train your employees. A policy only works well if it's deeply and thoroughly understood. Training -- with ongoing reinforcement and continuing education materials and instruction -- has to be part of your security strategy.
New media require new rules. Social networks, blog posts, tweets, IMs, and other new media formats bring new opportunities for social engineering attackers. This relates directly to my previous point: Continuing education is central to an effective defense against social engineering and other attacks.
Trust (or don't) but verify. Below a certain level in the organization, consider requiring a sign-off or other verification when an employee receives an unexpected request for information, no matter how official it looks or sounds. And above that level? Well, considering how security-clueless some non-IT executives are, maybe you should require two sign-offs. Seriously, social engineering attacks pose a threat at every level of an enterprise, and you should design your response accordingly.
Remind employees to exercise common sense online. Whether in online groups, forums, and other digital gathering places, or at conventions, conferences and trade shows, industry and peer group gatherings are good places for social engineering crooks to look for marks. Reinforce your security and confidentiality rules before authorizing the travel vouchers and per diems.
By: Keith Ferrell (10/28/2010), from Dell