The Art of Deception: Controlling the Human Element of Security
some sort of secret. What difference could it make?

    The answer isn't hard to figure out. Two or three pieces of information might be all it takes to mount an effective impersonation - the social engineer cloaking himself in someone else's identity. Get hold of an employee's name, his phone number, his employee number--and maybe, for good measure, his manager's name and phone number--and a halfway-competent social engineer is equipped with most of what he's likely to need to sound authentic to the next target he calls.

    If someone who said he was from another department in your company had called yesterday, given a plausible reason, and asked for your employee number, would you have had any reluctance in giving it to him?

    And by the way, what is your social security number?

    MITNICK MESSAGE

    The moral of the story is, don't give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.

    PREVENTING THE CON

    Your company has a responsibility to make employees aware of how a serious mistake can occur from mishandling nonpublic information. A well-thought-out information security policy, combined with proper education and training, will dramatically increase employee awareness about the proper handling of corporate business information. A data classification policy will help you to implement proper controls with respect to disclosing information. Without a data classification policy, all internal information must be considered confidential, unless otherwise specified.

    Take these steps to protect your company from the release of seemingly innocuous information:

    The Information Security Department needs to conduct awareness training detailing the methods used by social engineers. One method, as described above, is to obtain seemingly nonsensitive information and use it as a poker chip to gain short-term trust. Each and every employee needs to be aware that when a caller has knowledge about company procedures, lingo, and internal identifiers, it does not in any way, shape, or form authenticate the requestor or authorize him or her as having a need to know. A caller could be a former employee or contractor with the requisite insider information. Accordingly, each corporation has a responsibility to determine the appropriate authentication method to be used when employees interact with people they don't recognize, in person or over the telephone.

    The person or persons with the role and responsibility of drafting a data classification policy should examine the types of details that legitimate employees use to gain access and that seem innocuous, but could lead to information that is sensitive. Though you'd never give out the access codes for your ATM card, would you tell somebody what server you use to develop company software products? Could that information be used by a person pretending to be somebody who has legitimate access to the corporate network?

    Sometimes just knowing inside terminology can make the social engineer appear authoritative and knowledgeable. The attacker often relies on this common misconception to dupe his or her victims into compliance. For example, a Merchant ID is an identifier that people in the New Accounts department of a bank casually use every day. But such an identifier is exactly the same as a password. If each and every employee understands the nature of this identifier--that it is used to positively authenticate a requestor--they might treat it with more respect.

    MITNICK MESSAGE

    As the old adage goes - even real paranoids probably have enemies. We must assume that every business has its enemies, too - attackers that target the network infrastructure to compromise business secrets. Don't end up being a statistic on computer crime - it's high time to shore up the necessary defenses by implementing proper controls through well-thought-out security policies and procedures.

    No companies -
