Social Engineering Brief >> 08.06.2012 Social Engineering
Social Engineering

New media and new social applications add to the long list of tools and techniques used to elicit critical business information from employees. This information can be used to harm businesses and to put them in a disadvantaged position in their competitive environment.
Definition

Social engineering is a non-technical method of intrusion that exploits human behavior and relies on human interaction. Often social engineering involves false claims, statements and identities to trick target individuals into breaking normal security procedures. In practice, social engineering is a component of all kinds of exploits.
Activities

Phishing – by e-mail or telephone, employees are convinced to disclose sensitive information
Malware – employees are urged to run virus-infected software on corporate devices
Shoulder surfing – social engineers look over employees' shoulders to memorize passwords
Activities

Dustbin searching – social engineers search and analyze dustbin content
Password guessing – social engineers take advantage of employees' natural habit of using passwords that are meaningful to their personal circumstances and can therefore be easily guessed
Tactics

Social engineering exploits human behavior and addresses traits such as vanity, lack of self-confidence, greed, craving for recognition, helpfulness and others. A fact that supports successful social engineering is that nowadays employees have not completely grasped the value of information in general and of business-related information in particular. The complexity of the information society adds to this, too.
Defend

Beyond a comprehensive and strict corporate information policy and employee guideline, there are four rules that can be easily followed to protect the employee and the employer against social engineering:

First rule – internalize and follow the corporate information policy and guideline
Defend

Second rule – avoid time pressure; ask for a telephone number or e-mail address so you can get back in touch
Third rule – verify claims or statements that put you on the spot and urge you to act without thinking; verify the urgency, the individual, the situation and the request itself
Defend

Fourth rule – in case of uncertainty, immediately involve superiors or security personnel