Countermeasures against Social Engineering

Social Engineering: According to Wikipedia, "Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques." Social engineering is not a new thing at all; it is the art of lying to obtain confidential information and gain access to (or hack into) a system. Social engineering attacks are among the hardest threats to defend against because they involve the human element.
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).
• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
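The URL check above (spelling variations and .com-vs-.net swaps) can be automated for a help desk or mail filter. The following is an added example, not code from the original article; the trusted domain list and the sample URLs are constructed, and it deliberately uses only the last two labels of a hostname, so multi-part suffixes such as .co.uk would need the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed list of domains the organization treats as legitimate (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.org"}


def registered_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. www.examplebank.com -> examplebank.com."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot small spelling variations such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a full URL (with scheme) as 'trusted', 'lookalike' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        # Same name under a different top-level domain (.com vs .net).
        if name == good_name and tld != good_tld:
            return "lookalike"
        # Name differs from a trusted one by only one or two characters.
        if edit_distance(name, good_name) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.examplebank.com/login",
                   "https://examplebank.net/login",
                   "http://secure.examp1ebank.com/",
                   "https://www.python.org/"):
        print(f"{classify_url(sample):9s} {sample}")
```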
Other important points are:

IT Security and Other Units

Physical and IT security personnel often have an uneasy and distant relationship, even in institutions where they share a common node of the management tree.
• IT personnel should at least understand the need for physical controls and have some involvement in the physical securing of IT equipment, especially when sophisticated technical controls such as handheld authentication devices are employed.
• Non-IT security people need at least a basic understanding of how IT hardware hangs together in order to appreciate where the weaknesses are: not only in terms of sabotage, theft and espionage, but even in terms of accidental damage. In many cases, they will be the first line of defence against breaches of the physical perimeter.
General Education

General users should not be expected to become security experts. Indeed, it is unrealistic to expect them to be particularly IT-literate beyond the requirements of their work. This makes the quality of the educational and other resources available to them particularly important, not only in terms of accuracy and pertinence, but also accessibility. Training and first-line documentation should be as brief and clear as possible, but more detailed resources should be available and known to be available. In particular, such documentation should make as few assumptions as possible about the technical knowledge of the reader: unfortunately, this is not always consistent with the equally pressing requirement that it should be as short as possible.
Risk Analysis

I hope I've convinced you that social engineering is a significant threat. However, it is seriously under-documented, and committing major resources to deal with a threat many people have never heard of or considered is not always easy. This paper gives some background, but useful statistics are scarce: I can't point you to a survey which tells you how much a year social engineering costs the 'average' organization. Statistics on security breaches in general are easier to come by, but they don't tell you how much use individual intruders made of social engineering, so you have to approach it from the other end: gathering information on how vulnerable you are to this threat, and what measures are available to counter it.
Security Policies and Insurance Policies

Security is a cost centre. Like fire insurance, it is a large expense set against the risk of an attack which may never come, though with social engineering it is probably truer to say that such attacks are frequent, but not necessarily recognised as such. Security policies aren't popular: they take time to put together properly and are of no practical use without a realistic educational program to back them up.