How often do you hear about company personnel loosing data on the train, in a corner shop or even at the gym? Unfortunately, such incidents keep occurring on almost a daily basis. More worrying, however, is a recent revelation that many accidentally reveal passwords and user-names to anyone posing as a member of their organisation, for example, an IT support worker or a senior manager.
Shocking? Yes, it is. Some employees actually assume that anyone found within their office premises is a member of staff, whereas, the unfamiliar face in your office building asking you for confidential information could actually be an intruder with the sole aim of stealing information from you. Sometimes the impostor does not even have to go as far as being physically present in the office premises, a simple phone call could actually do the trick as proved by an experiment conducted at the BBC.
This act of gaining private information (for example, on a computer system) by a stranger pretending to be a legitimate person is termed as social engineering. Oftentimes, social engineering has been widely ignored in our society as a serious form of security attack; however, it can have very negative consequences on companies and individuals alike. Most times an attacker would appear respectable, claiming to be a member of the organisation and could even go as far as producing a form of identity to support his claims. Other times, he could take the cheaper route by simply checking the rubbish or even shoulder surfing.
Although some argue that this form of attack is not completely preventable, the following measures could assist in putting it under control.
- Unsolicited telephone calls, emails or visits should be handled with care especially when the individual appears to be interested in internal information. If in doubt, take every necessary measure to verify their identity.
- Organisations should invest more time and money in training employees about their network and security policies. Sometimes, it is actually the person who is most liable and not the infrastructure.
- Data leakage can also be reduced by limiting the number of private information about company staff that is made available on the company website as they could be used by hackers to plan a social engineering attack.
- Physical security is also important. Access to computing facilities and office premises should be restricted while the identity of contractors should be revealed to employees and security personnel.
- Wastes should be disposed properly and securely for example, by shredding paper documents. This would help to prevent dumpster diving.
Thanks for reading this article. If you're new here, why don't you subscribe for regular updates via RSS feed or via email. You can also subscribe by following @techsling on Twitter or becoming our fan on Facebook. Thanks for visiting!
2 Comments
Leave a Reply
Cancel reply
Leave a Reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
OPSEC
June 13, 2009 at 11:20 pm
This subject hits close to home. Much of this, covered here, is related to Operations Security.
The trick is that there’s a great deal of information that is not considered to be “classified”, but can give an adversary exactly what they need to accomplish their objective- which may be intrusion, data theft, etc.
As an example:
a dumpster dive might net an internal phone directory. This directory will allow the adversary to gain an understanding of the internal structure of the organization. From that, additional information could be gathered by other means, such as direct email, out of office replies, etc.
Each piece of information is actually a “piece of the puzzle”, and can reveal much more than is intended.
Admin
June 14, 2009 at 5:34 am
The key perhaps is thinking ahead of the game however inconvenient. The old saying that “prevention is better than cure” comes to mind here.