How to Counteract a Social Engineering Hack
You have only a few good lines of defense against social engineering hacks. Even with strong security systems, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers.
Specific policies help ward off social engineering in the long term in the following areas:
Classifying information so that users don’t have access to certain levels of information they don’t need
Setting up user IDs when hiring employees or contractors
Establishing acceptable computer usage
Removing user IDs for employees, contractors, and consultants who no longer work for the organization
Setting and resetting passwords
Responding to security incidents, such as suspicious behavior
Properly handling proprietary and confidential information
These policies must be enforceable and enforced for everyone within the organization. Keep them up-to-date and tell your end users about them.
User awareness and training
The best line of defense against social engineering is training employees to identify and respond to social engineering attacks. User awareness begins with initial training for everyone and follows with security awareness initiatives to keep social engineering defenses fresh in everyone’s mind. Align training and awareness with specific security policies — you may also want to have a dedicated security training and awareness policy.
Consider outsourcing security training to a seasoned security trainer. Employees often take training more seriously if it comes from an outsider. Outsourcing security training is worth the investment.
While you approach ongoing user training and awareness in your organization, the following tips can help you combat social engineering in the long term:
Treat security awareness and training as a business investment.
Train users on an ongoing basis to keep security fresh in their minds.
Include information privacy and security tasks and responsibilities in everyone’s job descriptions.
Tailor your content to your audience whenever possible.
Create a social engineering awareness program for your business functions and user roles.
Keep your messages as nontechnical as possible.
Develop incentive programs for preventing and reporting incidents.
Lead by example.
Share these tips with your users to help prevent social engineering attacks:
Never divulge any information unless you can validate that the people requesting the information need it and are who they say they are. If a request is made over the telephone, verify the caller’s identity and call back.
Never click an e-mail link that supposedly loads a page with information that needs updating. This is especially true for unsolicited e-mails.
Mouse-over links can be just as dangerous as cross-site scripting: related exploits can be triggered by a user innocently placing the mouse pointer over a hyperlink. Mouse-over vulnerabilities can be handled by antimalware software at the network perimeter or on the computer, as well as within the application itself.
Be careful when sharing personal information on social networking sites, such as Facebook or LinkedIn. Also, be on the lookout for people claiming to know you or wanting to be your friend. Their intentions might be malicious.
Escort all guests within a building.
Never open e-mail attachments or other files from strangers.
Never give out passwords.
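The two e-mail tips above (unsolicited "update your information" links and mouse-over links) can be backed by a simple check on inbound HTML mail before it reaches the user. The following Python script is an added example, not code from the original article: it parses the anchors in an e-mail body and flags the patterns those tips describe, namely a link whose visible text names one site while its href points elsewhere, a link target that is a bare IP address, and an anchor that carries a mouse-event handler. The sample message is constructed for illustration, and the function and reason strings are my own naming.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample e-mail body (not a real message): one deceptive
# "update now" link, one legitimate help link, one anchor with a hover handler.
SAMPLE_EMAIL_HTML = """
<p>Your account needs updating. Click
<a href="http://198.51.100.7/login">https://bank.example.com/update</a> now.</p>
<p>Or visit <a href="https://bank.example.com/help">our help page</a>.</p>
<p><a href="https://example.net/promo" onmouseover="trackHover()">hover here</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (attributes, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # (attrs dict, list of text chunks) while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = (dict(attrs), [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            attrs, chunks = self._current
            self.links.append((attrs, "".join(chunks).strip()))
            self._current = None


def _host(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_suspicious_links(html):
    """Return a list of findings, one per anchor that matches a warning sign.

    Each finding is {"text": ..., "href": ..., "reasons": [...]}.
    Anchors with no warning sign are omitted.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for attrs, text in parser.links:
        href = attrs.get("href") or ""
        if not href:
            continue
        reasons = []
        href_host = _host(href)
        # Sign 1: the target is a raw IP rather than a named site.
        if _is_ip(href_host):
            reasons.append("link target is a bare IP address")
        # Sign 2: the visible text looks like a URL but names a different host
        # than the one the link actually goes to.
        if text.lower().startswith(("http://", "https://", "www.")):
            text_host = _host(text)
            if text_host != href_host:
                reasons.append(
                    f"visible text points to {text_host} but link goes to {href_host}"
                )
        # Sign 3: the anchor reacts to mouse movement (the mouse-over case).
        if any(name.lower().startswith("onmouse") for name in attrs):
            reasons.append("anchor carries a mouse-event handler")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the script reports the IP-address link (two reasons) and the hover-handler link, and leaves the plain help link alone. A mail gateway would typically quarantine or rewrite flagged anchors rather than just print them; the point here is that the warning signs users are told to look for are also cheap to check mechanically.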
A few other general suggestions can ward off social engineering:
Never let a stranger connect to one of your network jacks or wireless networks — even for a few seconds. A hacker can place a network analyzer, Trojan-horse program, or other malware directly onto your network.
Classify your information assets, both hard copy and electronic. Train all employees how to handle each asset type.
Develop and enforce computer media and document destruction policies that help ensure data is handled carefully and stays where it should be.
Use cross-cut paper shredders. Better still, hire a document-shredding company that specializes in confidential document destruction.
These techniques can reinforce the content of formal training:
New employee orientation, training lunches, e-mails, and newsletters
Social engineering survival brochure with tips and FAQs
Trinkets, such as screen savers, mouse pads, sticky notes, pens, and office posters that bear messages that reinforce security principles