The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [126]

Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful. Security technologies can make these types of attacks more difficult by removing people from the decision-making process. However, the only truly effective way to mitigate the threat of social engineering is through the use of security awareness combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees.

There is only one way to keep your product plans safe, and that is by having a trained, aware, and conscientious workforce. This involves training on the policies and procedures, but also—and probably even more important—an ongoing awareness program. Some authorities recommend that 40 percent of a company’s overall security budget be targeted to awareness training.

The first step is to make everyone in the enterprise aware that unscrupulous people exist who will use deception to psychologically manipulate them. Employees must be educated about what information needs to be protected, and how to protect it. Once people have a better understanding of how they can be manipulated, they are in a far better position to recognize that an attack is underway.

Security awareness also means educating everyone in the enterprise on the company’s security policies and procedures. As discussed in Chapter 17, policies are necessary rules to guide employee behavior to protect corporate information systems and sensitive information.

This chapter and the next one provide a security blueprint that could save you from costly attacks. If you don’t have trained and alert employees following well-thought-out procedures, it’s not a matter of if, but when you will lose valuable information to a social engineer. Don’t wait for an attack to happen to you before instituting these policies: It could be devastating to your business and to your employees’ welfare.

UNDERSTANDING HOW ATTACKERS TAKE ADVANTAGE OF HUMAN NATURE

To develop a successful training program, you have to understand why people are vulnerable to attacks in the first place. By identifying these tendencies in your training—for example, by drawing attention to them in role-playing discussions—you can help your employees to understand why we can all be manipulated by social engineers.

Manipulation has been studied by social scientists for at least fifty years. Robert B. Cialdini, writing in Scientific American (February 2001), summarized this research, presenting six “basic tendencies of human nature” that are involved in an attempt to obtain compliance to a request.

These six tendencies are those that social engineers rely on (consciously or, most often, unconsciously) in their attempts to manipulate.

Authority

People have a tendency to comply when a request is made by a person in authority. As discussed elsewhere in these pages, a person can be convinced to comply with a request if he or she believes the requestor is a person in authority or a person who is authorized to make such a request.

In his book Influence, Dr. Cialdini writes of a study at three Midwestern hospitals in which twenty-two separate nurses’ stations were contacted by a caller who claimed to be a hospital physician, and given instructions for administering a prescription drug to a patient on the ward. The nurses who received these instructions did not know the caller. They did not even know whether he was really a doctor (he was not). They received the instructions for the prescription by telephone, which was a violation of hospital policy. The drug they were told to administer was not authorized for use on the wards, and the dosage they were told to administer was twice the maximum daily dosage, and thus could have endangered the life of the patient. Yet in 95 percent of the cases, Cialdini reported, “the nurse proceeded to obtain the necessary dosage from the ward medicine cabinet and was on her way to administer it to the patient” before
