The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [16]

eyelash-batting.

And one more tool, an essential element not easily acquired—the manipulative skills of the social engineer, refined through extensive practice and the unwritten lessons of bygone generations of confidence men.

MORE “WORTHLESS” INFO

Besides a cost center number and internal phone extensions, what other seemingly useless information can be extremely valuable to your enemy?

Peter Abel’s Phone Call

“Hi,” the voice at the other end of the line says. “This is Tom at Parkhurst Travel. Your tickets to San Francisco are ready. Do you want us to deliver them, or do you want to pick them up?”

“San Francisco?” Peter says. “I’m not going to San Francisco.”

“Is this Peter Abels?”

“Yes, but I don’t have any trips coming up.”

“Well,” the caller says with a friendly laugh, “you sure you don’t want to go to San Francisco?”

“If you think you can talk my boss into it ...” Peter says, playing along with the friendly conversation.

“Sounds like a mix-up,” the caller says. “On our system, we book travel arrangements under the employee number. Maybe somebody used the wrong number. What’s your employee number?”

Peter obligingly recites his number. And why not? It goes on just about every personnel form he fills out, lots of people in the company have access to it—human resources, payroll, and, obviously, the outside travel agency. No one treats an employee number like some sort of secret. What difference could it make?

The answer isn’t hard to figure out. Two or three pieces of information might be all it takes to mount an effective impersonation—the social engineer cloaking himself in someone else’s identity. Get hold of an employee’s name, his phone number, his employee number—and maybe, for good measure, his manager’s name and phone number—and a halfway-competent social engineer is equipped with most of what he’s likely to need to sound authentic to the next target he calls.

If someone who said he was from another department in your company had called yesterday, given a plausible reason, and asked for your employee number, would you have had any reluctance in giving it to him?

And by the way, what is your social security number?

MITNICK MESSAGE

The moral of the story is, don’t give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.

PREVENTING THE CON

Your company has a responsibility to make employees aware of how a serious mistake can occur from mishandling nonpublic information. A well-thought-out information security policy, combined with proper education and training, will dramatically increase employee awareness about the proper handling of corporate business information. A data classification policy will help you to implement proper controls with respect to disclosing information. Without a data classification policy, all internal information must be considered confidential, unless otherwise specified.

Take these steps to protect your company from the release of seemingly innocuous information:

• The Information Security Department needs to conduct awareness training detailing the methods used by social engineers. One method, as described above, is to obtain seemingly nonsensitive information and use it as a poker chip to gain short-term trust. Each and every employee needs to be aware that when a caller has knowledge about company procedures, lingo, and internal identifiers it does not in any way, shape, or form authenticate the requestor or authorize him or her as having a need to know. A caller could be a former employee or contractor with the requisite insider information. Accordingly, each corporation has a responsibility to determine the appropriate authentication method to be used when employees interact with people they don’t recognize in person or over the telephone.

• The person or persons with the role and responsibility of drafting a data classification policy should examine the types of details that may be used to gain access for legitimate
