The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [28]

However, the practice should be discouraged.

If you must keep credit card numbers on file, that process needs to be accompanied by security provisions that go beyond encryption or using access control. Employees need to be trained to recognize social engineering scams like the ones in this chapter. That fellow employee you’ve never met in person but who has become a telephone friend may not be who he or she claims to be. He may not have the “need to know” to access sensitive customer information, because he may not actually work for the company at all.

Mitnick Message

Everyone should be aware of the social engineer’s modus operandi: Gather as much information about the target as possible, and use that information to gain trust as an insider. Then go for the jugular!

Trust Wisely

It’s not just the people who have access to clearly sensitive information—the software engineers, the folks in R&D, and so on—who need to be on the defensive against intrusions. Almost everyone in your organization needs training to protect the enterprise from industrial spies and information thieves.

Laying the groundwork for this should begin with a survey of enterprise-wide information assets, looking separately at each sensitive, critical, or valuable asset, and asking what methods an attacker might use to compromise those assets through the use of social engineering tactics. Appropriate training for people who have trusted access to such information should be designed around the answers to these questions.

When anyone you don’t know personally requests some information or material, or asks you to perform any task on your computer, have your employees ask themselves some questions. If I gave this information to my worst enemy, could it be used to injure me or my company? Do I completely understand the potential effect of the commands I am being asked to enter into my computer?

We don’t want to go through life being suspicious of every new person we encounter. Yet the more trusting we are, the more likely that the next social engineer to arrive in town will be able to deceive us into giving up our company’s proprietary information.

What Belongs on Your Intranet?

Parts of your intranet may be open to the outside world, other parts restricted to employees. How careful is your company in making sure sensitive information isn’t posted where it’s accessible to audiences you meant to protect it from? When is the last time anyone in your organization checked to see if any sensitive information on your company’s intranet had inadvertently been made available through the public-access areas of your Web site?

If your company has implemented proxy servers as intermediaries to protect the enterprise from electronic security threats, have those servers been checked recently to be sure they’re configured properly?

In fact, has anyone ever checked the security of your intranet?

Chapter 5

“Let Me Help You”

We’re all grateful when we’re plagued by a problem and somebody with the knowledge, skill, and willingness comes along offering to lend us a hand. The social engineer understands that, and knows how to take advantage of it.

He also knows how to cause a problem for you ... then make you grateful when he resolves the problem ... and finally play on your gratitude to extract some information or a small favor from you that will leave your company (or maybe you, individually) very much worse off for the encounter. And you may never even know you’ve lost something of value.

Here are some typical ways that social engineers step forward to “help.”

THE NETWORK OUTAGE

Day/Time: Monday, February 12, 3:25 p.m.

Place: Offices of Starboard Shipbuilding

The First Call: Tom DeLay

“Tom DeLay, Bookkeeping.”

“Hey, Tom, this is Eddie Martin from the Help Desk. We’re trying to troubleshoot a computer networking problem. Do you know if anyone in your group has been having trouble staying on line?”

“Uh, not that I know of.”

“And you’re not having any problems yourself.”

“No, everything seems fine.”

“Okay, that
