The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [67]
Note: Passwords are such a central focus of social engineering attacks that we devote a separate section to the topic in Chapter 16, where you will find specific recommended policies on managing passwords.
A Central Reporting Point
Your security policy should provide a person or group designated as a central point for reporting suspicious activities that appear to be attempts to infiltrate your organization. All employees need to know who to call any time they suspect an attempt at electronic or physical intrusion. The phone number of the place to make these reports should always be close at hand so employees don’t have to dig for it if they become suspicious that an attack is taking place.
Protect Your Network
Employees need to understand that the name of a computer server or network is not trivial information, but rather it can give an attacker essential knowledge that helps him gain trust or find the location of the information he desires.
In particular, people such as database administrators, who work closely with software, belong to the category of those with technology expertise, and they need to operate under special and very restrictive rules about verifying the identity of people who call them for information or advice.
People who regularly provide any kind of computer help need to be well trained in what kinds of requests should be red flags, suggesting that the caller may be attempting a social engineering attack.
It’s worth noting, though, that from the perspective of the database administrator in the last story in this chapter, the caller met the criteria for being legitimate: He was calling from on campus, and he was obviously on a site that required an account name and password. This just makes clear once again the importance of having standardized procedures for verifying the identity of anybody requesting information, especially in a case like this where the caller was asking for help in obtaining access to confidential records.
All of this advice goes double for colleges and universities. It’s not news that computer hacking is a favorite pastime for many college students, and it should also be no surprise that student records—and sometimes faculty records, as well—are a tempting target. This abuse is so rampant that some corporations actually consider campuses a hostile environment, and create firewall rules that block access from educational institutions with addresses that end in .edu.
The long and short of it is that all student and personnel records of any kind should be seen as prime targets of attack, and should be well protected as sensitive information.
Training Tips
Most social engineering attacks are ridiculously easy to defend against ... for anyone who knows what to be on the lookout for.
From the corporate perspective, there is a fundamental need for good training. But there is also a need for something else: a variety of ways to remind people of what they’ve learned.
Use splash screens that appear when the user’s computer is turned on, with a different security message each day. The message should be designed so that it does not disappear automatically, but requires the user to click on some kind of acknowledgement that he/she has read it.
Another approach I recommend is to start a series of security reminders. Frequent reminder messages are important; an awareness program needs to be ongoing and never-ending. In delivering content, the reminders should not be worded the same in every instance. Studies have shown that these messages are more effectively received when they vary in wording or when used in different examples.
One excellent approach is to use short blurbs in the company newsletter. This should not be a full column on the subject, although a security column would certainly be valuable. Instead, design a two- or three-column-wide insert, something like a small display ad in your local newspaper. In each