Social Engineering… how to protect yourself.
Mary is sitting at her desk in the accounting office when her telephone rings. She answers, and the person on the other end identifies himself as Charles Babbage, a manager at a subsidiary company who needs access to a tax account that Mary controls. Mr. Babbage sounds very busy and very impatient, and his story about his computer acting up and being unable to reach any corporate documents hooks her completely. Mary pulls up the file after verifying his name and work address, then promptly faxes the document to a number which, unbeknownst to her, belongs to a free online fax service that the perpetrator had set up through an internet proxy. The file contained the Social Security number and date of birth of an executive in the company. The caller then used that information to leverage his way into the corporate network and stole files and documents; as far as the system was concerned, those files had merely been checked out by the executive.
Sadly, the attack described above happens to companies more often than most like to admit. When these incidents do happen, they are written off as an insurance claim, and the employee who took the call or e-mail often has no idea that they were just conned into giving away very important data about employees or their employer. How can you protect yourself and those you work with from such a bold attack? A social engineer relies on cunning and a heightened ability to read people to pull off their tasks. A social engineer lives by the mantra that over semi-anonymous channels of communication, the telephone and the internet, one can be whoever one wishes to be.
Social engineering attacks the human sitting at the desk or in the cubicle. Unfortunately, there is no network protection mechanism that will thwart a social engineering attack; the only defense is proper user training. Every business should form a defense-in-depth strategy to combat threats to the corporate infrastructure. Steps to take include using strong passwords, physically securing the equipment (lock it to something), establishing physical user credentials, and using some form of role-based access mechanism for reaching key files or areas.

Additionally, users should be taught that no one is above suspicion. By this I mean that every user should question who is requesting the data. Simple conversational pointers, such as small talk, asking how the office is doing, or asking about a particular person in the office, are great ways to trip up a social engineer. If a social engineer feels they are not getting their way with a target, they will terminate the call and try another person. It is therefore critical that the call be documented; documenting the call will keep another person in your company from falling victim to the same impersonator.

Finally, I have to reiterate the physical securing of equipment: put locked doors and key-card areas between the main entrance and the network center itself. What good is a high-dollar computer security system if the criminal can just walk off with your data? Think about it.
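The role-based access and call-documentation advice above can be made concrete in code. The following is an added example, not code from the original article: a small role-based access check that records every request, including who it was made on behalf of and over which channel, so that a request relayed by phone is denied unless the caller's identity was confirmed out of band, and so that a string of refusals against the same name is visible to the rest of the office. The policy, directory entries and names (`mary`, `c.babbage`, `hr_lead`) are constructed for illustration.

```python
"""Role-based access with an audit trail for sensitive files.

Added example for illustration; the roles, users and resources are
constructed and do not come from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Which roles may read which class of resource (constructed policy).
POLICY = {
    "tax_accounts": {"accounting", "tax_manager"},
    "executive_pii": {"hr"},
}

# Who holds which roles (constructed directory).
ROLES = {
    "mary": {"accounting"},
    "c.babbage": {"subsidiary_manager"},
    "hr_lead": {"hr"},
}


@dataclass
class AuditEntry:
    when: str
    actor: str                   # the employee operating the system
    on_behalf_of: Optional[str]  # who asked for the data, if relayed
    resource: str
    channel: str                 # "console", "phone", "email"
    verified: bool               # identity confirmed out of band?
    granted: bool


AUDIT_LOG: List[AuditEntry] = []


def request_access(actor: str, resource: str, on_behalf_of: Optional[str] = None,
                   channel: str = "console", verified: bool = True) -> bool:
    """Decide whether ACTOR may read RESOURCE; always append an audit entry.

    When the request is relayed for someone else (a phone call, an e-mail),
    it is denied unless the requester's identity was verified out of band,
    for example by calling back a number from the company directory. The
    relayed requester is recorded even on denial, so repeated attempts under
    the same name stand out in the log.
    """
    actor_roles = ROLES.get(actor, set())
    granted = bool(POLICY.get(resource, set()) & actor_roles)
    if on_behalf_of is not None:
        # Relayed request: the caller's own roles never matter, only whether
        # the relaying employee verified the caller before acting.
        granted = granted and verified and channel != "console"
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(),
        actor=actor, on_behalf_of=on_behalf_of, resource=resource,
        channel=channel, verified=verified, granted=granted,
    ))
    return granted


def recent_denials(name: str) -> List[AuditEntry]:
    """Return denied entries where NAME was the actor or the relayed requester.

    This is the "document the call" step: a second employee can check how
    many refusals a given caller has already collected before helping them.
    """
    return [e for e in AUDIT_LOG
            if not e.granted and name in (e.actor, e.on_behalf_of)]
```

The design choice worth noting is that the audit entry records both the operator and the person the request was relayed for. In the story above the system only saw the executive checking out files; with this record, the log would instead show Mary acting on a phone request from "c.babbage" that was never verified, which is exactly what the next employee to receive such a call needs to see.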
