Social Engineering
In the next of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at Social Engineering.
The Problem
Effective criminals have much the same characteristics as good business people: they search out the simplest ways for generating maximum profit for the lowest risk.
The least risk, least costly method of breaking into your computers system (to steal your confidential information, raid your bank accounts, set up key logging software, install Trojans, etc) is by means of a valid user name and password.
And the easiest way to obtain a valid user name and password is to ask someone for theirs. ‘Social engineering’ is the rather grand term given to an exploit where a criminal phones your company’s helpdesk, identifies himself as you, says he’s temporarily forgotten his password, and is given it. All he needs now is your username – and, if he’s got your e-mail address, the chances are that it will contain the username that you log on to the system with.
There are a number of variants on this basic concept: in a recent London street survey, for instance, nearly 90 percent of respondents gave complete strangers their passwords in exchange for a raffle ticket for some theatre tickets.
The Risks
You really won’t know when an intruder is inside your system when he’s using the online identity of a legitimate employee. And if it’s your username and password that’s been used, you’ll find you’ve been directly linked to the crime – with a struggle to explain why it wasn’t you, even though it was your user name and top secret password….
The Impacts
The most serious information security breaches and financial losses are associated with what’s loosely termed ‘insider crime’ – and being sure that the ‘insider’ was really an outsider is devilish difficult.
What do we do about it?
There are three procedural components to a defence, but the key defences really are in employee behaviour – which is about management, leadership, training, discipline, communication, awareness, etc. The procedural steps are:
1. Ensure that the structure of logon user names is fundamentally different from user names that are part of employee email addresses;
2. All requests for replacement passwords must be accompanied by authorisation and identification;
3. User accounts of contractors and departing employees must be closed the moment they leave your employment – if not sooner.
Anything else?
You can, of course, go to two factor authentication – using, for instance, a token or biometrics as well as the password, but for many organizations this may still be an expensive option.
Training is critical: passwords should never be shared, should not be next to the computer on post-it notes; employees should be drilled on the importance of keeping passwords confidential – and conducting regular internal surveys to raise awareness is an important part of this.
Next week: Phishing and pharming