Week 13: Social engineering --The low-tech side of high-tech

When
Can be an occasional security awareness point in your organizational education, training and awareness program, done as necessary when incidents occur in current events.

Why
If anyone unknown to you asks for key security information, your first thought should be Just Say No.

Common practices that fall under social engineering include spoofed e-mails that ask you to verify your name and password in an e-mail or to open an attachment containing a virus, worm or Trojan horse. Social engineering doesn't have to involve a person directly; it makes use of people's trusting nature to steal key information via multiple methods. The term, in fact, originally was coined by hackers to describe socializing techniques they developed for obtaining vital information from system and phone operators.

Strategy
It's your job to be paranoid. But most people who aren't paid to be paranoid aren't; they are trusting people who use their systems as a tool to get their job done. Tell everyone in your organization the ways, and ONLY those ways, that you will need to give or get key security information. Several other layers should be in place and practiced to make sure that information like passwords are handled correctly.

More information
Any search engine will help you find articles by Ira Winkler and Winn Schwartau, who have written copiously on the subject. If you want more in-depth information, many good but hard-to-find books are still in circulation. Also, books about intelligence-gathering, cyber or otherwise, often have chapters and excerpts about this specific aspect.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Dan LoPresto, CISSP, an access management and information security specialist with a national brokerage firm, contributed to this article.

Last week: Your Web site -- Quality of your copyright, privacy policy and links
Next week: When viruses and worms run amok

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Weekly Security Planner,   Security Awareness Training and Internal Threats,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Weekly Security Planner Weekly Security Planner: April Weekly Security Planner: March Weekly Security Planner: January Weekly Security Planner: February Weekly Security Planner: December Weekly Security Planner: November Weekly Security Planner: September Weekly Security Planner: October Weekly Security Planner: August Weekly Security Planner: June Security Awareness Training and Internal Threats Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management Data breach avoidance begins with security basics, panel says Monitoring program data and internal controls for risk management Software security threats and employee awareness training Twitter risks, Facebook threats trouble security pros Social engineering training could disrupt botnet growth How to write a risk methodology that blends business, security needs RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) Honeynet Project  (SearchSecurity.com) insider threat  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) social engineering  (SearchSecurity.com) Total Information Awareness  (SearchSecurity.com) trusted computing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.