Hackers can be quite clever, and often devious, when it comes to harvesting information from unsuspecting employees. Your helpdesk, IT staff and general user population care about helping, or sometimes just pacifying, people who need assistance. No matter how much your staff is paid, they can't be configured to drop calls like your firewall drops packets. In fact, most people want to be helpful if a seemingly innocent person needs assistance.
Social engineering can be a fruitful tactic for hackers, and it takes less time than trying to identify or bypass a firewall or an IPS. Unfortunately, or fortunately, depending on whom you ask, the security administrator can't screen everyone's calls or ask for ID from every person who sets foot in your company. It's up to the rest of your staff, those non-configurable human beings, to filter out malicious requests that come in through the doorways and over the phone lines. Are they up to the task? The best way to prepare them is to educate them on the social engineering attack tactics they may encounter, both on and off the job.
Simply put, the art of social
In addition to educating your staff, these sorts of attacks are best prevented by creating a social engineering prevention policy that prohibits divulging sensitive information over the phone or by email, prohibits tailgating through locked doorways, and requires visitors to wear badges. I also highly recommend reading Kevin Mitnick's book on social engineering, called The Art of Deception. By looking at the human factor of security, you will help prevent unauthorized access to your company's crown jewels.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
This was first published in February 2005