security plan. Visit here for an archive of previous columns.
Can be an occasional security awareness point in your organizational education, training and awareness program, done as necessary when incidents occur in current events.
If anyone unknown to you asks for key security information, your first thought should be Just Say No.
Common practices that fall under social engineering include spoofed e-mails that ask you to verify your name and password in an e-mail or to open an attachment containing a virus, worm or Trojan horse. Social engineering doesn't have to involve a person directly; it makes use of people's trusting nature to steal key information via multiple methods. The term, in fact, originally was coined by hackers to describe socializing techniques they developed for obtaining vital information from system and phone operators.
It's your job to be paranoid. But most people who aren't paid to be paranoid aren't; they are trusting people who use their systems as a tool to get their job done. Tell everyone in your organization the ways, and ONLY those ways, that you will need to give or get key security information. Several other layers should be in place and practiced to make sure that information like passwords are handled correctly.
Any search engine will help you find articles by Ira Winkler and Winn Schwartau, who have written copiously on the subject. If you want more in-depth information, many good but hard-to-find books are still in circulation. Also, books about intelligence-gathering, cyber or otherwise, often have chapters and excerpts about this specific aspect.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to firstname.lastname@example.org
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Dan LoPresto, CISSP, an access management and information security specialist with a national brokerage firm, contributed to this article.
This was first published in March 2004