Re: Steps to avoid Social Engineering

[Raoul Armfield <armfield () amnh org>]

Tabs The Cat wrote:
> Hello y'all,
>
>      I have a question for you guys (and gals). We all know about social
> engineering. Some of us use it on a daily basis. And we all know how
> it can be even more dangerous than any computerized attacks, but how
> can we protect against it?
>
>      I'll give you an example: we have a database based program that
> was written by and maintained by a third party that is in another
> city. In the past when they needed access for maintenance, we would
> provide them it via VPN. Recently there has been a problem so they
> were contacted. Earlier today someone from that company phoned me to
> discuss details about the VPN. I haven't given them any information
> yet. In this case I am fairly positive it is legit since they knew the
> company that we use as well as who lodged the complaint.
>
>      But how could I get this person (or any one in the future) prove
> to me that they are the people who are they say they are? Any advice?
>
> Tabs

I am a security newbie so take this with a grain of salt.

How about if you agree, in advance, on an (list of) email address(es) 
you can send something to.  Then when they call send a message to that 
email address and have them read off a keyword.  The reason I suggest 
doing it in advance is that the person you speak with may give you a 
fake address rendering this method useless.



--
Raoul Armfield
Support Specialist
IT-Call Center
armfield at amnh dot org
American Museum of Natural History
Central Park West at 79th Street
New York, New York 10024-5192
(212) 313-7258

5152 1277 A04B 04C2 BBE4
3EE8 8369 3541 8B93 42DA