Information Security News mailing list archives

Why con artists are your biggest security threat


From: InfoSec News <isn () c4i org>
Date: Thu, 4 Apr 2002 01:19:20 -0600 (CST)

http://www.zdnet.com/anchordesk/stories/story/0,10738,2859818,00.html

Lee Schlesinger,
Senior Technology Editor,
ZDNet Tech Update
Thursday, April 4, 2002  

Bottom line: No product you can buy will protect you completely from
the most serious threat to your network and your business.

That's not what you want to hear after laying out six figures to arm
yourself with firewalls, antivirus software, and intrusion-detection
applications, is it? Nevertheless, forewarned is forearmed, and there
is something you can do to fight this threat.

I'M TALKING ABOUT social engineering, which is simply a fancy way of
saying "getting people who should know better to do what you want." A
recent CERT report notes that attempts to hornswoggle those of you
using instant messaging and Internet Relay Chat (IRC) via social
engineering are on the rise.

Victims of these hoaxes are directed to sites that ostensibly will
help them, but really plant Trojan horse programs on their computers.  
Now what if the unsuspecting victim is infected with a Trojan horse at
the office? It could be very costly to your business.

So what can you do? Aside from disallowing IM applications in your
enterprise, your best bet is to train employees against such cons.

More common than the relatively impersonal social-engineering e-mail
or IM is the telephone call from someone who seems to know what he's
talking about. An unsuspecting staffer could disclose vital
information like user IDs and passwords to someone with a good line of
patter.

The one technology that could potentially deter this kind of caper is
two-factor authentication. If a smooth-talking fraud gets one of your
employees to give up user IDs and passwords, a second security layer
such as biometrics or smart cards could stop that would-be intruder
from accessing your network. But even if your company does employ such
technology, a social engineer could still convince an employee to
e-mail him information just as easily--or he may get all he needs on
the phone.

THE ONLY OPTION for preventing social-engineering intrusions is
awareness. Learn the perpetrators' secrets. Train everyone in your
organization to recognize warning signs, like people who ask for
sensitive information but refuse to give contact information. Simply
asking for a phone number and verifying it is often enough to stop
such theft. Beware of someone trying to use intimidation or flattery
to extract information. And make sure your employees are confident and
wary enough to outsmart tricksters.

Here's another piece of advice: When one of your colleagues stops a
social-engineering exploit, let others in the company know, in case he
tries again. Hold an annual training session to heighten security
awareness, and try staging mock break-ins once in a while to be sure
people remember the lessons.

You can't stop con artists from trying to take advantage of your
employees and your business. But you can educate your workforce so
they're prepared to deal with them. If you follow the guidelines I've
set out, you're off to a good start.




-
ISN is currently hosted by Attrition.org
