Security and the Employee (Social Engineering)

In the end, no security control in the world will be fully effective without the support and compliance of all employees. For each of the items discussed in this chapter, employees must be informed and trained. Organizations can have the best technological controls in the world and still suffer debilitating attacks.

Social engineering is the act of obtaining, or attempting to obtain, otherwise secure information or access by conning an individual into revealing it. Social engineering attacks are hard to protect against. The best means of protection is security awareness training. Only by educating everyone in the enterprise on the company’s security policies and procedures can you begin to reduce this threat. Employees must be trained to know what information needs to be protected and how to protect it. Only then are employees in a much better position to recognize social engineering when it occurs. Social engineers, or con artists, have been studied for many years. Robert Cialdini developed a list of six basic techniques that social engineers use to attempt to gain the compliance of a victim:

  • Authority— This form of attack attempts to use authority or power to gain compliance.

  • Liking— This attack works by making the victims believe that they are similar to the attacker, share common beliefs, or like the attacker.

  • Consistency— This attack is made possible by the victim’s attempt to remain consistent. We all tend to follow through or want to do what seems acceptable.

  • Reciprocation— This attack relies on the fact that after you have been given something, behavior dictates that something must be given in return.

  • Social validation— This attack functions on the premise that it is the right thing to do. It seems to be what anyone else would do.

  • Scarcity— This attack feeds on the fact that people respond when they believe time or quantities are limited.

Phishing, a Most Successful Form of Social Engineering

Phishing is a type of social engineering that attempts to lure the victim into revealing information of a sensitive or personal nature, including passwords and credit card details. In such an attack, the victim is approached by email from someone of authority, typically a bank or credit institution.

Zachary Hill is one of the individuals who practiced this scam until he was caught and sentenced to four years in prison. According to the criminal information to which Hill entered his plea of guilty, Hill used the scheme to access 473 credit card numbers, 152 sets of bank account numbers and routing numbers, and 566 sets of usernames and passwords for Internet services accounts. The information also charges that Hill used the fraudulently obtained credit card numbers to obtain goods and services valued at more than $47,000.
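As an added illustration that is not part of the chapter, the following Python sketch maps constructed cue phrases to Cialdini's six principles listed above and flags a message that combines several of them with a request for a password or card details, the shape of the phishing email just described. The phrase lists and the sample email are assumptions for demonstration, not a vetted indicator set.

```python
import re

# Constructed cue phrases mapped to Cialdini's six compliance principles.
# Illustrative patterns only; a real filter would use a curated lexicon.
PRINCIPLE_CUES = {
    "authority": [r"\b(ceo|director|security team|compliance|bank|irs)\b",
                  r"\bon behalf of\b"],
    "liking": [r"\bvalued (customer|colleague)\b", r"\bwe appreciate you\b"],
    "consistency": [r"\bas you (agreed|requested|previously)\b",
                    r"\bto keep your account\b"],
    "reciprocation": [r"\b(free|gift|bonus|reward)\b", r"\bwe have (credited|sent)\b"],
    "social_validation": [r"\b(all|most) (employees|customers|users)\b",
                          r"\beveryone (has|must)\b"],
    "scarcity": [r"\bwithin \d+ (hours?|days?|minutes?)\b",
                 r"\b(expires?|final notice|immediately|urgent|last chance)\b"],
}

# Requests for the sensitive data the text names (passwords, card details).
CREDENTIAL_REQUEST = [r"\b(password|passcode|pin)\b", r"\b(credit|debit) card\b",
                      r"\b(account|routing) number\b",
                      r"\b(verify|confirm) your (identity|account)\b"]


def score_message(text: str) -> dict:
    """Report which principles a message leans on and whether it asks for secrets."""
    lowered = text.lower()
    hits = {p: sorted({m.group(0) for pat in pats for m in re.finditer(pat, lowered)})
            for p, pats in PRINCIPLE_CUES.items()}
    principles = [p for p, h in hits.items() if h]
    asks_for_secret = any(re.search(pat, lowered) for pat in CREDENTIAL_REQUEST)
    # Two or more pressure principles plus a request for secrets is the classic shape.
    suspicious = asks_for_secret and len(principles) >= 2
    return {"principles": principles, "cues": {p: hits[p] for p in principles},
            "asks_for_secret": asks_for_secret, "suspicious": suspicious}


# Constructed sample messages for illustration (not real mail).
SAMPLE_PHISH = ("Dear valued customer, this is the Bank security team. Your account will be "
                "suspended within 24 hours unless you confirm your identity. Reply with your "
                "password and card number immediately.")
SAMPLE_BENIGN = "Lunch is at noon on Friday in the main conference room, see you there."

if __name__ == "__main__":
    print(score_message(SAMPLE_PHISH))
    print(score_message(SAMPLE_BENIGN))
```

Such a scorer is a teaching aid for awareness sessions, not a replacement for mail-gateway filtering; its value is in showing trainees which principle each phrase is pulling on.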
