Ethical Hacking: Social Engineering
Impacts And Countermeasures
Defending against social engineering in an organization is difficult. We cannot defend using hardware and software alone. Therefore, a successful defense requires effective information security policies, standards, and education. There are some best practices. Know who is on the line. Use caller ID for all calls and, if possible, use a separate ringtone for internal calls. Hesitate before transferring an outside call. Hackers use social engineering to navigate a company and learn the names of key employees.
Take down the caller's name and number and forward the message to the appropriate person. Create help desk procedures so employees know how to verify the person on the other end of the line. Know who's in your building. Allow only authorized individuals to roam freely about the building. Provide an escort if possible. Any service people must show appropriate identification. Train receptionists to make a verification phone call when unsure, especially when someone requests restricted information or access.
Know your employees. While in the building, have employees wear appropriate identification. Tell them to protect their ID badges and key cards. Have employees remove their identification when going out in public. Set privacy settings in your browser. Take a moment and read privacy policies. Use encryption for portal access and train employees to watch for the secure connection. Hackers clone websites and then lure victims to visit the bogus page in order to gather usernames and login information.
Review the company website and protect sensitive information from the public. Hackers use information gathered during reconnaissance to launch attacks on the network. Properly dispose of all media. Have shredders on each floor, and for large piles of documents, use a service that provides locked confidential storage bins. Social engineering continues to be an effective way to obtain a password.
Educate employees to use strong, complex passwords and change them often. Do not give away passwords on the phone. Do not leave passwords lying around. And when resetting passwords, use some type of challenge question that only the user will know, to provide another level of authentication. Talk with your employees about security. Create and enforce realistic policies. Policies should be brief and to the point. As technology changes, review policies at least on a yearly basis.
State clearly what employees can and cannot do. In addition, stipulate the consequences of a violation. Train employees to protect the information resources of the enterprise. Use caution when giving out personal information. Guide employees on how to spot phishing. Train supervisors and managers in security awareness, as they are your first line of defense. Be able to answer questions, and post documents on the company intranet.
Create an interactive webpage dedicated to security. Update it frequently and include security tips. A social engineer with enough time, patience, and resolve will eventually be able to break down barriers and succeed in breaching a system, so get everyone involved to stop this threat. In your organization, reinforce observant behavior. For example, if an employee finds a phishing email and reports it to the security officer, thank them for being observant.
Employees at all levels of the organization need to understand that they are important to the overall security strategy. With training and support, we can lessen the impact of social engineering.