The Best Defense Against Social Engineering

When discussing IT security it is very common to pair up defenses with attacks. Firewalls counter network attacks, anti-virus for viruses, anti-spyware for spyware and so forth. So what is paired up with social engineering? What is the best way to defend against the attacker using deception, lying, and pretexting?

If you read just about any column or article on the topic the universal answer appears to be training. I beg to differ. Are quarterly, half-day training sessions really the best way to get employees to use screen savers and passwords? Is customer education the way to counter phishing attacks? Should you invest in security awareness training?

By Richard Stiennon

Take for example the concept of pretexting. This has gotten a lot of press recently because top executives of HP hired private investigators to obtain phone records of board members and journalists in an overzealous attempt to determine who was leaking information about board discussions.

The PIs would masquerade as these individuals and call the telephone companies requesting their phone records. I am at a loss as to how you could train a CSR to recognize a pretexting attack. Rather, the phone companies should take two steps. One is policy: no customer information given out over the phone, phone records only mailed to the address of record, etc. Second, technology can be deployed to identify and alert when these types of attacks are underway.

In the just-published Enemy at the Water Cooler, Matt Contos relates an incident where call center operators at a phone company were actually in league with the PIs, who were going beyond pretexting to outright bribery. Activity monitoring alerted management that operators were getting direct calls to their stations instead of being routed through the call dispatching system.

They were then accessing multiple accounts during a single call. Definitely suspicious behavior. In this way the phone company was able to track down the dishonest operators and fire them.
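The two signals in that incident, calls that bypass the dispatching system and several customer accounts touched during one call, are easy to express as a monitoring rule. The script below is an added example written for this column, not the phone company's monitoring product or anything from the book: the log format, field names, the sample rows and the thresholds are all assumptions, and the log itself is constructed. It flags calls that show both signals and ranks operators by how often they do, which is the kind of report that would have pointed management at the dishonest operators.

```python
"""Activity-monitoring rule for the call-center pattern described above.

Added example; the log layout (one row per account lookup during a call),
the field names and the thresholds are assumptions, not a real system's schema.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log. "route" is "dispatch" when the call came through the
# call-dispatching system and "direct" when it rang the operator's station directly.
SAMPLE_LOG = """\
timestamp,operator,call_id,route,account
2006-09-01T09:00:12,op17,c1001,dispatch,A-4411
2006-09-01T09:04:40,op17,c1002,dispatch,A-9032
2006-09-01T09:11:03,op42,c1003,direct,A-1200
2006-09-01T09:11:45,op42,c1003,direct,A-1201
2006-09-01T09:12:20,op42,c1003,direct,A-1202
2006-09-01T09:20:08,op42,c1004,direct,A-3350
2006-09-01T09:20:50,op42,c1004,direct,A-3351
2006-09-01T09:31:15,op08,c1005,dispatch,A-7780
2006-09-01T09:32:00,op08,c1005,dispatch,A-7781
2006-09-01T09:45:22,op08,c1006,direct,A-5509
"""

# Assumption: a legitimate call concerns a single customer account.
MAX_ACCOUNTS_PER_CALL = 1


def parse_log(text):
    """Parse the CSV log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def calls_by_id(rows):
    """Group lookup rows by call: which operator took it, how it arrived, accounts touched."""
    calls = defaultdict(lambda: {"operator": None, "route": None, "accounts": set()})
    for r in rows:
        c = calls[r["call_id"]]
        c["operator"] = r["operator"]
        c["route"] = r["route"]
        c["accounts"].add(r["account"])
    return calls


def suspicious_calls(rows, max_accounts=MAX_ACCOUNTS_PER_CALL):
    """Call ids that both bypassed dispatch and touched more than max_accounts accounts."""
    hits = []
    for call_id, c in calls_by_id(rows).items():
        if c["route"] == "direct" and len(c["accounts"]) > max_accounts:
            hits.append(call_id)
    return sorted(hits)


def operator_report(rows, max_accounts=MAX_ACCOUNTS_PER_CALL):
    """Per-operator counts of direct calls, multi-account calls, and calls showing both."""
    report = defaultdict(lambda: {"direct": 0, "multi_account": 0, "both": 0})
    for c in calls_by_id(rows).values():
        direct = c["route"] == "direct"
        multi = len(c["accounts"]) > max_accounts
        entry = report[c["operator"]]
        entry["direct"] += int(direct)
        entry["multi_account"] += int(multi)
        entry["both"] += int(direct and multi)
    return dict(report)


def operators_to_review(rows, min_both=2):
    """Operators with at least min_both calls that were both direct and multi-account.

    Either signal alone has innocent explanations (a callback, a joint account);
    the combination, repeated, is what singles an operator out for review.
    """
    report = operator_report(rows)
    return sorted(op for op, e in report.items() if e["both"] >= min_both)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for op, e in sorted(operator_report(rows).items()):
        print(f"{op}: direct={e['direct']} multi_account={e['multi_account']} both={e['both']}")
    print("suspicious calls:", suspicious_calls(rows))
    print("operators to review:", operators_to_review(rows))
```

On the constructed log, op42 is the only operator whose calls repeatedly show both signals; op08 has one direct call and one multi-account call, but never together, so the rule leaves that operator alone. The thresholds would be tuned against real call volumes before alerting on them.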

I must say, a great form of employee education is to fire violators of a privacy policy. That lesson sinks in.

Screen Savers and Passwords

What about screen savers and passwords? In years past, employees had to endure quarterly training sessions where they were berated for not using screen savers and “strong” passwords. They were taught how to pick passwords at least eight characters long and with special characters.

They would go back to their desks, set their screen savers to pop up every five minutes, and change their passwords from “Yankees” to f%^7!38o. And after about two days they would turn off their screen saver and revert to “abc123” for their password. Today, screen saver and password quality are set in policy and enforced with technology. No need to train anyone, just enforce policy.

The same goes for other forms of security awareness training. If you determine a need for awareness training you probably have a hole in your defenses that needs to be addressed.