Hackers are after you. Not just “you” as a consumer using your devices to shop. Not just “you” as an employee accessing your company network, e-mail or applications. They are after you. The more they know and can readily find out about you, the easier it is to impersonate you for purposes of further compromise. One of the most common ways this happens is through social engineering — psychological manipulation of people into performing actions or divulging confidential information. Social engineering has been around for a long time; in fact, one of the earliest examples cited was the original Trojan Horse made of wood!
However, in more modern times, we can learn about social engineering from the infamous ex-hacker Kevin Mitnick, who is also one of the foremost experts on social engineering. This is no coincidence as he was one of the most adept at getting access to facilities and systems through artifice, fraud and trickery before he became a white hat consultant. In his words, “the easiest way to penetrate high-tech systems is through the people who manage, operate, and use them.” Fooling a person is easier than breaking through network security. This is why hackers are after you. You will cough up the information when pressed. So how do we protect ourselves against these kinds of attacks targeting our human fallibility?
Ongoing or regular training is emphasized — at Centrify we go through a number of mandatory security training regimes that help prepare employees through role playing and learning about hacker tactics, like: phishing attempts, odd callers seeking information, random people in parking lots or lobbies trying to get physical access to facilities. However, training is only part of the answer.
A companywide security policy must also “address a number of areas in order to be a foundation for social engineering resistance. It should address information access controls, setting up accounts, access approval and password changes. It should also deal with locks, IDs, paper shredding, and escorting of visitors. The policy must have discipline built in and, above all, it must be enforced (Granger, “Combat Strategies”, p. 2)” Sans Institute.
This is no longer a nice “to have” — protect yourself by securing your critical assets with a companywide security policy.
Learn more about how to secure your corporate identities here.