Subscribe
About

Trust no one

Today's executives often overlook social engineering in meeting their corporate governance responsibilities.
By Amir Lubashevsky, Director of Magix Integration.
Johannesburg, 05 Oct 2007

Social engineering is the phenomenon of exploiting human trust, ignorance and naivety for malicious purposes. Social engineers are masters at the art of misrepresenting themselves, gaining the trust of their victims and extracting information from them.

As organised crime takes advantage of new technologies, corporations have to take care in ensuring they remain safe from the multitude of attacks they can easily fall prey to. While electronic gates can be guarded, how can executives ensure their people don't fall prey to social engineering and inadvertently give away the keys to the kingdom?

How many clerks would refuse to provide their user name and password to someone calling from the IT department? Very few. How many middle or even senior managers would refuse the same request? Sadly, the answer remains the same.

When a total stranger calls and informs you that you have won a competition and need to give them your identity number to confirm you are the actual winner, who refuses? Who asks the caller to identify himself or herself?

Intelligent engineering

While we all know social engineering works well on uneducated people who think Bill Gates is going to send them money, there are more sophisticated swindles that can catch even the cleverest among us off guard.

In April 2007, ITPro released the results of a survey by Infosecurity Europe of 300 office workers and IT professionals. The survey found nearly two-thirds of people would give up sensitive information, such as their passwords, in exchange for a bar of chocolate.

The survey also found that even people who initially refused to divulge their passwords could be tricked into inadvertently revealing it when interviewers used social engineering techniques.

Since it is so simple to convince people to divulge valuable information, even inadvertently, what can companies realistically do to prevent social engineers from gaining access to sensitive data?

Proactive measures

There are more sophisticated swindles that can catch even the cleverest among us off guard.

Amir Lubashevsky is director of Magix Integration.

The first preventative measure is to stop using passwords as an access management mechanism. Using tokens and/or biometric technologies to manage access control is a governance necessity today.

Along with this, location- and device-based access is also becoming critical. If the system recognises that Joe Bloggs is logging on from within the company, it will allow him full access.

On the other hand, if he is accessing the system from an unknown device in an unknown location, such as an Internet cafe, even if he has all correct access permissions, he may only be able to read and answer e-mail. The exact permission specifics will be determined in each company according to its security policy.

The second measure is to accept that social engineers will gain access and prepare for it. To keep critical information safe, even after criminals are in the system, requires constant, non-intrusive monitoring of users' activities.

According to each company's security policy, only certain information can be accessed or altered by specific users. And few users have permission to access the corporation's bank account or copy the customer database to a portable storage device.

Non-intrusive monitoring can identify when suspicious activities occur, raise the alarm and stop them or put a transaction on hold until a further level of authorisation is received.

Improving access controls and providing the necessary education are critical aspects in the ERM process. However, they will only be of limited use if organisations do not have the ability to automatically and non-intrusively monitor employees' activities and stop suspicious actions before losses occur.

Stopping a hacker with technology or a physical thief with an alarm system is achievable these days; stopping criminals with information gleaned from social engineering exercises can be near impossible. The realistic, responsible reaction is therefore to assume and prepare for the worst.

* Amir Lubashevsky is director of Magix Integration.

Share