Awareness : Security Awareness Tips

Beware of Social Engineering Attacks

“Social engineering” is a fairly new term used in information security to describe activities that attempt to con and deceive people. The aim is to get someone to willingly give privileged information by taking advantage of the user’s good will, trust and desire to be helpful. The attacker can be a person inside or outside the organization who pretends to be someone else:

  • In person
  • On the telephone
  • Via conventional mail or e-mail
  • Through a malicious program disguised as an interesting message or legitimate program

Social engineering attack activities can include:

  • Gathering username and passwords, sometimes through phishing emails
  • Tricking the victim into opening an e-mail or file that, in turn, opens the door for malicious code such as a worm or virus
  • Uncovering proprietary or confidential, personal information

A social engineer will walk into a busy office in a manner that suggests he belongs there, announce he’s been sent to fix the dean’s computer, impatiently demand to be shown where it is, then calmly say, “I need his user name and password - what are they?” Sometimes he’ll call on the phone and say, “This is Joe from the Help Desk. There’s a problem with your account I’m trying to fix, and I need your password to test it.” In both cases he is hoping that no one challenges his authority or asks for some verification of identity. Here are some steps to guard against social engineering attacks:

  • Get to know your IT support staff and their procedures. If someone else calls saying they’re from IT and need your password, which you probably should never give out anyway, you can respond in an appropriate manner.
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Never allow anyone you don’t know to piggyback physical access into a room on your security ID card.
  • Do not provide personal information or information about your organization, including its structure or computer networks, unless you are certain of that person’s authority to have the information.
  • Ask questions of strangers (politely). Ask if you can take them to someone’s office or help escort them outside.
  • Never write down your network/system password on a Post-it Note or tape it to the bottom of your keyboard; attackers, if inside the building, know where to look.

Posted March 9, 2006