There's both good news and bad news in defending against social engineering tactics. The bad news is that there's no technical fix for the problem. Turn to your CIO for an answer and you're more than likely to come up empty-handed. There is neither hardware nor software available to protect an organization against such intrusion tactics. But since the answer is not a technical fix, the good news is that the solution doesn't cost a bundle in hardware or software: Establish good policies and procedures to protect against a malicious person using social engineering.
Your first and most crucial components in any information security program are the security policies and procedures that strengthen your first line of defensethe "human firewall."
Now before you run off and create some draconian policies that look great on paper, keep in mind that you're dealing with human beings. Any rules or directives that you put in place should be attainable. For example, don't expect your staff to change their password every time they sign onto your network. Compliance with that rule would be minimal. The policies and procedures you create should be simple to understand and implementyet thorough. And remember that policies are not formed in concrete. An organization evolves, and so should its policies. They need to be kept current. Consider making them "paperless" by putting them on your organization's intranet. This is a simple and sure way of everyone getting a look at the latest version of a policy.
What makes a good human firewall security policy? Here are the minimum policy elements as recommended by the SANS Institute:
Set up accounts properly. Implement a set of procedures for setting up new employees on your network. Train them from the get-go on the security policies and procedures of your organization. Show them where they can find the policies and procedures on your organization's intranet, and tell them to check periodically for updates and additions. As important as procedures for setting up accounts for new employees are procedures for employees leaving your organization. Make sure that proper procedures are followed when removing employees from your system.
Create a password policy. Have your employees change their passwords periodically, and when they do, insist on passwords that are hard to break. Don't let your employees use only letters of the alphabet. Hackers can use a lexicon program that acts as a dictionary to crack passwords. Require that passwords include special characters, numbers, misspelled wordseven double wordsto make them more difficult to crack. But remember the human equation. Make the password policy too stringent and your employees won't follow it. Strike a balance between security and ease of use of your network.
Secure your help desk. Before a help desk employeeor any employee, for that mattergives out a password, make sure that he or she follows written procedures on what steps to take before doing so. For example, use a caller ID system on your phones. This can help determine from where a call originates. If there's doubt, your procedure should require that the help desk call the employee back to verify his location. Another way to ensure that a password (or any information, for that matter) is being given to the right person is to require a certain piece of information or code word before the password is given out. A more draconian method is to not allow any passwords to be given out over the phone.
Proper support is another issue. If the help desk refuses to give an angry vice president his password, that help desk must be supported if the vice president complains to the employee's manager. Finally, make sure that your help desk knows who should be contacted in the event of an attempted security breach.
Create and maintain access privileges. Just because an employee works at an organization, that doesn't mean that he or she should have access to every part of the network. Specific procedures should state who has access to various parts of your network, and how. These procedures should also state who is authorized to approve access, and who can approve any exceptions.
Use employee ID badges. All employees of your organization should wear a picture ID badge. When guests come into your organization, require them to wear a "visitor" badge at all times. If someone on your site is not wearing an ID badge, he or she should be challenged. Be especially alert to vendors, such as coffee, candy, or soft drink vendor employees who enter your building to refresh the snack areas.
Keep your information private. People like to be helpful, but this attitude can be used against you. Specific policies should state that employees should be careful about the information they give out. A good example is a phone survey. Phone surveys are common, and a useful and effective tool in the quiver of a social engineer. When surveys come into the office, have one designated person answer them. This person should be educated in what information is appropriate or inappropriate to give out. If the designated person is asked about information that he or she is not authorized to provide, a procedure should state where or to whom the employee can escalate the question for an answer.
Shred all confidential documents. Provide paper shredders in all areas of your organization that handle sensitive informationnot just in your accounting department. Such seemingly innocent information as a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to your network. Shred all documents in your IT area to protect sensitive information about your network and access to it. Shred documents in your marketing and sales department that discuss new products soon to be released or being developed. Shred documents from your HR department that can be used to impersonate employees or vendors using confidential information. Establish a disposal policy specifying that all paper, including printouts, will be shredded in a crosscut shredder before being recycled. If you don't want someone outside of your organization to see it, shred it, and use it at as confetti at your next company New Year's Eve party.
Protect your modems. One of the most overlooked security risks is your organization's modems. Why? Because they don't go through your firewall, they open your network to the outside world. Simply stated: Don't allow any modems to be attached to a network computer. When modems were a popular way to connect to the Net, hackers used war dialing software to dial all phones in an organization's range of numbers and check for any modems in auto-answer mode. Once the modem answered, the hacker was given access to the network. If you must use modems in your organization for whatever reason, connect them to computers that are not connected to your network.
Protect your physical plant. Your offices and buildings should be treated like your computer network: they must be protected against security breaches. Sensitive areas in your building should be physically protected, with limited access. The doors in these areas should be lockedperhaps with passkeys or passwordsand access granted only to those with a need to be in that area.
Report all violations. If a security breach is detected, or if someone in the organization is not following proper procedures that can affect the security of the network, there should be a process by which such a violation can be reported. Employees should also be assured of support for reporting any suspicious activity concerning the security of the organization. Action must be taken against employees who violate policy, to show that management is serious about security. Finally, keep in mind that even one attempt can be just the tip of the iceberg and reveal a possible social engineering attack underway. That's why reporting all violations is important. They can act as an early warning for others in the organization and a tip-off to look for other possible social engineering intrusions.