The Security Breach
The term identity theft is well known today. Magazine articles are written about it, TV viewers are exposed to it, and radio programs preach the dangers of it. To steal someone's identity or impersonate them online, by mail, over the phone, or in person, no technology is needed, just an understanding of social engineering.
As with hacking into a computer network, the goal of social engineering is the same: gaining unauthorized access to a network.
It's said that one man's garbage is another man's treasure. For identity thieves and impersonators, this is literally true. Your organization's trash can be a gold mine that can help a malicious person acquire the information he needs to steal or impersonate one of your employees or trusted suppliers. There's even a term for it: trashing. If you're not careful about the information you trash each and every day, you open the door to this kind of security breach. How? Consider the documents your company trashes every day: company phone books and organization charts; printed memos and company letterhead and forms; policy manuals and system manuals; HR directives and calendars of meetings, events, and vacation schedules; computer printouts; and computer media such as disks, tapes, and tossed hard drives.
All of this material can include important information for an identity thief to use to gain access to your organization and network, using social engineering. For example, if an identity thief can get his hands on your organization's phone book, he knows who to impersonate and who to call in your organization for information, which is the first step in gaining access to your network. Let's face it: a harried secretary, asked for information by someone who sounds like he or she legitimately works for the organization, will more often than not respond to the request.
A person trained in the techniques of social engineering can gain access to your organization and its network with a phone, just as a computer hacker can with a mouse. In the words of Dave Del Torto, a software designer with Pretty Good Privacy: "People are absolutely pathetic about maintaining security policies, and social engineering is the easiest way in."