- I'm a Social Person; Does That Make Me a Hacker?
- The Telephone: Primary Tool for Social Engineering
- Dumpster Diving
- Desktop Hacking
- And Knowing Is Half the Battle
...And Knowing Is Half the Battle
There are countermeasures that a corporation can implement to guard against social engineering. Since many of these attacks, especially those conducted over the telephone, exploit people rather than software, the defenses are mainly procedural: staff must be prepared to recognize and resist them. Effective security awareness training, reinforced by constant reminders, is key.
Specific procedures can make a successful attack more difficult. Staff should be trained never to give out confidential personal or account information unless they are certain they are speaking with technical support staff who have a demonstrable need for it. If there is any doubt, the user should call his or her own supervisor for confirmation before releasing anything. This goes both ways: standard operating procedures for customer service and technical support should require verifying the caller's identity before performing critical operations such as resetting accounts, and that verification should rest on something an outsider cannot pick up from a business card or a discarded memo; calling the requester back at a number already on record, rather than one the caller supplies, is one simple check. In addition, all employees should be trained to report suspicious events (unusual phone calls, people lurking around the office, anything out of the ordinary) to the company's security staff. Taken together, these reports may let the security staff determine that the company is being targeted for social engineering and send out warnings to all personnel.
To prevent dumpster diving, the firm should have a strict policy of shredding all paper documents, regardless of their sensitivity; this limits the amount of information a hacker can gather from the trash, and shredding everything means that shredded material no longer marks a document as interesting. Shredded documents can be reconstructed, but it is a hassle, and a cross-cut shredder makes it far more of one than a strip-cut shredder does. Sticky notes, however, are rarely shredded and remain a valuable source of potentially compromising information.
Video surveillance cameras can help discourage snooping around employees' workspaces. However, employees may not want to be monitored while at work, and monitoring can be expensive. Whatever the firm decides about cameras, security awareness training should stress the importance of reporting any suspected incident to the appropriate security department, physical or technical.