Defense Against the Dark Arts
"If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death together with the man to whom the secret was told."—Sun Tzu, The Art of War
I love Sun Tzu! Okay, so this is a bit harsh. If your users give up information about the internals of your company, network, software, etc., putting them to death along with the social engineer is probably not an option, although I'm sure that some people would love to put that into law somewhere. So now that we have all the people in your office suspicious of every Xerox guy who shows up claiming to be there to fix some copier, what's the next step?
The first defense against social engineering is education. Your employees and coworkers should understand the threats that exist out there. This instruction can be achieved with classes, seminars, or even periodically sending employees email reminders.
Next, if an employee detects that something is wrong when speaking to a potential attacker, what should she do? What escalation path should she take to make sure that the entire company is aware of this issue and doesn't fall prey to the attacker? Chances are, if the attacker is calling to get information, he will systematically call different people in your company to see whether he can convince one person to tell him what he needs to know. Policies should be in place to help lay down the rules of engagement. Most companies focus on making that perfect policy that will solve all the world's problems. In the meantime, however, there's no policy. My suggestion is put a policy in place as soon as possible. It doesn't have to be perfect, and you can fine-tune it over time. But having no policy at all is worse.
To help start you off, I've included a short checklist of areas that should be addressed in your security policies:
- Passwords are the property of the company. This rule should
be stated in the paperwork that each employee signs on hiring day. It should be
explained that because the company owns your password, you are not allowed to
use it for any other purpose. With the growing number of passwords people have
to remember, many people resort to using the same password for corporate logins
and for most web sites they visit.
So how does this issue relate to social engineering? Let's look at this in the context of phishing. Phishing is when someone sends you an email message asking you to click a link and log into a site. Most of the time the email appears to have come from eBay or some bank somewhere. Most users aren't savvy enough to understand that the target site for the link is actually the phisher's (it just looks like eBay or the bank site) and is just collecting usernames and passwords for malicious use. This type of attack isn't face-to-face, but is still attempting to manipulate human beings and is still considered a form of social engineering. To add to the trouble of a phisher having your employees' eBay account info, he also may gain a login to your network if the same password is used on both the eBay account and the network.
Another concern: Even if your employees are visiting a valid site, there's no guarantee as to how secure that site is. Suppose the user uses the corporate password on that web site. Now suppose that a hacker gets the usernames, user email addresses, and passwords from that site. The hacker could now have all the information he needs to hack your company as well.
- Instructions for handling visitors properly. If your company allows visitors inside the building, you need a process for identifying and handling those visitors. You may want to make sure that each visitor has a clearly visible badge. It's also a good idea to make sure that a visitor is constantly escorted by an employee when inside the building. If a guest is found roaming the building without an escort or without a badge, employees should have a proper, polite, and direct process that explains how to ask this person why she is there and where her escort is. By providing a process, you ensure that there's no fuzzy area of how to deal with visitors. Put it in writing and everyone knows what to do.
- Information disclosure policy. Most information gathered by social engineers comes from actually talking to your employees. You should have a policy that spells out the proper ways of disseminating information to anyone. Notice that I don't just focus on people outside the company. In large companies, a social engineer may be able to convince someone that she's actually an employee and just needs help. Perhaps the proper process is that all requests for information about systems, accounts, and internal processes have to be logged into a system and approved by department management before any information is released.
Each time you come in contact with people from outside the company—and even with most people inside the company—it should be considered a potentially dangerous situation. Divulging information about your company is like handling live nuclear materials: Neither one is a recommended procedure. If someone were to detect or even merely suspect a social engineer, the proper people in your company should be notified, and everyone should know who those proper people are.
Finally, follow the prudent words of Professor "Mad-Eye" Moody, Defense Against the Dark Arts teacher at Hogwarts School of Witchcraft and Wizardry:
"CONSTANT VIGILANCE!"—J. K. Rowling, Harry Potter and the Goblet of Fire
Your employees need to be on guard against these types of attacks. A good policy is useless without practical application. You should periodically test your employees or the company as a whole to make sure that they not only know the policy but are astute enough to act in the proper way. A soldier who has never practiced war tactics will not fare very well when thrown into a live wartime situation.