http://www.zdnet.com/anchordesk/stories/story/0,10738,2859818,00.html

Lee Schlesinger, Senior Technology Editor, ZDNet Tech Update
Thursday, April 4, 2002

Bottom line: No product you can buy will protect you completely from the most serious threat to your network and your business. That's not what you want to hear after laying out six figures to arm yourself with firewalls, antivirus software, and intrusion-detection applications, is it? Nevertheless, forewarned is forearmed, and there is something you can do to fight this threat.

I'M TALKING ABOUT social engineering, which is simply a fancy way of saying "getting people who should know better to do what you want." A recent CERT report notes that attempts to hornswoggle those of you using instant messaging and Internet Relay Chat (IRC) via social engineering are on the rise. Victims of these hoaxes are directed to sites that ostensibly will help them, but really plant Trojan horse programs on their computers.

Now what if the unsuspecting victim is infected with a Trojan horse at the office? It could be very costly to your business. So what can you do? Aside from disallowing IM applications in your enterprise, your best bet is to train employees against such cons.

More common than the relatively impersonal social-engineering e-mail or IM is the telephone call from someone who seems to know what he's talking about. An unsuspecting staffer could disclose vital information like user IDs and passwords to someone with a good line of patter.

The one technology that could potentially deter this kind of caper is two-factor authentication. If a smooth-talking fraudster gets one of your employees to give up user IDs and passwords, a second security layer such as biometrics or smart cards could stop that would-be intruder from accessing your network: a password can be read out over the phone, but a card in the employee's wallet or a fingerprint cannot.

But even if your company does employ such technology, a social engineer could still convince an employee to e-mail him the information he is after just as easily, or he may get all he needs on the phone, without ever having to log in himself. Two-factor authentication protects the login; it does nothing for data an employee hands over directly.

THE ONLY OPTION for preventing social-engineering intrusions is awareness. Learn the perpetrators' secrets. Train everyone in your organization to recognize warning signs, like people who ask for sensitive information but refuse to give contact information. Simply asking for a phone number and verifying it (for example, by calling back through the caller's company switchboard rather than the number the caller offers) is often enough to stop such theft. Beware of someone trying to use intimidation or flattery to extract information. And make sure your employees are confident and wary enough to outsmart tricksters.

Here's another piece of advice: When one of your colleagues stops a social-engineering exploit, let others in the company know, in case the con artist tries again with someone else. Hold an annual training session to heighten security awareness, and try staging mock break-ins once in a while to be sure people remember the lessons.

You can't stop con artists from trying to take advantage of your employees and your business. But you can educate your workforce so they're prepared to deal with them. If you follow the guidelines I've set out, you're off to a good start.

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 02:20:25 PST