[ISN] Firms must be alert to social engineering tricks

From: InfoSec News (alerts@private)
Date: Thu Sep 27 2007 - 23:14:25 PDT


By Phil Muncaster in Warsaw
IT Week 
26 Sep 2007

Enterprises must invest more heavily in staff training and social 
engineering tests to ensure corporate data cannot be compromised by 
outsiders who trick their way into the company, according to experts at 
this year's ISSE event in Warsaw.

Sharon Conheady, a consultant in social engineering for consultancy 
Ernst & Young, explained that the scale of the problem is often 
underestimated by firms, because many are unaware it is even going on. 
She revealed criminals are using tools such as Google and company web 
sites to research and gather information about a particular firm, before 
conning their way into the building with the aim of stealing sensitive 

"The key to preventing [attacks] is education and awareness," Conheady 
argued. "It's a good thing to employ someone to test your physical and 
security controls and see how aware staff are about them."

Other speakers at the event advised firms how best to go about educating 
their staff. Gigi Tagliapietra of Italian computer security association 
CLUSIT, argued that managers need to personalise their message and build 
a relationship of trust with their users, so individuals understand the 
consequences of their actions.

"It's all about continuity, simplicity and taking one subject at a time," 
he said. "People will do things if you show them why they should. 
Corporate security depends on the individual because information is 
their future."

Tagliapietra added that local government should be charged with the IT 
security education of its citizens, because the safety of their 
information should be at the heart of its democratic mandate.

Dirk De Maeyer, a security officer at KPMG in Belgium, argued that in 
order to communicate security awareness campaigns more effectively, 
firms should tailor their messages to specific user groups.

"You have to recognise the target audience, so for managers you should be 
talking about the impact on budgets and the reputation of the company," 
he explained.

But such campaigns can be complex and time consuming, according to Arno 
Fiedler of Nimbus Network. "You need to keep it simple. It's not easy and 
you need a lot of knowledge and budget to attempt it," he added.
