Tips for Defending Against Social Engineering

It is 1PM on a Wednesday afternoon. Thus far it has been a normal day in the office, and employees are returning from their lunch breaks. Suddenly, the network goes offline and crucial data seems to have disappeared. Your network has just suffered an attack, but the firewall shows nothing and the intrusion detection system didn't raise an alarm. You are able to determine what computer was the source of the attack, and find that it originated from the workstation of Sandra, the head of the accounting department, who had - up until just a few minutes before the attack - been eating lunch at her desk with her new boyfriend, minding her own business.

Now you find Sandra visibly upset, and she informs you that she was dumped that afternoon. Apparently she had been eating her lunch with her boyfriend, gone to the restroom, and returned to find him gone and a note in his place.

Sandra, and therefore your entire network, has just been a victim of social engineering.

What really is social engineering? It is a strange way of describing what is, in reality, "loose lips". You see, you can enforce all the security policies in the world, lock down data, etc., etc., but if your head accountant decides to tell her new boyfriend her password, all that expensive and painstaking security is for nothing.

The facts are, you can devise the most technologically secure network ever, but you cannot control the people that use it. So what can you do to avoid the woes of social engineering and its impact on your employees, and therefore on your entire security structure?

One of the most important things to know about social engineering is how it works. If attempts at garnering crucial information from employees in order to compromise your network security were obvious they would be a lot less common. Unfortunately anyone trying to use social engineering to get a password isn't going to outright ask for it. These are con artists that will painstakingly earn the trust of your employees in order to get their foot in the door.

Another type of "social engineering" is just downright anti-social: Dumpster Diving. It may not be socially acceptable, but if they think it will get them valuable information, someone trying to gain access to your network will dive in the garbage of your company, your vendors, your clients, and your employees.

Social networking websites open up another avenue for Social Engineering. I use Twitter, and have a decent following of people who read my updates and click on links contained in them. If I were trying to gain access to one of those people's computers or networks, it would be pretty easy for me to convince them to download something helpful or funny that was, in fact, some kind of malware that opened a backdoor into their system.

Windows networks traditionally rely on passwords for authentication. The problem with passwords is that they are hard to remember. Employees may use the same password for their work login as they do for MySpace, World of Warcraft, and a sketchy adult website membership. Through keyloggers, or fraudulent websites they sign up on, it can be easy for someone to glean a password.

It is for this reason that password security policies are commonly enforced in most Windows networks. These require passwords to meet complexity and length requirements, and force passwords to expire and be replaced after a certain length of time. Forcing your employees to change their passwords frequently opens up another issue. Remember from above that passwords are hard to remember? Well, it's even harder if they get changed every 30 days. In cases like this, many employees will just write their password down. I've even seen someone with their password on a post-it stuck to their monitor. Go Security.

A good way around this, and around many other social networking attempts that may produce a password, is to use two-part authentication. Basicly, in order to login, users will need to provide something they know (like a password) in conjunction with something that they have (token code, thumb print, etc.). If these measures are in effect, the chances of a slipped password compromising your network are all but eliminated.

Beyond physical measures like this, though, the most important defense is education. If you want your employees' help in maintaining security then you need to educate them about what that means. They need to be convinced that security is important, and they need to know what things they need to safeguard. Training sessions and random tests (like calling and claiming you're from tech support and asking for their password) will help to ensure that your network is safe from social engineering.