Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Oct 29, 2008

New awareness module on social engineering
The proverbial man in the street may think information security primarily involves technical security controls, but in fact other types of control are equally important in protecting information assets: physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are more or less irrelevant: social engineers aim to bypass the technology completely, either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules, but November’s module concentrates on pretexting, phishing and other techniques used by social engineers to fool employees.

Policies, procedures and guidelines are essential controls against social engineering, but they are useless unless employees both know about them and follow them in practice. Social engineering is therefore a particularly important security awareness topic; in fact it is one of our “core topics”, meriting coverage every year in all awareness programs. Employees need to be taught how social engineers work in order to spot them and stop them. It’s a tricky task, since social engineers are adept at finding ways to build and exploit trust, slipping quietly beneath the corporate radar. The best social engineering attacks are never detected. Our aim is not to prevent social engineering attacks from ever succeeding but to create significant barriers that block simple attacks and frustrate more advanced ones, so that social engineers hopefully move along to softer targets.

One of the issues we cover, for instance, concerns the publication of personal details by employees on social networking sites. Names, addresses and birthdates are fabulous starting points for enterprising identity thieves and social engineers who want to impersonate someone. Being cautious about what you publish is a simple control, but it is only valuable if you appreciate the risk sufficiently to be careful, hence the value of awareness.

Find out what's in the awareness module and read all about the NoticeBored service.