Protect Insiders from Social Engineering Threats

By | August 25, 2006

This paper provides security management information about the threats posed by social engineering and the defenses that are available to help resist social engineering hackers. Social engineering describes primarily non-technical threats to company security. The broad nature of these potential threats necessitates providing information about threats and potential defenses to a range of management and technical staff within a company.

To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources.

A social engineering hacker attempts to persuade your staff to provide information that will enable him or her to use your systems or system resources. Traditionally, this approach is known as a confidence trick. Many midsize and small companies believe that hacker attacks are a problem for large corporations or organizations that offer large financial rewards. Although this may have been the case in the past, the increase in cyber-crime means that hackers now target all sectors of the community, from corporations to individuals. Criminals may steal directly from a company, diverting funds or resources, but they may also use the company as a staging point through which they can perpetrate crimes against others. This approach makes it more difficult for authorities to trace these criminals.

To protect your staff from social engineering attacks, you need to know what kinds of attack to expect, understand what the hacker wants, and estimate what the loss might be worth to your organization. With this knowledge, you can augment your security policy to include social engineering defenses. This paper assumes that you have a security policy that sets out the goals, practices, and procedures that the company recognizes as necessary to protect its informational assets, resources, and staff against technological or physical attack. The changes to your security policy will help to provide staff with guidance on how to react when faced with a person or a computer application that tries to coerce or persuade them to expose business resources or disclose security information.
