Social Engineering Tactics AND Defenses

Social Engineering Tactics:

Phishing: Phishing elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.

Malvertising: This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

Phone scams: It is not uncommon for someone to call up an employee and attempt to convince employees to divulge information about themselves or others within the organization.

Defenses Against Social Engineering:

Password management: Guidelines such as the number and type of characters that each password must include how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.

Two-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.

Antivirus/antiphishing defenses: Multiple layers of antivirus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social engineering attacks.

Change management: A documented change-management process is more secure than an ad hoc process, which is more easily exploited by an attacker who claims to be in a crisis.

Information classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.

Document handling and destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.

Physical security: The organization should have effective physical security controls such
as visitor logs, escort requirements, and background checks.