* NetVision exec tells of one method of preventing employees from being deceived

Jim Allred of NetVision contributed the following essay. I have no financial interest whatever in NetVision.

* * *

Social engineering is the art of lying, cheating, tricking, seducing, extorting, intimidating and even threatening employees into revealing confidential information that can be used to break into a company’s systems. Such tricks include sending phony e-mail messages or placing phone calls to “confirm” password information, or deliberately locking out an account using bad passwords and then phoning the help desk in a panic, telling them to open the system before an important meeting supposedly begins.

Some organizations conduct social-engineering penetration tests, but others feel more comfortable using education without such trials. For example, employees can be taught to report and not respond to any phone or e-mail request for any password. They should be taught to report any unknown person walking the premises without an identity badge. Helpdesk personnel can be taught to recognize the tactics incoming callers may use to disguise their identities.

In addition to possible penetration testing or consulting, organizations are building comprehensive security policy resource centers. The NV Policy Resource Center, from my company, NetVision (managed by Meta Security Group), is a subscriber-based Web service that provides automated training to test, track and document employees’ understanding and compliance with security policies. For example, a company may issue a memo, a policy and even an educational program on social engineering. But in a typical scenario, the written policy document is never read and the program is damaged two weeks later when several new employees join the firm without training. With an automated resource program, each new employee is taken through the security training as a Web-based program.
At the end of the program, each employee is tested for comprehension and signs a formal compliance agreement. The training is administered in language the users understand, and the employer can verify that the training was received, understood and accepted.

The organization can require compliance testing at set intervals, such as every year, or can invoke compliance testing each time a critical new element is added to company policy. The system can track compliance and can send out education and update materials from a database of best practices drawn from a variety of security organizations as well as from current events.

The intent of resource centers is to be ongoing and automated. They can address user training and awareness at every level in an organization. They can address compliance issues such as those related to the Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Act of 1999, and they can also address human issues such as the newest tricks that might be tried by the unfortunately ever-creative society of social engineers.

About the author: Jim Allred is vice president of marketing at NetVision, an Orem, Utah, IT security vendor.