If you have a good information security awareness amongst the employees then it should not be a problem what kind of attempts are made by the social engineers and to glean information from
Yes but as RSA demonstrated, it is a moving target.
You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the 'social engineers'. Fight psychology with psychology!
Over and above that I would recommend technical controls. At least one level of mail filtering to block not only the very obvious spam (Viagra, fake watches, pharma, solicitations) and the "Spanish Prisoner" variations but also filter mail with attachments, or at the very least quarantine it.
Until recently, many of my clients had a policy that all MS-Office attachments were either blocked or discarded because they could contain embedded executables. For Word and Excel there were plain text equivalents. PDF used to be preferred where applicable. But now PDF has been subverted.
I realise that there are patches to deal with many of these threats, but the reality is that we are playing catch-up with the Bad Guys even if we do apply the patches the instant they are issued, they work perfectly, and the end users do what they are supposed to and don't find ways to subvert them.
I used to give a workshop "Why Employees Don't Follow Policy (and what you can do about it)". I found that people really don't think in terms of Policy and are quite willing to argue as to why a particular policy does not or should not apply to them. Realistically, you have to approach this from how people perceive their jobs, what they think they are supposed to be doing to earn their wage.
As has been pointed out many times, if 'security' gets in the way of that - the perception, regardless of the reality - then they will try subverting security. To this day I face managers who believe without questioning that security is about saying "NO!" and that security will slow down business and add cost. Trying to get them to see security as an enabler ("car brakes let you drive faster") or as a means of focus or as a means of loss avoidance ("well employees shouldn't be pilfering in the first place...") is often difficult.
Most people focus on getting their jobs done; it takes a lot of pressure and reinforcement to make them stop and think about the security implications of every action they take. It's us who are "paid to be paranoid", not them.
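The attachment-gating control described above (plain text through, Office and PDF held for review, executables and macro-capable files dropped) as an added example in Python, not code from the original post. The extension classes, the magic-byte table, the "worst verdict wins" rule and the sample messages are this example's own assumptions; it uses only the standard library `email` package.

```python
"""Gate inbound mail attachments by policy: allow / quarantine / block.

Example code, not part of the original post. Policy lists below are
illustrative assumptions, not an exhaustive or vendor-supplied set.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed policy classes. Executable and macro-capable formats are blocked,
# document containers that can carry active content are quarantined,
# plain text passes (but only if it really is plain text).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "jar", "lnk"}
MACRO_EXTS = {"doc", "xls", "ppt", "dot", "xlt", "docm", "xlsm", "pptm",
              "dotm", "xltm"}
QUARANTINE_EXTS = {"docx", "xlsx", "pptx", "rtf", "pdf", "zip"}
ALLOW_EXTS = {"txt", "csv", "md"}

# Leading bytes that identify a container type regardless of the file name.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf", b"PK\x03\x04": "zip-container",
         b"\xd0\xcf\x11\xe0": "ole-compound", b"%PDF": "pdf"}

SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def sniff(data: bytes) -> Optional[str]:
    """Return the container type implied by the first bytes, or None."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return None


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for one attachment.

    Checks content before name, so a renamed executable is still caught,
    and treats an executable extension anywhere in the name (invoice.pdf.exe,
    report.exe.txt) as hostile.
    """
    segments = filename.lower().split(".")
    exts = set(segments[1:]) if len(segments) > 1 else set()
    last = segments[-1] if len(segments) > 1 else ""
    kind = sniff(data)
    if kind in ("pe-executable", "elf"):
        return "block", "executable content (%s) regardless of file name" % kind
    if exts & EXECUTABLE_EXTS:
        return "block", "executable extension somewhere in the name"
    if last in MACRO_EXTS:
        return "block", "legacy or macro-enabled Office format"
    if last in ALLOW_EXTS:
        if kind is not None:
            return "block", "claims to be text but carries a %s" % kind
        return "allow", "plain text"
    if last in QUARANTINE_EXTS:
        if kind == "ole-compound":
            return "block", "legacy OLE container under a modern extension"
        return "quarantine", "document format that can carry active content"
    return "quarantine", "unknown or missing extension"


def gate_message(raw: bytes) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Parse a raw RFC 5322 message; the worst attachment verdict wins."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    verdict = "allow"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        v, why = classify_attachment(name, data)
        findings.append((name, v, why))
        if SEVERITY[v] > SEVERITY[verdict]:
            verdict = v
    return verdict, findings


def build_message(attachments: List[Tuple[str, bytes]]) -> bytes:
    """Constructed sample mail for the demo (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "See attached"
    msg.set_content("Please review the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [[("notes.txt", b"hello")], [("invoice.pdf", b"%PDF-1.4 ...")],
               [("payroll.xlsm", b"PK\x03\x04")], [("report.pdf.exe", b"MZ\x90\x00")],
               [("readme.txt", b"PK\x03\x04")]]
    for atts in samples:
        print(gate_message(build_message(atts)))
```

The sniffing step is what makes the control more than a file-name blacklist: a user who renames `tool.exe` to `tool.txt` to "get it through", or an attacker who ships a legacy OLE document under a `.docx` name, is caught by the leading bytes rather than the extension.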
Posted by Anton Aylward
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity