All the security measures in the world aren't going to help you if your employees fall prey to a pretexter. Calvin Sun offers some insights to help you educate staff, implement effective policies, and stay a step ahead of would-be intruders.
In 1978, Security Pacific Bank, in California, lost $10 million to someone who claimed to be an internal investigator for the bank. Through convincing and plausible arguments, he was able to persuade various employees to wire him the money to a foreign bank account. This was a classic example of pretexting — the practice by which an intruder, via guile and deception, gains money or information from another person. And although not every incident of pretexting is as high profile as the Security Pacific incident, social engineering or pretexting attacks have risen dramatically over the past few years. By keeping the following thoughts in mind, you can reduce your exposure to pretexters.
Note: This information is also available as a PDF download.
#1: Technology is no substitute for employee education
The Titanic had advanced (for the time) technology and a reputation for being "unsinkable." Nonetheless, it still sank, the tragic result of human error and omission.
Don't look at your spam filters and firewalls as being a substitute for training your employees. If they give out unauthorized information or passwords, your hardware and software technology probably won't be able to stop an intrusion. In other words, your employees could well be the weakest link.
#2: Educate the entire organization, not just IT
To address this weak link, you may need to educate your users about pretexting attacks and train them, perhaps using some of the tips listed below. However, keep in mind that all employees of a company are subject to a pretexting attack, not just those in the IT department. Even though we associate security breaches with technology, we still have to remember that an attacker doesn't need to use a computer or have access to an IT person to conduct a pretexting attack. Indeed, such an attack could target a receptionist, an administrative assistant, or a security guard. All parts of a company need to be aware of pretexting, not just IT.
#3: Provide a "safe harbor" for subordinates
A common tactic of pretexters, when contacting a staff person/victim, is to claim friendship with an executive. By doing so, the pretexter implies that by failing to comply, the victim is jeopardizing his or her career. Therefore, executives and managers should implement safe harbor procedures. In other words, they should establish (and then follow) procedures that safeguard a lower-level employee from disciplinary action for refusing to divulge information, provided the employee followed accepted procedures.
The story is told of how the Duke of Wellington, while riding through a field, came across a young boy who was guarding a gate. When the duke ordered the boy to let him pass, the latter replied that his master gave him orders not to let anyone through. Even after the duke revealed his identity, the boy still refused. At this last refusal, the duke praised the young boy, saying that if the duke had 12 such boys, he could conquer all of Europe.
#4: Establish communications and delegation
If you, as a manager or executive, are going to be away from the office, establish clear guidelines on how staff members should handle requests for information. For example, they might politely decline to provide information, take a message, or refer callers to your assistant. Whatever policy you decide on, make sure your staff knows about it.
#5: Consider bluffing via the mentioning of false details
This tip shows that I've been watching too much television. It takes extreme presence of mind and great improvisational ability, but it might help confirm whether a caller is real. Suppose you get a call from a man who purports to be a friend of Tom, your absent boss. He says that your boss authorized you to give him information. You could try making an offhanded comment with details you know to be false, such as, "Oh, I guess Tom's wife, Mary, is going to have to stay longer in the hospital, huh?" For this technique to work, obviously, you must know that Tom either has no wife, that his wife has a name other than Mary, or that his wife is not in the hospital. If the caller then makes comments such as "Yes, she's really sick, and Tom is really stressed," you'll have a good idea the caller is a pretexter.
#6: Exercise respectful caution
I once called the alumni office of a college to ask for information about a recent graduate. From the response I got to my question, you would have thought I was asking for the nuclear launch codes: "We don't give that information out." "That's personal information." "You're not allowed to ask for that information."
Sure, this alumni office has little chance of being victimized by pretexters. However, they have gone too far to the other extreme, to the point of potentially offending legitimate callers. There's no reason for such a similar attitude on your part. An attitude of respectful assertiveness works equally well, such as, "I'm sorry, but we will require verification before we can release that information."
#7: Use diplomacy when questioning a caller
One way of conveying a respectful but assertive attitude lies in the way we explain procedures to the unknown caller. Yes, when the caller asks the reasons for all these verification questions, it's possible to answer, "It's because you could be an impostor." However, that answer probably will be received poorly. Why not reword it diplomatically and say, "I'm sorry, but we must verify all callers before we can proceed" or "I'm sorry, but in the past we've had issues with unauthorized callers, and we want to protect customer data."
#8: Rely only on known/trusted sources
I once attended a talk on security policies given by former hacker-turned-consultant Kevin Mitnick. He told a story about two young men who entered a research facility. When questioned by the guard, the men asked the guard to call the manager in charge. The guard spoke to the manager, then gave the phone to one of the men. The latter spoke to the manager, and his comments to the unseen manager ("Yes, we'll be inside no longer than an hour," "Yes, we'll make sure everything is shut down properly when we leave") implied that the manager had given permission. The man hung up the phone and told the guard that the men had authorization from the manager.
Of course, the men were impostors, and the manager never gave authorization. The problem arose because the guard never spoke to the manager, but merely relied on the visitors, an untrusted source. If an in-person visitor asks to speak to someone at your location, make sure you are either on the phone at the same time or that you speak to the person after the visitor does.
#9: Make your trash unattractive for dumpster divers
During Mitnick's talk, he discussed his early career of dumpster diving, in which he would sort through company trash (before the days of shredders) in search of useful information, such as account numbers or passwords. However, he stressed that he would avoid any trash bags that had wet garbage inside. Therefore, as an additional safeguard, consider putting wet paper towels inside your trash, along with your shredded papers. This practice illustrates the principle, taught by Sun Tzu in The Art of War, of knowing your enemy.
#10: Establish a policy to handle suspected pretexters
What happens when you catch one? Say an employee is talking with a caller and determined that the caller is a pretexter — how should that employee respond? Develop a policy on how to handle the situation. Should your employees simply hang up? Should they try to notify the police or your internal security department? Should they start a telephone trace? If the pretexter is physically on the premises, should someone detain the pretexter? It's important to work through a policy, keeping in mind legal ramifications.
Calvin Sun is an attorney who writes about technology and legal issues for TechRepublic.