Social Engineering self-defense. - TechRepublic
August 7, 2007 at 07:14 AM
locrian_lyric

Social Engineering self-defense.

by locrian_lyric. Updated 18 years, 10 months ago

Inspired by the article IRS employees socially engineered. Some of this is reposted.

I know a few tried and true tricks. I won’t publish them for obvious reasons, but I do tell people what to look out for.

Included are steps to avoid.

1) "Idiot traps": these are along the line of a big red button that says "don't push". The trick works by playing on basic human curiosity. A variant of that is the 'forbidden secret', be it a malicious file labeled 'HR salary info' or a secret about a celebrity.

DEFENSE: set up a few "idiot traps" of your own and catch your own employees. NOTE: this is not to be a tool for disciplinary action, but for instruction. A user falling for one of the idiot traps should have their account disabled until they call the help desk. When they do, an email should be sent to that user detailing that they fell for a trap and that, had it been an actual criminal hacker, severe damage to the company or identity theft of the user could have occurred.

Again, no disciplinary action should result because the goal is to establish a culture of awareness and not a culture of fear.

2) The "I don't want to get in trouble" trap. You see this one in the movies all the time when someone bluffs their way past a guard, asking them to cut them some slack because they lost their ID for the third time this month or some other sob story. This one works well too. The irony of this one is that the more tightly security clamps down, the more effective this one is. Fellow employees who have been hassled by security for seemingly trivial matters will be VERY sympathetic and hold the door open for that 'employee' who 'lost his ID card'.

DEFENSE: Once again, make security a culture of awareness, not fear. Instruct security to be polite but firm. Have a quick resolution available for the lost/forgotten ID that does not involve management, i.e. the employee reports to security and informs them that their ID was forgotten. Security puts a block on that ID and issues a temporary ID until the employee returns to security with their permanent ID. This will eliminate the whole fear of getting into trouble. You WANT employees to come forward immediately when security is breached, not try to hide it.

3) DO THIS OR YOU'RE GOING TO BE IN TROUBLE! Simple intimidation. The scammer pretends to be someone in a position of power and simply demands the information they want.

DEFENSE: Strict policies and procedures created to discourage this kind of bullying. If it's allowed from management, someone engaging in social engineering will be able to employ it. Furthermore, cowed employees will not be good at security, as their focus will be to keep their heads down and avoid making waves.

4) Standard procedures: This one nails bureaucracies every time. When employees are trained to be mindless robots and policies are never explained, someone can just walk in, grab anything they want and leave with it if they simply assert that they are following a new procedure.

DEFENSE: Communication, infrequent changes in policy, low turnover and high morale. Employee apathy is the enemy here. If employees are force-fed 'embrace change' (in other words, don't ask questions, just do what we tell you) to the point of lunacy, they will not care and they will not question. No amount of precautions will help if the employees don't care. Get the employees involved. Communicate WHY something is needed in a clear, concise way without insulting their intelligence.

Any additions/amendments to the ideas above?
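One way to operationalize the "idiot trap" defense from point 1 (the decoy file nobody has a legitimate reason to open, the temporary account disable, and the awareness notice) is a small script that reads access logs for hits on the decoys. This is an added example, not the poster's code; it assumes a made-up log format that includes the authenticated username, constructed decoy paths and sample log lines, and that the actual account disable is done by a separate identity system fed by the action list produced here.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Paths of the decoy files/links. Constructed names for this example; the
# point is that no employee has a legitimate reason to open them.
CANARY_PATHS = {
    "/shared/HR_salary_info.xlsx",
    "/intranet/do-not-click",
}

# Service accounts whose scanners may touch the decoys legitimately (constructed).
EXEMPT_USERS = {"backup-svc"}

# Assumed log format: one access per line, authenticated user included.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+path=(?P<path>\S+)$"
)

# Constructed sample log; the last line is malformed on purpose to show the
# parser skipping junk instead of crashing.
SAMPLE_LOG = """\
2007-08-07T07:10:01Z user=jdoe action=open path=/shared/Q3_report.doc
2007-08-07T07:12:44Z user=asmith action=open path=/shared/HR_salary_info.xlsx
2007-08-07T07:13:02Z user=bjones action=get path=/intranet/do-not-click
2007-08-07T07:13:40Z user=asmith action=open path=/shared/HR_salary_info.xlsx
2007-08-07T07:15:00Z user=backup-svc action=open path=/shared/HR_salary_info.xlsx
garbage line that does not parse
"""


def find_trap_hits(log_text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {user: [(timestamp, path), ...]} for each decoy access by a non-exempt user."""
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skipped, not fatal
        if m["path"] in CANARY_PATHS and m["user"] not in EXEMPT_USERS:
            hits[m["user"]].append((m["ts"], m["path"]))
    return dict(hits)


def lockout_actions(hits: dict[str, list[tuple[str, str]]]) -> list[tuple[str, str]]:
    """One disable action per user, however many times they bit; the help desk
    call is what lifts it, so the conversation has to happen."""
    return [(user, "disable_until_helpdesk_call") for user in sorted(hits)]


def notice_email(user: str, user_hits: list[tuple[str, str]]) -> str:
    """The post-call note: what happened, what it could have meant, no discipline."""
    first_ts, first_path = user_hits[0]
    lines = [
        f"To: {user}",
        "Subject: Security awareness exercise",
        "",
        f"On {first_ts} your account opened {first_path}.",
        "That item was a decoy placed by the security team as an awareness exercise.",
        "Had it been planted by an actual criminal, it could have caused severe damage",
        "to the company or led to theft of your own identity.",
        "Your account was disabled only so that we could speak with you; it is now",
        "restored. This is not a disciplinary action.",
    ]
    if len(user_hits) > 1:
        lines.append(f"(The decoy was opened {len(user_hits)} times from your account.)")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_trap_hits(SAMPLE_LOG)
    for user, action in lockout_actions(hits):
        print(user, action)
        print(notice_email(user, hits[user]), end="\n\n")
```

Run against the sample log it flags asmith (twice) and bjones, ignores jdoe and the exempt backup account, and emits one disable action per user. Keeping the decoy list and the exempt list explicit matters: a share-indexing or backup account that legitimately touches every file would otherwise be "caught" on every run and drown the real signal.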

