Subtopic 2: Social Engineering

Social engineering tactics may allow unscrupulous individuals to gain access to sensitive information. Fortunately, these techniques can be rendered ineffective with appropriate knowledge and training. One way this weakness is exploited is via the telephone. For example, an employee receives a call from someone claiming to be in the IT department and is told that a virus has been traced to their computer. The caller says the virus can be eradicated automatically, but that the employee's login and password are needed to scan his or her system.

Another very successful social engineering tactic is dumpster diving. A surprising amount of sensitive information is simply tossed in the garbage. Passwords, Social Security numbers, phone numbers, addresses, financial statements and pay documents can all be found in the trash.

Another tactic is for an attacker to simply examine the area around an employee's computer. Employees often keep their passwords on sticky notes around their system, under the keyboard, or on an easily accessible notepad.

Prevention – Social Engineering

Training is the most effective countermeasure to social engineering. Individuals and company employees should be informed of the methods used by social engineers. They should also be instructed on the actions to take if such a scam is suspected. Passwords should require periodic changes. Companies should establish procedures for the destruction of sensitive documents. This includes paper, CDs, floppy disks and other magnetic media. Procedures should also be developed to ensure that sensitive information is properly safeguarded on outdated or discarded computer systems and storage media.

References

Further reading and research can be found at the following links: