Stopping the Social Engineer

As with any information security threat, your institution needs to plan for social engineering, and attempts from outside the institution should be expected. Your employees will be best protected from social engineering attacks once a set of core controls is in place.

When developing these controls, consider their implications. Don't let the controls disrupt your institution's regular operations, and make sure they are strong enough to stop more than one or two types of attack that may occur at the same time. The controls should make it easy to tell the difference between a social engineering attack and the regular activity that happens every day at your institution.

You'll also want the full backing of your board and the institution's management team. They need to know what part they are expected to play, so ask each of them to help identify what needs to be protected.

Set physical access security for everyone across the institution, with no exceptions. Not even your president should be able to get into your computer site or gain access to systems without proper authorization. Most institutions already use access identification (badges or some other form of identification that must be presented upon entering the facility), which is recommended. Tell your staff to make sure the badge photo matches the person wearing it.

Make your security policy and procedures crystal clear to everyone in the institution. If in doubt, staff should check the policy or, better, ask the security department for clarification. It never hurts to ask first, and staff should know the limits of what they are allowed to do, especially when it comes to giving out information of any kind.

Security awareness and education will defeat many of the social engineering attempts that are tried. Letting your staff know it is okay to question who someone is, and why they are asking for a certain piece of information, is a good start. Well-trained staff will know to report suspicious behavior immediately. Give your staff a list of signs that may help them spot a social engineer at work, and run through several scenarios with them that focus on the type of attack their department may be prone to; this will help train the behavior you want from your staff.

Setting up a solid security framework throughout the infrastructure helps the institution's staff focus on their work. Configuring firewalls to monitor both outgoing and incoming traffic will help your firewall administrator identify when something looks out of the ordinary.

Make public only generic information; doing this limits the ground an attacker has to work with. Your website, public databases, internet registrations and other public data sources should show only the institution's main phone number and job titles, with no staff names (for example, "ABC Financial Institution webmaster" rather than "Jane Smith, webmaster").

Create your institution's incident response plan. Write it before the IT is hitting the fan, and make the document available to your institution's staff. Say a staffer gets an urgent phone call requesting that a certain action be taken immediately; the staffer should know exactly what to do, according to the incident response plan. Checking the caller's identity and authority is part of that response: only once authorization to perform the request has been confirmed is the action carried out, and then everything proceeds according to your plan.

Build your institution's security posture by creating a shared understanding that information security is everyone's individual responsibility. Support this through security awareness, and instruct staff on how to act when faced with an information security question. Let them know your door is open and that their questions are welcome.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
