Article On Computer Security
Social engineering, in its basic form, is hacker talk for manipulating computer users out of their username and password. Social engineering really goes beyond just usernames and passwords: a well planned social engineering attack can destroy a company. All of the most devastating information thefts have used some sort of social engineering attack. Social engineering is so effective because computer admins and security experts spend all their time patching systems and not training employees about information security. Information security goes beyond patching computers; it is a combination of physical security, computer/network policy and employee training.
This article will describe many of the common security flaws that information thieves take advantage of and how you can prevent them.
1. Web Site Information – Company web sites are the best place to start when gathering information. Often a company will post the names, email addresses, positions and phone numbers of all its employees for everyone to see. Limit the number of employees and phone numbers listed on the web site, and avoid live, active links to employee email addresses. A common mistake is that a company's email user name is the same as the network logon; for example, the email address jsmith@nocompany.com has the network user name jsmith, with the same password for email and the network. Anyone who sees the email address has therefore already learned the network user name.
2. Phone Scams – Scamming someone over the phone is very simple. Company employees need to be trained to be courteous but cautious when giving callers information over the phone. In one common scam, a hacker calls a company posing as a computer salesman. The salesman asks the secretary what type of computers they have, whether they have a wireless network and what operating systems they run. Hackers can use this information to plan their attack on the network. Train your employees to refer any IT related questions to Tech Support.
3. Outside Contractors – Outside contractors should have a security liaison to monitor their activities. The security liaison should be briefed on the work the contractor is hired to perform, the area of operation, the identity of the contractor and whether the contractor will be removing items from the work site.
4. Dumpster Diving – The easiest way to get information about anyone is to go through their trash. Shredders should be used in all cases, or a shredding service should be hired. The dumpster should also be in a secure location and under surveillance.
5. Secretaries – They are your first line of defense; train them not to let anyone into the building unless they are certain who the person is. Security cameras should be placed in the main entrance way and on the outside of the building. A thief who is probing your network will test whether he is challenged when entering the building; cameras can help identify patterns and suspicious people.
6. NO PASSWORDS – Make it company policy that the tech department will never call or email you asking for your username or password. Then, if somebody does call and ask for a password or username, red flags will go up everywhere.
7. LOG OFF – Social engineering attacks get the hacker into the building, where he will usually find many workstations whose users haven't logged off. Make it company policy that all users must log off their workstations every time they leave them. If the policy is not followed, the employee should be written up or docked pay. Don't make a hacker's job any easier than it already is.
8. Training – Information security training is a must for a company of any size. Information security is a layered approach that starts with the physical structure of the building and goes down to how each workstation is configured. The more layers your security plan has, the harder it is for an information thief to accomplish his mission.