Welcome to the fourth edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to ISO 17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Guidance and information included in this issue:
SOCIAL ENGINEERING - ARE YOU SUSCEPTIBLE?
The term 'social engineering' can conjure up a variety of ideas, usually based around the concept of genetic tampering. However, when applied to IT security, it has its own implications and its own vocabulary.
Following interviews with known computer criminals, a list of approaches has been produced. These are designed to gather information without the target even realizing that they have parted with it.
The attempts are often made on an opportunistic basis, with common locations for this sort of activity being planes, trains and pubs. The telephone is probably the major channel for premeditated attempts.
The following are some of the major techniques employed:
This essentially involves asking a variety of questions, including some leading questions designed to 'catch' the right answers. Often, items of conversation are introduced based upon replies received. The fiction is legitimized with small amounts of fact in the right places.
The information given freely in surveys can often be extremely useful to a criminal. The surveys can initially be for entirely legitimate purposes, or can be completely bogus from the start. In either case sensitive information can often be obtained and unwittingly disclosed.
This amounts to the perpetrator assuming a more senior position in the company than the victim, and is usually enacted over the telephone. It does not necessitate direct impersonation of a named individual... only the POSITION needs to be assumed.
Basically this is looking over someone's shoulder at something confidential. This could be directly, through a window, through a doorway, etc.
This involves asking a constant stream of similar questions to wear down the target.
There are of course many other techniques. However, disclosure can be prevented through a series of common-sense rules and policies.
Before releasing any information it is essential to at least establish:
a) the sensitivity of the information
b) the real identity of the third party (proper authentication)
c) your authority to exchange or release the information
d) the purpose of the exchange
The act of exchange should also be recorded for audit purposes.