Social engineering a serious threat


Johannesburg, 06 May 2008

The basic goal of social engineering is to obtain unauthorised access to company information, through human interaction, says PricewaterhouseCoopers advisory senior manager, Naeem Seedat.

Social engineers use this information to commit fraud, network and system intrusion, industrial espionage, identity theft, or simply to cause disruption to a company's network, he adds.

"Social engineering protection is all about maintaining the confidentiality and integrity of corporate information. A comprehensive assessment should be undertaken to determine how exposed a company is to the possibility of social engineering attacks."

According to Seedat, a company should start by assessing the organisation's overall level of social engineering awareness. It should also determine whether appropriate awareness, training and communication policies, plans and programmes are in place. This should then be followed by an assessment of three specific areas: information leakages, opportunities for industrial espionage and physical access weaknesses.

Seedat recommends that a company first determine whether information can be leaked through its Internet and intranet facilities. It must also ensure the various forms of mail such as traditional paper mail, e-mail and voicemail are secured and cannot be misused to disclose sensitive information.

There should be controls over information sent to the press, and delivery and disposal processes must be properly designed so that all information and equipment entering and leaving the premises is secured and not left unchecked, says Seedat. Mechanisms for interacting with employees and visitors, such as call centres, help-desks and reception desks, should be adequately secured, he continues.

"Social engineering is often used to conduct industrial espionage. To combat this, companies must adequately classify, protect and encrypt sensitive information and implement adequate security processes and technology. Specifically, it needs to put controls in place to prevent hardware and software key-loggers from being used within the organisation."

Seedat believes there should be a roll-out of enterprise anti-spyware solutions, and that wireless networking facilities must be adequately secured. In addition, there should be processes to identify scams targeting staff and customers, and measures must be put in place to prevent eavesdropping on company conversations.

"Any risk assessment must consider physical access controls protecting premises against unauthorised entry; processes and technology that control visitors entering the premises; the monitoring of sensitive locations; security of storage areas; and appropriate signage that does not unnecessarily identify the nature of sensitive areas to unauthorised personnel," says Seedat.

All companies are susceptible to or have been victims of social engineering. The value of information is unquestionable and the threats to this information are very real. A comprehensive assessment of mechanisms and controls designed to reduce exposure to social engineering attacks is vital, he concludes.
