Corporate identity theft: A growing problem that is preventable

By Chris Pick
Johannesburg, 26 May 2004

Only just over half (51%) of all victims of personal identity theft were immediately aware that some form of their identity was stolen, according to a Federal Trade Commission (FTC) survey of 4 000 victims in the US. The remainder (49%) would only discover the incident once a fraudulent crime had been committed. In some cases, where and how identity theft occurred would never be known.

This is alarming, because corporate identity theft, performed by both hackers and organised crime, is on the rise and the FTC estimates that it costs the consumer and businesses around $53 billion annually. Yet, it is relatively simple to prevent.

"The modern corporation has invested millions in firewalls, VPN, AV, content filtering and network intrusion detection systems, proxy servers and many other software devices to secure the perimeter. But, the human element is often left to chance," says Chris Pick, Vice-President, Security Products for the NetIQ Corporation.

To combat the potentially damaging effects of elicitation and social engineering, corporations need to create and adhere to security policies and procedures. Various probing questions can be asked to ascertain the effectiveness of your current policies, for example: Can you enforce your security policies fairly, consistently and legally? Are your policies well read and understood? Would employees recognise a security incident and know how to report it? Is information security everyone's business, or just that of the IT security department?

Part of the initial problem in trying to combat the human security issues of social engineering and elicitation was the lack of freely available information. The Human Firewall Council (www.humanfirewall.org) was created to perform just this function. "Social engineering can take two forms - human or technical," explains Pick. The human form essentially comprises an initial encounter, building trust, targeted intimidation and exploitation of that trust. The technical 'attack' could be embodied in an e-mail or take the form of a pop-up window on the Internet. "Phishing" (pronounced "fishing") is one of the most recent and hardest to spot forms of technical identity theft. It is a technique that uses e-mail to lure individuals to a replica of a legitimate Web site to steal their identity. This could be a bank site, for example, requesting you to re-enter credit card and other account details.

It may seem daunting at first, but there are a number of cautionary measures. These include not replying to unexpected e-mail, especially if it is along the lines of: "Your account will be closed unless you verify your details." If you are suspicious of a Web site, contact the company via telephone or physical address. Another safeguard is to look for the 'lock' icon in the browser status bar. This indicates that the site being viewed is a legitimate, encrypted Web site. Lastly, if you unknowingly supplied any of your personal information, take the necessary measures to stop or minimise damage.

NetIQ's integrated security management solutions provide a cost-effective route to securing information assets across the organisation. The solutions systematically help companies enforce security policies, efficiently administer users and systems, minimise vulnerabilities and prevent intrusions.

Within the sub-Saharan Africa region, 10Net distributes the complete range of NetIQ integrated security management products, in addition to system management and Web analytics solutions.

Editorial contacts

Robyn Moon
CubicICE
(011) 705 2545