
Midsize Business Security Guidance

How to Protect Insiders from Social Engineering Threats
Published: August 2006
For the latest information, please see
www.microsoft.com/technet/security/midsizebusiness/default.mspx

© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial
License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to
Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Contents
Introduction
  Who Should Read this Paper
  Overview
Social Engineering Threats and Defenses
  Online Threats
    E-Mail Threats
    Pop-Up Applications and Dialog Boxes
    Instant Messaging
  Telephone-Based Threats
    Private Branch Exchange
    Service Desk
  Waste Management Threats
  Personal Approaches
    Virtual Approaches
    Physical Approaches
  Reverse Social Engineering
Designing Defenses Against Social Engineering Threats
  Developing a Security Management Framework
  Risk Assessment
  Social Engineering in the Security Policy
Implementing Defenses Against Social Engineering Threats
  Awareness
  Managing Incidents
  Operational Considerations
  Social Engineering and the Defense-in-Depth Layered Model
Appendix 1: Security Policy for Social Engineering Threat Checklists
  Company Social Engineering Attack Vector Vulnerabilities
  Steering Committee Security Requirement and Risk Matrix
  Steering Committee Procedure and Document Requirements
  Security Policy Implementation Checklist
  Incident Report
Appendix 2: Glossary

Introduction
Welcome to this document from the Midsize Business Security Guidance collection.
Microsoft hopes that the following information will help you create a more secure and
productive computing environment.

Who Should Read this Paper
This paper provides security management information about the threats posed by social
engineering and the defenses that are available to help resist social engineering hackers.
Social engineering describes primarily non-technical threats to company security. The
broad nature of these potential threats necessitates providing information about threats
and potential defenses to a range of management and technical staff within a company,
including:

Board management

Technical operation and service managers

Support staff

Security staff

Business managers

Overview
To attack your organization, social engineering hackers exploit the credulity, laziness,
good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against
a socially engineered attack, because the targets may not realize that they have been
duped, or may prefer not to admit it to other people. The goals of a social engineering
hacker (someone who tries to gain unauthorized access to your computer systems) are
similar to those of any other hacker: they want your company's money, information, or IT
resources.
A social engineering hacker attempts to persuade your staff to provide information that
will enable him or her to use your systems or system resources. Traditionally, this
approach is known as a confidence trick. Many midsize and small companies believe that
hacker attacks are a problem for large corporations or organizations that offer large
financial rewards. Although this may have been the case in the past, the increase in
cyber-crime means that hackers now target all sectors of the community, from
corporations to individuals. Criminals may steal directly from a company, diverting funds
or resources, but they may also use the company as a staging point through which they
can perpetrate crimes against others. This approach makes it more difficult for authorities
to trace these criminals.
To protect your staff from social engineering attacks, you need to know what kinds of
attack to expect, understand what the hacker wants, and estimate what the loss might be
worth to your organization. With this knowledge, you can augment your security policy to
include social engineering defenses. This paper assumes that you have a security policy
that sets out the goals, practices, and procedures that the company recognizes as
necessary to protect its informational assets, resources, and staff against technological or
physical attack. The changes to your security policy will help to provide staff with
guidance on how to react when faced with a person or a computer application that tries to
coerce or persuade them to expose business resources or disclose security information.

Social Engineering Threats and Defenses
There are five major attack vectors that a social engineering hacker uses:

Online

Telephone

Waste management

Personal approaches

Reverse social engineering

Beyond recognizing these entry points, you also need to know what the hacker hopes to
gain. Their goals are based on the same needs that drive us all: money, social
advancement, and self-worth. Hackers want to take your money or resources, they want
to be recognized within society or their own peer group, and they want to feel good about
themselves. Unfortunately, hackers achieve these things illegally by theft or damage to
computer systems. Attacks of any sort will cost you money, through loss of revenue,
resources, information, business availability, or business credibility. When you design
your defenses against such threats, you should estimate what an attack will cost you.

Online Threats
In our increasingly connected business world, staff often use and respond to requests
and information that come electronically from both inside and outside the company. This
connectivity enables hackers to make approaches to your staff from the relative
anonymity of the Internet. You often hear about online attacks in the press, such as
e-mail, pop-up application, and instant message attacks that use Trojan horses, worms, or
viruses (collectively called malware) to damage or subvert computer resources. You
can begin to help address many of these malware attacks through the implementation of
strong antivirus defenses.
Note For more information about antivirus defenses, see The Antivirus Defense-in-Depth Guide
at http://go.microsoft.com/fwlink/?linkid=28732.

The social engineering hacker persuades a staff member to provide information through
a believable ruse, rather than infecting a computer with malware through a direct attack.
An attack may provide information that will enable the hacker to make a subsequent
malware attack, but this result is not a function of social engineering. Therefore, you must
advise staff on how best to identify and avoid online social engineering attacks.

E-Mail Threats
Many staff members receive tens or even hundreds of e-mails each day, both from
business and from private e-mail systems. The volume of e-mail can make it difficult to
give full attention to each message. This fact is very useful to a social engineering hacker.
Most e-mail users feel good about themselves when they deal with a piece of
correspondence; it is the electronic equivalent of moving paper from the in-tray to the
out-tray. If the hacker can make a simple request that is easy to deal with, then the target
will often acquiesce without even thinking about what he or she is doing.
An example of such an easy attack is sending e-mail to a staff member that says that the
boss wants all of the holiday schedules sent for a meeting and could everyone on the list
be copied in on the e-mail. It is simple to slip an external name into the copy list and to
spoof the sender's name so that the mail appears to originate from an internal source.
Spoofing is especially simple if a hacker gains access to a company computer system,
because there is no need to break through perimeter firewalls. Knowledge of a
departmental holiday schedule may not appear to be a security threat, but it means that a
hacker knows when a member of staff is absent. The hacker can then impersonate this
person with a reduced risk of discovery.
The use of e-mail as a social engineering tool has become endemic over the last decade.
Phishing describes the use of e-mail to gain personally identifiable or restricted information
from a user. Hackers may send e-mail messages that appear to have come from valid
organizations, such as banks or partner companies.
The following figure shows an apparently valid link to the Contoso account management
site.

Figure 1. E-mail phishing hyperlink


However, if you look more closely you can spot two differences:

The text in the mail states that the site is secure, using https, although the screen tip
shows that the site actually uses http.

The company name in the mail is Contoso, but the link goes to a company called
Comtoso.

As the term phishing implies, these approaches are typically speculative, with a generic
request for information for a customer. The realistic camouflage used in the e-mail
messages, with company logos, fonts, and even apparently valid free Help Desk support
phone numbers, makes the e-mail appear more believable. Within each phishing e-mail
is a request for user information, often to facilitate an upgrade or additional service. An
extension of phishing is spear-phishing, in which an explicit target or departmental group
is approached. This approach is far more sophisticated, because personal and relevant
company information is necessary to make the deception believable. It requires greater
knowledge of the target, but can elicit more specific and detailed information.
E-mail can also carry hyperlinks that may tempt a member of staff to breach company
security. As shown in Figure 1, links do not always take a user to an expected or
promised location. There is a range of other options available to the hacker in a phishing
e-mail, including images that are hyperlinks that download malware, such as viruses or
spyware, or text that is presented in an image to bypass hyperlink security filters.
Most security measures help keep unauthorized users out. A hacker can bypass many
defenses if he or she can dupe a user into bringing a Trojan horse, worm, or virus into the
company via a link. The hyperlink may also take a user to a site that uses pop-up
applications to request information or offer assistance.
You can use a matrix of attack vectors, attack goals, descriptions, and cost to your
company similar to the one shown in the following table to help you classify attacks and
establish their risk to your company. Sometimes a threat represents more than one risk.
Where this is the case, the following examples show the major risk or risks in bold.

Table 1. Online E-mail Attacks and Costs

Attack goal: Theft of company information
Description: Hacker impersonates (spoofs) an internal user to get company information.
Cost: Confidential information; Business credibility

Attack goal: Theft of financial information
Description: Hacker uses phishing (or spear-phishing) technique to request company
confidential information, such as account details.
Cost: Money; Confidential information; Business credibility

Attack goal: Download malware
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus
infecting the company network.
Cost: Business availability; Business credibility

Attack goal: Download hacker's software
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus
downloading a hacker program that uses company network resources.
Cost: Resources; Business credibility; Money

Like most confidence tricks, you can help to resist social engineering hacker attacks most
effectively by approaching with skepticism anything unexpected in your Inbox. To support
this approach in an organization, you should include in the security policy a specific
e-mail usage guideline that covers:

Attachments in documents.

Hyperlinks in documents.

Requests for personal or company information from within the company.

Requests for personal or company information from outside the company.

In addition to these guidelines, you must include examples of phishing attacks. After a
user recognizes one phishing swindle, they will find it much easier to notice others.

Pop-Up Applications and Dialog Boxes
It is unrealistic to think that members of staff do not use company Internet access for
non-business activities. Most employees browse the Web for personal reasons, such as
online shopping or research, at some time. Personal browsing may bring employees, and
therefore the company computer systems, in contact with generic social engineers.
Although these may not specifically target your company, they will use your staff in an
effort to gain access to your company resources. One of the most popular goals is to
embed a mail engine within your computer environment through which the hacker can
launch phishing or other e-mail attacks on other companies or individuals.

The following figure shows how a hyperlink appears to link to a secure account
management site (secure.contosa.com account_id?Amendments), while the status bar
shows that it takes the user to a hacker site. Depending on the browser that you use, a
hacker can suppress or reformat the status bar information.

Figure 2. Web page phishing hyperlink
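The two tell-tale signs described for Figure 1 and Figure 2 (link text that promises https or names a company host while the real target is plain http or a different host, and a domain that is one letter away from the genuine one) can be checked automatically on inbound HTML mail before a user ever sees the link. The following Python script is an added example for this guide, not code from the original paper; the mail body, the trusted-domain list and the documentation-range address 203.0.113.5 are constructed for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the company legitimately links to (assumed list for this example).
TRUSTED_DOMAINS = {"contoso.com"}

# Constructed HTML mail body: a Contoso/Comtoso phishing link (as in Figure 1),
# a link whose text shows a "secure" host but whose target is an unrelated
# address (as in Figure 2), and a genuine link for comparison.
SAMPLE_MAIL = """
<p>Please confirm your details at
<a href="http://www.comtoso.com/account">https://www.contoso.com/account</a></p>
<p>Amendments: <a href="http://203.0.113.5/login">secure.contoso.com</a></p>
<p>Questions? <a href="https://www.contoso.com/help">Contoso help desk</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parse(url):
    # urlparse only fills in hostname when a scheme is present; assume http for bare hosts.
    return urlparse(url if "://" in url else "http://" + url)


def _registrable(host):
    # Crude last-two-labels heuristic (no public suffix list): secure.contoso.com -> contoso.com
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text):
    """Return a list of findings for one anchor; an empty list means no red flag."""
    findings = []
    real = _parse(href)
    real_host = (real.hostname or "").lower()
    lowered = text.lower()

    # 1. The visible text promises a secure (https) site but the real URL is not https.
    if ("https://" in lowered or "secure" in lowered) and real.scheme != "https":
        findings.append("scheme mismatch: text implies https, link uses %s" % real.scheme)

    # 2. The visible text looks like a URL but names a different host than the real target.
    if "." in text and " " not in text:
        shown_host = (_parse(text).hostname or "").lower()
        if shown_host and shown_host != real_host:
            findings.append("host mismatch: shows %s, goes to %s" % (shown_host, real_host))

    # 3. The real host is a near-miss of a trusted domain (Contoso versus Comtoso).
    reg = _registrable(real_host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if difflib.SequenceMatcher(None, reg, trusted).ratio() >= 0.8:
                findings.append("lookalike domain: %s resembles %s" % (reg, trusted))

    return findings


def scan_html(html):
    """Return [(href, text, findings), ...] for every anchor in an HTML mail body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in scan_html(SAMPLE_MAIL):
        status = "SUSPECT" if findings else "ok"
        print("%-8s %s -> %s" % (status, text, href))
        for finding in findings:
            print("         - " + finding)
```

A mail gateway or awareness tool can run the same checks and quarantine or annotate the message, which supports the policy guidance above without relying on each user spotting the difference.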


The two most common methods of enticing a user to click a button inside a dialog box
are by warning of a problem, such as displaying a realistic operating system or
application error message, or by offering additional services, for example a free
download that makes the user's computer go faster. For experienced IT and Web users,
these methods may seem transparent deceptions. But to inexperienced users, such
pop-up applications or dialog boxes can be intimidating or attractive.
Table 2. Online Pop-Up and Dialog Box Attacks and Costs

Attack goal: Theft of personnel information
Description: Hacker requests staff member's personal information.
Cost: Confidential information; Money (staff member)

Attack goal: Download malware
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment.
Cost: Business availability; Business credibility

Attack goal: Download hacker's software
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment.
Cost: Resources; Business credibility; Money

Protecting users from social engineering pop-up applications is mostly a function of
awareness. To avoid the issue, you may set a default browser configuration that blocks
pop-ups and automated downloads, but some pop-ups can bypass browser settings. It is
more effective to make sure that users are aware that they should not click pop-ups
unless they check with support staff. Therefore, your business staff must be able to trust
that the support staff will not be judgmental if the user was browsing the Web. This trust
relationship may be influenced by your company policy on personal Internet browsing.

Instant Messaging
Instant messaging (IM) is a relatively new communications medium, but it has gained
widespread popularity as a business tool, and some analysts estimate that there will be
200 million users of IM products in 2006. The immediacy and familiarity of IM makes it a
rich hunting ground for social engineering attacks, because users regard it much as the
telephone and do not associate it with potential computer software threats. The two main
attacks made using IM are the delivery of a malware link within an IM message and the
delivery of an actual file. Of course, IM also represents another way of simply asking for
information.
There are a number of potential threats inherent to IM when addressing social
engineering. The first is the informality of IM. The chatty nature of IM, together with the
option of giving oneself a spurious or false name, means that it is not entirely clear that
you are talking to the person you believe you are talking to, which greatly enhances the
option for casual spoofing.
The following figure shows how spoofing works, for both e-mail and IM.

Figure 3. Instant messaging and e-mail spoofing


The hacker (red) impersonates another known user and sends either an e-mail or IM
message that their target will assume comes from someone they know. Familiarity
relaxes user defenses, so they are far more likely to click a link or open an attachment
from someone that they know, or they think that they know. Most IM providers allow
identification of users based on e-mail address, which can enable a hacker who has
identified an addressing standard within your company to send IM contact invitations to
other people in the organization. This functionality does not pose a threat, but it does
mean that the number of targets within your company is greatly increased.

Table 3. Instant Messaging Attacks and Costs

Attack goal: Request for company confidential information
Description: Hacker uses IM spoofing to impersonate a coworker to request business
information.
Cost: Confidential information; Business credibility

Attack goal: Download malware
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus
infecting the company network.
Cost: Business availability; Business credibility

Attack goal: Download hacker's software
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus
downloading a hacker program, such as a mail engine, that uses company network
resources.
Cost: Resources; Business credibility; Money

If you are anxious to embrace the immediacy and cost reductions that IM can provide,
you must include IM-specific defenses in your security policies. To help control IM within
your business, you must establish the following five usage rules:

Standardize on a single IM platform. This rule will minimize support effort and will
discourage users from chatting by using their own personal IM provider. If you want a
more controlled approach to limiting user choice, you can choose to block ports that
the common IM services use.

Define deployment security settings. IM clients offer a range of security and
privacy options, such as virus scanning.

Set contact guidelines. Recommend that users do not accept new contact
invitations by default.

Set password standards. Make your IM passwords comply with the strong
password standards that you have set for host passwords.

Provide usage guidance. Develop a set of best practice guidelines for your users,
explaining the reasoning behind these recommendations.

Telephone-Based Threats
The telephone offers a unique attack vector for social engineering hackers. It is a familiar
medium, but it is also impersonal, because the target cannot see the hacker. The
communications options for most computer systems can also make the Private Branch
Exchange (PBX) an attractive target. Another, perhaps very crude, attack is to steal either
credit card or telephone card PINs at telephone booths. This attack is most commonly a
theft from an individual, but company credit cards are just as useful. Most people are
aware that they should be wary of prying eyes when using an ATM, but most people are
less cautious when using a PIN in a telephone booth.
Voice over Internet Protocol (VoIP) is a developing market that offers cost benefits to
companies. Currently, due to the relatively restricted number of installations, VoIP
hacking is not considered to be a major threat. However, as more businesses embrace
this technology, VoIP spoofing is set to become as widespread as e-mail and IM spoofing
is now.

Private Branch Exchange
There are three major goals for a hacker who attacks a PBX:

Request information, usually through the imitation of a legitimate user, either to
access the telephone system itself or to gain remote access to computer systems.

Gain access to free telephone usage.

Gain access to the communications network.

Each of these goals is a variation on a theme, with the hacker calling the company and
attempting to get telephone numbers that provide access directly to a PBX or through a
PBX to the public telephone network. The hacker term for this is phreaking. The most
common approach is for the hacker to pretend to be a telephone engineer, requesting
either an outside line or a password to analyze and resolve the problems reported on the
internal telephone system, as shown in the following figure.

Figure 4. Telephony PBX attacks


Requests for information or access over the telephone are a relatively risk-free form of
attack. If the target becomes suspicious or refuses to comply with a request, the hacker
can simply hang up. But realize that such attacks are more sophisticated than a hacker
simply calling a company and asking for a user ID and password. The hacker usually
presents a scenario, asking for or offering help, before the request for personal or
business information happens, almost as an afterthought.

Table 4. Private Branch Exchange Attacks and Costs

Attack goal: Request company information
Description: Hacker impersonates a legitimate user to gain confidential information.
Cost: Confidential information

Attack goal: Request telephone information
Description: Hacker impersonates a telephone engineer to gain access to the PBX in
order to make external calls.
Cost: Resources

Attack goal: Use PBX to access computer systems
Description: Hacker breaks into computer systems, through PBX, to steal or manipulate
information, infect with malware, or use resources.
Cost: Business credibility; Money

Most users do not have any knowledge of the internal telephone system, beyond the
telephone itself. This is the most important piece of defense that you can put into your
security policy. It is uncommon for hackers to approach general users in this way. The
most common targets are reception or switchboard staff. You must state that only the
service desk has authorization to provide assistance to telephone suppliers. In this way,
all authorized personnel deal with all engineering support calls. This approach enables
targeted staff to reroute such queries efficiently and quickly to a qualified staff member.

Service Desk
The service desk (or Help Desk) is one of the mainstay defenses against hackers, but it
is, conversely, a target for social engineering hackers. Although support staff are often
aware of the threat of hacking, they also train to help and support callers, offering them
advice and solving their problems. Sometimes the enthusiasm demonstrated by technical
support staff in providing a solution overrides their commitment to adherence to security
procedures and presents service desk staff with a dilemma: If they enforce strict security
standards, asking for proofs that validate that the request or question comes from an
authorized user, they may appear unhelpful or even obstructive. Production or sales and
marketing staff who feel that the IT department is not providing the immediate service that
they require are apt to complain, and senior managers asked to prove their identities are
often less than sympathetic to the support staff's thoroughness.
Table 5. Service Desk Telephony Attacks and Costs

Attack goal: Request information
Description: Hacker impersonates a legitimate user to get business information.
Cost: Confidential information

Attack goal: Request access
Description: Hacker impersonates a legitimate user to get security access to business
systems.
Cost: Confidential information; Business credibility; Business availability; Resources;
Money

The service desk needs to balance security with business efficiency, and as such security
policies and procedures must support them. Proof of identification, such as providing an
employee number, department, and manager name, will not be too much for a service
desk analyst to request, as everyone knows these. But this proof may not be completely
secure, because a hacker may have stolen this information. It is a realistic start, however.
In truth, the only 99.99 percent accurate means of identification is a DNA swab test,
which is clearly unrealistic.
It is more difficult to defend the service desk analyst against an internal or contract worker
hacker. Such a hacker will have a good working knowledge of internal procedures and
will have time to make sure that they have all the information required, before they make
a service desk call. The security procedures must provide a dual role in this situation:

The service desk analyst must ensure that there is an audit trail of all actions. If a
hacker succeeds in gaining unauthorized access to information or resources through
a service desk call, the service desk must record all activities so that they can quickly
rectify or limit any damage or loss. If each call triggers an automated or manual e-mail
message stating the problem or request, it will also be easier for an employee
who has suffered identity theft to realize what has happened and call the service
desk.

The service desk analyst must have a well-structured procedure for how to handle
call types. For example, if the employee's manager must make access change
requests by e-mail, there can be no unauthorized or informal changes to security
levels.

If users are aware of these rules, and management supports their implementation, it will
prove much harder for hackers to succeed or remain undetected. The 360-degree audit
trail is a most valuable tool in the avoidance and discovery of wrongdoing.

Waste Management Threats
Illicit waste analysis (dumpster diving, as it is commonly termed) is a valuable activity
for hackers. Business paper waste can contain information that is of immediate benefit to
a hacker, such as discarded account numbers and user IDs, or can serve as background
information, for example telephone lists and organization charts. This latter type of
information is invaluable to a social engineering hacker, because it makes him or her
appear credible when launching an attack. For example, if the hacker appears to have a
good working knowledge of the staff in a company department, he or she will probably be
more successful when making an approach; most staff will assume that someone who
knows a lot about the company must be a valid employee.
Electronic media can be even more useful. If companies do not have waste management
rules that include disposal of redundant media, it is possible to find all sorts of information
on discarded hard disk drives, CDs, and DVDs. The robust nature of fixed and removable
media means that those responsible for IT security must stipulate media management
policies that include wiping or destruction instructions.

Table 6. Waste Management Attacks and Costs

Attack goal: Paper waste in external bins
Description: Hacker takes paper from externally housed dumpsters to steal any relevant
company information.
Cost: Confidential information; Business credibility

Attack goal: Paper waste in internal bins
Description: Hacker takes paper from internal office bins, bypassing any management
guidelines for external paper waste.
Cost: Confidential information; Business credibility

Attack goal: Electronic media waste
Description: Hacker steals information and applications from discarded electronic media.
Hacker also steals the media itself.
Cost: Confidential information; Resources; Business credibility

Your staff must fully understand the implications of throwing waste paper or electronic
media in a bin. After this waste moves outside your building, its ownership can become a
matter of legal obscurity. Dumpster diving may not be deemed illegal in all circumstances,
so you must ensure that you advise staff how to deal with waste materials. Always shred
paper waste and wipe or destroy magnetic media. If any waste is too large or tough to put
in a shredder, such as a telephone directory, or it is technically beyond the ability of a
user to destroy it, you must develop a specific protocol for disposal. You should also place
trash dumpsters in a secure area that is inaccessible to the public.
When designing a waste management policy, it is important to make sure that you comply
with local regulatory rules regarding health and safety. It can also be socially valuable to
adopt ecologically sound waste management strategies.
In addition to the management of external waste (the paper or electronic media that may
be made available to those outside the company) you must also manage internal waste.
Security policies often overlook this issue, because it is often assumed that anyone
granted access to the company must be trustworthy. Clearly, this is not always the case.
One of the most effective measures in managing waste paper is the specification of a
data classification. You define different categories of paper-based information and specify
how staff should manage their disposal. Example categories might include:

Company Confidential. Shred all company confidential waste documents before
disposal in any bin.

Private. Shred all private waste documents before disposal in any bin.

Departmental. Shred all departmental waste documents before disposal in public
dumpsters.

Public. Dispose of public documents in any bin or recycle them as waste paper.

For more information about developing data classifications, see the Security
Management SMF on Microsoft TechNet at http://go.microsoft.com/fwlink/?linkid=37696.

Personal Approaches
The simplest and cheapest way for a hacker to get information is for them to ask for it
directly. This approach may seem crude and obvious, but it has been the bedrock of
confidence tricks since time began. Four main approaches prove successful for social
engineers:

Intimidation. This approach may involve the impersonation of an authority figure to
coerce a target to comply with a request.

Persuasion. The most common forms of persuasion include flattery or name
dropping.

Ingratiation. This approach is usually a more long-term ploy, in which a subordinate
or peer coworker builds a relationship to gain trust and, eventually, information from a
target.

Assistance. In this approach, the hacker offers to help the target. The assistance will
ultimately require the target to divulge personal information that will enable the
hacker to steal the target's identity.

Most people assume that anyone who talks to them is being truthful, which is interesting
because most people admit that they themselves will tell lies. (The Lying
Ape: An Honest Guide to a World of Deception, Brian King, Icon Books Limited.)
Unquestioning trust is one of the goals of a social engineering hacker.
Defending users against these types of personal approach is very difficult. Some users
are naturally susceptible to one or more of these four attacks. The defense
against an intimidation attack is the development of a no-fear culture within a business.
If politeness is the normal behavior, the success of intimidation is reduced, because
individual staff members are more likely to escalate confrontational situations. A
supportive attitude within management and supervisory roles toward the escalation of
problems and decision-making is the worst thing that can happen to a social engineering
hacker. Their goal is to pressure a target into making a quick decision. With the problem
escalated to a higher authority, they are less likely to achieve this goal.
Persuasion has always been an important human method of achieving personal goals.
You cannot engineer this out of your workforce, but you can provide strict guidance on
what an individual should and should not do. The hacker will either ask for restricted
information outright or manufacture a scenario in which a user volunteers it. Ongoing
awareness campaigns and basic guidance covering security controls such as passwords
are your best defense.
Hackers need time to ingratiate themselves with your users. The hacker will need to be in
regular contact, probably by taking the role of a coworker. For most midsized companies,
the main coworker threat comes from regular service or contract personnel. The HR
group must take as much care over the security screening of contract staff as it does
with permanent staff. You can pass most of this work to the contract supplier. To make
sure that the supplier does an effective job, you may ask them to comply with your own
screening policies for permanent staff. If a social engineering hacker gains permanent
employment within your company, then the best defense is the awareness of your staff
and their adherence to the security policy rules on information security.
Finally, assistance attacks can be minimized if you have an effective service desk. The
in-house assistant is often a result of disaffection with existing company support services.
You need to enforce two elements in order to make sure that staff contact the service
desk rather than an unauthorized in-house expert, or worse, an expert from outside the
company:

• Specify in your security policy that the service desk is the only point to which users
  should report issues.
• Ensure that the service desk has an agreed response process within the
  departmental service-level agreement. Audit the service desk performance regularly,
  to make sure that users receive the right level of response and solution.

You must not underestimate the importance of the service desk in providing the first-level
defense against social engineering attacks.

Virtual Approaches
Social engineering hackers need to make contact with their targets to make their attacks.
Most commonly, this will take place through some electronic medium, such as an e-mail
message or a pop-up window. The volume of junk and spam mail that arrives in most
personal mailboxes has made this method of attack less successful, as users become
more skeptical of chain mail and conspiratorial requests to take part in legal and
lucrative financial transactions. Despite this, the volume of such mail and the use of
Trojan horse mail engines mean that it remains attractive, with only a minimal success
rate, to some hackers. Most of these attacks are personal and aim to discover
information about the target's identity. However, for businesses, the widespread abuse of
business systems, such as computers and Internet access, for personal use means that
hackers can enter the corporate network.
Telephones offer a more personal, lower-volume method of approach. The limited risk of
arrest means that some hackers use the telephone as a means of approach, but this
approach is primarily for PBX and service desk attacks; most users would be dubious
about a call requesting information from someone that they did not know personally.

Physical Approaches
Less common, but more effective for the hacker, is direct, personal contact with a target.
Only the most suspicious employee will doubt the validity of someone who presents
themselves and asks for or offers help with a computer system. Although these
approaches carry far greater risks for the perpetrator, the advantages are obvious. The
hacker can gain unfettered access to computer systems within the company, inside any
technological perimeter defenses that exist.
The growth in the use of mobile technologies, which enable users to attach to corporate
networks while on the road or in their homes, is another major threat to company IT
resources. The attacks that are possible here range from the simplest observation attack,
in which a hacker watches over the shoulder of a mobile computer user on a train to see
their user ID and password, to more sophisticated attacks in which a card reader or router
upgrade is delivered and installed by a very helpful service engineer who gains access to
the business network by asking for the user's ID, password, and perhaps a cup of coffee.
A thorough hacker would even request an authorization signature from the user, so now
they have the user's signature as well. Between these types of attacks come threats like
neighbors who use the bandwidth paid for by the company to access the Internet through
an unprotected wireless LAN.
Although most large companies have highly developed site security infrastructures,
smaller, midsized offices can be more relaxed about building access. Tailgating, in which
an unauthorized person follows someone with a pass into an office, is a very simple
social engineering attack. The intruder opens the door, which the authorized user walks
through, and then engages them in conversation about the weather or weekend sport
while they walk past the reception area together. This approach would not work in a large
company, where each individual may need to swipe a card through a turnstile, or in a
small company where everyone knows everyone else. However, it is perfectly suited for a
company with a thousand employees, where it is common for one employee not to know
everyone. If the impostor has previously gained access to company information, such as
department names, staff names, or internal memo information, the diversionary
conversation will be more credible.
Home worker security is usually limited to technology. The security policy must require
firewalls to ensure that external hackers cannot gain access to networks. Beyond this
requirement, most midsized companies allow their home worker employees to manage
their own security, and even backups.
Table 7. Physical Access Attacks and Costs

Attack goal: Theft of mobile user identity
Description: Hacker observes legitimate user typing logon or other details into computer.
This may preempt theft of physical computer equipment.
Cost: Confidential information; business credibility; business availability; resources; money

Attack goal: Theft of home worker user identity
Description: Hacker poses as an IT support worker or maintenance partner to gain access
to a home worker network, requesting user ID and password to test upgrade success.
Cost: Confidential information; business credibility; business availability; money; resources

Attack goal: Direct network contact through home worker network
Description: Hacker accesses company network via home worker network by posing as a
support engineer. The hacker has unfettered access to network and company resources.
Cost: Confidential information

Attack goal: Ongoing access to home worker network
Description: Hacker or local user gains access to broadband Internet access through an
unsecured home network.
Cost: Resources

Attack goal: Access company offices unaccompanied
Description: Hacker tailgates an authorized employee into the company offices.
Cost: Confidential information

Attack goal: Access an individual company office
Description: Hacker gains access to an individual where he or she can attempt to use
computer equipment or paper resources, such as filing cabinets.
Cost: Confidential information; resources; money

Defenses against these threats are essentially dependent on the implementation of best
practices by users, based on an effective company security policy that must address the
following three areas:

• The company site
• The home
• Mobile working

It should be impossible to gain entry to a company building or site without the proper
authorization. Reception staff must be polite but firm when they deal with staff,
contractors, and visitors. A few simple conditions within the company security policy will
make a physical social engineering attack within the building nearly impossible.
These conditions may include use of:

• Photographic identification passes, shown whenever a staff member enters or leaves
  the building.
• A visitors' book signed by the visitor and countersigned by the member of staff that
  they are visiting on both arrival and departure.
• Dated visitor passes visible at all times and returned to reception on departure.
• A contractors' book signed by the contractor and countersigned by the staff member
  who has authorized their work on both arrival and departure.
• Dated contractor passes visible at all times and returned to reception on departure.

To make sure that everyone presents themselves to the receptionist, the company must
erect barriers that ensure visitors walk directly past the receptionist so that they
can present their credentials or sign in. Such barriers do not have to be turnstiles or
barriers between which people need to squeeze.
For example, a reception area may use something as relaxed as a sofa to steer people
toward the receptionist, as the two examples in the following figure illustrate.

Figure 5. Reception planning


The reception area on the left allows an unauthorized visitor to tailgate, using a legitimate
employee as a screen. The example on the right requires any visitor to walk past
reception. The position of the computer terminal does not obscure the receptionist's view.
The gap must be large enough to allow anyone to pass through comfortably, including
wheelchair users. It is essential that reception staff members are well-drilled and
consistent when they welcome and check each person. Every entrance to the building
must comply with these standards, and staff must only use authorized building entrances
and exits; there must be no back doors.
When erecting any form of barrier or door management system, you must make sure that
you comply with regulatory requirements for health, safety, and accessibility.

In the home, it is not realistic to authorize every visitor or tradesman. In reality, most
people are far more cautious about visitors to their home than they are in the office. More
important, you should ensure that an attacker cannot gain access to business resources. A
protocol on off-site IT services must include rules that stipulate the following conditions:

• Each technical support action, whether it is an onsite fix or an upgrade, must be
  planned and authorized by support staff.
• Contractors and internal staff who undertake onsite maintenance or installation must
  have identification, preferably including a photograph.
• The user must contact the IT support department to tell them when the engineer
  arrives and when the job is complete.
• Each job has a job sheet, signed off on by the user.
• The user must never provide personal access information or sign on to the computer
  to provide an engineer with access.

This last point is crucial. It is incumbent on the IT services group to make sure that any
offsite engineer has sufficient personal access to undertake the work. If the engineer
does not have sufficient user access to complete a task, he or she must contact the
service desk. This requirement is essential, because working as a lowly engineer for a
computer services company is one of the most profitable jobs a prospective hacker can
find. It makes the hacker both a figure of technical authority and a helper at the same
time.
Mobile workers will often use their computers in a crowded environment, such as on a
train or in stations, airports, or restaurants. Clearly, it is almost impossible to make sure
that no one is watching you type in such an environment, but the company security policy
must offer advice on how to minimize the risks to personal and business information. If
staff members use personal digital assistants (PDAs), you should include information on
managing security and synchronization.

Reverse Social Engineering
Reverse social engineering describes a situation in which the target or targets make the
initial approach and offer the hacker the information that they want. Such a scenario may
seem unlikely, but figures of authority, particularly technical or social authority, often
receive vital personal information, such as user IDs and passwords, because they are
above suspicion. For example, no Help Desk support worker would ask for a user ID or
password from a caller; they solve problems without this information. Many users who
have IT problems will volunteer these vital security elements to expedite a solution. The
hacker does not even have to ask. Social engineering attacks are not reactive, as this
scenario might suggest.
A social engineering attack creates a situation, advertises a solution, and provides
assistance when requested, perhaps as simply as in the following scenario:
A coworker hacker renames or moves a file so that the target thinks that it no longer
exists. The hacker suggests that they can get the file back. The target, keen to get on
with their work, or concerned that the loss of the information could be their own fault,
leaps at this offer. The hacker states that this could only be done if they were to log on as
the target. He or she may even say that company policy prohibits this. The target will beg the
hacker to log on as them and try to reinstate the file. Grudgingly, the hacker agrees,
reinstates the original file, and steals the target's user ID and password. He or she has
even embellished their reputation such that they receive requests to assist other
coworkers. This approach can bypass the regular IT support channels and make it easier
for the hacker to remain unnoticed.

It is not always necessary to be familiar with or even meet a target to use reverse social
engineering. Simulating problems or issues using dialog boxes can be effective in a
non-specific reverse social engineering attack. The dialog box announces that there is a
problem or that an update is necessary to continue. The dialog box offers a download to
solve the problem. When the download is complete, the engineered problem disappears,
and the user continues working, oblivious to the fact that they have breached security
and downloaded a malware program.
Table 8. Reverse Social Engineering Attacks and Costs

Attack goal: Theft of identity
Description: Hacker receives user ID and password from authorized user.
Cost: Confidential information; business credibility; business availability; money; resources

Attack goal: Theft of information
Description: Hacker uses authorized user ID and password to gain access to company files.
Cost: Confidential information; money; resources; business credibility; business availability

Attack goal: Download malware
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus
infecting the company network.
Cost: Business availability; business credibility

Attack goal: Download hacker's software
Description: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus
downloading a hacker program, such as a mail engine, that uses company network
resources.
Cost: Resources; business credibility; money

Defending against reverse social engineering is probably the most difficult challenge. The
target has no reason to suspect the hacker, because he or she feels that they are in
command of the situation. The main defense is the stipulation in your security policy that
all issues must be resolved through the service desk. If service desk staff members are
efficient, polite, and non-judgmental, other employees will approach them, rather than ask
unauthorized staff or acquaintances for help.

Designing Defenses Against Social Engineering Threats
After you understand the wide range of threats that exists, three steps are necessary to
design a defense against social engineering threats against the staff within your
company. An effective defense is a function of planning. Often defenses are reactive:
you discover a successful attack and erect a barrier to ensure that the problem cannot
reoccur. Although this approach demonstrates a level of awareness, the solution comes
too late if the problem is a major or expensive one. To preempt this scenario, you must
take the following three steps:

• Develop a security management framework. You must define a set of social
  engineering security goals and the staff members who are responsible for the delivery of
  these goals.
• Undertake risk management assessments. Similar threats do not present the
  same level of risk to different companies. You must review each of the social
  engineering threats and rationalize the danger that each presents to your
  organization.
• Implement social engineering defenses within your security policy. Develop a
  written set of policies and procedures that stipulate how your staff should manage
  situations that may be social engineering attacks. This step assumes the existence of
  a security policy that covers threats beyond social engineering. If you do not
  currently have a security policy, then you need to develop one. The elements
  identified by your social engineering risk assessment will get you started, but you will
  need to look at other potential threats.

For more information on security policies, see the Microsoft Security Web site at
www.microsoft.com/security.

Developing a Security Management Framework
A security management framework defines an overall view of the possible threats to your
organization from social engineering and allocates named job roles responsible for the
development of policies and procedures that mitigate these threats. This approach does
not mean that you have to employ staff whose only function is to ensure the security of
business assets. Although such an approach may be an option within large organizations,
it is seldom viable or desirable to have such roles within midsized organizations. The
requirement is to make sure that a group of people takes on the key responsibilities of the
following security roles:

• Security sponsor. A senior manager, probably board-level, who can provide the
  necessary authority to ensure that all staff take the business of security seriously.
• Security manager. A management-level employee who has responsibility for
  orchestrating the development and upkeep of a security policy.
• IT security officer. A technical staff member who has responsibility for developing
  the IT infrastructure and operational security policies and procedures.
• Facilities security officer. A member of the facilities team who is responsible for
  developing site and operational security policies and procedures.
• Security awareness officer. A management-level member of staff, often from
  within the human resources or personnel development department, who is
  responsible for the development and execution of security awareness campaigns.

This group, the Security Steering Committee, represents the facilitators within the
company. As the selected champions for security, the Security Steering Committee needs
to establish the core goals of the security management framework. Without a set of
definable goals, it is difficult to encourage participation of other staff or to measure the
success of the project. The initial task of the Security Steering Committee is to identify
what social engineering vulnerabilities exist within the company. A simple table like the
following one quickly enables you to develop a picture of these attack vectors.
Table 9. Company Social Engineering Attack Vector Vulnerabilities

Attack vector: Online
  E-mail
    Company usage: All users have Microsoft Outlook on desktop computers.
  Internet
    Company usage: Mobile users have Outlook Web Access (OWA) in addition to Outlook
    client access.
  Pop-up applications
    Comments: There is currently no technological barrier implemented against pop-ups.
  Instant Messaging
    Company usage: The company allows unmanaged use of a variety of IM products.

Attack vector: Telephone
  PBX
  Service Desk
    Company usage: Currently the Service Desk is a casual support function provided by
    the IT department.
    Comments: We need to extend support provisions beyond the IT area.

Attack vector: Waste management
  Internal
    Company usage: All departments manage their own waste disposal.
  External
    Company usage: Dumpsters are placed outside the company site. Garbage collection
    is on Thursday.
    Comments: We do not currently have any space for dumpsters within the site.

Attack vector: Personal approaches
  Physical Security
  Office security
    Company usage: All offices remain unlocked throughout the day.
  Home workers
    Company usage: We have no protocols for home worker onsite maintenance.
    Comments: 25 percent of staff works from home. We have no written standards for
    home worker security.

Attack vector: Other/Company-specific
  In-house franchisees
    Company usage: All catering is managed through a franchise.
    Comments: We do not know anything about these staff, and there is no security
    policy for them.

When the Security Steering Committee has a good understanding of the vulnerabilities, it
can develop a Company Social Engineering Attack Vector Vulnerabilities table (shown in
the previous example). The table outlines the company's protocols in potentially
vulnerable areas. Knowledge of the vulnerabilities enables the committee to develop a
blueprint for the potential policy requirements.
The Security Steering Committee needs to first identify areas that may pose a risk to the
company. This process should include all of the attack vectors identified within this paper
and company-specific elements, such as use of public terminals or office management
procedures.

Risk Assessment
All security requires you to assess the level of risk that an attack presents to your
company. Although risk assessment needs to be thorough, it does not have to be
time-consuming. Based on the work done by the Security Steering Committee in
identifying the core elements of a security management framework, you can categorize
and prioritize the risks. The risk categories include:

• Confidential information
• Business credibility
• Business availability
• Resources
• Money

You set priorities by identifying the risk and calculating the cost of mitigating it: if
mitigating the risk is more expensive than the occurrence of the risk, it may not be
justifiable. This risk assessment phase can be very useful in the final development of the
security policy.
For example, the Security Steering Committee may highlight the risk presented by visitor
handling at reception. For a company that expects no more than 20 visitors in an hour,
there is no need to consider having anything more sophisticated than one receptionist, a
sign-in book, and some numbered visitor badges. But for a company that expects 150
visitors per hour, it may be that more reception staff or self-service registration terminals
are necessary. Although the smaller company could not justify the costs of self-service
registration terminals, the larger one could not justify the cost of lost business due to
lengthy delays.
Alternatively, a company that never has visitors or contract staff may feel that there is
minimal risk in leaving printed output in a central location while it awaits collection.
However, a company with a large number of non-employee staff may feel that it can only
circumvent the business risk presented by potentially confidential information lying in a
printer by installing local print facilities at every desk. Instead, the company can obviate
this risk by stipulating that a member of staff accompanies a visitor throughout their visit.
This solution is far less expensive, except, possibly, in terms of staff time.

Based on the business assessment from the Company Social Engineering Attack Vector
Vulnerabilities matrix, the Security Steering Committee can define the policy
requirements, risk types, and risk levels for the company, as shown in the following table.
Table 10. Steering Committee Security Requirement and Risk Matrix

Columns: Attack vector; Possible policy requirement; Risk type (Confidential information,
Business credibility, Business availability, Resources, Money); Risk level (High = 5 to
Low = 1); Action. In this template the risk type, risk level, and action columns are blank
for the committee to complete.

Attack vector: (not vector-specific)
  Possible policy requirements:
    Written set of social engineering security policies
    Changes to make policy compliance part of the standard employee contract
    Changes to make policy compliance part of the standard contractor contract

Attack vector: Online
  E-mail: Policy on types of attachments and how to manage them
  Internet: Internet usage policy
  Pop-up applications: Policy for Internet usage, with specific focus on what to do with
    unexpected dialog boxes
  Instant Messaging: Policy on supported and allowable IM clients

Attack vector: Telephone
  PBX: Policy for PBX support management
  Service Desk: Policy for the provision of data access

Attack vector: Waste Management
  Paper: Policy for waste paper management; dumpster management guidelines
  Electronic: Policy for the management of electronic media waste materials

Attack vector: Personal Approaches
  Physical Security: Policy for visitor management
  Office security: Policy for user ID and password management (no writing passwords on
    a sticky note and attaching it to a screen, for example)
  Home workers: Policy for the use of mobile computers outside the company

Attack vector: Other/Company-Specific
  In-house franchisees: Policy for screening in-house franchise employees

The Security Steering Committee must achieve consensus on the importance of a risk.
Each business group will have different views on the risks that different threats present.
For more information about risk assessment methodologies and tools, see the Security
Risk Management Guide at http://go.microsoft.com/fwlink/?linkid=30794.

Social Engineering in the Security Policy
A company's management and IT personnel must develop and help implement an
effective security policy within the organization. Sometimes, the focus of a security policy
is technological controls that will help protect against technological threats, such as
viruses and worms. Technological controls help defend technologies, such as data files,
program files, and operating systems. Social engineering defenses must help anticipate
generic social engineering assaults against staff members.
The Security Steering Committee has the core security areas and risk assessment for
which it must delegate the development of procedure, process, and business
documentation. The following table shows how the Security Steering Committee, with the
assistance of interest groups, may define the documentation required to support the
security policy.
Table 11. Steering Committee Procedure and Document Requirements

Columns: Policy requirement; Procedure / document requirement; Action on / date. The
"Action on / date" column is blank in this template.

Policy requirement: Written set of social engineering security policies
  Procedure / document requirement: None

Policy requirement: Changes to make policy compliance part of the standard employee
contract
  1. Wording for new contract requirements (Legal)

Policy requirement: Changes to make policy compliance part of the standard contractor
contract
  1. Wording for new contract requirements (Legal)
  2. New format for contractor contracts

Policy requirement: Policy for visitor management
  1. Procedure for visitor sign in and sign out
  2. Procedure for visitor accompaniment

Policy requirement: Dumpster management guidelines
  1. Procedure for waste paper disposal (see Data)
  2. Procedure for electronic media disposal (see Data)

Policy requirement: Policy for the provision of data access

Policy requirement: Policy for waste paper management

Policy requirement: Policy for the management of electronic media waste materials

Policy requirement: Policy for Internet usage, with specific focus on what to do with
unexpected dialog boxes

Policy requirement: Policy for user ID and password management (no writing passwords
on a sticky note and attaching it to a screen, etc.)

Policy requirement: Policy for the use of mobile computers outside the company

Policy requirement: Policy for managing issues when connecting to partner applications
(banking, financial, buying, stock management)

As you can see, this list can become quite long. You may decide to contract expert help
to speed this element of the process. The Security Steering Committee must focus on
areas that it considers high value, based on the risk assessment process.

Implementing Defenses Against Social Engineering Threats
After you write and agree on the security policy, you must make the policy available to the
staff and have them comply with it. Although you can implement technical controls without
the knowledge of your employees, you must win their support if you want to implement
social engineering defenses successfully. To support the implementation, you must
develop incident response protocols for your service desk staff.

Awareness
There is no substitute for a good awareness campaign when you implement the social
engineering elements of your security policy. The implementation is, of course, a form of
social engineering, and you must train your staff so that they know the policy, understand
why it is there, and know how they should react to a suspected attack. The key element
of a social engineering attack is trust: the target trusts the hacker. To resist this form of
attack, you need to stimulate a healthy skepticism within your staff of anything out of the
ordinary and engender their trust in the company IT support infrastructure.
The elements of an awareness campaign depend on how you communicate information
to staff within the company. You may choose to have structured training, less formal
meetings, poster campaigns, or other events to publicize the security policies. The more
you reinforce the messages within your policies, the more successful their
implementation. Although you can launch security awareness with a big event, it is just as
important to keep security prominent on the agenda of management and staff. Security is
a company mindset, so you must make sure that suggestions on how to maintain
security awareness come from everyone in the company. Obtain opinions from all
business departments and from different types of users, especially those who work
outside the office environment.

Managing Incidents
When a social engineering attack occurs, make sure that the service desk staff knows
how to manage the incident. Reactive protocols should exist in the procedures
associated with the security policy, but incident management means that you use the
attack to initiate further security reviews. Security is a journey rather than a destination,
because attack vectors change.
Each incident provides new input for an ongoing review of security within the incident
response model, which is shown in the following figure.

Figure 6. Incident response model


As new incidents occur, the Security Steering Committee reviews whether each one
represents a new or changed risk to the company and creates or renews policies and
procedures based on its findings. All amendments to security policies should adhere to your
company change management standards.
To manage an incident, service desk staff must have a robust incident-reporting protocol
that records the following information:
- Target name
- Target department
- Date
- Attack vector
- Attack description
- Attack outcome
- Attack effect
- Recommendations
By recording incidents, it is possible to identify patterns and possibly preempt further
attacks. An incident report form template is available in Appendix 1 at the end of this
document.
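The incident-reporting protocol above, as an added example that is not part of the Microsoft guidance: a Python record carrying the fields listed, plus a simple check for clusters of reports that share an attack vector or a target department within a sliding time window, which is one way to turn the log into the pattern detection the text describes. The `IncidentReport` class, the `find_clusters` and `outcome_summary` functions, the small vocabulary of vectors and outcomes, and the sample reports are all constructed for this example.

```python
"""Structured social engineering incident log with simple pattern detection.

Added example for this guidance; not Microsoft code. The field names follow
the incident-reporting protocol in the text. The vector and outcome
vocabularies and the sample reports below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed vocabulary, taken from the attack vectors the guidance discusses.
VECTORS = {"online", "telephone", "waste management", "personal approach"}
OUTCOMES = {"blocked", "succeeded"}


@dataclass(frozen=True)
class IncidentReport:
    target_name: str
    target_department: str
    reported: date
    attack_vector: str          # one of VECTORS
    attack_description: str
    attack_outcome: str         # one of OUTCOMES
    attack_effect: str
    recommendations: str

    def __post_init__(self):
        # Reject free-text vectors/outcomes so the log stays queryable.
        if self.attack_vector not in VECTORS:
            raise ValueError(f"unknown attack vector: {self.attack_vector!r}")
        if self.attack_outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {self.attack_outcome!r}")


def find_clusters(reports, key, window_days=14, threshold=3):
    """Return {key_value: [reports]} for every key value that has at least
    `threshold` reports inside some `window_days`-day sliding window."""
    by_key = defaultdict(list)
    for r in reports:
        by_key[key(r)].append(r)
    clusters = {}
    for k, group in by_key.items():
        group.sort(key=lambda r: r.reported)
        for i, start in enumerate(group):
            end = start.reported + timedelta(days=window_days)
            window = [r for r in group[i:] if r.reported <= end]
            if len(window) >= threshold:
                clusters[k] = window
                break
    return clusters


def outcome_summary(reports):
    """Count blocked versus succeeded attempts per attack vector."""
    summary = defaultdict(lambda: {"blocked": 0, "succeeded": 0})
    for r in reports:
        summary[r.attack_vector][r.attack_outcome] += 1
    return dict(summary)


# Constructed sample reports (not real incidents).
SAMPLE_REPORTS = [
    IncidentReport("A. Lee", "Finance", date(2006, 8, 1), "telephone",
                   "Caller posing as the bank asked for account details",
                   "blocked", "none", "remind Finance of call-back procedure"),
    IncidentReport("B. Ortiz", "Finance", date(2006, 8, 3), "telephone",
                   "Caller posing as an auditor requested supplier list",
                   "blocked", "none", "log caller ID on all such calls"),
    IncidentReport("C. Nair", "Finance", date(2006, 8, 9), "online",
                   "E-mail linking to a fake expenses portal",
                   "succeeded", "password entered on fake site", "reset password"),
    IncidentReport("D. Kim", "Sales", date(2006, 8, 10), "telephone",
                   "Caller claiming to be IT asked for password",
                   "succeeded", "password disclosed", "reset; retrain Sales"),
    IncidentReport("E. Rossi", "Reception", date(2006, 9, 20), "personal approach",
                   "Visitor attempted to tailgate into server room",
                   "blocked", "none", "review badge policy"),
]

if __name__ == "__main__":
    by_vector = find_clusters(SAMPLE_REPORTS, key=lambda r: r.attack_vector)
    for vector, hits in by_vector.items():
        print(f"cluster on vector {vector!r}: {len(hits)} reports from {hits[0].reported}")
    by_dept = find_clusters(SAMPLE_REPORTS, key=lambda r: r.target_department)
    for dept, hits in by_dept.items():
        print(f"cluster on department {dept!r}: {len(hits)} reports")
    print(outcome_summary(SAMPLE_REPORTS))
```

On the constructed data the telephone vector and the Finance department both cluster inside a fortnight, which is exactly the kind of signal that should send the Steering Committee back to the policy for that vector. The window and threshold are parameters because the right values depend on how many reports a service desk normally sees.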

Operational Considerations
When you review security, it is easy to become overly sensitive to the myriad potential
threats against your company. Your security policy must retain an appreciation that your
business is there to do business. If your security proposals adversely affect the profitability
or commercial agility of the organization, you may need to reassess the risk. You must
achieve a balance between security and operational usability.
It is also important to appreciate that a reputation as a security-conscious company can
have commercial advantages. It will not only discourage hackers, but it will also enhance
the company's business profile with customers and partners.

Social Engineering and the Defense-in-Depth Layered Model
The defense-in-depth layered model groups security controls into layers, each of which
corresponds to an area of weakness that hackers may use to threaten your computer
environment. The layers, and the areas each one protects, are:

- Policies, procedures, and awareness. The written rules that you develop to manage all
  areas of security, and the education program that you put in place to help ensure that
  staff members know, understand, and implement these rules.
- Physical security. The barriers that manage access to your premises and resources. It is
  important to remember the second element: if you place waste containers outside the
  company premises, for example, then they are outside the physical security of the
  company.
- Data. Your business information: account details, mail, and so on. When you consider
  social engineering threats, you must include both hard and soft copy materials in your
  data security planning.
- Application. The programs run by your users. You must address how social engineering
  hackers may subvert applications, such as e-mail or instant messaging.
- Host. The servers and client computers used within your organization. Help ensure that
  you protect users against direct attacks on these computers by defining strict guidelines
  on what software to use on business computers and how to manage security credentials,
  such as user IDs and passwords.
- Internal network. The network through which your computer systems communicate. It
  may be a local, wireless, or wide area network (WAN). The internal network has become
  less internal over the last few years, with home and mobile working gaining in popularity,
  so you must make sure that users understand what they must do to work securely in all
  networked environments.
- Perimeter. The contact point between your internal networks and external networks, such
  as the Internet or networks that belong to your business partners, perhaps as part of an
  extranet. Social engineering attacks often attempt to breach the perimeter to launch
  attacks on your data, applications, and hosts through your internal network.

Figure 7. The defense-in-depth security model


When you design your defenses, the defense-in-depth model helps you to visualize the
areas of your business that are under threat. The model is not specific to social
engineering threats, but each of the layers should have social engineering defenses.
The overarching defenses in the model are security policies, procedures, and awareness.
These defenses target staff within an organization, explaining what to do, when, why, and
by whom. The remaining layers may fine-tune your defenses, but the essential protection
comes from having a well-structured and well-known set of rules that protect your IT
environment.
For more information about the defense-in-depth security model, see the Security
Management SMF on Microsoft TechNet at http://go.microsoft.com/fwlink/?linkid=37696.


Appendix 1: Security Policy for Social Engineering Threat Checklists
You have seen a number of tables used to capture social engineering vulnerabilities and
defense policy requirements within this document. Template versions of these are
available in this appendix for you to copy and populate.

Company Social Engineering Attack Vector Vulnerabilities

Attack Vector                      | Describe Company Usage | Comments
-----------------------------------|------------------------|---------
Online: E-mail                     |                        |
Online: Internet                   |                        |
Online: Pop-up applications        |                        |
Online: Instant Messaging          |                        |
Telephone: PBX                     |                        |
Telephone: Service Desk            |                        |
Waste Management: Internal         |                        |
Waste Management: External         |                        |
Personal Approaches                |                        |
Physical Security: Office security |                        |
Other/Company-specific             |                        |


Steering Committee Security Requirement and Risk Matrix

Risk level scale: High = 5, Low = 1. For each attack vector, assess the risk to each of the
following risk types: confidential information, business credibility, business availability,
resources, and money.

Attack Vector          | Possible Policy Requirement | Risk Type | Risk Level | Action
-----------------------|-----------------------------|-----------|------------|-------
Online                 |                             |           |            |
Telephone              |                             |           |            |
Waste Management       |                             |           |            |
Personal Approaches    |                             |           |            |
Other/Company-Specific |                             |           |            |

Steering Committee Procedure and Document Requirements

Policy Requirement | Procedure / Document Requirement | Action On / Date
-------------------|----------------------------------|-----------------
                   |                                  |


Security Policy Implementation Checklist

Action                                            | Description | Action On / Date
--------------------------------------------------|-------------|-----------------
Develop Online Security Policies                  |             |
Develop Physical Security Policies                |             |
Develop Telephony Security Policies               |             |
Develop Waste Management Security Policies        |             |
Develop Service Desk Security Management Policies |             |
Develop Incident Response Model                   |             |
Develop Awareness Campaign                        |             |

Incident Report

Service Desk Representative:
Target name:
Target department:
Date:
Attack vector:
Attack description:
Attack outcome:
Attack effect:
Recommendations:


Appendix 2: Glossary

access
In respect to privacy, an individual's ability to view, modify, and contest the accuracy and
completeness of personally identifiable information collected about him or her. Access is an
element of the Fair Information Practices.

antivirus (AV) software
A computer program designed to detect and respond to malicious software, such as viruses
and worms. Responses may include blocking user access to infected files, cleaning infected
files or computers, or informing the user that an infected program was detected.

attack
A deliberate attempt to compromise the security of a computer system or deprive others of
the use of the system.

authentication
The process of validating the credentials of a person, computer process, or device.
Authentication requires that the person, process, or device making the request provide a
credential that proves it is what or who it says it is. Common forms of credentials are digital
signatures, smart cards, biometric data, and a combination of user names and passwords.

authorization
The process of granting a person, computer process, or device access to certain
information, services, or functionality. Authorization is derived from the identity of the
person, computer process, or device requesting access, which is verified through
authentication.

change management
The practice of administering changes with the help of tested methods and techniques in
order to avoid new errors and minimize the impact of changes.

computer security
The protection of information assets using technology, processes, and training.

cracker
A wrongdoer who breaks into a computer system using technological, rather than social
engineering, strategies.

download
To transfer a copy of a file from a remote computer to a requesting computer by means of a
modem or network.

extranet
An extension of an organization's intranet used to facilitate communication with the
organization's trusted partners. An extranet enables such trusted partners to gain limited
access to the organization's internal business data.

firewall
A security solution that segregates one portion of a network from another, allowing only
authorized network traffic to pass through according to traffic filtering rules.

malware
Software that fulfills the deliberately harmful intent of an attacker when run. For example,
viruses, worms, and Trojan horses are malicious code.

network logon
The process of logging on to a computer by means of a network. Typically, a user first
interactively logs on to a local computer, then provides logon credentials to another
computer on the network, such as a server, that he or she is authorized to use.

password
A string of characters entered by a user to verify his or her identity to a network or to a local
computer. See also strong password.

permissions
Authorization to perform operations associated with a specific shared resource, such as a
file, directory, or printer. Permissions must be granted by the system administrator to
individual user accounts or administrative groups.

personal identification number (PIN)
A secret identification code similar to a password that is assigned to an authorized user. A
PIN is used in combination with an ATM card or smart card, for example, to unlock an
authorized functionality such as access to a bank account.

personally identifiable information (PII)
Any information relating to an identified or identifiable individual. Such information may
include name, country, street address, e-mail address, credit card number, Social Security
number, government ID number, IP address, or any unique identifier that is associated with
PII in another system. Also known as personal information or personal data.

personal information
See personally identifiable information (PII).

phreaker
A malicious user who makes unauthorized use of PBX facilities to make telephone calls.

phisher
A malicious user or Web site that deceives people into revealing personal information, such
as account passwords and credit card numbers. A phisher typically uses deceptive e-mail
messages or online advertisements as bait to lure unsuspecting users to fraudulent Web
sites, where the users are then tricked into providing personal information.

physical vulnerability
Failure to provide physical security for a computer, such as leaving an unlocked workstation
running in a workspace that is accessible to unauthorized users.

privacy
The control customers have over the collection, use, and distribution of their personal
information.

security vulnerability
A vulnerability in software that is addressed by a Microsoft security update and security
bulletin or a service pack.

spam
Unsolicited commercial e-mail. Also known as junk e-mail.

spoof
To make a transmission appear to come from a user other than the user who performed the
action.

spyware
Software that can display advertisements (such as pop-up ads), collect information about
you, or change settings on your computer, generally without appropriately obtaining your
consent.

strong password
A password that provides an effective defense against unauthorized access to a resource. A
strong password is at least six characters long, does not contain all or part of the user's
account name, and contains at least three of the four following categories of characters:
uppercase letters, lowercase letters, base 10 digits, and symbols found on the keyboard,
such as !, @, and #.

Trojan horse
A program that appears to be useful or harmless but that contains hidden code designed to
exploit or damage the computer on which it is run. Trojan horse programs are most
commonly delivered to users through e-mail messages that misrepresent the program's
purpose and function. Also called Trojan code.

upgrade
A software package that replaces an installed version with a newer version of the same
software. The upgrade process typically leaves existing customer data and preferences
intact, while replacing the existing software with the newer version.

user ID
A unique name with which a user can log on to a computer system.

virus
Code written with the express intention of replicating itself. A virus attempts to spread from
computer to computer by attaching itself to a host program. It may damage hardware,
software, or data. Compare to worm. See also the definition provided by the Virus Info
Alliance (f-secure.com).

vulnerability
Any weakness, administrative process or act, or physical exposure that makes a computer
susceptible to exploit by a threat.

worm
Self-propagating malicious code that can automatically distribute itself from one computer
to another through network connections. A worm can take harmful action, such as
consuming network or local system resources, possibly causing a denial of service attack.
Compare virus.
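The strong-password rule from the glossary above, implemented as an added example (not Microsoft code): the checker applies the three stated conditions and reports which ones fail. The six-character minimum is the 2006 figure from the text and is passed as a parameter so it can be raised; tokenising the account name on common delimiters and ignoring tokens shorter than three characters is an assumption of this example, modelled on the Windows password complexity check, so that "all or part of the user's account name" is something a program can test. The function names and the sample inputs are constructed here.

```python
"""Check a password against the strong-password rule stated in the glossary.

Added example; not part of the Microsoft guidance. Rule: at least `min_length`
characters (the text says six), no whole or partial account name, and three of
the four character categories. Splitting the account name on delimiters and
ignoring tokens under three characters is an assumption of this example.
"""
import re

# Delimiters assumed for splitting an account or display name into parts.
DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def account_name_tokens(account_name):
    """The whole account name plus every delimited part of three or more characters,
    lower-cased so the comparison is case-insensitive."""
    tokens = {account_name.lower()}
    for part in DELIMITERS.split(account_name):
        if len(part) >= 3:
            tokens.add(part.lower())
    return tokens


def character_categories(password):
    """How many of the four categories (upper, lower, digit, keyboard symbol)
    the password uses. Whitespace is not counted as a symbol."""
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    ]
    return sum(categories)


def strong_password_violations(password, account_name, min_length=6):
    """Return the list of rule violations; an empty list means the password is strong."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for token in account_name_tokens(account_name):
        if token and token in lowered:
            problems.append(f"contains account name part {token!r}")
            break
    if character_categories(password) < 3:
        problems.append("uses fewer than three of the four character categories")
    return problems


def is_strong_password(password, account_name, min_length=6):
    return not strong_password_violations(password, account_name, min_length)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, acct in [("Summer2006!", "jsmith"), ("jsmith99", "jsmith"),
                     ("Smith2006!", "john.smith"), ("Ab1", "jdoe")]:
        verdict = strong_password_violations(pw, acct) or ["strong"]
        print(f"{pw!r} for {acct!r}: {', '.join(verdict)}")
```

Note the limit of what such a check buys in the context of this document: complexity rules make a password harder to guess, but they do nothing to stop a user reading a perfectly strong password out to a caller who claims to be from the service desk. That is the gap the awareness campaign and the service desk protocols in the body of the guidance are meant to close.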
