© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial
License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to
Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Contents
Introduction...............................................................................................
Who Should Read this Paper....................................................................
Overview..............................................................................................
Social Engineering Threats and Defenses........................................................
Online Threats.......................................................................................
E-Mail Threats..................................................................................
Pop-Up Applications and Dialog Boxes.................................................
Instant Messaging............................................................................
Telephone-Based Threats........................................................................
Private Branch Exchange...................................................................
Service Desk....................................................................................
Waste Management Threats...................................................................
Personal Approaches.............................................................................
Virtual Approaches..........................................................................
Physical Approaches........................................................................
Reverse Social Engineering....................................................................
Designing Defenses Against Social Engineering Threats...................................
Developing a Security Management Framework........................................
Risk Assessment..................................................................................
Social Engineering in the Security Policy..................................................
Implementing Defenses Against Social Engineering Threats.............................
Awareness..........................................................................................
Managing Incidents..............................................................................
Operational Considerations....................................................................
Social Engineering and the Defense-in-Depth Layered Model.......................
Appendix 1: Security Policy for Social Engineering Threat Checklists..................
Company Social Engineering Attack Vector Vulnerabilities...........................
Steering Committee Security Requirement and Risk Matrix.........................
Steering Committee Procedure and Document Requirements......................
Security Policy Implementation Checklist.................................................
Incident Report....................................................................................
Appendix 2: Glossary.................................................................................
Introduction
Welcome to this document from the Midsize Business Security Guidance collection.
Microsoft hopes that the following information will help you create a more secure and
productive computing environment.
Who Should Read this Paper
This paper is intended for:
• Board management
• Support staff
• Security staff
• Business managers
Overview
To attack your organization, social engineering hackers exploit the credulity, laziness,
good manners, or even enthusiasm of your staff. It is therefore difficult to defend against
a socially engineered attack, because the targets may not realize that they have been
duped, or may prefer not to admit it to other people. The goals of a social engineering
hacker (someone who tries to gain unauthorized access to your computer systems) are
similar to those of any other hacker: they want your company's money, information, or IT
resources.
A social engineering hacker attempts to persuade your staff to provide information that
will enable him or her to use your systems or system resources. Traditionally, this
approach is known as a confidence trick. Many midsize and small companies believe that
hacker attacks are a problem for large corporations or organizations that offer large
financial rewards. Although this may have been the case in the past, the increase in
cyber-crime means that hackers now target all sectors of the community, from
corporations to individuals. Criminals may steal directly from a company, diverting funds
or resources, but they may also use the company as a staging point through which they
can perpetrate crimes against others. This approach makes it more difficult for authorities
to trace these criminals.
To protect your staff from social engineering attacks, you need to know what kinds of
attack to expect, understand what the hacker wants, and estimate what the loss might be
worth to your organization. With this knowledge, you can augment your security policy to
include social engineering defenses. This paper assumes that you have a security policy
that sets out the goals, practices, and procedures that the company recognizes as
necessary to protect its informational assets, resources, and staff against technological or
physical attack. The changes to your security policy will help to provide staff with
guidance on how to react when faced with a person or a computer application that tries to
coerce or persuade them to expose business resources or disclose security information.
Social Engineering Threats and Defenses
Social engineering attacks enter a company through the following points:
• Online
• Telephone
• Waste management
• Personal approaches
Beyond recognizing these entry points, you also need to know what the hacker hopes to
gain. Their goals are based on the same needs that drive us all: money, social
advancement, and self-worth. Hackers want to take your money or resources, they want
to be recognized within society or their own peer group, and they want to feel good about
themselves. Unfortunately, hackers achieve these things illegally by theft or damage to
computer systems. Attacks of any sort will cost you money, through loss of revenue,
resources, information, business availability, or business credibility. When you design
your defenses against such threats, you should estimate what an attack will cost you.
Online Threats
In our increasingly connected business world, staff often use and respond to requests
and information that come electronically from both inside and outside the company. This
connectivity enables hackers to make approaches to your staff from the relative
anonymity of the Internet. You often hear about online attacks in the press, such as email, pop-up application, and instant message attacks that use Trojan horses, worms, or
virusescollectively called malwareto damage or subvert computer resources. You
can begin to help address many of these malware attacks through the implementation of
strong antivirus defenses.
Note For more information about antivirus defenses, see The Antivirus Defense-in-Depth Guide
at http://go.microsoft.com/fwlink/?linkid=28732.
The social engineering hacker persuades a staff member to provide information through
a believable ruse, rather than infecting a computer with malware through a direct attack.
An attack may provide information that will enable the hacker to make a subsequent
malware attack, but this result is not a function of social engineering. Therefore, you must
advise staff on how best to identify and avoid online social engineering attacks.
E-Mail Threats
Many staff members receive tens or even hundreds of e-mails each day, both from
business and from private e-mail systems. The volume of e-mail can make it difficult to
give full attention to each message. This fact is very useful to a social engineering hacker.
Most e-mail users feel good about themselves when they deal with a piece of
correspondence; it is the electronic equivalent of moving paper from the in-tray to the
out-tray. If the hacker can make a simple request that is easy to deal with, then the target
will often acquiesce without even thinking about what he or she is doing.
An example of such an easy attack is sending e-mail to a staff member that says that the
boss wants all of the holiday schedules sent for a meeting and could everyone on the list
be copied in on the e-mail. It is simple to slip an external name into the copy list and to
spoof the sender's name so that the mail appears to originate from an internal source.
Spoofing is especially simple if a hacker gains access to a company computer system,
The figure callouts point out two tells in a phishing message:
• The text in the mail states that the site is secure, using https, although the screen tip
shows that the site actually uses http.
• The company name in the mail is Contoso, but the link goes to a company called
Comtoso.
As the term phishing implies, these approaches are typically speculative, with a generic
request for information for a customer. The realistic camouflage used in the e-mail
messages, with company logos, fonts, and even apparently valid free Help Desk support
phone numbers, makes the e-mail appear more believable. Within each phishing e-mail
is a request for user information, often to facilitate an upgrade or additional service. An
extension of phishing is spear-phishing, in which an explicit target or departmental group
is approached. This approach is far more sophisticated, because personal and relevant
company information is necessary to make the deception believable. It requires greater
knowledge of the target, but can elicit more specific and detailed information.
E-mail can also carry hyperlinks that may tempt a member of staff to breach company
security. As shown in Figure 1, links do not always take a user to an expected or
promised location. There are a range of other options for the hacker in a phishing e-mail,
including images that are hyperlinks that download malware, such as viruses or spyware,
or text that is presented in an image, to bypass hyperlink security filters.
Most security measures help keep unauthorized users out. A hacker can bypass many
defenses if he or she can dupe a user into bringing a Trojan horse, worm, or virus into the
company via a link. The hyperlink may also take a user to a site that uses pop-up
applications to request information or offer assistance.
You can use a matrix of attack vectors, attack goals, descriptions, and cost to your
company similar to the one shown in the following table to help you classify attacks and
establish their risk to your company. Sometimes a threat represents more than one risk.
Where this is the case, the following examples show the major risk or risks in bold.
[Table: e-mail attacks and costs. The table was flattened in extraction; only the attack
goals and the cost entries survive, and the description column and bold emphasis are lost.]
Attack goals recovered: theft of company information; theft of financial information;
download malware; download hacker's software.
Costs listed: confidential information, money, business availability, business credibility.
Like most confidence tricks, you can help to resist social engineering hacker attacks most
effectively by approaching with skepticism anything unexpected in your Inbox. To support
this approach in an organization, you should include in the security policy a specific
e-mail usage guideline that covers:
• Attachments in documents.
• Hyperlinks in documents.
In addition to these guidelines, you must include examples of phishing attacks. After a
user recognizes one phishing swindle, they will find it much easier to notice others.
The following figure shows how a hyperlink appears to link to a secure account
management site (secure.contosa.com account_id?Amendments), while the status bar
shows that it takes the user to a hacker site. Depending on the browser that you use, a
hacker can suppress or reformat the status bar information.
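The two tells described above, a spoofed internal-looking sender and a hyperlink whose visible text promises https and the Contoso site while the real href goes to plain http on a lookalike domain, can be checked mechanically before a message reaches the Inbox. The following is an added example written for this page, not code from the paper or from Microsoft. It assumes a trusted-domain list (TRUSTED_DOMAINS, here just contoso.com), a naive "last two labels" rule for the registered domain, and a constructed sample message; a real deployment would use the public suffix list and a fuller sender-authentication check.

```python
"""Added example (not from the paper): phishing triage for the two tells
described in the text, namely link text that claims a secure or trusted site
while the href goes elsewhere, and a sender display name that looks internal
on an external address. Domain list and sample message are constructed."""
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"contoso.com"}                            # assumption
COMPANY_NAMES = {d.split(".")[0] for d in TRUSTED_DOMAINS}   # {"contoso"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """'secure.contoso.com' -> 'contoso.com'. Naive two-label rule (assumption)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Findings for one hyperlink: what the text shows versus where it really goes."""
    findings = []
    real = urlparse(href)
    real_dom = registered_domain(real.hostname or "")
    # Tell 1: the visible text promises https, the link itself is plain http.
    if "https://" in text.lower() and real.scheme == "http":
        findings.append("text claims https, link is http")
    # Tell 2: the text names a trusted domain, the href lands somewhere else.
    for dom in TRUSTED_DOMAINS:
        if dom in text.lower() and real_dom != dom:
            findings.append(f"text shows {dom}, link goes to {real_dom}")
            # A near-identical spelling (Contoso vs Comtoso) is a lookalike domain.
            if SequenceMatcher(None, dom, real_dom).ratio() > 0.8:
                findings.append(f"{real_dom} is a lookalike of {dom}")
    return findings


def check_sender(from_header):
    """Flag a display name carrying the company name on an external address."""
    name, addr = parseaddr(from_header)
    dom = registered_domain(addr.rsplit("@", 1)[-1])
    if dom in TRUSTED_DOMAINS:
        return []
    if any(company in name.lower() for company in COMPANY_NAMES):
        return [f"display name '{name}' on external domain {dom}"]
    return []


def triage(raw_message):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"]))
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        findings.extend(f"{href}: {f}" for f in check_link(href, text))
    return findings


# Constructed sample: a spoofed "Contoso" service-desk mail whose link text
# shows https://secure.contoso.com while the href goes to http://...comtoso.com.
SAMPLE = """\
From: "Contoso IT Service Desk" <servicedesk@contoso-support.net>
To: alice@contoso.com
Subject: Account amendments required
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://secure.comtoso.com/account_id?Amendments">https://secure.contoso.com/account_id?Amendments</a>
before Friday.</p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)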
[Table: attack goals and costs. The table was flattened in extraction; only the attack
goals and the cost entries survive, and the description column is lost.]
Attack goals recovered: theft of personnel information; download malware; download
hacker's software.
Costs listed: confidential information, business availability, resources.
Instant Messaging
Instant messaging (IM) is a relatively new communications medium, but it has gained
widespread popularity as a business tool, and some analysts estimate that there will be
200 million users of IM products in 2006. The immediacy and familiarity of IM makes it a
rich hunting ground for social engineering attacks, because users regard it much as the
telephone and do not associate it with potential computer software threats. The two main
attacks made using IM are the delivery of a malware link within an IM message and the
delivery of an actual file. Of course, IM also represents another way of simply asking for
information.
There are a number of potential threats inherent to IM when addressing social
engineering. The first is the informality of IM. The chatty nature of IM, together with the
option of giving oneself a spurious or false name, means that it is not entirely clear that
you are talking to the person you believe you are talking to, which greatly enhances the
option for casual spoofing.
The following figure shows how spoofing works, for both e-mail and IM.
[Table: IM attacks and costs. The table was flattened in extraction; only some attack
goals and the cost entries survive, and the description column is lost.]
Attack goals recovered: download malware; download hacker's software.
Costs listed: confidential information, business availability, resources, business
credibility, money.
If you are anxious to embrace the immediacy and cost reductions that IM can provide,
you must include IM-specific defenses in your security policies. To help control IM within
your business, you must establish the following five usage rules:
• Standardize on a single IM platform. This rule will minimize support effort and will
discourage users from chatting by using their own personal IM provider. If you want a
more controlled approach to limiting user choice, you can choose to block ports that
the common IM services use.
• Set contact guidelines. Recommend that users do not accept new contact
invitations by default.
• Set password standards. Make your IM passwords comply with the strong
password standards that you have set for host passwords.
• Provide usage guidance. Develop a set of best practice guidelines for your users,
explaining the reasoning behind these recommendations.
Telephone-Based Threats
The telephone offers a unique attack vector for social engineering hackers. It is a familiar
medium, but it is also impersonal, because the target cannot see the hacker. The
communications options for most computer systems can also make the Private Branch
Exchange (PBX) an attractive target. Another, perhaps very crude, attack is to steal either
credit card or telephone card PINs at telephone booths. This attack is most commonly a
theft from an individual, but company credit cards are just as useful. Most people are
aware that they should be wary of prying eyes when using an ATM, but most people are
less cautious when using a PIN in a telephone booth.
Voice over Internet Protocol (VoIP) is a developing market that offers cost benefits to
companies. Currently, due to the relatively restricted number of installations, VoIP
hacking is not considered to be a major threat. However, as more businesses embrace
this technology, VoIP spoofing is set to become as widespread as e-mail and IM spoofing
is now.
Private Branch Exchange
Each of the PBX attack goals is a variation on a theme, with the hacker calling the
company and attempting to get telephone numbers that provide access directly to a PBX
or through a PBX to the public telephone network. The hacker term for this is phreaking.
The most common approach is for the hacker to pretend to be a telephone engineer,
requesting either an outside line or a password to analyze and resolve the problems
reported on the internal telephone system, as shown in the following figure.
[Table: PBX attacks and costs. The table was flattened in extraction; only the attack
goals and the cost entries survive, and the description column is lost.]
Attack goals recovered: request company information; request telephone information.
Costs listed: confidential information, resources, business credibility, money.
Most users do not have any knowledge of the internal telephone system, beyond the
telephone itself. This is the most important piece of defense that you can put into your
security policy. It is uncommon for hackers to approach general users in this way. The
most common targets are reception or switchboard staff. You must state that only the
service desk has authorization to provide assistance to telephone suppliers. In this way,
all authorized personnel deal with all engineering support calls. This approach enables
targeted staff to reroute such queries efficiently and quickly to a qualified staff member.
Service Desk
The service desk, or Help Desk, is one of the mainstay defenses against hackers, but it
is, conversely, a target for social engineering hackers. Although support staff are often
aware of the threat of hacking, they also train to help and support callers, offering them
advice and solving their problems. Sometimes the enthusiasm demonstrated by technical
support staff in providing a solution overrides their commitment to adherence to security
procedures and presents service desk staff with a dilemma: If they enforce strict security
standards, asking for proofs that validate that the request or question comes from an
authorized user, they may appear unhelpful or even obstructive. Production or sales and
marketing staff who feel that the IT department is not providing the immediate service that
they require are apt to complain, and senior managers asked to prove their identities are
often less than sympathetic to the support staff's thoroughness.
Table 5. Service Desk Telephony Attacks and Costs
[The table was flattened in extraction; only the attack goals and the cost entries survive,
and the description column is lost.]
Attack goals recovered: request information; request access.
Costs listed: confidential information, business credibility, business availability,
resources, money.
The service desk needs to balance security with business efficiency, and as such security
policies and procedures must support them. Proof of identification, such as providing an
employee number, department, and manager name, will not be too much for a service
desk analyst to request, as everyone knows these. But this proof may not be completely
secure, because a hacker may have stolen this information. It is a realistic start, however.
In truth, the only 99.99 percent accurate means of identification is a DNA swab test,
which is clearly unrealistic.
It is more difficult to defend the service desk analyst against an internal or contract worker
hacker. Such a hacker will have a good working knowledge of internal procedures and
will have time to make sure that they have all the information required, before they make
a service desk call. The security procedures must provide a dual role in this situation:
The service desk analyst must ensure that there is an audit trail of all actions. If a
hacker succeeds in gaining unauthorized access to information or resources through
a service desk call, the service desk must record all activities so that they can quickly
rectify or limit any damage or loss. If each call triggers an automated or manual email message stating the problem or request, it will also be easier for an employee
who has suffered identity theft to realize what has happened and call the service
desk.
The service desk analyst must have a well-structured procedure for how to handle
call types. For example, if the employee's manager must make access change
requests by e-mail, there can be no unauthorized or informal changes to security
levels.
If users are aware of these rules, and management supports their implementation, it will
prove much harder for hackers to succeed or remain undetected. The 360-degree audit
trail is a most valuable tool in the avoidance and discovery of wrongdoing.
Waste Management Threats
[Table: waste management attacks and costs. The table was flattened in extraction; only
the cost entries survive, and the attack goal and description columns are lost.]
Costs listed: confidential information, resources, business credibility.
Your staff must fully understand the implications of throwing waste paper or electronic
media in a bin. After this waste moves outside your building, its ownership can become a
matter of legal obscurity. Dumpster diving may not be deemed illegal in all circumstances,
so you must ensure that you advise staff how to deal with waste materials. Always shred
paper waste and wipe or destroy magnetic media. If any waste is too large or tough to put
in a shredder, such as a telephone directory, or it is technically beyond the ability of a
user to destroy it, you must develop specific protocol for disposal. You should also place
trash dumpsters in a secure area that is inaccessible to the public.
When designing a waste management policy, it is important to make sure that you comply
with local regulatory rules regarding health and safety. It can also be socially valuable to
adopt ecologically sound waste management strategies.
In addition to the management of external waste (the paper or electronic media that may
be made available to those outside the company) you must also manage internal waste.
Security policies often overlook this issue, because it is often assumed that anyone
granted access to the company must be trustworthy. Clearly, this is not always the case.
One of the most effective measures in managing waste paper is the specification of a
data classification. You define different categories of paper-based information and specify
how staff should manage their disposal. Example categories might include:
Private. Shred all private waste documents before disposal in any bin.
Public. Dispose of public documents in any bin or recycle them as waste paper.
For more information about developing data classifications, see the Security
Management SMF on Microsoft TechNet at http://go.microsoft.com/fwlink/?
linkid=37696.
Personal Approaches
The simplest and cheapest way for a hacker to get information is for them to ask for it
directly. This approach may seem crude and obvious, but it has been the bedrock of
confidence tricks since time began. Four main approaches prove successful for social
engineers:
• Intimidation. The hacker creates a confrontational situation to push the target into
making a quick decision.
• Persuasion. The hacker asks for restricted information, or manufactures a scenario
in which the target volunteers it.
• Ingratiation. This approach is usually a more long-term ploy, in which a subordinate
or peer coworker builds a relationship to gain trust and, eventually, information from a
target.
• Assistance. In this approach, the hacker offers to help the target. The assistance will
ultimately require the target to divulge personal information that will enable the
hacker to steal the target's identity.
Most people assume that anyone who talks to them is being truthful, which is interesting
because it is a fact that most people admit that they will tell lies themselves. (The Lying
Ape: An Honest Guide to a World of Deception, Brian King, Icon Books Limited).
Unquestioning trust is one of the goals of a social engineering hacker.
Defending users against these types of personal approach is very difficult. Some users
are naturally disposed to social engineering using one of these four attacks. The defense
against an intimidation attack is the development of a no fear culture within a business.
If normal behavior is politeness, then the success of intimidation is reduced, because
individual staff members are more likely to escalate confrontational situations. A
supportive attitude within management and supervisory roles toward the escalation of
problems and decision-making is the worst thing that can happen to a social engineering
hacker. Their goal is to encourage a target to make a quick decision. With the problem
escalated to a higher authority, they are less likely to achieve this goal.
Persuasion has always been an important human method of achieving personal goals.
You cannot engineer this out of your workforce, but you can provide strict guidance on
what an individual should and should not do. The hacker will always ask or manufacture a
scenario where a user volunteers restricted information. Ongoing awareness campaigns
and basic guidance covering security devices such as passwords are your best defense.
Hackers need time to ingratiate themselves with your users. The hacker will need to be in
regular contact, probably by taking the role of a coworker. For most midsized companies,
the main coworker threat comes from regular service or contract personnel. The HR
group must take as much care over the security screening of contract staff as they do
with permanent staff. You can pass most of this work to the contract supplier. To make
sure that the supplier does an effective job, you may ask them to comply with your own
screening policies on permanent staff. If a social engineering hacker gains permanent
employment within your company, then the best defense is the awareness of your staff
and their adherence to the security policy rules on information security.
Finally, assistance attacks can be minimized if you have an effective service desk. The
in-house assistant is often a result of disaffection with existing company support services.
You need to enforce two elements in order to make sure that staff contact the service
desk rather than an unauthorized in-house expert, or worse, an expert from outside the
company:
Specify in your security policy that the service desk is the only point to which users
should report issues.
Ensure that the service desk has an agreed response process within the
departmental service-level agreement. Audit the service desk performance regularly,
to make sure that users receive the right level of response and solution.
You must not underestimate the importance of the service desk in providing the first-level
defense against social engineering attacks.
Virtual Approaches
Social engineering hackers need to make contact with their targets to make their attacks.
Most commonly, this will take place through some electronic medium, such as an e-mail
message or a pop-up window. The volume of junk and spam mail that arrives in most
personal mailboxes has made this method of attack less successful, as users become
more skeptical of chain mail and conspiratorial requests to take part in legal and
lucrative financial transactions. Despite this, the volume of such mail and the use of
Trojan horse mail engines mean that it remains attractive, with only a minimal success
rate, to some hackers. Most of these attacks are personal and aim to discover
information about the targets identity. However, for businesses, the widespread abuse of
business systems, such as computers and Internet access, for personal use means that
hackers can enter the corporate network.
Telephones offer a more personal, lower-volume method of approach. The limited risk of
arrest means that some hackers use the telephone as a means of approach, but this
approach is primarily for PBX and service desk attacks; most users would be dubious
about a call requesting information from someone that they did not know personally.
Physical Approaches
Less common, but more effective for the hacker, is direct, personal contact with a target.
Only the most suspicious employee will doubt the validity of someone who presents
themselves and asks for or offers help with a computer system. Although these
approaches have far greater risks for the perpetrator, the advantages are obvious. The
hacker can gain unfettered access to computer systems within the company, within any
technological perimeter defenses that exist.
The growth in the use of mobile technologies, which enable users to attach to corporate
networks while on the road or in their homes, is another major threat to company IT
resources. The attacks that are possible here range from the simplest observation attack,
in which a hacker watches over the shoulder of a mobile computer user on a train to see
their user ID and password, to more sophisticated attacks where a card reader or router
upgrade is delivered and installed by a very helpful service engineer who gains access to
the business network by asking for the user's ID, password, and perhaps a cup of coffee.
A thorough hacker would even request an authorization signature from the user; now
they have the user's signature as well. Between these types of attacks come threats like
neighbors who use the bandwidth paid for by the company to access the Internet through
an unprotected wireless LAN.
Although most large companies have highly developed site security infrastructures,
smaller, midsized offices can be more relaxed about building access. Tailgating, in which
an unauthorized person follows someone with a pass into an office, is a very simple
social engineering attack. The intruder opens the door, which the authorized user walks
through, and then engages them in conversation about the weather or weekend sport
while they walk past the reception area together. This approach would not work in a large
company, where each individual may need to swipe a card through a turnstile, or in a
small company where everyone knows everyone else. However, it is perfectly suited for a
company with a thousand employees, where it is common for one employee not to know
everyone. If the impostor has previously gained access to company information, such as
department names, staff names, or internal memo information, the diversionary
conversation will be more credible.
Home worker security is usually limited to technology. The security policy must require
firewalls to ensure that external hackers cannot gain access to networks. Beyond this
requirement, most midsized companies allow their home worker employees to manage
their own security, and even backups.
Table 7. Physical Access Attacks and Costs
[The table was flattened in extraction; the goal-to-cost mapping did not survive.]
Attack goals recovered: access an individual company office.
Descriptions recovered: hacker poses as an IT support worker or maintenance partner to
gain access to a home worker network, requesting user ID and password to test upgrade
success; hacker tailgates an authorized employee into the company offices.
Costs listed: confidential information, resources, business credibility, business
availability, money.
Defenses against these threats are essentially dependent on the implementation of best
practices by users, based on an effective company security policy that must address the
following three areas:
• The office
• The home
• Mobile working
It should be impossible to gain entry to a company building or site without the proper
authorization. Reception staff must be polite but firm when they deal with staff,
contractors, and visitors. A few simple conditions within the company security policy will
make it nearly impossible for a physical social engineering attack within the building.
These conditions may include use of:
• A visitors book signed by the visitor and countersigned by the member of staff that
they are visiting on both arrival and departure.
• Dated visitor passes visible at all times and returned to reception on departure.
• A contractors book signed by the contractor and countersigned by the staff member
who has authorized their work on both arrival and departure.
• Dated contractor passes visible at all times and returned to reception on departure.
To make sure that everyone presents themselves to the receptionist, the company must
erect barriers to ensure that visitors must walk directly past the receptionist so that they
can present their credentials or sign in. Such barriers do not have to be turnstiles or
barriers between which they need to squeeze.
For example, a reception area may use something as relaxed as a sofa to steer people
toward the receptionist, as the two examples in the following figure illustrate.
In the home, it is not realistic to authorize every visitor or tradesman. In reality, most people are far more cautious about visitors to their home than they are in the office. More important, you should ensure that an attacker cannot gain access to business resources. A protocol on off-site IT services must include rules that stipulate the following conditions:
- Contractors and internal staff who undertake onsite maintenance or installation must have identification, preferably including a photograph.
- The user must contact the IT support department to tell them when the engineer arrives and when the job is complete.
- The user must never provide personal access information or sign on to the computer to provide an engineer with access.
This last point is crucial. It is incumbent on the IT services group to make sure that any offsite engineer has sufficient personal access to undertake the work. If the engineer does not have sufficient user access to complete a task, he or she must contact the service desk. This requirement is essential, because working as a lowly engineer for a computer services company is one of the most profitable jobs a prospective hacker can find. It makes the hacker both a figure of technical authority and a helper at the same time.
Mobile workers will often use their computers in a crowded environment, such as on a
train or in stations, airports, or restaurants. Clearly, it is almost impossible to make sure
that no one is watching you type in such an environment, but the company security policy
must offer advice on how to minimize the risks to personal and business information. If
staff members use personal digital assistants (PDAs), you should include information on
managing security and synchronization.
It is not always necessary to be familiar with, or even to meet, a target to use reverse social engineering. Faking problems or issues with dialog boxes can be effective in a nonspecific reverse social engineering attack. The dialog box announces that there is a problem or that an update is necessary to continue, and offers a download to solve the problem. When the download is complete, the engineered problem disappears, and the user continues working, oblivious to the fact that they have breached security and downloaded a malware program.
Table 8. Reverse Social Engineering Attacks and Costs
Attack goals | Description | Cost
Theft of identity | | Confidential information; business credibility; business availability; money; resources
Theft of information | | Confidential information; money; resources; business credibility; business availability
Download malware | Download hacker's software | Business availability; resources; business credibility; money
Defending against reverse social engineering is probably the most difficult challenge. The
target has no reason to suspect the hacker, because he or she feels that they are in
command of the situation. The main defense is the stipulation in your security policy that
all issues must be resolved through the service desk. If service desk staff members are
efficient, polite, and non-judgmental, other employees will approach them, rather than ask
unauthorized staff or acquaintances for help.
- Security sponsor. A senior manager, probably board-level, who can provide the necessary authority to ensure that all staff take the business of security seriously.
- IT security officer. A technical staff member who has responsibility for developing the IT infrastructure and operational security policies and procedures.
- Facilities security officer. A member of the facilities team who is responsible for developing site and operational security policies and procedures.
Example Company Social Engineering Attack Vector Vulnerabilities table
Attack vector | Comments
Online |
Online: E-mail |
Waste management |
Waste management: Internal | All departments manage their own waste disposal.
Waste management: External | Dumpsters are placed outside the company site. Garbage collection is on Thursday.
Personal approaches |
Personal approaches: Physical Security |
Personal approaches: Office security | All offices remain unlocked throughout the day.
Personal approaches: Home workers | We have no protocols for home worker onsite maintenance.
Other/Company-specific |
Other/Company-specific: In-house franchisees | All catering is managed through a franchise.
When the Security Steering Committee has a good understanding of the vulnerabilities, it can develop a Company Social Engineering Attack Vector Vulnerabilities table (shown in the previous example). The table outlines the company's protocols in potentially vulnerable areas. Knowledge of the vulnerabilities enables the committee to develop a blueprint for the potential policy requirements.
The Security Steering Committee needs first to identify areas that may pose a risk to the company. This process should include all of the attack vectors identified within this paper and company-specific elements, such as use of public terminals or office management procedures.
Risk Assessment
All security requires you to assess the level of risk that an attack presents to your company. Although risk assessment needs to be thorough, it does not have to be time-consuming. Based on the work done by the Security Steering Committee in identifying the core elements of a security management framework, you can categorize and prioritize the risks. The risk categories include:
- Confidential information
- Business credibility
- Business availability
- Resources
- Money
You set priorities by identifying each risk and calculating the cost of mitigating it: if mitigating the risk is more expensive than the occurrence of the risk, the mitigation may not be justifiable. This risk assessment phase can be very useful in the final development of the security policy.
For example, the Security Steering Committee may highlight the danger of visitor security
at reception. For a company that expects no more than 20 visitors in an hour, there is no
need to consider having anything more sophisticated than one receptionist, a sign-in
book, and some numbered visitor badges. But for a company that expects 150 visitors
per hour, it may be that more reception staff or self-service registration terminals are
necessary. Although the smaller company could not justify the costs of self-service
registration terminals, the large one could not justify the cost of lost business due to
lengthy delays.
Alternatively, a company that never has visitors or contract staff may feel that there is a
minimal risk in leaving printed output in a central location while it awaits collection.
However, a company with a large number of non-employee staff may feel that it can only
circumvent the business risk presented by potentially confidential information lying in a
printer by installing local print facilities at every desk. The company can obviate this risk
by stipulating that a member of staff accompanies a visitor throughout their visit. This
solution is far less expensive, except, possibly, in terms of staff time.
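A worked version of this prioritization, added here as an example and not part of the paper: it scores each attack vector from Table 10 against the paper's five risk categories on its High = 5 / Low = 1 scale, ranks the vectors, and applies the rule that a mitigation costing more than the occurrence of the risk may not be justifiable. All scores and cost figures are constructed.

```python
# Added example (not from the paper): the five risk types, the High = 5 /
# Low = 1 scale and the "mitigation dearer than occurrence" rule are from
# the text; every score and cost figure below is constructed.
from dataclasses import dataclass

RISK_TYPES = ("Confidential information", "Business credibility",
              "Business availability", "Resources", "Money")
HIGH, LOW = 5, 1

@dataclass
class VectorAssessment:
    attack_vector: str
    policy_requirement: str
    scores: dict            # risk type -> score in LOW..HIGH
    mitigation_cost: float  # constructed: cost of implementing the policy
    occurrence_cost: float  # constructed: cost if the attack succeeds

    def __post_init__(self):
        missing = set(RISK_TYPES) - set(self.scores)
        if missing:
            raise ValueError(f"unscored risk types: {sorted(missing)}")
        bad = [t for t, s in self.scores.items() if not LOW <= s <= HIGH]
        if bad:
            raise ValueError(f"scores outside {LOW}..{HIGH}: {bad}")

    def total(self) -> int:
        return sum(self.scores.values())

    def justified(self) -> bool:
        # The paper's rule: mitigation that costs more than the occurrence
        # of the risk may not be justifiable.
        return self.mitigation_cost <= self.occurrence_cost

def prioritise(assessments):
    """Rank vectors highest aggregate risk first, with the cost verdict."""
    ranked = sorted(assessments, key=lambda a: a.total(), reverse=True)
    return [(a.attack_vector, a.total(), a.justified()) for a in ranked]

# Constructed sample matrix; vectors and policies are taken from Table 10.
SAMPLE = [
    VectorAssessment("E-mail", "Policy on types of attachments",
                     dict(zip(RISK_TYPES, (5, 4, 4, 3, 3))), 2000, 50000),
    VectorAssessment("Paper", "Dumpster management guidelines",
                     dict(zip(RISK_TYPES, (4, 3, 1, 1, 2))), 500, 8000),
    VectorAssessment("Physical Security", "Policy for visitor management",
                     dict(zip(RISK_TYPES, (5, 5, 4, 2, 4))), 9000, 9000),
    VectorAssessment("In-house franchisees", "Policy for screening franchise employees",
                     dict(zip(RISK_TYPES, (2, 2, 1, 1, 1))), 30000, 4000),
]
```

Calling `prioritise(SAMPLE)` ranks visitor management first and flags franchisee screening as a mitigation whose constructed cost exceeds the cost of the risk occurring.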
Based on the business assessment from the Company Social Engineering Attack Vector
Vulnerabilities matrix, the Security Steering Committee can define the policy
requirements, risk types, and risk levels for the company, as shown in the following table.
Table 10. Steering Committee Security Requirement and Risk Matrix
Risk type columns, each scored from High = 5 to Low = 1: Confidential information; Business credibility; Business availability; Resources; Money.

Attack vector | Possible policy requirement
 | Written set of social engineering security policies
 | Changes to make policy compliance part of the standard employee contract
 | Changes to make policy compliance part of the standard contractor contract
Online: E-mail | Policy on types of attachments and how to manage them
Telephone: PBX | Policy for PBX support management
Telephone: Service Desk | Policy for the provision of data access
Waste Management: Paper | Policy for waste paper management; dumpster management guidelines
Waste Management: Electronic | Policy for the management of electronic media waste materials
Personal Approaches: Physical Security | Policy for visitor management
Personal Approaches: Office security | Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, for example)
Personal Approaches: Home workers | Policy for the use of mobile computers outside the company
Other/Company-Specific: In-house franchisees | Policy for screening in-house franchise employees
The Security Steering Committee must achieve consensus on the importance of a risk.
Each business group will have different views on the risks that different threats present.
For more information about risk assessment methodologies and tools, see the Security
Risk Management Guide at http://go.microsoft.com/fwlink/?linkid=30794.
Policy requirement | Procedure / document requirement | Action on / date
[Table fragment; surviving cells: None; contracts; Policy for visitor management]
Awareness
There is no substitute for a good awareness campaign when you implement the social engineering elements of your security policy. The implementation is, of course, a form of social engineering, and you must train your staff so that they know the policy, understand why it is there, and know how they should react to a suspected attack. The key element of a social engineering attack is trust: the target trusts the hacker. To resist this form of attack, you need to stimulate a healthy skepticism within your staff of anything out of the ordinary and engender their trust in the company IT support infrastructure.
The elements of an awareness campaign depend on how you communicate information
to staff within the company. You may choose to have structured training, less formal
meetings, poster campaigns, or other events to publicize the security policies. The more
you reinforce the messages within your policies, the more successful their
implementation. Although you can launch security awareness with a big event, it is just as
important to keep security prominent on the agenda of management and staff. Security is
a company mindset, so you must make sure that security suggestions on how to maintain
security awareness come from everyone in the company. Obtain opinions from all
business departments and from different types of users, especially those who work
outside the office environment.
Managing Incidents
When a social engineering attack occurs, make sure that the service desk staff knows
how to manage the incident. Reactive protocols should exist in the procedures
associated with the security policy, but incident management means that you use the
attack to initiate further security reviews. Security is a journey rather than a destination,
because attack vectors change.
Each incident provides new input for an ongoing review of security within the incident
response model, which is shown in the following figure.
based on its findings. All amendments to security policies should adhere to your company
change management standards.
To manage an incident, service desk staff must have a robust incident-reporting protocol that records the following information:
- Target name
- Target department
- Date
- Attack vector
- Attack description
- Attack outcome
- Attack effect
- Recommendations
Operational Considerations
When you review security, it is possible to become overly sensitive to the myriad potential threats against your company. Your security policy must maintain an appreciation that your business is there to do business. If your security proposals adversely affect the profitability or commercial agility of the organization, you may need to reassess the risk. You must achieve a balance between security and operational usability.
It is also important to appreciate that a reputation as a security-conscious company can have commercial advantages. It will not only discourage hackers, but it will also enhance the company's business profile with customers and partners.
- Policies, procedures, and awareness. The written rules that you develop to manage all areas of security, and the education program that you put in place to help ensure that staff members know, understand, and implement these rules.
- Physical security. The barriers that manage access to your premises and resources. It is important to remember this latter element; if you place waste containers outside the company, for example, then they are outside the physical security of the company.
- Data. Your business information: account details, mail, and so on. When you consider social engineering threats, you must include both hard and soft copy materials in your data security planning.
- Application. The programs run by your users. You must address how social engineering hackers may subvert applications, such as e-mail or instant messaging.
- Host. The servers and client computers used within your organization. Help ensure that you protect users against direct attacks on these computers by defining strict
- Internal network. The network through which your computer system communicates. It may be a local, wireless, or wide area network (WAN). The internal network has become less internal over the last few years, with home and mobile working gaining in popularity. So, you must make sure that users understand what they must do to work securely in all networked environments.
- Perimeter. The contact point between your internal networks and external networks, such as the Internet or networks that belong to your business partners, perhaps as part of an extranet. Social engineering attacks often attempt to breach the perimeter to launch attacks on your data, applications, and hosts through your internal network.
Attack vector | Comments
Online: E-mail; Internet; Pop-up applications; Instant Messaging |
Telephone: PBX; Service Desk |
Waste Management: Internal; External |
Personal Approaches: Physical Security; Office security |
Other/Company-specific |
Attack vector | Possible policy requirement | Risk type (High = 5, Low = 1): Confidential information; Business credibility; Business availability; Resources; Money
Online | |
Telephone | |
Waste Management | |
Personal Approaches | |
Other/Company-Specific | |

Procedure / document requirement | Action on / date
Description
- Develop Online Security Policies
- Develop Physical Security Policies
- Develop Telephony Security Policies
- Develop Waste Management Security Policies
- Develop Service Desk Security Management Policies
- Develop Incident Response Model
- Develop Awareness Campaign

Incident Report
- Service Desk Representative
- Target name
- Target department
- Date
- Attack vector
- Attack description
- Attack outcome
- Attack effect
- Recommendations
- Action on / date
Appendix 2: Glossary
Term | Definition
access |
antivirus (AV) software |
attack |
authentication |
authorization |
change management |
computer security |
cracker |
download |
extranet |
firewall |
malware |
network logon |
password |
permissions |
personal identification number (PIN) |
personally identifiable information (PII) |
personal information |
phreaker |
phisher |
physical vulnerability |
privacy | The control customers have over the collection, use, and distribution of their personal information.
security vulnerability |
spam |
spoof |
spyware |
strong password |
Trojan horse | hidden code designed to exploit or damage the computer on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also called Trojan code.
upgrade |
user ID |
virus |
vulnerability |
worm |