||How to shield your network from
got antivirus software and firewalls guarding your
computers and routers. You religiously download
security updates. You've done everything you can
think of to stay secure. But your network is still
Why? Because an employee could
unwittingly give away the castle's keys.
biggest threat to a computer is not a hardware or
software problem. It's social engineering.
it boils down to is this: Someone will attempt to
gain an employee's trust. Information can be
elicited from that employee that puts everything
Social engineering relies on the fact
that most people are nice. They want to be
helpful. There's a natural inclination to lend a
hand when someone has a problem.
efforts can be conducted over the telephone, via
e-mail, or through instant messaging. Larger
organizations are especially at risk, because
employees do not know one another, but small
businesses can be victimized too. Anonymity is
important to the hacker. But the little fish at a
company can also be "gamed."
So let's look at
four different social engineering situations --
and the ways to thwart them.
isn't working on your network. One of
your newer employees gets a call from a computer
repair technician. "My name is Joe Smith," says
the technician. "Your company's network is
having problems, and I'm working on it. I need
you to type in some commands."|
On the face of
it, this is silly. Any legitimate repair tech is
going to have access to the network, if that's
what he needs. How else could he fix the
The caller is playing on your
employee's natural desire to be helpful. The
employee is unlikely to understand the commands
he is asked to enter. They may expose the
structure of the network, or open a security
The caller then asks the employee to
enter commands that identify his desktop
computer. "Aha," he says. "That's the machine
that has been causing the problems. I'll need
your username and password."
Once the caller
has collected this information, you could have
an identity theft problem. He has a route into
your system and he knows how your network is
structured. If you have a database of customers
and their credit card numbers, he may download
it. Or he could get into your payroll system.
There, he'll find Social Security numbers.
your business is large enough, the caller could
claim to be from the in-house IT department.
Either way, the result is the same.
do? Train your employees to never, ever give out
information to such callers. Computer repair
personnel already have access to the network. If
they don't, there's probably a good reason. And
they should already have a password with system
privileges. They don't need an individual
At the very least,
employees should check with a supervisor before
disclosing sensitive information.
isn't from Joe. One of your employees
gets an e-mail. It's from her friend Joe. It has
an attachment. Without giving it much thought,
she opens the attachment. It's something
unappealing, so she deletes the e-mail and
Unfortunately, that attachment
includes a Trojan horse. Your antivirus software
should whack it. But maybe you haven't kept the
antivirus software up-to-date. The Trojan could
use a backdoor port in Windows to download more
These programs could find
their way around your network, digging for
credit card and Social Security
Employees should never open
attachments they were not expecting. Legitimate
return addresses are easily stolen by worms. The
fact that the e-mail bore Joe's return address
is meaningless. If your employee wasn't
expecting something from Joe, she should have
checked with him before opening it.
hackers go "phishing," don't take the
bait. An employee gets an e-mail
message that her eBay (or PayPal, Citibank,
America Online, etc.) account has a problem.
She's told that she must go to a certain page
for more information. The spam includes a
When she clicks the link, a page with
the company's logo opens. It explains that her
account will lapse unless she re-authorizes it.
It then asks for her username and
Or it may ask for a credit card
number, or perhaps a Social Security number.
Sometimes, it requests her mother's maiden name
(often used as a hint to get a password
Your average crook isn't a Rhodes
Scholar, so, early on, these schemes were
unsophisticated. The "phishing" pages were
poorly designed and often contained bad English.
And their Web addresses clearly had nothing to
do with the companies they supposedly
More recently, the pages have
been much better designed. And the pages often
contain the logos of eBay or other companies.
You'll find links to the company's real pages.
It's easy to be suckered.
So remember this:
eBay isn't going to ask for a password. Neither
will AOL or any other legitimate company. Delete
all spam, including these pitches.
may ask, does an eBay password have to do with
my business? Just this: People often use the
same password for everything. So the eBay
password may also give access to your network, a
bank account and other confidential
protect your company. A good security
system will protect you technologically and
Your employees are there to do a
job. They're probably overburdened, so they'll
resist worrying about security. But you must
train them never to give out sensitive
information, unless they are certain of the
caller's identity, and never to open an
attachment they were not expecting. (Do you
think passwords are safe? In a London study,
passersby were asked at random to give up their
passwords in exchange for a candy bar. Seventy
But even the best-trained
employees can be suckered. The desire to be
helpful can lead them down the garden path.
Assume your system eventually will be invaded;
keep critical information walled off from most
employees. Only those with a real need should
have access to databases or payroll
Even if a worm gets into your
system, it can be thwarted. If you religiously
update your antivirus software and Windows,
worms can be knocked out or blocked. Be sure the
firewall in your router has been activated and
Worm and virus
technology is rapidly growing in sophistication.
Coupled with social engineering problems, the
threat to your company is very real. You must