Gathering information on your competitors is a fact of life in business. And you can bet they do the same to you. But when probing your information network for corporate espionage turns to criminal use of your network to gain access to sensitive information, such intrusions can help malicious individuals or organizations facilitate attacks -- both virtual and physical -- on our nation's infrastructure.
The problem is that gaining access to your network is easier than you think. It could happen with as little as one phone call. In this tip, excerpted from InformIT, authors Frank Fiore and Jean Francois discuss how easy it often is to get into a corporate network, and offer some things to look out for.
The term identity theft is well known today. Magazine articles are written about it, TV viewers are exposed to it, and radio programs preach the dangers of it. To steal someone's identity or impersonate them online, by mail, over the phone, or in person, no technology is needed -- just an understanding of social engineering. The goal of social engineering is the same as that of hacking into a computer network -- gaining unauthorized access to a network.
It's said that one man's garbage is another man's treasure. For identity thieves and impersonators, this is literally true. Your organization's trash can be a gold mine that can help a malicious person acquire the information he needs to steal or impersonate one of your employees or trusted suppliers. There's even a term for it -- trashing. If you're not careful about the information you trash each and every day, you open the door to this kind of security breach. How? Consider the documents your company trashes every day: company phone books and organization charts; printed memos and company letterhead and forms; policy manuals and system manuals; HR directives and calendars of meetings, events, and vacation schedules; computer printouts; and computer media such as disks, tapes, and tossed hard drives.
All of this material can include information that an identity thief can use, through social engineering, to gain access to your organization and network. For example, if an identity thief can get his hands on your organization's phone book, knowing whom to impersonate and whom to call in your organization for the information is the first step in gaining access to your network. Let's face it -- a harried secretary, asked for information by someone who sounds like he or she legitimately works for the organization, will more often than not respond to the request.
A person trained in the techniques of social engineering can gain access to your organization and its network with a phone, just as a computer hacker can with a mouse. In the words of Dave Del Torto, a software designer with Pretty Good Privacy: "People are absolutely pathetic about maintaining security policies, and social engineering is the easiest way in."
Though identity theft and impersonation are easy for someone trained in the art of social engineering, there are ways to detect when this type of break-in is in progress. To counter this security risk, there are a number of red flags to look for when someone outside your organization is asking for information.
Be suspicious if someone calls your organization and requests that something be faxed or emailed back to him or her, but refuses to provide a direct callback number. This tactic works especially well for the social engineer when combined with pushing, rushing, yelling, and even screaming at a member of your staff for the information to be sent without delay.
Intimidation and name-dropping are two other red flags. Don't let your employees be intimidated into giving out information to an irate caller, or one who seems to know the structure of your organization. The social engineer could easily pick up the name of someone in senior management and then, stating that he or she is the manager's spouse, try to obtain additional information about the manager or other members of your organization.
Another red flag is the "odd" request. If a caller asks for information that seems strange -- such as what kind of operating system your network uses -- that caller may be someone trying to understand the infrastructure of your network.
Finally, educate your employees on a regular basis about identity theft and impersonation. Hold annual education classes, notify targeted groups during attempts, coordinate responses when scams are identified, and above all, test your readiness and your employees' knowledge.
To read the article from which this tip is excerpted, click over to InformIT. You have to register there, but the registration is free.
This was first published in July 2002