
Social Engineering for Your Safety

August 27, 2008

by Fox Cities Business Publication

“Ten years ago a hacker hacked in (to a computer system) because they could. Now, organized crime has caught on that ‘if I can hack into your computer data systems, I can make more money than with anything else.’”

Tom Ezdon, compliance director for LOCKNET™, Inc., defines compliance this way: “Compliance means let’s look at the information we have in your system, and determine how this information needs to be secured.”

Much of Ezdon’s work is dedicated to firms in the financial and other highly regulated industries, including those that conduct credit card transactions, have security features related to data record keeping, and those who accept e-data transfers.

He works in a field called social engineering — getting access to information through people, namely employees. “I work more on the people side and safeguarding the information,” he explains. “How do we get our staff to keep this information secure? Are they going to allow people they don’t know access to this information? Can they get on my email?”

Here’s where the trusting nature of Midwesterners works to our disadvantage, according to Ezdon. “By nature, especially in the Midwest, we are very helpful people. It is ingrained in us not to be distrustful. We think things like this happen only in L.A. or Chicago or New York, not in La Crosse or Appleton. We all want to feel safe and secure.”

He describes a scenario where he strikes up a conversation with an employee of a leading financial institution, posing as a potential customer. Talk turns to the employee’s family and interests, and before you know it, they’ve revealed the names of their spouse, children and/or family pet, things they will readily discuss with a stranger.

“Bingo! You just gave me your password!” Ezdon triumphs.

When Ezdon “infiltrates” an organization through these means, he stresses to company executives that they should view his work as a training opportunity, a learning experience, information security awareness training. Requests for his services are picking up, he says, and protecting data assets should be just another business basic. Here are the steps he recommends implementing.

Policies & Procedures
Test your network firewall at least once a year. “Auditors check our books once a year. It’s not that the bookkeeping department is bad. It’s just good business. Social engineering really isn’t any different. You have policies and procedures for employees to follow. Why don’t you check to be sure they are following those policies?”

Clean Desk Policy
“This concept says that if you are working on something and you get a visitor, or a client, even before you bring them in you close down (the document or file), stick it in a drawer or behind the door so that they can’t even get a glimpse of anything that would be embarrassing to your company or that they might use in a way you don’t want to see a confidential matter used,” Ezdon explains. On a computer, he says, use a screen protector to be sure a visitor cannot read what is on the monitor.

Information Is $$$
Protect it like you would protect any other valuable asset. “I tell financial institutions: you spent all this money building a vault to protect your cash. But what are you doing to protect the information in your computers? It’s just building awareness that the information you have, someone else may want. Just use good common sense.”

Another recent dilemma centers around cell phones. “Everybody’s cell phone now has a camera on it,” Ezdon says. “They may be playing a game. Or sending a text message. Or punching in your password! How do you tell someone to put the phone down without being rude? Figure out a way to do that in a non-confrontational way but still protect your assets.”

Risk Assessment

File cabinets. Server. Jump drive. Cell phones. Electronic messages. Paper. “What information assets do you have?” Ezdon quizzes. “How are they stored? Who has access to them? What are the contact points where a customer with malicious intent could have access to them?

“We show them their risk exposure. Here’s what you can do. Businesses are not used to looking at this and wonder why people would want to steal. Determine what you can do to better protect your assets from theft.

“Very often this doesn’t take much money to implement at all. It can be as simple as training your employees.”
