How Social Engineering Impacts In Information Security?

1. Business Plan - How Important Is It? When used in context of Information Technology, Social Engineering means manipulation of people into divulging confidential information. Social referred to as low tech hacking, as no special technical skills are required to penetrate the computer system. However, Social Engineering requires great social skills (Bhagyavati, 2008). The Social Engineering Hacker exploits natural human desire to trust. Deceiving users and convincing them to divulge password or open an infected attachment is easier than penetrating firewalls and passing through network monitoring systems (Aiello, 2008). Best of all, once mastered by a hacker, Social Engineering can be used applied to any operating system since it is platform independent. Engineering is also Social Engineering can be used by itself or in conjunction within larger cyber attack. Using Social Engineering techniques hackers can “seemingly innocuous information” (Bhagyavati, 2008), such as employee directory or building access codes, which later can be integrated into large pool of sensitive data that can be used to deliver significant cyber attack obtain various pieces of against the victim organization. Bhagyavanti (2008) points out that a well-orchestrated cyber attack, involving social engineering can cause panic in addition to causing damage to the infrastructure. One of the most effective techniques in fighting social engineering is teaching employees to recognize name-dropping, intimidation techniques, not being able to correctly respond to a fake question, and not providing correct authentication. the telltale signs such as Gragg (2010) suggests training employees to be able to identify the type of information that Social Engineers might be interested and employee’s responsibility in guarding it. Employees should also be aware that passwords should remain private, and regarded as “keys” to the company. Employees should also realize that depending on the information that Social Engineers may try to access, they might go to great length in establishing trusting relationship over weeks, months, and sometimes years, prior to asking for any privileged information (Gragg, 2010).

2. Employees must also understand the modes that Social Engineers may apply to target them, be it through telephone, in-person, or via e-mail. Employees need to be aware that a less than a minute access to a computer can be sufficient to sabotage it for a Reverse Social Engineering attack. Company needs to implement security policy that includes the following components: Information Release rules – the policy needs to spell out what kind of information can be released, under which circumstances, and to whom.  Data Disposal rules – the policy needs to specify how the sensitive information is identified and handled for disposal in printed form (i.e. shredding), and in electronic form (i.e. multi erase on the hard drive).  Password rules – the security policy should make it clear that passwords should not be shared under any circumstances. The policy should also enforce password aging. It should specify the account lockdown procedure to be followed when an employee is terminated.  Reporting security issues – policy should specify confidential means for reporting the security issues (Andersen, 20010).  Physical Security – security policy needs to specify physical security aspects, including badge usage for every employee, vendor, and visitor.  Penalties – security policy needs to communicate the penalties for noncompliance with the corporate security policies.  References Aiello, M. (2008). Social Engineering (Cyber Warfare and Cyber Terrorism). Bhagyavati, B. (2008). Social Engineering (Cyber Warfare and Cyber Terrorism). Gragg, D. (2010). A Multi-Level Defense Against Social Engineering. Orlando, Florida: SANS Institute. CxT Group Michigan,2415 E.Hammond Lake DriveSte,219 BloomfieldHills, MI 48302 Contact No:(248) 282-5599 Toll Free:(877) 439-2539