How to Protect Insiders from Social Engineering Threats

On This Page

Introduction
Social Engineering Threats and Defenses
Designing Defenses Against Social Engineering Threats
Implementing Defenses Against Social Engineering Threats
Appendix 1: Security Policy for Social Engineering Threat Checklists
Appendix 2: Glossary

Introduction

Welcome to this document from the Midsize Business Security Guidance collection. Microsoft hopes that the following information will help you create a more secure and productive computing environment.

Who Should Read this Paper

This paper provides security management information about the threats posed by social engineering and the defenses that are available to help resist social engineering hackers. Social engineering describes primarily non-technical threats to company security. The broad nature of these potential threats necessitates providing information about threats and potential defenses to a range of management and technical staff within a company, including:

  • Board management

  • Technical operation and service managers

  • Support staff

  • Security staff

  • Business managers

Overview

To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources.

A social engineering hacker attempts to persuade your staff to provide information that will enable him or her to use your systems or system resources. Traditionally, this approach is known as a confidence trick. Many midsize and small companies believe that hacker attacks are a problem for large corporations or organizations that offer large financial rewards. Although this may have been the case in the past, the increase in cyber-crime means that hackers now target all sectors of the community, from corporations to individuals. Criminals may steal directly from a company, diverting funds or resources, but they may also use the company as a staging point through which they can perpetrate crimes against others. This approach makes it more difficult for authorities to trace these criminals.

To protect your staff from social engineering attacks, you need to know what kinds of attack to expect, understand what the hacker wants, and estimate what the loss might be worth to your organization. With this knowledge, you can augment your security policy to include social engineering defenses. This paper assumes that you have a security policy that sets out the goals, practices, and procedures that the company recognizes as necessary to protect its informational assets, resources, and staff against technological or physical attack. The changes to your security policy will help to provide staff with guidance on how to react when faced with a person or a computer application that tries to coerce or persuade them to expose business resources or disclose security information.

Social Engineering Threats and Defenses

There are five major attack vectors that a social engineering hacker uses:

  • Online

  • Telephone

  • Waste management

  • Personal approaches

  • Reverse social engineering

Beyond recognizing these entry points, you also need to know what the hacker hopes to gain. Their goals are based on the same needs that drive us all—money, social advancement, and self-worth. Hackers want to take your money or resources, they want to be recognized within society or their own peer group, and they want to feel good about themselves. Unfortunately, hackers achieve these things illegally by theft or damage to computer systems. Attacks of any sort will cost you money, through loss of revenue, resources, information, business availability, or business credibility. When you design your defenses against such threats, you should estimate what an attack will cost you.

Online Threats

In our increasingly connected business world, staff often use and respond to requests and information that come electronically from both inside and outside the company. This connectivity enables hackers to make approaches to your staff from the relative anonymity of the Internet. You often hear about online attacks in the press, such as e-mail, pop-up application, and instant message attacks that use Trojan horses, worms, or viruses—collectively called malware—to damage or subvert computer resources. You can begin to help address many of these malware attacks through the implementation of strong antivirus defenses.

Note   For more information about antivirus defenses, see The Antivirus Defense-in-Depth Guide at https://go.microsoft.com/fwlink/?linkid=28732.

The social engineering hacker persuades a staff member to provide information through a believable ruse, rather than infecting a computer with malware through a direct attack. An attack may provide information that will enable the hacker to make a subsequent malware attack, but this result is not a function of social engineering. Therefore, you must advise staff on how best to identify and avoid online social engineering attacks.

E-Mail Threats

Many staff members receive tens or even hundreds of e-mails each day, both from business and from private e-mail systems. The volume of e-mail can make it difficult to give full attention to each message. This fact is very useful to a social engineering hacker. Most e-mail users feel good about themselves when they deal with a piece of correspondence; it is the electronic equivalent of moving paper from the in-tray to the out-tray. If the hacker can make a simple request that is easy to deal with, then the target will often acquiesce without even thinking about what he or she is doing.

An example of such an easy attack is sending e-mail to a staff member that says that the boss wants all of the holiday schedules sent for a meeting and could everyone on the list be copied in on the e-mail. It is simple to slip an external name into the copy list and to spoof the sender’s name so that the mail appears to originate from an internal source. Spoofing is especially simple if a hacker gains access to a company computer system, because there is no need to break through perimeter firewalls. Knowledge of a departmental holiday schedule may not appear to be a security threat, but it means that a hacker knows when a member of staff is absent. The hacker can then impersonate this person with a reduced risk of discovery.

The use of e-mail as a social engineering tool has become endemic over the last decade. Phishing describes the use of e-mail to gain personal identifiable or restricted information from a user. Hackers may send e-mail messages that appear to have come from valid organizations, such as banks or partner companies.

The following figure shows an apparently valid link to the Contoso account management site.

Figure 1. E-mail phishing hyperlink

However, if you look more closely you can spot two differences:

  • The text in the mail states that the site is secure, using https, although the screen tip shows that the site actually uses http.

  • The company name in the mail is “Contoso,” but the link goes to a company called “Comtoso.”

As the term phishing implies, these approaches are typically speculative, with a generic request for information for a customer. The realistic camouflage used in the e-mail messages, with company logos, fonts, and even apparently valid free Help Desk support phone numbers, makes the e-mail appear more believable. Within each phishing e-mail is a request for user information, often to facilitate an upgrade or additional service. An extension of phishing is spear-phishing, in which an explicit target or departmental group is approached. This approach is far more sophisticated, because personal and relevant company information is necessary to make the deception believable. It requires greater knowledge of the target, but can elicit more specific and detailed information.

E-mail can also carry hyperlinks that may tempt a member of staff to breach company security. As shown in Figure 1, links do not always take a user to an expected or promised location. There is a range of other options for the hacker in a phishing e-mail, including images that are hyperlinks that download malware, such as viruses or spyware, or text that is presented in an image, to bypass hyperlink security filters.

Most security measures help keep unauthorized users out. A hacker can bypass many defenses if he or she can dupe a user into bringing a Trojan horse, worm, or virus into the company via a link. The hyperlink may also take a user to a site that uses pop-up applications to request information or offer assistance.
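The two tells in Figure 1 (link text that claims https while the real link uses http, and a displayed company name that does not match the link's domain) and the image-only links mentioned above can all be checked mechanically before a message reaches a user. The following is an added example, not code from the original paper or from Microsoft; the e-mail body it parses is a constructed sample in the style of Figure 1, and the domain comparison uses a deliberately simple last-two-labels rule rather than the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample e-mail body (not from the page). The first link shows the Figure 1
# pattern: visible text says https://www.contoso.com, the real href is http://www.comtoso.com.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please confirm your details at our secure site:
<a href="http://www.comtoso.com/account">https://www.contoso.com/account</a></p>
<p>Or use our <a href="http://198.51.100.7/login"><img src="cid:button.gif"></a> button.</p>
<p>Read our <a href="https://www.contoso.com/help">help pages</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text, contains an image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href", ""), "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


# Matches a URL or bare domain name appearing in the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host):
    """Crude last-two-labels heuristic (assumption); production code should use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_links(html):
    """Return a list of (href, reason) findings for anchors a reader should not trust."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for a in parser.anchors:
        href = urlparse(a["href"])
        text = a["text"].strip()
        # Text presented as an image hides the destination from the reader and from text filters.
        if a["image"] and not text:
            findings.append((a["href"], "image-only link hides destination"))
            continue
        m = URL_IN_TEXT.search(text)
        if not m:
            continue  # ordinary words as link text: nothing to compare against
        shown = m.group(0)
        shown_url = urlparse(shown if "://" in shown else "http://" + shown)
        # Tell 1 from Figure 1: the text promises https but the link does not use it.
        if shown_url.scheme == "https" and href.scheme != "https":
            findings.append((a["href"], "text claims https but link uses " + href.scheme))
        # Tell 2 from Figure 1: the domain shown to the user differs from where the link goes.
        if registrable_domain(shown_url.hostname or "") != registrable_domain(href.hostname or ""):
            findings.append((a["href"], f"text shows {shown_url.hostname} but link goes to {href.hostname}"))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

Run on the sample, the function reports three findings: the scheme mismatch and the Contoso/Comtoso mismatch for the first link, and the image-only second link; the genuine help link produces nothing. A mail gateway would use this as one signal among several, not as the sole verdict.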

You can use a matrix of attack vectors, attack goals, descriptions, and cost to your company similar to the one shown in the following table to help you classify attacks and establish their risk to your company. Sometimes a threat represents more than one risk. Where this is the case, the following examples show the major risk or risks in bold.

Table 1. Online E-mail Attacks and Costs

| Attack goals | Description | Cost |
| --- | --- | --- |
| Theft of company information | Hacker impersonates (spoofs) an internal user to get company information. | Confidential information; business credibility |
| Theft of financial information | Hacker uses phishing (or spear-phishing) technique to request company confidential information, such as account details. | Money; confidential information; business credibility |
| Download malware | Hacker tricks a user into clicking a hyperlink or opening an attachment, thus infecting the company network. | Business availability; business credibility |
| Download hacker’s software | Hacker tricks a user into clicking a hyperlink or opening an attachment, thus downloading a hacker program that uses company network resources. | Resources; business credibility; money |

Like most confidence tricks, you can help to resist social engineering hacker attacks most effectively by approaching with skepticism anything unexpected in your Inbox. To support this approach in an organization, you should include in the security policy a specific e-mail usage guideline that covers:

  • Attachments in documents.

  • Hyperlinks in documents.

  • Requests for personal or company information from within the company.

  • Requests for personal or company information from outside the company.

In addition to these guidelines, you must include examples of phishing attacks. After a user recognizes one phishing swindle, they will find it much easier to notice others.

Pop-Up Applications and Dialog Boxes

It is unrealistic to think that members of staff do not use company Internet access for non-business activities. Most employees browse the Web for personal reasons, such as online shopping or research, at some time. Personal browsing may bring employees, and therefore the company computer systems, in contact with generic social engineers. Although these may not specifically target your company, they will use your staff in an effort to gain access to your company resources. One of the most popular goals is to embed a mail engine within your computer environment through which the hacker can launch phishing or other e-mail attacks on other companies or individuals.

The following figure shows how a hyperlink appears to link to a secure account management site (secure.contosa.com account_id?Amendments), while the status bar shows that it takes the user to a hacker site. Depending on the browser that you use, a hacker can suppress or reformat the status bar information.


Figure 2. Web page phishing hyperlink

The two most common methods of enticing a user to click a button inside a dialog box are by warning of a problem, such as displaying a realistic operating system or application error message, or by offering additional services—for example, a free download that makes the user’s computer go faster. For experienced IT and Web users, these methods may seem transparent deceptions. But to inexperienced users, such pop-up applications or dialog boxes can be intimidating or attractive.

Table 2. Online Pop-Up and Dialog Box Attacks and Costs

| Attack goals | Description | Cost |
| --- | --- | --- |
| Theft of personnel information | Hacker requests staff member’s personal information. | Confidential information; money (staff member) |
| Download malware | Hacker tricks a user into clicking a hyperlink or opening an attachment. | Business availability; business credibility |
| Download hacker’s software | Hacker tricks a user into clicking a hyperlink or opening an attachment. | Resources; business credibility; money |

Protecting users from social engineering pop-up applications is mostly a function of awareness. To avoid the issue, you may set a default browser configuration that blocks pop-ups and automated downloads, but some pop-ups can bypass browser settings. It is more effective to make sure that users are aware that they should not click pop-ups unless they check with support staff. Therefore, your business staff must be able to trust that the support staff will not be judgmental if the user was browsing the Web. This trust relationship may be influenced by your company policy on personal Internet browsing.

Instant Messaging

Instant messaging (IM) is a relatively new communications medium, but it has gained widespread popularity as a business tool, and some analysts estimate that there will be 200 million users of IM products in 2006. The immediacy and familiarity of IM makes it a rich hunting ground for social engineering attacks, because users regard it much as the telephone and do not associate it with potential computer software threats. The two main attacks made using IM are the delivery of a malware link within an IM message and the delivery of an actual file. Of course, IM also represents another way of simply asking for information.

There are a number of potential threats inherent to IM when addressing social engineering. The first is the informality of IM. The chatty nature of IM, together with the option of giving oneself a spurious or false name, means that it is not entirely clear that you are talking to the person you believe you are talking to, which greatly enhances the option for casual spoofing.

The following figure shows how spoofing works, for both e-mail and IM.

Figure 3. Instant messaging and e-mail spoofing

The hacker (red) impersonates another known user and sends either an e-mail or IM message that their target will assume comes from someone they know. Familiarity relaxes user defenses, so they are far more likely to click a link or open an attachment from someone that they know—or they think that they know. Most IM providers allow identification of users based on e-mail address, which can enable a hacker who has identified an addressing standard within your company to send IM contact invitations to other people in the organization. This functionality does not pose a threat in itself, but it does mean that the number of targets within your company is greatly increased.

Table 3. Instant Messaging Attacks and Costs

| Attack goals | Description | Cost |
| --- | --- | --- |
| Request for company confidential information | Hacker uses IM spoofing to impersonate a coworker to request business information. | Confidential information; business credibility |
| Download malware | Hacker tricks a user into clicking a hyperlink or opening an attachment, thus infecting the company network. | Business availability; business credibility |
| Download hacker’s software | Hacker tricks a user into clicking a hyperlink or opening an attachment, thus downloading a hacker program, such as a mail engine, that uses company network resources. | Resources; business credibility; money |

If you are anxious to embrace the immediacy and cost reductions that IM can provide, you must include IM-specific defenses in your security policies. To help control IM within your business, you must establish the following five usage rules:

  • Standardize on a single IM platform. This rule will minimize support effort and will discourage users from chatting by using their own personal IM provider. If you want a more controlled approach to limiting user choice, you can choose to block ports that the common IM services use.

  • Define deployment security settings. IM clients offer a range of security and privacy options, such as virus scanning.

  • Set contact guidelines. Recommend that users do not accept new contact invitations by default.

  • Set password standards. Make your IM passwords comply with the strong password standards that you have set for host passwords.

  • Provide usage guidance. Develop a set of best practice guidelines for your users, explaining the reasoning behind these recommendations.

Telephone-Based Threats

The telephone offers a unique attack vector for social engineering hackers. It is a familiar medium, but it is also impersonal, because the target cannot see the hacker. The communications options for most computer systems can also make the Private Branch Exchange (PBX) an attractive target. Another, perhaps very crude, attack is to steal either credit card or telephone card PINs at telephone booths. This attack is most commonly a theft from an individual, but company credit cards are just as useful. Most people are aware that they should be wary of prying eyes when using an ATM, but most people are less cautious when using a PIN in a telephone booth.

Voice over Internet Protocol (VoIP) is a developing market that offers cost benefits to companies. Currently, due to the relatively restricted number of installations, VoIP hacking is not considered to be a major threat. However, as more businesses embrace this technology, VoIP spoofing is set to become as widespread as e-mail and IM spoofing is now.

Private Branch Exchange

There are three major goals for a hacker who attacks a PBX:

  • Request information, usually through the imitation of a legitimate user, either to access the telephone system itself or to gain remote access to computer systems.

  • Gain access to “free” telephone usage.

  • Gain access to communications network.

Each of these goals is a variation on a theme, with the hacker calling the company and attempting to get telephone numbers that provide access directly to a PBX or through a PBX to the public telephone network. The hacker term for this is phreaking. The most common approach is for the hacker to pretend to be a telephone engineer, requesting either an outside line or a password to analyze and resolve the problems reported on the internal telephone system, as shown in the following figure.

Figure 4. Telephony PBX attacks

Requests for information or access over the telephone are a relatively risk-free form of attack. If the target becomes suspicious or refuses to comply with a request, the hacker can simply hang up. But realize that such attacks are more sophisticated than a hacker simply calling a company and asking for a user ID and password. The hacker usually presents a scenario, asking for or offering help, before the request for personal or business information happens, almost as an afterthought.

Table 4. Private Branch Exchange Attacks and Costs

| Attack goals | Description | Cost |
| --- | --- | --- |
| Request company information | Hacker impersonates a legitimate user to gain confidential information. | Confidential information; business credibility |
| Request telephone information | Hacker impersonates a telephone engineer to gain access to the PBX in order to make external calls. | Resources; money |
| Use PBX to access computer systems | Hacker breaks into computer systems, through the PBX, to steal or manipulate information, infect with malware, or use resources. | |

Most users do not have any knowledge of the internal telephone system, beyond the telephone itself. This is the most important piece of defense that you can put into your security policy. It is uncommon for hackers to approach general users in this way. The most common targets are reception or switchboard staff. You must state that only the service desk has authorization to provide assistance to telephone suppliers. In this way, all authorized personnel deal with all engineering support calls. This approach enables targeted staff to reroute such queries efficiently and quickly to a qualified staff member.

Service Desk

The service desk—or Help Desk—is one of the mainstay defenses against hackers, but it is, conversely, a target for social engineering hackers. Although support staff is often aware of the threat of hacking, they also train to help and support callers, offering them advice and solving their problems. Sometimes the enthusiasm demonstrated by technical support staff in providing a solution overrides their commitment to adherence to security procedures and presents service desk staff with a dilemma: If they enforce strict security standards, asking for proofs that validate that the request or question comes from an authorized user, they may appear unhelpful or even obstructive. Production or sales and marketing staff who feel that the IT department is not providing the immediate service that they require are apt to complain, and senior managers asked to prove their identities are often less than sympathetic to the support staff’s thoroughness.

Table 5. Service Desk Telephony Attacks and Costs

| Attack goals | Description | Cost |
| --- | --- | --- |
| Request information | Hacker impersonates a legitimate user to get business information. | Confidential information |
| Request access | Hacker impersonates a legitimate user to get security access to business systems. | Confidential information; business credibility; business availability; resources; money |

The service desk needs to balance security with business efficiency, and as such security policies and procedures must support them. Proof of identification, such as providing an employee number, department, and manager name, will not be too much for a service desk analyst to request, as everyone knows these. But this proof may not be completely secure, because a hacker may have stolen this information. It is a realistic start, however. In truth, the only 99.99 percent accurate means of identification is a DNA swab test, which is clearly unrealistic.

It is more difficult to defend the service desk analyst against an internal or contract worker hacker. Such a hacker will have a good working knowledge of internal procedures and will have time to make sure that they have all the information required, before they make a service desk call. The security procedures must provide a dual role in this situation:

  • The service desk analyst must ensure that there is an audit trail of all actions. If a hacker succeeds in gaining unauthorized access to information or resources through a service desk call, the service desk must record all activities so that they can quickly rectify or limit any damage or loss. If each call triggers an automated or manual e-mail message stating the problem or request, it will also be easier for an employee who has suffered identity theft to realize what has happened and call the service desk.

  • The service desk analyst must have a well-structured procedure for how to handle call types. For example, if the employee’s manager must make access change requests by e-mail, there can be no unauthorized or informal changes to security levels.

If users are aware of these rules, and management supports their implementation, it will prove much harder for hackers to succeed or remain undetected. The 360-degree audit trail is a most valuable tool in the avoidance and discovery of wrongdoing.
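The two service desk requirements above (an audit trail of every call, with a notification to the named employee, and access changes accepted only on the manager’s e-mailed request) together with the identity proofs suggested earlier can be modelled as a small call-handling routine. The following is an added example, not code from the original paper or from Microsoft; the HR directory is a constructed stand-in, `manager_approval_email` stands for a reference to the manager’s received e-mail, and the hash chaining of audit records is an added design choice (so that a record cannot later be altered without the alteration being detectable), not something the paper prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed HR directory standing in for the company's real one (assumption).
HR_DIRECTORY = {
    "E1042": {"name": "A. Jones", "department": "Sales", "manager": "P. Smith",
              "email": "a.jones@contoso.example"},
    "E2077": {"name": "B. Lee", "department": "Finance", "manager": "R. Patel",
              "email": "b.lee@contoso.example"},
}


class ServiceDesk:
    """Service desk call handler: identity proofs, manager approval for access changes, audit trail."""

    def __init__(self, directory):
        self.directory = directory
        self.audit = []          # append-only audit records, each chained to the previous one
        self.notifications = []  # (recipient, message) e-mails the desk would send
        self._prev_hash = "0" * 64

    def _record(self, **fields):
        """Append an audit record whose hash covers its content and the previous record's hash."""
        fields["time"] = datetime.now(timezone.utc).isoformat()
        fields["prev"] = self._prev_hash
        digest = hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()
        fields["hash"] = digest
        self.audit.append(fields)
        self._prev_hash = digest

    def verify_caller(self, employee_id, department, manager):
        """The paper's realistic start: employee number, department and manager name must all match."""
        rec = self.directory.get(employee_id)
        return rec is not None and rec["department"] == department and rec["manager"] == manager

    def handle_call(self, employee_id, department, manager, request, manager_approval_email=None):
        """Return (granted, reason). Every call is recorded and the named employee is notified."""
        identity_ok = self.verify_caller(employee_id, department, manager)
        if not identity_ok:
            outcome = (False, "identity proofs do not match directory")
        elif request == "access_change" and not manager_approval_email:
            # No informal changes to security levels: the manager's e-mail request is mandatory.
            outcome = (False, "access changes require the manager's e-mail request")
        else:
            outcome = (True, "request actioned")
        self._record(employee_id=employee_id, request=request, identity_ok=identity_ok,
                     granted=outcome[0], reason=outcome[1])
        # Notify the real employee so that an impersonation attempt is visible to its victim.
        if employee_id in self.directory:
            self.notifications.append((self.directory[employee_id]["email"],
                                       f"Service desk call logged: {request} ({outcome[1]})"))
        return outcome

    def audit_intact(self):
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    desk = ServiceDesk(HR_DIRECTORY)
    print(desk.handle_call("E1042", "Sales", "P. Smith", "password_reset"))
    print(desk.handle_call("E1042", "Sales", "Q. Wrong", "password_reset"))
    print(desk.handle_call("E2077", "Finance", "R. Patel", "access_change"))
    print("audit intact:", desk.audit_intact())
```

Note that the failed impersonation attempt on E1042 still generates a notification to A. Jones’s real address, which is the point of the paper’s per-call e-mail: the person being impersonated learns of it and can call the desk.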

Waste Management Threats

Illicit waste analysis—dumpster diving, as it is commonly termed—is a valuable activity for hackers. Business paper waste can contain information that is of immediate benefit to a hacker, such as discarded account numbers and user IDs, or can serve as background information, for example telephone lists and organization charts. This latter type of information is invaluable to a social engineering hacker, because it makes him or her appear credible when launching an attack. For example, if the hacker appears to have a good working knowledge of the staff in a company department, he or she will probably be more successful when making an approach; most staff will assume that someone who knows a lot about the company must be a valid employee.

Electronic media can be even more useful. If companies do not have waste management rules that include disposal of redundant media, it is possible to find all sorts of information on discarded hard disk drives, CDs, and DVDs. The robust nature of fixed and removable media means that those responsible for IT security must stipulate media management policies that include wiping or destruction instructions.

Table 6. Waste Management Attacks and Costs

| Attack goals | Description | Cost |
| --- | --- | --- |
| Paper waste in external bins | Hacker takes paper from externally housed dumpsters to steal any relevant company information. | Confidential information; business credibility |
| Paper waste in internal bins | Hacker takes paper from internal office bins, bypassing any guidelines that govern external paper waste. | Confidential information; business credibility |
| Electronic media waste | Hacker steals information and applications from discarded electronic media. Hacker also steals the media itself. | Confidential information; resources; business credibility |

Your staff must fully understand the implications of throwing waste paper or electronic media in a bin. After this waste moves outside your building, its ownership can become a matter of legal obscurity. Dumpster diving may not be deemed illegal in all circumstances, so you must ensure that you advise staff how to deal with waste materials. Always shred paper waste and wipe or destroy magnetic media. If any waste is too large or tough to put in a shredder, such as a telephone directory, or it is technically beyond the ability of a user to destroy it, you must develop specific protocol for disposal. You should also place trash dumpsters in a secure area that is inaccessible to the public.

When designing a waste management policy, it is important to make sure that you comply with local regulatory rules regarding health and safety. It can also be socially valuable to adopt ecologically sound waste management strategies.

In addition to the management of external waste—the paper or electronic media that may be made available to those outside the company—you must also manage internal waste. Security policies often overlook this issue, because it is often assumed that anyone granted access to the company must be trustworthy. Clearly, this is not always the case. One of the most effective measures in managing waste paper is the specification of a data classification. You define different categories of paper-based information and specify how staff should manage their disposal. Example categories might include:

  • Company Confidential. Shred all company confidential waste documents before disposal in any bin.

  • Private. Shred all private waste documents before disposal in any bin.

  • Departmental. Shred all departmental waste documents before disposal in public dumpsters.

  • Public. Dispose of public documents in any bin or recycle them as waste paper.

For more information about developing data classifications, see the Security Management SMF on Microsoft® TechNet at https://go.microsoft.com/fwlink/?linkid=37696.

Personal Approaches

The simplest and cheapest way for a hacker to get information is for them to ask for it directly. This approach may seem crude and obvious, but it has been the bedrock of confidence tricks since time began. Four main approaches prove successful for social engineers:

  • Intimidation. This approach may involve the impersonation of an authority figure to coerce a target to comply with a request.

  • Persuasion. The most common forms of persuasion include flattery or name dropping.

  • Ingratiation. This approach is usually a more long-term ploy, in which a subordinate or peer coworker builds a relationship to gain trust and, eventually, information from a target.

  • Assistance. In this approach, the hacker offers to help the target. The assistance will ultimately require the target to divulge personal information that will enable the hacker to steal the target’s identity.

Most people assume that anyone who talks to them is being truthful, which is interesting because it is a fact that most people admit that they will tell lies themselves. (The Lying Ape: An Honest Guide to a World of Deception, Brian King, Icon Books Limited). Unquestioning trust is one of the goals of a social engineering hacker.

Defending users against these types of personal approach is very difficult. Some users are naturally disposed to social engineering using one of these four attacks. The defense against an intimidation attack is the development of a “no fear” culture within a business. If normal behavior is politeness, then the success of intimidation is reduced, because individual staff members are more likely to escalate confrontational situations. A supportive attitude within management and supervisory roles toward the escalation of problems and decision-making is the worst thing that can happen to a social engineering hacker. Their goal is to encourage a target to make a quick decision. With the problem escalated to a higher authority, they are less likely to achieve this goal.

Persuasion has always been an important human method of achieving personal goals. You cannot engineer this out of your workforce, but you can provide strict guidance on what an individual should and should not do. The hacker will always ask or manufacture a scenario where a user volunteers restricted information. Ongoing awareness campaigns and basic guidance covering security devices such as passwords are your best defense.

Hackers need time to ingratiate themselves with your users. The hacker will need to be in regular contact, probably by taking the role of a coworker. For most midsized companies, the main coworker threat comes from regular service or contract personnel. The HR group must take as much care over the security screening of contract staff as they do with permanent staff. You can pass most of this work to the contract supplier. To make sure that the supplier does an effective job, you may ask them to comply with your own screening policies on permanent staff. If a social engineering hacker gains permanent employment within your company, then the best defense is the awareness of your staff and their adherence to the security policy rules on information security.

Finally, assistance attacks can be minimized if you have an effective service desk. The in-house assistant is often a result of disaffection with existing company support services. You need to enforce two elements in order to make sure that staff contact the service desk rather than an unauthorized in-house expert—or worse, an expert from outside the company:

  • Specify in your security policy that the service desk is the only point to which users should report issues.

  • Ensure that the service desk has an agreed response process within the departmental service-level agreement. Audit the service desk performance regularly, to make sure that users receive the right level of response and solution.

You must not underestimate the importance of the service desk in providing the first-level defense against social engineering attacks.

Virtual Approaches

Social engineering hackers need to make contact with their targets to mount their attacks. Most commonly, this takes place through some electronic medium, such as an e-mail message or a pop-up window. The volume of junk and spam mail that arrives in most personal mailboxes has made this method of attack less successful, as users become more skeptical of chain mail and conspiratorial requests to take part in “legal” and lucrative financial transactions. Despite this, the sheer volume of such mail and the use of Trojan horse mail engines mean that it remains attractive to some hackers even with a minimal success rate. Most of these attacks are personal and aim to discover information about the target’s identity. For businesses, however, the widespread use of business systems, such as computers and Internet access, for personal purposes means that an attack on an individual can give hackers a way into the corporate network.

Telephones offer a more personal, lower-volume method of approach. The limited risk of arrest means that some hackers use the telephone as a means of approach, but it is used primarily for PBX and service desk attacks; most users would be dubious about a call requesting information from someone they did not know personally.

Physical Approaches

Less common, but more effective for the hacker, is direct, personal contact with a target. Only the most suspicious employee will doubt the validity of someone who presents themselves in person and asks for, or offers, help with a computer system. Although these approaches carry far greater risks for the perpetrator, the advantages are obvious: the hacker can gain unfettered access to computer systems within the company, inside whatever technological perimeter defenses exist.

The growth in the use of mobile technologies, which enable users to attach to corporate networks while on the road or in their homes, is another major threat to company IT resources. The attacks possible here range from the simplest observation attack, in which a hacker watches over the shoulder of a mobile computer user on a train to see their user ID and password, to more sophisticated attacks in which a card reader or router upgrade is delivered and installed by a very helpful service engineer who gains access to the business network by asking for the user’s ID, password, and perhaps a cup of coffee. A thorough hacker would even request an authorization signature from the user, and now they have the user’s signature as well. Between these extremes come threats such as neighbors who use the bandwidth paid for by the company to access the Internet through an unprotected wireless LAN.

Although most large companies have highly developed site security infrastructures, smaller, midsized offices can be more relaxed about building access. Tailgating, in which an unauthorized person follows someone with a pass into an office, is a very simple social engineering attack. The intruder opens the door, which the authorized user walks through, and then engages them in conversation about the weather or weekend sport while they walk past the reception area together. This approach would not work in a large company, where each individual may need to swipe a card through a turnstile, or in a small company where everyone knows everyone else. However, it is perfectly suited for a company with a thousand employees, where it is common for one employee not to know everyone. If the impostor has previously gained access to company information, such as department names, staff names, or internal memo information, the diversionary conversation will be more credible.

Home worker security is usually limited to technology. The security policy must require firewalls to ensure that external hackers cannot gain access to home networks. Beyond this requirement, most midsized companies allow their home worker employees to manage their own security, and even their own backups.

Table 7. Physical Access Attacks and Costs

| Attack goal | Description | Cost |
|---|---|---|
| Theft of mobile user identity | Hacker observes a legitimate user typing logon or other details into a computer. This may be a prelude to theft of the computer itself. | Confidential information |
| Theft of home worker user identity | Hacker poses as an IT support worker or maintenance partner to gain access to a home worker network, requesting the user ID and password to “test upgrade success”. | Confidential information |
| Direct network contact through home worker network | Hacker accesses the company network via a home worker network by posing as a support engineer. The hacker has unfettered access to network and company resources. | Confidential information; Business credibility; Business availability; Resources; Money |
| Ongoing access to home worker network | Hacker or local user gains broadband Internet access through an unsecured home network. | Resources |
| Access company offices unaccompanied | Hacker tailgates an authorized employee into the company offices. | Confidential information; Business credibility; Business availability; Money; Resources |
| Access an individual company office | Hacker gains access to an individual office where he or she can attempt to use computer equipment or paper resources, such as filing cabinets. | Confidential information; Resources; Money |

Defenses against these threats are essentially dependent on the implementation of best practices by users, based on an effective company security policy that must address the following three areas:

  • The company site

  • The home

  • Mobile working

It should be impossible to gain entry to a company building or site without the proper authorization. Reception staff must be polite but firm when they deal with staff, contractors, and visitors. A few simple conditions within the company security policy will make a physical social engineering attack within the building nearly impossible. These conditions may include the use of:

  • Photographic identification passes, shown whenever a staff member enters or leaves the building.

  • A visitor’s book signed by the visitor and countersigned by the member of staff that they are visiting on both arrival and departure.

  • Dated visitor passes visible at all times and returned to reception on departure.

  • A contractor’s book signed by the contractor and countersigned by the staff member who has authorized their work on both arrival and departure.

  • Dated contractor passes visible at all times and returned to reception on departure.

To make sure that everyone presents themselves to the receptionist, the company must arrange the entrance so that visitors have to walk directly past the receptionist and can present their credentials or sign in. Such barriers do not have to be turnstiles or narrow gaps that people need to squeeze through.

For example, a reception area may use something as relaxed as a sofa to steer people toward the receptionist, as the two examples in the following figure illustrate.

Figure 5. Reception planning


The reception area on the left allows an unauthorized visitor to tailgate, using a legitimate employee as a screen. The example on the right requires any visitor to walk past reception. The position of the computer terminal does not obscure the receptionist’s view. The gap must be large enough to allow anyone to pass through comfortably, including wheelchair users. It is essential that reception staff members are well-drilled and consistent when they welcome and check each person. Every entrance to the building must comply with these standards, and staff must only use authorized building entrances and exits—there must be no back doors.

When erecting any form of barrier or door management system, you must make sure that you comply with regulatory requirements for health, safety, and accessibility.

In the home, it is not realistic to authorize every visitor or tradesman. In reality, most people are far more cautious about visitors to their home than they are in the office. More important, you should ensure that an attacker cannot gain access to business resources. A protocol on off-site IT services must include rules that stipulate the following conditions:

  • Each technical support action, whether it is an onsite fix or an upgrade, must be planned and authorized by support staff.

  • Contractors and internal staff who undertake onsite maintenance or installation must have identification, preferably including a photograph.

  • The user must contact the IT support department to tell them when the engineer arrives and when the job is complete.

  • Each job has a job sheet, signed off on by the user.

  • The user must never provide personal access information or sign on to the computer to provide an engineer with access.

This last point is crucial. It is incumbent on the IT services group to make sure that any offsite engineer has sufficient access of their own to undertake the work. If the engineer does not have sufficient access to complete a task, he or she must contact the service desk. This requirement is essential, because working as a lowly engineer for a computer services company is one of the most profitable jobs a prospective hacker can find: it makes the hacker both a figure of technical authority and a helper at the same time.

Mobile workers will often use their computers in a crowded environment, such as on a train or in stations, airports, or restaurants. Clearly, it is almost impossible to make sure that no one is watching you type in such an environment, but the company security policy must offer advice on how to minimize the risks to personal and business information, for example by choosing a seat with a wall behind it and fitting a privacy screen filter. If staff members use personal digital assistants (PDAs), you should include information on managing security and synchronization.

Reverse Social Engineering

Reverse social engineering describes a situation in which the target or targets make the initial approach and offer the hacker the information that they want. Such a scenario may seem unlikely, but figures of authority, particularly those with technical or social authority, often receive vital personal information, such as user IDs and passwords, because they are above suspicion. For example, no Help Desk support worker would ask a caller for a user ID or password; they solve problems without this information. Yet many users who have IT problems will volunteer these security credentials to expedite a solution, so the hacker does not even have to ask. Reverse social engineering attacks are not merely reactive, however, as this scenario might suggest.

A social engineering attack creates a situation, advertises a solution, and provides assistance when requested, perhaps as simply as in the following scenario:

A coworker hacker renames or moves a file so that the target thinks that it no longer exists. The hacker suggests that they may be able to get the file back. The target, keen to get on with their work, or concerned that the loss of the information could be their own fault, leaps at this offer. The hacker states that this could only be done if they were to log on as the target, and may even say that company policy prohibits this. The target will beg the hacker to log on as them and try to reinstate the file. Grudgingly, the hacker agrees, reinstates the original file, and steals the target’s user ID and password. He or she has even enhanced their reputation, so that they receive requests to assist other coworkers. This approach bypasses the regular IT support channels and makes it easier for the hacker to remain unnoticed.

It is not always necessary to know or even meet a target to use reverse social engineering. Imitating problems or issues with dialog boxes can be effective in a non-specific, reverse social engineering attack. The dialog box announces that there is a problem or that an update is necessary to continue, and offers a download to solve it. When the download is complete, the engineered problem disappears, and the user continues working, oblivious to the fact that they have breached security and installed a malware program.

Table 8. Reverse Social Engineering Attacks and Costs

| Attack goal | Description | Cost |
|---|---|---|
| Theft of identity | Hacker receives user ID and password from an authorized user. | Confidential information; Business credibility; Business availability; Money; Resources |
| Theft of information | Hacker uses an authorized user ID and password to gain access to company files. | Confidential information; Money; Resources; Business credibility; Business availability |
| Download malware | Hacker tricks a user into clicking a hyperlink or opening an attachment, thus infecting the company network. | Business availability; Business credibility |
| Download hacker’s software | Hacker tricks a user into clicking a hyperlink or opening an attachment, thus downloading a hacker program, such as a mail engine, that uses company network resources. | Resources; Business credibility; Money |

Defending against reverse social engineering is probably the most difficult challenge. The target has no reason to suspect the hacker, because he or she feels that they are in command of the situation. The main defense is the stipulation in your security policy that all issues must be resolved through the service desk. If service desk staff members are efficient, polite, and non-judgmental, other employees will approach them, rather than ask unauthorized staff or acquaintances for help.

Designing Defenses Against Social Engineering Threats

After you understand the wide range of threats that exist, three steps are necessary to design a defense against social engineering threats to the staff within your company. An effective defense is a function of planning. Often defenses are reactive: you discover a successful attack and erect a barrier to ensure that the problem cannot recur. Although this approach demonstrates a level of awareness, the solution comes too late if the problem is a major or expensive one. To preempt this scenario, you must take the following three steps:

  • Develop a security management framework. You must define a set of social engineering security goals and staff members who are responsible for the delivery of these goals.

  • Undertake risk management assessments. Similar threats do not present the same level of risk to different companies. You must review each of the social engineering threats and rationalize the danger that each presents to your organization.

  • Implement social engineering defenses within your security policy. Develop a written set of policies and procedures that stipulate how your staff should manage situations that may be social engineering attacks. This step assumes the existence of a security policy, outside the threat presented by social engineering. If you do not currently have a security policy, then you need to develop one. The elements identified by your social engineering risk assessment will get you started, but you will need to look at other potential threats.

    For more information on security policies, see the Microsoft Security Web site at www.microsoft.com/security.

Developing a Security Management Framework

A security management framework defines an overall view of the possible threats to your organization from social engineering and allocates named job roles responsible for the development of policies and procedures that mitigate these threats. This approach does not mean that you have to employ a staff whose only function is to ensure the security of business assets. Although such an approach may be an option within large organizations, it is seldom viable or desirable to have such roles within midsized organizations. The requirement is to make sure that a group of people take on the key responsibilities of the following security roles:

  • Security sponsor. A senior manager, probably board-level, who can provide the necessary authority to ensure that all staff take the business of security seriously.

  • Security manager. A management-level employee who has responsibility for orchestrating the development and upkeep of a security policy.

  • IT security officer. A technical staff member who has responsibility for developing the IT infrastructure and operational security policies and procedures.

  • Facilities security officer. A member of the facilities team who is responsible for developing site and operational security policies and procedures.

  • Security awareness officer. A management-level member of staff—often from within the human resources or personnel development department—who is responsible for the development and execution of security awareness campaigns.

This group—the Security Steering Committee—represents the facilitators within the company. As the selected champions for security, the Security Steering Committee needs to establish the core goals of the security management framework. Without a set of definable goals, it is difficult to encourage participation of other staff or to measure the success of the project. The initial task of the Security Steering Committee is to identify what social engineering vulnerabilities exist within the company. A simple table like the following one quickly enables you to develop a picture of these attack vectors.

Table 9. Company Social Engineering Attack Vector Vulnerabilities

| Attack vector | Describe company usage | Comments |
|---|---|---|
| Online | | |
| E-mail | All users have Microsoft Outlook® on desktop computers. | |
| Internet | Mobile users have Outlook Web Access (OWA) in addition to Outlook client access. | |
| Pop-up applications | | There is currently no technological barrier implemented against pop-ups. |
| Instant Messaging | The company allows unmanaged use of a variety of IM products. | |
| Telephone | | |
| PBX | | |
| Service Desk | Currently the “Service Desk” is a casual support function provided by the IT department. | We need to extend support provisions beyond the IT area. |
| Waste management | | |
| Internal | All departments manage their own waste disposal. | |
| External | Dumpsters are placed outside the company site. Garbage collection is on Thursday. | We do not currently have any space for dumpsters within the site. |
| Personal approaches | | |
| Physical Security | | |
| Office security | All offices remain unlocked throughout the day. | |
| Home workers | 25 percent of staff works from home. | We have no written standards for home worker security and no protocol for home worker onsite maintenance. |
| Other/Company-specific | | |
| In-house franchisees | All catering is managed through a franchise. | We do not know anything about these staff, and there is no security policy for them. |

When the Security Steering Committee has a good understanding of the vulnerabilities, it can complete a Company Social Engineering Attack Vector Vulnerabilities table (shown in the previous example). The table outlines the company’s protocols in potentially vulnerable areas. Knowledge of the vulnerabilities enables the committee to develop a blueprint for the potential policy requirements.

To do so, the Security Steering Committee must first identify areas that may pose a risk to the company. This process should include all of the attack vectors identified within this paper and company-specific elements, such as use of public terminals or office management procedures.

Risk Assessment

All security planning requires you to assess the level of risk that an attack presents to your company. Although risk assessment needs to be thorough, it does not have to be time-consuming. Based on the work done by the Security Steering Committee in identifying the core elements of a security management framework, you can categorize and prioritize the risks. The risk categories include:

  • Confidential information

  • Business credibility

  • Business availability

  • Resources

  • Money

You set priorities by identifying each risk and calculating the cost of mitigating it: if mitigating the risk is more expensive than the loss its occurrence would cause, the mitigation may not be justifiable. This risk assessment phase can be very useful in the final development of the security policy.

For example, the Security Steering Committee may highlight the risk posed by visitor handling at reception. For a company that expects no more than 20 visitors in an hour, there is no need to consider anything more sophisticated than one receptionist, a sign-in book, and some numbered visitor badges. But for a company that expects 150 visitors per hour, more reception staff or self-service registration terminals may be necessary. Although the smaller company could not justify the cost of self-service registration terminals, the larger one could not justify the cost of lost business due to lengthy delays.

Alternatively, a company that never has visitors or contract staff may feel that there is minimal risk in leaving printed output in a central location while it awaits collection. A company with a large number of non-employee staff, however, may feel that the only way to remove the risk presented by potentially confidential information lying in a printer is to install local print facilities at every desk. The same company could instead mitigate the risk by stipulating that a member of staff accompanies every visitor throughout their visit. This solution is far less expensive, except, possibly, in terms of staff time.

Based on the business assessment from the Company Social Engineering Attack Vector Vulnerabilities matrix, the Security Steering Committee can define the policy requirements, risk types, and risk levels for the company, as shown in the following table.

Table 10. Steering Committee Security Requirement and Risk Matrix

Risk Type is one or more of: Confidential information, Business credibility, Business availability, Resources, Money. Risk Level runs from 1 (low) to 5 (high). The Risk Type, Risk Level, and Action columns are left blank for the committee to complete.

| Attack Vector | Possible Policy Requirement | Risk Type | Risk Level | Action |
|---|---|---|---|---|
| All vectors | Written set of social engineering security policies | | | |
| All vectors | Changes to make policy compliance part of the standard employee contract | | | |
| All vectors | Changes to make policy compliance part of the standard contractor contract | | | |
| Online: E-mail | Policy on types of attachments and how to manage them | | | |
| Online: Internet | Internet usage policy | | | |
| Online: Pop-up applications | Policy for Internet usage, with specific focus on what to do with unexpected dialog boxes | | | |
| Online: Instant Messaging | Policy on supported and allowable IM clients | | | |
| Telephone: PBX | Policy for PBX support management | | | |
| Telephone: Service Desk | Policy for the provision of data access | | | |
| Waste Management: Paper | Policy for waste paper management | | | |
| Waste Management: Paper | Dumpster management guidelines | | | |
| Waste Management: Electronic | Policy for the management of electronic media waste materials | | | |
| Personal Approaches: Physical Security | Policy for visitor management | | | |
| Personal Approaches: Office security | Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, for example) | | | |
| Personal Approaches: Home workers | Policy for the use of mobile computers outside the company | | | |
| Other/Company-Specific: In-house franchisees | Policy for screening in-house franchise employees | | | |
The Security Steering Committee must achieve consensus on the importance of a risk. Each business group will have different views on the risks that different threats present.

For more information about risk assessment methodologies and tools, see the Security Risk Management Guide at https://go.microsoft.com/fwlink/?linkid=30794.

Social Engineering in the Security Policy

A company’s management and IT personnel must develop and help implement an effective security policy within the organization. Sometimes, the focus of a security policy is technological controls that help protect against technological threats, such as viruses and worms. Technological controls help defend technical assets, such as data files, program files, and operating systems. Social engineering defenses must anticipate generic social engineering assaults against staff members.

The Security Steering Committee has the core security areas and risk assessment for which it must delegate the development of procedure, process, and business documentation. The following table shows how the Security Steering Committee, with the assistance of interest groups, may define the documentation required to support the security policy.

Table 11. Steering Committee Procedure and Document Requirements

| Policy requirement | Procedure / document requirement | Action on / date |
|---|---|---|
| Written set of social engineering security policies | None | |
| Changes to make policy compliance part of the standard employee contract | 1. Wording for new contract requirements (Legal); 2. New format for employee contracts | |
| Changes to make policy compliance part of the standard contractor contract | 1. Wording for new contract requirements (Legal); 2. New format for contractor contracts | |
| Policy for visitor management | 1. Procedure for visitor sign in and sign out; 2. Procedure for visitor accompaniment | |
| Dumpster management guidelines | 1. Procedure for waste paper disposal (see Data); 2. Procedure for electronic media disposal (see Data) | |
| Policy for the provision of data access | | |
| Policy for waste paper management | | |
| Policy for the management of electronic media waste materials | | |
| Policy for Internet usage, with specific focus on what to do with unexpected dialog boxes | | |
| Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, and so on) | | |
| Policy for the use of mobile computers outside the company | | |
| Policy for managing issues when connecting to partner applications (banking, financial, buying, stock management) | | |

As you can see, this list can become quite long. You may decide to contract expert help to speed this element of the process. The Security Steering Committee must focus on areas that it considers high value, based on the risk assessment process.

Implementing Defenses Against Social Engineering Threats

After you write and agree to the security policy, you must make the policy available to the staff and have them comply with it. Although you can implement technical controls without the knowledge of your employees, you must win their support if you want to implement social engineering defenses successfully. To support the implementation, you must develop incident response protocols for your service desk staff.

Awareness

There is no substitute for a good awareness campaign when you implement the social engineering elements of your security policy. The implementation is, of course, a form of social engineering, and you must train your staff so that they know the policy, understand why it is there, and know how they should react to a suspected attack. The key element of a social engineering attack is trust—the target trusts the hacker. To resist this form of attack, you need to stimulate a healthy skepticism within your staff of anything out of the ordinary and engender their trust in the company IT support infrastructure.

The elements of an awareness campaign depend on how you communicate information to staff within the company. You may choose to have structured training, less formal meetings, poster campaigns, or other events to publicize the security policies. The more you reinforce the messages within your policies, the more successful their implementation. Although you can launch security awareness with a big event, it is just as important to keep security prominent on the agenda of management and staff. Security is a company mindset, so make sure that suggestions on how to maintain security awareness come from everyone in the company. Obtain opinions from all business departments and from different types of users, especially those who work outside the office environment.

Managing Incidents

When a social engineering attack occurs, make sure that the service desk staff knows how to manage the incident. Reactive protocols should exist in the procedures associated with the security policy, but incident management means that you use the attack to initiate further security reviews. Security is a journey rather than a destination, because attack vectors change.

Each incident provides new input for an ongoing review of security within the incident response model, which is shown in the following figure.

Figure 6. Incident response model


As each new incident occurs, the Security Steering Committee reviews whether it represents a new or changed risk to the company and creates or revises policies and procedures based on its findings. All amendments to security policies should adhere to your company change management standards.

To manage an incident, service desk staff must have a robust incident-reporting protocol that records the following information:

  • Target name

  • Target department

  • Date

  • Attack vector

  • Attack description

  • Attack outcome

  • Attack effect

  • Recommendations

By recording incidents, it is possible to identify patterns and possibly preempt further attacks. An incident report form template is available in Appendix 1 at the end of this document.
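The fields listed above map directly onto a record, and the pattern search in the last sentence can be automated rather than left to memory. The following Python is an added example, not code from the original guidance or from Microsoft. The record fields follow the protocol above and the attack-vector vocabulary follows the sub-rows of Table 9; the outcome values (“resisted”, “disclosed”, “unknown”), the sample reports, and the thresholds (two approaches to one person within 30 days, one vector used against two departments within 14 days, a 50 percent disclosure rate) are constructed assumptions that a Security Steering Committee would replace with values from its own risk assessment.

```python
"""Incident log and pattern review for social engineering reports (added
example, not code from the original guidance; thresholds are assumptions)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Attack-vector vocabulary taken from the sub-rows of Table 9.
KNOWN_VECTORS = frozenset({
    "E-mail", "Internet", "Pop-up applications", "Instant Messaging",
    "PBX", "Service Desk", "Waste: internal", "Waste: external",
    "Physical Security", "Office security", "Home workers", "In-house franchisees",
})
# Outcome vocabulary (assumed): did the target give the hacker anything?
OUTCOMES = frozenset({"resisted", "disclosed", "unknown"})


@dataclass(frozen=True)
class Incident:
    """One service-desk report, with the fields listed in the text."""
    target_name: str
    target_department: str
    report_date: date
    attack_vector: str
    attack_description: str
    attack_outcome: str
    attack_effect: str
    recommendations: str = ""

    def __post_init__(self):
        # Reject free-text vectors and outcomes so that grouping is meaningful.
        if self.attack_vector not in KNOWN_VECTORS:
            raise ValueError(f"unknown attack vector: {self.attack_vector!r}")
        if self.attack_outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {self.attack_outcome!r}")


def incidents_in_window(log, end, window_days):
    """Reports dated within the last `window_days` days up to and including `end`."""
    start = end - timedelta(days=window_days)
    return [i for i in log if start <= i.report_date <= end]


def repeated_targets(log, end, window_days=30, threshold=2):
    """People approached `threshold` or more times in the window: a sign that
    an attacker is building a relationship with one person."""
    counts = Counter(i.target_name for i in incidents_in_window(log, end, window_days))
    return sorted(name for name, n in counts.items() if n >= threshold)


def campaign_vectors(log, end, window_days=14, min_departments=2):
    """Vectors used against several departments in a short window: a sign of
    a campaign rather than an isolated approach."""
    depts = defaultdict(set)
    for i in incidents_in_window(log, end, window_days):
        depts[i.attack_vector].add(i.target_department)
    return sorted(v for v, d in depts.items() if len(d) >= min_departments)


def disclosure_rate_by_vector(log):
    """Share of reports per vector in which the target gave something away;
    a high rate is the trigger for the policy review in Figure 6."""
    total, disclosed = Counter(), Counter()
    for i in log:
        total[i.attack_vector] += 1
        if i.attack_outcome == "disclosed":
            disclosed[i.attack_vector] += 1
    return {v: disclosed[v] / total[v] for v in total}


def review_flags(log, end=None, review_rate=0.5):
    """Items for the Security Steering Committee after the latest report."""
    if end is None:
        end = max(i.report_date for i in log)
    flags = [f"repeat-target:{n}" for n in repeated_targets(log, end)]
    flags += [f"campaign:{v}" for v in campaign_vectors(log, end)]
    flags += [f"policy-review:{v}"
              for v, rate in sorted(disclosure_rate_by_vector(log).items())
              if rate >= review_rate]
    return flags


# Constructed sample reports (not real data), as a service desk might log them.
SAMPLE_LOG = [
    Incident("A. Lee", "Finance", date(2024, 3, 4), "PBX",
             "Caller claiming to be the telecoms supplier asked for the voicemail admin PIN",
             "resisted", "none", "remind staff that suppliers never need PINs"),
    Incident("A. Lee", "Finance", date(2024, 3, 11), "PBX",
             "Same caller, now citing an 'open ticket'", "resisted", "none"),
    Incident("B. Okoro", "Sales", date(2024, 3, 12), "E-mail",
             "Message with an 'invoice' attachment from a spoofed partner address",
             "disclosed", "attachment opened; workstation rebuilt",
             "block executable attachments at the mail gateway"),
    Incident("C. Diaz", "HR", date(2024, 3, 13), "E-mail",
             "Same invoice lure", "resisted", "none"),
    Incident("D. Ruiz", "Facilities", date(2024, 3, 14), "Physical Security",
             "Visitor without a badge followed staff through a side door",
             "unknown", "side door now alarmed", "enforce a single staffed entrance"),
]

if __name__ == "__main__":
    for flag in review_flags(SAMPLE_LOG):
        print(flag)
```

On the sample log this flags A. Lee as a repeat target (the relationship-building pattern described under reverse social engineering), flags E-mail as a campaign because the same lure reached two departments within a fortnight, and flags E-mail for policy review because half of the reports on that vector ended in disclosure. Rejecting free-text vectors at record time is deliberate: if the service desk records “phone”, “telephone” and “PBX” for the same thing, no later grouping will find the pattern.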

Operational Considerations

When you review security, it is possible to become overly sensitive to the myriad of potential threats against your company. Your security policy must maintain an appreciation that your business is there to do business. If your security proposals adversely affect the profitability or commercial agility of the organization, you may need to reassess the risk. You must achieve a balance between security and operational usability.

It is also important to appreciate that a reputation as a security-conscious company can have commercial advantages. It will not only discourage hackers, but it will also enhance the company’s business profile with customers and partners.

Social Engineering and the Defense-in-Depth Layered Model

The defense-in-depth layered model categorizes security controls by the layer of your environment that they protect; each layer is also an area of weakness that hackers may use to threaten your computer environment. The layers are:

  • Policies, procedures, and awareness. The written rules that you develop to manage all areas of security, and the education program that you put in place to help ensure that staff members know, understand, and implement these rules.

  • Physical security. The barriers that manage access to your premises and resources. It is important to remember this latter element; if you place waste containers outside the company, for example, then they are outside the physical security of the company.

  • Data. Your business information—account details, mail, and so on. When you consider social engineering threats, you must include both hard and soft copy materials in your data security planning.

  • Application. The programs run by your users. You must address how social engineering hackers may subvert applications, such as e-mail or instant messaging.

  • Host. The servers and client computers used within your organization. Help ensure that you protect users against direct attacks on these computers by defining strict guidelines on what software to use on business computers and how to manage security devices, such as user IDs and passwords.

  • Internal network. The network through which your computer system communicates. It may be a local, wireless, or wide area network (WAN). The internal network has become less “internal” over the last few years, with home and mobile working gaining in popularity. So, you must make sure that users understand what they must do to work securely in all networked environments.

  • Perimeter. The contact point between your internal networks and external networks, such as the Internet or networks that belong to your business partners, perhaps as part of an extranet. Social engineering attacks often attempt to breach the perimeter to launch attacks on your data, applications, and hosts through your internal network.

Figure 7. The defense-in-depth security model

When you design your defenses, the defense-in-depth model helps you to visualize the areas of your business that are under threat. The model is not specific to social engineering threats, but each of the layers should have social engineering defenses.

The overarching defenses in the model are security policies, procedures, and awareness. These defenses target staff within an organization, explaining what to do, when, why, and by whom. The remaining layers may fine-tune your defenses, but the essential protection comes from having a well-structured and well-known set of rules that protect your IT environment.

For more information about the defense-in-depth security model, see the Security Management SMF on Microsoft TechNet at https://go.microsoft.com/fwlink/?linkid=37696.

Appendix 1: Security Policy for Social Engineering Threat Checklists

A number of tables have been used in this document to capture social engineering vulnerabilities and defense policy requirements. Template versions of these tables are provided in this appendix for you to copy and populate.

Company Social Engineering Attack Vector Vulnerabilities

Attack Vector              | Describe Company Usage | Comments
---------------------------+------------------------+----------
Online                     |                        |
  E-mail                   |                        |
  Internet                 |                        |
  Pop-up applications      |                        |
  Instant Messaging        |                        |
Telephone                  |                        |
  PBX                      |                        |
  Service Desk             |                        |
Waste Management           |                        |
  Internal                 |                        |
  External                 |                        |
Personal Approaches        |                        |
  Physical Security        |                        |
  Office security          |                        |
Other/Company-specific     |                        |
                           |                        |

Steering Committee Security Requirement and Risk Matrix

Risk Type: Confidential information, Business credibility, Business availability, Resources, Money
Risk Level: High = 5, Low = 1

Attack Vector            | Possible Policy Requirement | Risk Type | Risk Level | Action
-------------------------+-----------------------------+-----------+------------+--------
Online                   |                             |           |            |
Telephone                |                             |           |            |
Waste Management         |                             |           |            |
Personal Approaches      |                             |           |            |
Other/Company-Specific   |                             |           |            |

Steering Committee Procedure and Document Requirements

Policy requirement | Procedure / document requirement | Action on / date
-------------------+----------------------------------+------------------
                   |                                  |
                   |                                  |
                   |                                  |
                   |                                  |
                   |                                  |
                   |                                  |

Security Policy Implementation Checklist

Action                                             | Description | Action on / date
---------------------------------------------------+-------------+------------------
Develop Online Security Policies                   |             |
Develop Physical Security Policies                 |             |
Develop Telephony Security Policies                |             |
Develop Waste Management Security Policies         |             |
Develop Service Desk Security Management Policies  |             |
Develop Incident Response Model                    |             |
Develop Awareness Campaign                         |             |
...                                                |             |

Incident Report

Service Desk Representative  |
Target name                  |
Target department            |
Date                         |
Attack vector                |
Attack description           |
Attack outcome               |
Attack effect                |
Recommendations              |

Appendix 2: Glossary

Term

Definition

access

In respect to privacy, an individual's ability to view, modify, and contest the accuracy and completeness of personally identifiable information collected about him or her. Access is an element of the Fair Information Practices.

antivirus (AV) software

A computer program designed to detect and respond to malicious software, such as viruses and worms. Responses may include blocking user access to infected files, cleaning infected files or computers, or informing the user that an infected program was detected.

attack

A deliberate attempt to compromise the security of a computer system or deprive others of the use of the system.

authentication

The process of validating the credentials of a person, computer process, or device. Authentication requires that the person, process, or device making the request provide a credential that proves it is what or who it says it is. Common forms of credentials are digital signatures, smart cards, biometric data, and a combination of user names and passwords.

authorization

The process of granting a person, computer process, or device access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access, which is verified through authentication.

change management

The practice of administering changes with the help of tested methods and techniques in order to avoid new errors and minimize the impact of changes.

computer security

The protection of information assets using technology, processes, and training.

cracker

A wrongdoer who breaks into a computer system using technological, rather than social engineering, strategies.

download

To transfer a copy of a file from a remote computer to a requesting computer by means of a modem or network.

extranet

An extension of an organization's intranet used to facilitate communication with the organization's trusted partners. An extranet enables such trusted partners to gain limited access to the organization's internal business data.

firewall

A security solution that segregates one portion of a network from another, allowing only authorized network traffic to pass through according to traffic filtering rules.

malware

Software that fulfills the deliberately harmful intent of an attacker when run. For example, viruses, worms, and Trojan horses are malicious code.

network logon

The process of logging on to a computer by means of a network. Typically, a user first interactively logs on to a local computer, then provides logon credentials to another computer on the network, such as a server, that he or she is authorized to use.

password

A string of characters entered by a user to verify his or her identity to a network or to a local computer. See also strong password.

permissions

Authorization to perform operations associated with a specific shared resource, such as a file, directory, or printer. Permissions must be granted by the system administrator to individual user accounts or administrative groups.

personal identification number (PIN)

A secret identification code similar to a password that is assigned to an authorized user. A PIN is used in combination with an ATM card or smart card, for example, to unlock an authorized functionality such as access to a bank account.

personally identifiable information (PII)

Any information relating to an identified or identifiable individual. Such information may include name, country, street address, e-mail address, credit card number, Social Security number, government ID number, IP address, or any unique identifier that is associated with PII in another system. Also known as personal information or personal data.

personal information

See personally identifiable information (PII).

phreaker

A malicious user who makes unauthorized use of PBX facilities to make telephone calls.

phisher

A malicious user or Web site that deceives people into revealing personal information, such as account passwords and credit card numbers. A phisher typically uses deceptive e-mail messages or online advertisements as bait to lure unsuspecting users to fraudulent Web sites, where the users are then tricked into providing personal information.

physical vulnerability

Failure to provide physical security for a computer, such as leaving an unlocked workstation running in a workspace that is accessible to unauthorized users.

privacy

The control customers have over the collection, use, and distribution of their personal information.

security vulnerability

A vulnerability in software that is addressed by a Microsoft security update and security bulletin or a service pack.

spam

Unsolicited commercial e-mail. Also known as junk e-mail.

spoof

To make a transmission appear to come from a user other than the user who performed the action.

spyware

Software that can display advertisements (such as pop-up ads), collect information about you, or change settings on your computer, generally without appropriately obtaining your consent.

strong password

A password that provides an effective defense against unauthorized access to a resource. A strong password is at least six characters long, does not contain all or part of the user's account name, and contains at least three of the four following categories of characters: uppercase letters, lowercase letters, base 10 digits, and symbols found on the keyboard, such as !, @, and #.
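The strong-password definition above is concrete enough to be turned into a check that a provisioning script or service desk tool can run before accepting a new password. The following Python is an added example, not code from this paper or from Microsoft; it implements the rule exactly as stated (at least six characters, no part of the account name, at least three of the four character categories). Two points the definition leaves open are assumptions here: "part of the account name" is taken to mean any run of three consecutive characters of the account name, compared case-insensitively, and "symbols found on the keyboard" is taken to be Python's string.punctuation set.

```python
from __future__ import annotations

import string

# Character categories named in the strong-password definition.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation)  # assumption: "symbols found on the keyboard"

MIN_LENGTH = 6          # the definition's stated minimum length
MIN_CATEGORIES = 3      # at least three of the four categories
MIN_NAME_FRAGMENT = 3   # assumption: what counts as "part of" the account name


def account_name_fragments(account_name: str) -> set[str]:
    """Return the lowercase fragments of the account name a password must not contain.

    Every window of MIN_NAME_FRAGMENT characters is returned; any longer match
    of the account name inside a password necessarily contains one of these
    windows, so checking the windows covers "all or part of" the name. Names
    shorter than the window are returned whole.
    """
    name = account_name.lower()
    if not name:
        return set()
    if len(name) < MIN_NAME_FRAGMENT:
        return {name}
    return {name[i:i + MIN_NAME_FRAGMENT] for i in range(len(name) - MIN_NAME_FRAGMENT + 1)}


def check_strong_password(password: str, account_name: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password is strong."""
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Case-insensitive search for any fragment of the account name.
    lowered = password.lower()
    hits = sorted(f for f in account_name_fragments(account_name) if f in lowered)
    if hits:
        problems.append(f"contains part of the account name ({hits[0]!r})")

    # Count how many of the four character categories are present.
    categories = [
        ("uppercase", any(c in UPPER for c in password)),
        ("lowercase", any(c in LOWER for c in password)),
        ("digit", any(c in DIGITS for c in password)),
        ("symbol", any(c in SYMBOLS for c in password)),
    ]
    present = [name for name, found in categories if found]
    if len(present) < MIN_CATEGORIES:
        problems.append(
            f"uses only {len(present)} of 4 character categories ({', '.join(present) or 'none'})"
        )
    return problems


def is_strong_password(password: str, account_name: str) -> bool:
    """True when the password meets every rule of the definition."""
    return not check_strong_password(password, account_name)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pwd, user in [("Tr0ub4d&r", "alice"), ("password", "bob"), ("jSmith2!", "jsmith")]:
        print(f"{user!r} / {pwd!r}: {check_strong_password(pwd, user) or 'strong'}")
```

Returning the list of violations rather than a bare yes/no lets the caller tell the user which rule was broken, which is what a service desk needs when walking someone through a password change. The thresholds are kept as named constants so a company that adopts a stricter policy than the definition here can change them in one place.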

Trojan horse

A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the computer on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also called Trojan code.

upgrade

A software package that replaces an installed version with a newer version of the same software. The upgrade process typically leaves existing customer data and preferences intact, while replacing the existing software with the newer version.

user ID

A unique name with which a user can log on to a computer system.

virus

Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. Compare to worm. See also the definition provided by the Virus Info Alliance (f-secure.com).

vulnerability

Any weakness, administrative process or act, or physical exposure that makes a computer susceptible to exploit by a threat.

worm

Self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Compare virus.
