Social Engineering a
The basic goal of social engineering is to obtain unauthorised access to
company information through human interaction, says Naeem Seedat, advisory
senior manager at PricewaterhouseCoopers.
Social engineers use this information to commit fraud, network
and system intrusion, industrial espionage, identity theft, or simply to cause
disruption to a company's network, he adds.
“Social engineering protection is all about maintaining the confidentiality
and integrity of corporate information. A comprehensive assessment should be
undertaken to determine how exposed a company is to the possibility of social
According to Seedat, a company should start by assessing the organisation's
overall level of social engineering awareness. It should also determine whether
appropriate awareness, training and communication policies, plans and programmes
are in place. This should then be followed by an assessment of three specific
areas: information leakages, opportunities for industrial espionage and physical
Seedat recommends that a company first determine whether information can be
leaked through its Internet and intranet facilities. It must also ensure that
the various forms of mail, such as traditional paper mail, e-mail and
voicemail, are secured and cannot be misused to disclose sensitive
There should be controls over information sent to the press; delivery and
disposal processes must be properly designed to secure all information and
equipment entering and leaving the premises, and should not be left unchecked,
says Seedat. Mechanisms for interacting with employees and visitors, such as call
centres, help-desks and reception desks, should be adequately secured, he
“Social engineering is often used to conduct industrial espionage. To combat
this, companies must adequately classify, protect and encrypt sensitive
information and implement adequate security processes and technology.
Specifically, it needs to put controls in place to prevent hardware and software
key-loggers from being used within the organisation.”
Seedat believes there should be a roll-out of enterprise anti-spyware solutions,
and that wireless networking facilities must be adequately secured. In addition,
there should be processes to identify scams targeting staff and customers, and
measures must be put in place to prevent eavesdropping on company conversations.
“Any risk assessment must consider physical access controls protecting
premises against unauthorised entry; processes and technology that control
visitors entering the premises; the monitoring of sensitive locations; security
of storage areas; and appropriate signage that does not unnecessarily identify
the nature of sensitive areas to unauthorised personnel,” says Seedat.
All companies are susceptible to or have been victims of social engineering. The
value of information is unquestionable and the threats to this information are
very real. A comprehensive assessment of mechanisms and controls designed to
reduce exposure to social engineering attacks is vital, he concludes.