How to Defend?
Social engineering attacks are the hardest threats to defend against because they involve
humans rather than firewalls, routers, Web servers or databases, and humans are
relatively unpredictable. Yet there are some measures that can definitely bring
the risk of social engineering attacks down to tolerable levels.
Clearly defined objectives are a must for a useful social engineering safeguard.
"Obtain sensitive information" is usually too vague, and presents opportunities for
blame, hurt feelings, and lawsuits. Consider tying your goals to the controls in
your security program.
For example:
• The security awareness presentation explains how to identify phishing scams.
Test what percentage of targeted people will click on a link in a phishing-like
email you send out.
• Helpdesk training materials outline procedures for resetting a caller's forgotten
password. Test whether helpdesk personnel follow protocol when you call
impersonating a colleague who cannot log in.
• The security policy warns employees against strangers walking into the building
behind an employee who swiped his badge at the entrance. Test how employees
will react when you try to follow them through the door they opened.
Without specific goals, the social engineering test might conjure some war stories, but it
will not produce actionable recommendations for improving the people's
security posture.
Integrating Social Engineering into Your Security Consideration
• People empathize with those in trouble: "Please reset my password. My boss
will kill me if I don't submit the time sheet in time!"
• People reciprocate a favor: You picked up the papers the person dropped; he
holds the door to let you in.
• Your scenario should specify the individuals or groups designated for social
engineering, timing of the test, location, and persuasion tactics. Account for
laws, contractual commitments, policies, and the company's culture. Also
consider the possibility of something going wrong, and define back-out and
escalation procedures.