Chapter 9. Prevention and Mitigation
The preceding chapters show you the methods social engineers use to trick and scam targets into divulging valuable information. They also describe many of the psychological principles that social engineers use to influence and manipulate people.
Sometimes after I give a speech or security training, people will look very paranoid and scared and say something like, "It just seems there is no hope to even attempt security. How do I do it?"
That is a good question. I promote having a good disaster-recovery plan and incident response plan because nowadays it seems that it is not a matter of "if" you will get hacked, but "when." Still, you can take precautions that give you at least a fighting chance at security.
Social engineering mitigation is not as easy as ensuring hardware security. With traditional defensive security you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.
In this chapter I present the top six steps I tell my clients they can take to prevent and mitigate social engineering attempts:
Learning to identify social engineering attacks
Creating a personal security awareness program
Creating awareness of the value of the information ...