11.2. Social Engineering Attacks

Assuming you've read Chapter 4, you've probably come to the conclusion that these are the hardest attacks to defend against. Unfortunately, this is true. However, there are two major steps you can take to mitigate the risk:

  • Enforce an Appropriate Security Policy – Documented procedures reduce risk in any given area. If no single person is able to release sensitive material, a great many social engineering attacks can be stopped dead, because the attacker must then deceive at least two people rather than one. Ensure that at least some of the people involved in the process are of a naturally skeptical mind.

  • Educate the staff – Ensure that staff members are aware of the threats they face and of the common attack vectors. This is the most important point of all. People who are not aware that a risk exists have no chance of defending against it.

It's easy to make comments such as 'Educate your staff against social engineering attacks!' I suspect, however, that you are looking for a little more than that. Security awareness training is much more than simply telling users not to give out their passwords. Kevin Mitnick (the famous hacker and social engineer) has stated on more than one occasion that he never once asked anyone for their password. The following areas should be addressed as a baseline when educating staff:

  • Understanding the threat.

  • Understanding what has value.

  • Recognizing and dealing with a potential attack.

11.2.1. Understanding the Threat

This is actually the hardest obstacle to overcome. ...
