Social Engineering Policy Responses
All posts must be (2) substantive responses with a minimum of 150 words each for Responses 1 and 2. Ensure you list and break down each response in a Word document, along with its reference. The response provided should further discuss the subject or provide more insight. To further understand the responses, below is the discussion post that they discuss. 100% original work and not plagiarized. Must meet deadline.
Training is key to understanding what social engineering is and the various methods that are used to socially engineer. Staff should be trained in a way that allows them to fully understand what social engineering is, rather than simply being shown examples from past incidents to warn them against it. Having procedures in place that require identifiers that are special to a person is another method. This can be done by having a passphrase to access your account data; the staff member would be required to have the customer give this along with name and number before any service could be rendered. This is a standard practice in medicine with full name and birthday. However, I think because of social media and online breaches, full name and birthday are far too common for threat actors to find, so they should no longer be used, or at least should be used with another form of identification. This concept is basically two-factor identification for a person's identity. Another tactic would be to send fake phishing emails to educate/train staff on what they look like; this would give them practice looking out for malicious emails. Phishing can also be done via text or phone, with links sent over text message and automated voice messages telling users of overdue bills or other tasks that require action, insisting the user give over detailed information. Ensuring that all documents are disposed of properly is another factor, along with regular walk-throughs and audits to ensure sensitive data is not in the open. There are many facets to social engineering, but training and authentication procedures are key to every policy, in conjunction with controls enacted by the security officer.
Vircom. (2018, October 9). What are the most common social engineering techniques? Retrieved January 10, 2022, from https://www.vircom.com/blog/common-social-engineering-techniques/
Maureen Data Systems. (n.d.). Five ways to prevent social engineering attacks. Retrieved January 10, 2022, from https://www.mdsny.com/5-ways-to-prevent-social-engineering-attacks/
At the Bank of the Great Danes (BGD) we hold strong cybersecurity principles to ensure that attacks and hacks are mitigated or prevented as much as possible. Social engineering is a type of attack that is easy to fall victim to, and the BGD does not want to be a victim of social engineering. There are a few policies that have been put in place to ensure the likelihood of this happening is minimal. These attacks usually involve a person doing research on an organization, taking what they learned from that, and using it against that company to get past security and authentication (Pilette, 2021).
At BGD, it has been implemented that documents will be discarded properly in a container that is sent off to be shredded in a secure offsite location. These trash bins do not allow someone to reach in and take documents out. It also prevents these documents from being thrown in the outside dumpster, where a hacker can dumpster dive for sensitive information (Mitnick, 2021). Another social engineering countermeasure is to make sure all meetings are held in a secure office environment. Previously, BGD held meetings in coffee shops to make the environment less work-like, but that must now be stopped to prevent people from eavesdropping.
Another social engineering countermeasure to take is added verification security when guests, vendors, or outside hired workers come into the building. If a hired worker comes in stating they are so-and-so from ABC company, hired by BGD management, this must be verified with management before they are allowed to come into the building (Washo, 2021). Management must be sent to the front desk to confirm the worker was legitimately sent by management, to prevent a hacker from posing as one to get access. Many things will be in place to prevent social engineering; people try to be deceptive, but with training, it can be prevented.
Mitnick, S. (2021, April 5). 6 types of social engineering attacks. Retrieved January 09, 2022, from https://www.mitnicksecurity.com/blog/6-types-of-social-engineering-attacks
Pilette, C. (2021, June 26). What is social engineering? A definition + techniques to watch for. Retrieved January 09, 2022, from https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html
Washo, A. (2021, July 25). An interdisciplinary view of social engineering: A call to action for research. Retrieved January 09, 2022, from https://www.sciencedirect.com/science/article/pii/S2451958821000749