Other tips in this series have examined the seven-layer OSI model from the perspective of security. Although security was not the No. 1 goal of the designers of the OSI model, the idea behind these tips was to highlight the importance of adding security at each layer to get the reader to consider the concept of defense in depth. Now that we have completed the seventh layer, some may think we are through. The OSI model is a framework for data communications, but does security stop there? No, there is the mythical eighth layer. While not included in the OSI model, this human layer does exist. The eighth layer is the layer at which technology interfaces with people. The eighth layer deals with people and policies. Let's begin by talking about people.
Willie Sutton, one of America's most notorious bank robbers, is supposed to have said, "I rob banks because that's where the money is." Hackers attack computers because that's where the information is. But where else can this kind of information be found? Where can an attacker go for information where it won't be protected by firewalls, IDSs and IPSs? The answer is -- people! By some estimates, 80% of a corporation's knowledge resides in the heads of its people. That's good for the attacker because people -- without proper training -- can be easier targets than computer systems. The primary means by which people are exploited is through social engineering.
Social engineering is the art of manipulating people. One of the best-known social engineers is Kevin Mitnick. His book, The Art of Deception, details the techniques social engineers use. These techniques can be carried out in person, on the phone, or even by email. Regardless of how the victim is approached, the social engineer will typically use one of the following six techniques:
Security training
As logical controls such as firewalls become more advanced, hackers look for easier means of attack. Just consider the increase in the many new targeted phishing attacks known as spear phishing. The best defense against social engineering is to make sure employees are trained and aware of such potential attacks. You can help educate your employees using one or more of the following:
Security policy
The second line of Layer 8 defense is policy. Establishing security policies, guidelines and procedures is a critical step in securing an organization against an attack. The lack of well-designed, viable security policies and documents is one of the biggest vulnerabilities many organizations have. Policies put everyone on the same page and make it clear where senior management stands on security issues. They also set the overall tone and define how security is perceived by those within an organization.
Policy enforcement must flow from the top of the organization. Bill Gates gave us a good example of this back in 2002 when he wrote a memo addressed to all employees. In this memo, Gates spoke about how security was to become Microsoft's No. 1 priority. What's most important about this story is that Gates did more than just state that security was the objective; he provided a strategic roadmap that detailed how security goals would be met. These changes can be seen in products that have been developed since the memo. Good policies and procedures are not effective if they are not taught to employees and reinforced. Employees must be trained so that they understand the importance of security policies and procedures. Finally, after receiving training, employees should sign a statement acknowledging that they understand the policies.
People are an organization's most valuable asset, but they can also be its greatest vulnerability. To reduce the threat of social engineering, employees must be trained to make sure they are knowledgeable about the threats they face. Employees don't automatically know good procedures and practices. Policies define the specific controls and conditions developed to help protect a company's assets and its ability to conduct business.
About the author:
Michael Gregg has more than 15 years of experience in IT. He is the president of Superior Solutions Inc., a Houston-based training and consulting firm. Michael is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.