Technical savvy alone cannot stop social engineering. A social
engineer cons the weakest link in the security fence: the gullible
humans who have the power to compromise the whole security system from
the inside without realizing they are being used.
The only way to stop social engineers is by defensively socially engineering people to be prepared against them.
Social engineers use a variety of tactics:
Impersonating trusted group members and technicians
Forging emails, faxes and other documents to lend credibility to their deceptions
Displaying an impressive knowledge of internal technical jargon and organizational policy to sound like an insider
Succumbing to a social engineering attack is a trust failure.
Trust Discipline
Trust discipline is essential to ensuring people are who they say they are.
Establish methods of proving credentials
Use PGP to sign all messages
Qualify all team members to prepare them to see through social engineering attempts.
A group can establish innocuous-sounding protocols and code
phrases, each with a corresponding correct response. An attacker who
can watch or listen in could game this in a number of ways, for example
by eavesdropping to learn which challenges and responses are in use.
Establishing multiple challenge-response pairs, each correct only under
particular conditions, makes this more difficult.
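The following is an added example, not code from the original page, showing how the code-phrase protocol above can be kept from being defeated by an eavesdropper. The code book, its phrases, the two conditions ("office_hours" and "after_hours"), and the simulated eavesdropper are all constructed for illustration. Each challenge phrase is retired after a single use, and the correct response depends on the current condition, so an overheard exchange can be neither replayed nor reused at another time.

```python
"""Code-phrase challenge/response verifier (constructed example).

Models a verbal protocol: the verifier picks a challenge phrase, the other
party must give the response that is correct for the current condition,
and each challenge is retired after one use so that a pair overheard by an
eavesdropper cannot simply be repeated back.
"""
import hmac

# Constructed code book.  The response to a given challenge depends on a
# condition (here: whether the exchange happens in or out of office hours),
# so one overheard exchange does not reveal the answer for another context.
CODE_BOOK = {
    "office_hours": {
        "is the printer on the third floor fixed yet?": "they said tuesday",
        "did you catch the game last night?": "only the second half",
    },
    "after_hours": {
        "is the printer on the third floor fixed yet?": "nobody has looked at it",
        "did you catch the game last night?": "i was working late",
    },
}


def _norm(phrase: str) -> str:
    """Lower-case and collapse whitespace so spoken variants compare equal."""
    return " ".join(phrase.lower().split())


class ChallengeVerifier:
    def __init__(self, code_book):
        self.code_book = code_book
        self.used = set()   # challenge phrases already spent (any condition)
        self.log = []       # audit trail: (condition, challenge, verdict)

    def pick_challenge(self, condition):
        """Return an unused challenge valid for this condition, or None."""
        for challenge in self.code_book[condition]:
            if challenge not in self.used:
                return challenge
        return None

    def verify(self, condition, challenge, response):
        """Check one exchange; returns 'ok', 'wrong', 'replay' or 'unknown_challenge'."""
        challenge = _norm(challenge)
        expected = self.code_book.get(condition, {}).get(challenge)
        if expected is None:
            verdict = "unknown_challenge"
        elif challenge in self.used:
            # The phrase has been heard on the wire already: treat as replay
            # even if the response is the right one for this condition.
            verdict = "replay"
        elif hmac.compare_digest(_norm(response).encode(), expected.encode()):
            verdict = "ok"
        else:
            verdict = "wrong"
        # Every challenge is spent after one attempt, right or wrong, so a
        # failed guess cannot be retried and a heard pair cannot be reused.
        self.used.add(challenge)
        self.log.append((condition, challenge, verdict))
        return verdict


def simulate_eavesdropper():
    """Genuine exchange, then two attempts by someone who overheard it."""
    v = ChallengeVerifier(CODE_BOOK)
    outcomes = {}
    # 1. A real member answers a fresh office-hours challenge correctly.
    c1 = v.pick_challenge("office_hours")
    outcomes["genuine"] = v.verify("office_hours", c1, CODE_BOOK["office_hours"][c1])
    overheard_response = CODE_BOOK["office_hours"][c1]
    # 2. The eavesdropper repeats the overheard pair verbatim: rejected as replay.
    outcomes["replay"] = v.verify("office_hours", c1, overheard_response)
    # 3. After hours they are given a fresh challenge and offer the only
    #    response they know; under this condition it is the wrong answer.
    c2 = v.pick_challenge("after_hours")
    outcomes["stale_context"] = v.verify("after_hours", c2, overheard_response)
    # Both phrases are now spent; the book must be refreshed before reuse.
    outcomes["remaining"] = v.pick_challenge("after_hours")
    return outcomes


if __name__ == "__main__":
    for name, verdict in simulate_eavesdropper().items():
        print(f"{name}: {verdict}")
```

The audit log kept in `log` is the detection side: a cluster of "replay" or "wrong" verdicts against one caller is the signal that someone has been listening and is probing the group, and "remaining" returning None is the cue that the code book has been exhausted and needs new phrases.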
Street Wars is a good way to practice social engineering defenses
and practices.
For example, roommates should be given a list of approved people who
can visit and warned to treat anyone else with suspicion; alternatively
they can lull an unapproved visitor into a false sense of security, or
set up an entrapment on your behalf, so that you can observe them.
"you tell just half the truth
you're pulling strings and pushing buttons
wheels are turning in your head
i know that you are up to something
in your mind a plan is hatching
behind your innocent disguise
you know i'm onto you
so you won't look me in the eyes
you are a mastermind - manipulate
it's all by your design - manipulate
you think that i am blind - manipulate
but i'm not far behind..."