Thursday, April 17, 2008

Social engineering defenses for receptionists

Receptionists are a prime target for social engineers because they know more about the people in the building than almost anyone else: they have access to phone numbers, departments, home addresses and the like. Here are some tips to pass on to your receptionist so that they don't fall prey to a social engineer.
1. Don't trust strangers.

Social engineering scams -- where crooks extract information from victims through interaction and by building trust -- are on the rise, according to Bill Nichols, an information security consultant at Control Risks Group Ltd. in Washington. Receptionists represent a prime target because they have access to employees' phone numbers and home addresses and, in some cases, to company systems. The scammer gathers bits of information over time, becomes increasingly credible and eventually gains access or passwords. "That's a real situation that we see all the time," Nichols says.

IT's response: A clearly written policy should classify what information shouldn't be distributed. Access to financial or human resources databases, as well as to sensitive customer information, should be restricted. Receptionists should also be trained with real-world scenarios to learn how to respond to information requests.
2. Social networking sites can hold dangers.

Receptionists might kill some time by browsing their Facebook or MySpace accounts, watching an online video or downloading music. But malicious code can now be hidden in video streams, downloaded from YouTube or embedded in songs streamed from social-networking Web sites.

What's more, Web users often have no control over the audio or video they browse. "You can embed these media types directly into Web pages," said David Thiel, a consultant at iSec Partners Inc., an applications security consulting company in San Francisco, in a February webcast. "So for anybody who browses to a Web page, a lot of different media file types are launched automatically as background music or embedded video" without the user clicking on anything.

IT's response: Install a filtering proxy. IT departments can block access to social networking sites completely with firewall software. "But if you want to be more liberal and allow [access], use a filtering proxy to check what's coming across and get rid of the known nasty stuff," says Avishai Wool, chief technology officer at Algorithmic Security Inc., a firewall management company in Reston, Va. "You could also include mail filters on incoming and outgoing e-mail to strip out executable attachments. You don't want to be the deliverer of malware, either."
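Wool's suggestion of a mail filter that strips executable attachments, worked through as an added example. This is not code from the original post, nor from any product of Algorithmic Security or iSec Partners. It assumes a mail gateway that hands each inbound or outbound message to filter_message() and forwards what comes back; the extension list, the magic-byte table and the sample message are all constructed for illustration. It goes a little beyond the text in one respect: a renamed executable is caught by its leading bytes, not only by its file extension.

```python
"""Strip executable attachments from an e-mail message (added example)."""
import email
import email.policy
from email.message import EmailMessage

# Extensions Windows runs directly or that carry script/active code.
# Illustrative list, an assumption for this example, not a complete one.
EXEC_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js",
    "jse", "wsf", "wsh", "hta", "msi", "cpl", "ps1", "jar",
}

# Leading bytes of native executables, so a renamed binary is still caught.
EXEC_MAGIC = (
    b"MZ",                                      # DOS/PE: Windows .exe/.dll/.scr
    b"\x7fELF",                                 # ELF: Linux/BSD binaries
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # Mach-O, big-endian
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # Mach-O, little-endian
)


def is_executable(filename, payload):
    """Return True if an attachment looks executable by name or by content."""
    name = (filename or "").strip().lower()
    # Deliberately conservative: flag an executable extension anywhere in the
    # name, so 'invoice.pdf.exe' is caught and so is 'setup.exe ' with a
    # trailing space meant to hide the real extension.
    parts = name.split(".")
    if len(parts) > 1 and any(p in EXEC_EXTENSIONS for p in parts[1:]):
        return True
    return payload.startswith(EXEC_MAGIC)


def _prune(part, stripped):
    """Recursively replace executable attachments inside a multipart container."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if sub.is_multipart():
            _prune(sub, stripped)          # nested multipart/alternative etc.
            kept.append(sub)
            continue
        name = sub.get_filename()
        # Inspect anything with a filename, and any non-text part without one.
        if name is not None or sub.get_content_maintype() != "text":
            data = sub.get_payload(decode=True) or b""
            if is_executable(name, data):
                label = name or sub.get_content_type()
                stripped.append(label)
                notice = EmailMessage()    # leave a trace for the recipient
                notice.set_content(f"[Attachment '{label}' removed: executable content]\n")
                kept.append(notice)
                continue
        kept.append(sub)
    part.set_payload(kept)


def filter_message(raw):
    """Parse RFC 5322 bytes, strip executable attachments.

    Returns (sanitised_bytes, stripped_names). A non-multipart message
    (plain text only) passes through unchanged.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    stripped = []
    _prune(msg, stripped)
    return msg.as_bytes(), stripped


def attachment_names(raw):
    """Filenames of all parts that carry one (used to check the result)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed sample, not a real capture: one legitimate PDF, one
    double-extension executable and one executable renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "reception@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4\n%fake body\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    out, removed = filter_message(build_sample())
    print("stripped:", removed)
    print("remaining:", attachment_names(out))
```

The filter leaves a short notice in place of each removed part rather than silently dropping it, so the recipient knows to ask the sender for another copy. Archives and Office documents with macros pass through untouched; a real gateway would also open archives and inspect what is inside, which is the "known nasty stuff" Wool refers to.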
3. Peer-to-peer software creates legal risks.

For many employees, their PCs at work are more powerful than their home computers, and receptionists might want to take advantage of the ample bandwidth to download or share large files using peer-to-peer software like eMule, Kazaa and BitTornado. Problem is, that opens up the organization to potential legal risk.

"A lot of the content is either pirated, illegal, inappropriate or copyrighted," Wool says. "So the organization is opening itself up to legal problems by hosting the content on their servers -- even inadvertently."

On the IT side, peer-to-peer products are resource hogs and can easily drain significant chunks of bandwidth meant for company business. The adware bundled with many of these clients can bombard systems with advertisements and pop-ups, hijack Web browsers and even slow computers to a grinding halt.

IT's response: Block access and train employees. IT staff are almost uniformly against the use of P2P services, and they take measures to block access to them. Individual employees should be aware that company policies prohibit viewing or downloading pirated or indecent material.
4. Keep your personal e-mail account personal.

Receptionists who access their personal Yahoo, Hotmail or Gmail accounts at work open up the network to potential malware attacks. What's more, they may be violating the company's compliance requirements.

At regulated companies, sending company files to a home computer could violate corporate guidelines. "If the file that you sent to yourself goes through [the Web mail provider's] network, then they have a copy of what you sent, and they don't throw it away -- so you personally lose control of that information," Wool says.

IT's response: Block access to known personal e-mail providers and train employees.
5. Beware the messy desk.

Incoming and outgoing postal mail containing corporate information crosses the receptionist's desk daily. "Clean desk" policies are often not enforced, and a lot of information that can be readily used by scammers may be in plain sight. Even worse, passwords are often left under keyboards or even taped to computer monitors.

IT's response: Tighten up paper security. Keep the reception desk clear of visible mail and papers. And have a strong policy that outlines when to shred company documents.

-Abhi
