Human Firewalls

Employee vigilance is the key to thwarting ‘social engineering’ attacks.

Technology is only one line of defense against hackers. Establishing a “human firewall” through strong internal security policies, training and education is just as important as investing in antivirus software, firewalls and virtual private networks.

Hackers often take advantage of the kindness and trust inherent in most people to gain access to an otherwise secure computer system, a strategy called social engineering. The recent News Corp. scandal, in which reporters hacked the cellphone voice mail accounts of 9/11 victims, politicians, celebrities and crime victims, is likely a high-profile example. Although details haven’t been confirmed, many security experts speculate that the reporters used a technique known as pretexting: inventing a plausible identity and story, then calling the phone company and persuading a technician to change the PIN on a customer’s voice mail account.

Social engineering works because attackers prey on people’s trust, lack of awareness and curiosity. Anytime an unknown person calls requesting information, it should raise a red flag. Other signs to watch for include a caller who refuses to provide contact information, rushes the call, flatters the employee excessively, uses intimidation, makes out-of-the-ordinary requests or claims the request was already approved by someone in authority.

What makes a good human firewall security policy? The SANS Institute makes the following recommendations:

Educate Employees. Implement a set of procedures for setting up new employees on your network. New hires should immediately begin training on the organization’s security policies and procedures. Policies and procedures should be placed on the company’s intranet where they can be checked frequently for updates and additions.

Create a password policy. SANS’s guidance here is that employees change their passwords periodically and that passwords include special characters, numbers and even misspelled words to make them harder to crack. Two caveats a practitioner should add: substitutions such as “P@ssw0rd” buy little, because password-cracking tools apply those swaps automatically, so new passwords should be screened against a list of common and previously breached passwords after undoing such substitutions; and forced periodic changes tend to produce predictable variations (Summer2023, Summer2024), which is why current NIST guidance (SP 800-63B) drops mandatory rotation in favor of length and blocklist screening, with a change required only when a password may have been exposed. But remember the human equation. If the password policy is too stringent, employees won’t follow it. Strike a balance between security and ease of use, for example by accepting a long passphrase without composition rules.
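The kind of check that balance implies, as an added example (this is not code from the article or from SANS): short passwords must mix character classes, long passphrases are accepted as typed, and in both cases the candidate is screened against a blocklist after trailing digits and punctuation are stripped and common letter-for-symbol swaps are undone. The length thresholds and the tiny blocklist are constructed for illustration; a real deployment would load a breached-password list instead.

```python
"""Password-policy check with blocklist screening after normalization.

Added example, not code from the article or from SANS.  It accepts either a
long passphrase or a shorter password that mixes character classes, and in
both cases rejects a common word that has merely been dressed up with the
letter-for-symbol swaps and trailing digits that cracking rules try first.
"""
import re

# Constructed, deliberately tiny blocklist for illustration.  A real deployment
# would load a breached-password list (for example a Have I Been Pwned export).
COMMON_WORDS = {"password", "welcome", "company", "summer", "letmein", "qwerty"}

# Undo the substitutions attackers' mangling rules already apply.  Some are
# ambiguous ("1" could be "i" or "l"); one choice is enough to catch the
# common cases, and a stricter screen would try every expansion.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Strip the trailing digits/punctuation people append, then undo leet."""
    stem = re.sub(r"[^A-Za-z]+$", "", pw)
    return stem.lower().translate(LEET)


def check_password(pw: str, min_len: int = 12, passphrase_len: int = 16) -> list[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    elif len(pw) < passphrase_len:
        # Composition rules apply only to short passwords; long passphrases are
        # accepted as typed, which is the ease-of-use side of the balance.
        classes = sum(bool(re.search(p, pw))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < 3:
            problems.append("fewer than three character classes")
    # Screening runs regardless of length: "Summer2024!!" satisfies every
    # composition rule and is still just "summer" to a cracking tool.
    if normalize(pw) in COMMON_WORDS:
        problems.append("common word with cosmetic substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2024!!",
                      "correct horse battery staple", "Xk7#pLq2wZ9m"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Running the block shows “P@ssw0rd!” and “Summer2024!!” rejected for being blocklisted words in disguise (the first is also too short), while the four-word lowercase passphrase is accepted without any composition rule, and a random 12-character string passes on its own merits.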

Be suspicious of unsolicited phone calls. Never provide personal information, such as credit card or bank details, to an unsolicited caller, even if the caller claims to represent a respected company. If the request might be legitimate, end the call and phone the organization back on a number you look up yourself, not one the caller supplies.

Secure your help desk. Establish procedures for giving out passwords to employees. For example, the procedure should require that the help desk call the employee back at a number already on record, not one the caller gives, to verify identity and location. Consider requiring a piece of personal information or a code word before the password is given out. Many organizations simply don’t allow any passwords to be given out over the phone.

Provide proper support. If a help desk staffer refuses to give an angry vice president his password, that staffer must be backed up if the vice president complains to his manager; a procedure that collapses under pressure from authority is exactly what a social engineer counts on. Finally, make sure that your help desk knows who should be contacted in the event of an attempted security breach.

Create and maintain access privileges. Specific procedures should state who has access to which parts of your network, and how. They should also state who is authorized to approve access, who can approve exceptions, and how access is reviewed and removed when people change roles or leave.

Consider using ID badges. Large organizations should require employees to wear picture ID badges and guests to wear “visitor” badges at all times. Anyone without a badge should be challenged. Be especially alert to vendors, such as coffee, candy or soft drink vendor employees who enter your building to refresh the snack areas.

Shred all confidential documents. Provide paper shredders in all areas of your organization that handle sensitive information. Remember that such seemingly innocent information as a phone list, calendar or organizational chart can be used to assist an attacker using social engineering techniques to gain access to your network.

Protect your physical plant. Sensitive areas in a building should be physically protected, with limited access. Doors to these areas should be locked, with keycards or keypad codes, and access granted only to those with a need to be there.

Report all violations. Develop a process for reporting and insist that all violations of security policy be reported. Even a minor policy infraction could be the first sign of an impending social engineering attack.