Tuesday, December 5, 2006 - Almanac Vol. 53, No. 14
Beware of "social engineers"
Though it sounds like something that might be a four-year degree program at Penn, "social engineering" is a term that refers to the practice of leveraging and manipulating human nature to gather sensitive and confidential information the "old fashioned way" by means of deceit, guile, subterfuge and fraud. In short, "social engineer" is a euphemism for "con artist".
Rather than spend hours stealing and cracking encrypted passwords, social engineers understand that the best way to get someone to reveal their password is to ask them for it. By posing on the phone as someone "from the Help Desk" who needs the username and password to "fix a problem with your account", the experienced social engineer can count on reaching more than a few people who will willingly divulge that information. In some cases, he may show up in person posing as a service representative or vendor and walk around looking for things like passwords affixed to screens with post-it notes. "Dumpster divers" are social engineers who comb through trash bins in search of confidential documents and printouts that have not been properly disposed of (i.e, shredded).
To foil social engineers, take the time to verify the identity of any person asking you for sensitive or confidential information, whether yours or anybody else’s, and verify as much as possible the legitimacy of the request. Likewise, verify the identity of visitors and monitor their activity, especially if it involves access to computers. Where possible, orient monitors so passers-by cannot read what is on the screen. Keep confidential printouts away from prying eyes, store them securely when not in use and shred them when no longer needed. All the electronic security measures in the world are useless if the information ends up being unwittingly given away.