How to Prevent Social Engineering

What is Social Engineering?
Instead of attacking a computer, Social Engineering is the act of interacting and manipulating people to obtain important/sensitive information or perform an act that is latently harmful. To be blunt, it is hacking a person instead of a computer. A social engineer can the use the phone, the internet, or even show up in person to perform the malicious act. They can be after data such as ID number, username, password, server names, machine names, remote connection settings, schedules, credit card numbers, etc. They may also try to get someone to install some malicious software, visit an unscrupulous website, or even access unauthorized locations.

What can I do?
Be educated, aware, and a little bit paranoid.
Never give out

usernames; Administrators should know it or can find out themselves
passwords; Administrators can ask your to enter it into the computer, but don't tell anyone
ID numbers
PIN numbers
server names
system information
credit card numbers
schedules
sensitive data
etc.

Be aware of what is being asked

via the phone

ask for a full and correct spelling of their name, a call back number, and why they need the information
have them contact the correct information source directly if asked for information managed by someone else
when in doubt, put the caller on hold or tell them you will call them back. This gives you time to log any strange calls and verify if it is ok to give out information.

via the internet

watch for any attachments that someone wants you to run in an e-mail
avoid any requests to enter account information for verification by following a link in the e-mail (this is known as phishing)
administrators will never tell you passwords over e-mail
e-mails from SEASnet will be in plain text without attachments unless you asked for the attachment
SEASnet may give you password guidelines, but never tell you to change it to something specific like "abcde"
when in doubt, you can also contact the e-mail sender in a phone call or new e-mail and ask if their e-mail with the subject of <copy the subject> was valid

in person

never be pressured to comply when someone says "Do you know who I am?"
ask for a contact to verify the person's need for information
have someone asking for configuration/access questions to contact the source directly
someone from SEASnet should only need you to enter your username/password on the computer; not write it down or verbally say it
always be aware of people around you when entering your username/password
when in doubt, contact SEASnet or your supervisor

other

shred and secure any documents that someone can obtain by looking through your trash

Always: when in doubt, ask the person to wait while you verify (a) identity, (b) need to know, and (c) if you are the rightful/authorized source of the information.

Examples of Social Engineering
Phishing:
Recent e-mails have been sent stating that your account has been compromised or that the account needs to be confirmed. They are false!:

>From: FCU <update@ncua.com>
>Subject: FEDERAL CREDIT UNION
>
>    [ The following text is in the "Windows-1251" character set. ]
>    [ Your display is set for the "ISO-8859-1" character set.  ]
>    [ Some special characters may be displayed incorrectly. ]
>
>NCUA Seal
>Dear FCU client,
>
>As part of our security measures, we regularly screen activity in Federal
>Credit Unions (FCU) network.
>We recently noticed the following issue on your account: A recent review
>of your transaction history determined that we require some additional
>information from you in order to provide you with secure service. Case ID
>Number: PP-065-617-349 For your protection, we have limited  your
>access,  until additional security measures can be completed. We
>apologize for any inconvenience this may cause. Please log and restore
>your access as soon as possible.
>
>You must click the link below and fill in the form on the following page
>to complete the verification process.
>
>              Click here to update your account
>
>Please do not reply to this e-mail. Mail sent to this address cannot be
>answered.
>
>NCUA Share Insurance Logo

E-mail pretending to be from tech support:

> From: service@seas.ucla.edu [mailto:service@seas.ucla.edu]
> Sent: Monday, June 06, 2005 1:17 PM
> Subject: IMPORTANT NOTIFICATION
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your account by the
> following link or else your account will be suspended within 24 hours for
> security reasons.
>
> http://www.seas.ucla.edu/confirm.php?email=user@seas.ucla.edu

The link above actually pointed to http://209.67.220.164/confirm.php?email=user@seas.ucla.edu
Which is a malicious web server trying to obtain information.

>
> Thank you fr your attention to this question. We apologize for any
> inconvenience.
>
> Sincerely,Seas Security Department Assistant.