Do you want to tell employees about social engineering? / SurprizingFacts

Yes, I know that the term "social engineering" has been around for years, that Kevin was released long ago, and that there is plenty of material on how to protect yourself from these "engineers". I am not going to beat a dead horse; I would rather find out who else has had the same horse die on them, and who is doing fine. In other words, we teach our users the basics of information security at the enterprise and send them information about different types of attacks and ways to deal with them. I want to share an example of such a mailing, the one about social engineering.

Social engineering is a method of manipulating people's actions without the use of technical means. The essence of the method is to exploit human weaknesses and the psychological traits of a person.

The easiest way to understand the meaning of this term is through examples:

1. A bank employee, let's call him Mark, goes to work in the morning. He passes through the turnstile at the entrance, climbs the stairs, opens the door to his floor with his pass and meets a man in the corridor. The man says he went out to get coffee, left his pass in the office and now cannot get back in. An awkward situation that probably everyone has been in. Mark graciously opens the office door for the stranger and goes on about his business.

At first glance nothing terrible happened. It does not matter that Mark was seeing this man for the first time; you cannot remember every employee. Maybe the person is even on his first day at work. But in fact the stranger might turn out to be a fraudster who jumped over the turnstile when the guard looked away. Then he went up to the floor with other employees, and on the floor he took advantage of the trustfulness of the amiable Mark, who let him into the office he needed.
This person is not a hacker; he did not use a computer. Maybe he does not even know how to use one. He simply, and masterfully, won people's trust.

2. Another example. Mark, already familiar to us, went to lunch in the cafeteria. No sooner had he picked up his knife and fork than he noticed that someone had forgotten a flash drive on the next table, which had not yet been cleared of dirty dishes. Our Mark decided that the owner of the flash drive would be very upset to learn he had lost it, and decided to return it. To do that, he first needed to find out whose it was, and the files stored on it could help. Back in the office, Mark inserted the drive into a USB port and ... infected his computer with a virus. The flash drive had been planted deliberately by scammers. Until that day they had no access to the bank's corporate network. But anyone can walk into the cafeteria. It turns out that leaving a USB flash drive in the cafeteria is easier than hacking a protected network.

These examples show that, to carry out a successful attack on the bank, the attackers used employees, exploiting their decency and trustfulness. In order not to become a Mark, one must always stay vigilant and follow several rules:

1. Never trust anyone over the phone. If someone calls you on an internal work phone and introduces himself as a technical support officer, the head of a neighbouring department, an accountant, an investigative committee employee, an ambulance doctor, your colleague's wife or anyone else, check the number in the telephone directory, or in any other available way, to confirm that the caller is who he claims to be.

2. Never tell anyone your password. Neither by phone nor in writing. Not colleagues, not your boss. Even if completing an urgent task depends on it.

3. Do not insert removable media into your computer, except media that must be used in accordance with business processes.

4. Do not open emails from unfamiliar addresses, and especially do not open attachments in such messages. Do not open messages that are not specifically addressed to you. For example, a supposedly mistaken mailing from a corporate mailbox with the subject "compromising evidence on employees" or "payroll of senior management" will contain a virus, not the promised information. Do not be tempted.

5. Use different passwords on different systems. It is very important that the passwords do not match, and are not even similar. If you cannot remember several complex passwords, use special programs: password managers. But use different managers: one for passwords to systems at work, another for passwords to entertainment sites.

6. Do not open the door to strangers. A visitor must always be accompanied by one of the company's employees.

7. Do not open the door to familiar people either. A man you have known for five years as an employee of a neighbouring department could have been fired yesterday. If someone has left their pass in the office, they should call their boss to resolve the situation.

8. In any unclear situation, call the security service at (xxx) -xxxx.
Found someone else's flash drive? Hand it to the security service. Seen a stranger without an escort walking down the corridor and trying to get into offices? Call the security service. Is someone asking for your personal password? Call the security service.

These simple rules will help catch the fraudster.
Do not be Mark; be vigilant.