The State of Maryland has formed a chain of security to protect its assets. These assets comprise not only State financial information but also Personnel and Health Benefits information about you and me! Along with virus protection software, firewalls, intrusion detection software and vulnerability assessments, you form one of the links in that chain. With this in mind, please read the following information on Social Engineering.
'Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based on the building of inappropriate trust relationships with insiders,' says Rick Tims in a SANS Institute Social Engineering publication.
Social engineers, a kind of attacker commonly lumped together with 'hackers', rely on a person's natural instinct to be helpful. They build trust over a period of time, asking for small favors or gathering information through seemingly innocent conversations; each request looks harmless on its own, but the pieces add up. They may pose as a co-worker who needs help getting access to the network, your PC, data files, etc. Often they impersonate someone with more authority than you and demand that you provide the information immediately, or they claim that 'Mr. Big' (who just happens to be on vacation, and so cannot be asked) has already approved their access. They also use surprise (early-morning calls), anticipation ('Win! Win! Win!') or anger ('You people have done it again!') to distract you and interfere with your ability to evaluate the request. Their goal is to create a sense of trust, then exploit it.
Some basic signs of a social engineering attack are: refusal to give contact information, rushing, name-dropping, intimidation, misspellings, odd questions, and requests for forbidden information (Granger, 'Combat Strategies').
To combat these attackers, never give out access information (such as passwords or account details), yours or anyone else's, to anyone. If you receive a phone call from an unknown 'co-worker' requesting access to any assets, direct the caller to your Agency's Service Desk; do not rely on a call-back number the caller supplies. The Service Desk will route the request to the appropriate unit, which will verify the need for access. If the caller keeps pressing for information you are not comfortable sharing, refer the caller to your supervisor.
Also, printed material containing sensitive data (SSNs, health or employee information, even vacation schedules, which tell an attacker whose name to drop while that person is unreachable) is valuable to the 'dumpster diver' and must be shredded before disposal.
To learn more about Social Engineering, go to http://www.sans.org/rr/, click on "Social Engineering."