
1 Kelly Corning, Julie Sharp

2
• Human-based techniques: impersonation
• Computer-based techniques: malware and scams

3
• Manipulates legitimate users into undermining their own security system
• Abuses trusted relationships between employees
• Very cheap for the attacker
• Attacker does not need specialized equipment or skills

4
• Impersonation
  • Help Desk
  • Third-party Authorization
  • Tech Support
  • Roaming the Halls
  • Repairman
  • Trusted Authority Figure
  • Snail Mail

5
• Computer-Based Techniques
  • Pop-up windows
  • Instant Messaging and IRC
  • Email Attachments
  • Email Scams
  • Chain Letters and Hoaxes
  • Websites

6
• Hacker pretends to be an employee
• Recovers a “forgotten” password
• Help desks often do not require adequate authentication

7
• Targeted attack on someone who has information
  • Access to assets
  • Verification codes
• Claim that a third party has authorized the target to divulge sensitive information
• More effective if the third party is out of town

8
• Hacker pretends to be tech support for the company
• Obtains user credentials “for troubleshooting purposes”
• Users must be trained to guard credentials

9
• Hacker dresses to blend in with the environment
  • Company uniform
  • Business attire
• Looks for sensitive information that has been left unattended
  • Passwords written down
  • Important papers
  • Confidential conversations

10
• Hacker wears the appropriate uniform
• Often allowed into sensitive environments
• May plant surveillance equipment
• Could find sensitive information

11
• Hacker pretends to be someone in charge of a company or department
• Similar to the “third-party authorization” attack
• Examples of authority figures
  • Medical personnel
  • Home inspector
  • School superintendent
• Impersonation in person or via telephone

12
• Hacker sends mail that asks for personal information
• People are more trusting of printed words than of webpages
• Examples
  • Fake sweepstakes
  • Free offers
  • Rewards programs
• More effective on older generations

13
• Window prompts the user for login credentials
• Imitates the secure network login
• Users can check for visual indicators to verify security

14
• Hacker uses IM or IRC to imitate the technical support desk
• Redirects users to malicious sites
• Trojan horse downloads install surveillance programs

15
• Hacker tricks the user into downloading malicious software
• Programs can be hidden in downloads that appear legitimate
• Examples
  • Executable macros embedded in PDF files
  • Camouflaged extension: “NormalFile.doc” vs. “NormalFile.doc.exe”
  • Often the final extension is hidden by the email client
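The camouflaged-extension trick on this slide works because the mail client shows "NormalFile.doc" while the file actually ends in ".exe". The following added example (not part of the original presentation) shows how a mail gateway or attachment filter could screen attachment names for that pattern: it splits out every extension, reconstructs what a client hiding the last extension would display, and blocks executables disguised behind a document extension. The extension sets and the sample attachment names are assumptions constructed for illustration.

```python
"""Screen attachment names for the double-extension disguise
("NormalFile.doc" vs. "NormalFile.doc.exe").

Added example for the slide above; the extension sets are illustrative,
not exhaustive, and the sample names below are constructed.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Extensions that execute code when opened (assumed set, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".msi"}
# Extensions users expect to open as harmless documents or images (assumed).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt",
                       ".pptx", ".txt", ".jpg", ".png"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    displayed_name: str  # what a client that hides the final extension shows
    risk: str            # "block", "warn" or "allow"
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return every extension, innermost first: 'a.doc.exe' -> ['.doc', '.exe']."""
    exts: list[str] = []
    base = filename.strip()
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def hidden_extension_view(filename: str) -> str:
    """Name as rendered by a client that hides the last extension."""
    base, ext = os.path.splitext(filename.strip())
    return base if ext else filename.strip()


def screen_attachment(filename: str) -> Verdict:
    """Classify an attachment name; the decision is name-based only."""
    exts = split_extensions(filename)
    shown = hidden_extension_view(filename)
    if not exts:
        return Verdict(filename, shown, "warn",
                       "no extension; file type cannot be inferred from the name")
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            # The slide's case: the user sees a document, the OS runs a program.
            return Verdict(filename, shown, "block",
                           f"executable {final} disguised as {exts[-2]}; "
                           f"client would display {shown!r}")
        return Verdict(filename, shown, "block", f"executable attachment {final}")
    if len(exts) >= 2:
        # Stacked non-executable extensions are unusual enough to flag for review.
        return Verdict(filename, shown, "warn",
                       f"multiple extensions {''.join(exts)}; verify before opening")
    return Verdict(filename, shown, "allow", f"ordinary {final} attachment")


def screen_batch(filenames: list[str]) -> dict[str, int]:
    """Count verdicts for a list of names (e.g. one message's attachments)."""
    counts = {"block": 0, "warn": 0, "allow": 0}
    for name in filenames:
        counts[screen_attachment(name).risk] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample attachment names, including the slide's example.
    samples = ["NormalFile.doc", "NormalFile.doc.exe", "invoice.pdf.scr",
               "setup.exe", "notes.txt.pdf", "README"]
    for name in samples:
        v = screen_attachment(name)
        print(f"{v.risk:5}  {name!r:24} shown as {v.displayed_name!r:18} {v.reason}")
    print(screen_batch(samples))
```

Name screening only catches the renaming trick; the slide's other example, executable content embedded inside an otherwise legitimate PDF or Office file, has a harmless extension and needs content inspection (macro or script detection, sandboxing) rather than a filename check.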

16
• More prevalent over time
• Begins by requesting basic information
• Leads to financial scams

17
• More of a nuisance than a threat
• Spread using social engineering techniques
• Productivity and resource cost

18
• Offer prizes but require the user to create a login
• Hacker capitalizes on users reusing login credentials
• Website credentials can then be used for illegitimate access to assets

19
• Never disclose passwords
• Limit IT information disclosed
• Limit information in auto-reply emails
• Escort guests in sensitive areas
• Question people you don't know
• Talk to employees about security
• Centralize reporting of suspicious behavior

20
• Remind employees to keep passwords secret
• Don’t make exceptions
• It’s not a grey area!

21
• Only IT staff should discuss details of the system configuration with others
• Don’t answer survey calls
• Check that vendor calls are legitimate

22
• Keep details in out-of-office messages to a minimum
• Don’t give out contact information for someone else
• Route requests to a receptionist

23
• Guard all areas with network access
  • Empty offices
  • Waiting rooms
  • Conference rooms
• This protects against the following attacks
  • “Repairman”
  • “Trusted Authority Figure”

24
• All employees should have appropriate badges
• Talk to people you don’t recognize
• Introduce yourself and ask why they are there

25
• Regularly talk to employees about common social engineering techniques
• Always be on guard against attacks
• Everyone should watch what they say and do

26
• Designate an individual or group to receive reports
• Social engineers use many points of contact
  • Survey calls
  • Presentations
  • Help desk calls
• Recognizing a pattern can prevent an attack

27
• Davidson, Justin. "Best Practices to Prevent Social Engineering Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar. 2013.
• Information, Network & Managed IT Security Services. "Social Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013.
• "Types of Social Engineering." NDPN.org. National Plant Diagnostic Network, 2013. Web. 26 Mar. 2013.
