As many of you know, we are living in the information age. You can use Google to find a plethora of information on nearly every subject. However, some information should obviously be kept secret: your customer information, company R&D reports, financial records, and so on.
Odds are the IT group at your company has installed all the latest security patches, the greatest network firewalls, and network gear with intrusion detection. While these are excellent measures for keeping your company's secrets secret, there is one thing they and their fancy gadgets can't account for: a loose-lipped employee.
How many phone calls did you take today? Yesterday? Last week? How many times has a co-worker given you a quick ring just to grab an account number for a project the company is working on? Did you hesitate to give it to them? Did you know this co-worker personally? Do you remember all the questions they asked? What if the person on the other end of that line did not actually work for your company? You may think this is a silly question, but it happens more often than you think.
There are folks out there commonly referred to as "social engineers". They call companies or people posing as a person of authority or as a fellow co-worker, and they ask you a string of questions. Not all of the questions matter to them; the filler is there so the one or two questions that get them the information they need do not stand out.
We have all seen those “fun” surveys that float around on social networks.
What school did you go to?
What is your favorite color?
What street did you grow up on?
What was your first pet's name?
What is your home town?
What are your hobbies?
What is your favorite food or drink?
Etc.
Simple questions, right? Wrong. This is a common phishing scheme. Did you notice that many of those questions are the same security questions some websites have you answer in case you ever need to unlock your account or reset a forgotten password? Anyone who reads your answers on a social network now has what they need to pass that check as you.
A social engineer does the same thing, only over the phone. Typically they are very chatty and friendly. This is their way of putting you at ease; they will use lingo common in your industry and try to dupe you into letting go of information.
But how would the caller know the lingo used in your shop? They could search for common terms in your field. Or perhaps you are not their first call. They can be quite patient, and may have called your company three or four times, posing as a different person each time, to chip away at their list of questions. Each call only needs to pick up one harmless-looking piece; the pieces add up.
You should be cautious about what information you give out over the phone. Unless it is a voice you recognize as a co-worker's, ask yourself "If I gave this information to my worst enemy, could it damage me or my company?" If a co-worker you have never met or spoken to asks you for account IDs, client lists, or financial information, ask them for their name and a call-back number at whichever office they claim to be from. Write this information down so you have a record of the call, and tell them you will call them right back. Before calling back, look them up in your company-wide directory. Are they in the directory? Does the number they gave you match the one listed? If you do call back, use the number from the directory rather than the one the caller gave you.
If the caller is not in the directory, or the numbers do not match, alert your co-workers and IT staff that someone is calling to try to gain access to sensitive information.
It's not just phone calls you should be worried about. Did you receive an unsolicited CD, DVD or thumb drive in the mail? Social engineers or hackers may send you media claiming to be from one of your clients or co-workers. It may not be from who you think it is. The media could carry malicious software that installs itself automatically when you insert it, without you even knowing. They may put fun pictures of cats or a few company logos on it so it doesn't appear blank, or to distract you while the software installs. This software could be a keylogger that records all your keystrokes and sends them to the attacker, or a remote-access tool that lets them go through your files after hours.
When you receive something like this, do not plug it into any computer, even to "just take a look". First contact the client or co-worker it appears to be from and ask whether they sent you anything and, if so, what it is. If they have no knowledge of the package, DO NOT open the media. Alert your IT staff: tell them what you received, who it claims to be from, and that the client has no knowledge of the package. They will want to send out an alert to the company about potentially malicious packages arriving in the mail. It would also be wise to hand the media over to them; they have safe ways to find out exactly what is on it, so they can make sure the network security is able to detect and block it. Keep in mind the packages may not all appear to come from the same company. If the attacker knows one of your clients, there is a good chance they know more.
As I mentioned earlier, there is no device or fail-proof way to protect against loose-lipped employees. The best way to keep sensitive information from leaking out is educating your staff about these threats. Teach them to be mindful of the little tidbits they let slip during a casual conversation.