Nations are jittery as hundreds of secret government documents are being published by WikiLeaks every day. Indeed, governments are stripped naked!
In India, secret conversations between a public relations consultant and MNC bosses to influence government policy are heard by everyone through stolen voice tapes!
Secrets are no longer secrets.
The time when you could do things secretly is over.
The Bible says: "What you have said in the dark will be heard in the daylight, and what you have whispered in the ear in the inner rooms will be proclaimed from the roofs."
Above all, nothing is secret before God; He sees you totally.
Monday, December 6, 2010
Tuesday, August 31, 2010
BPR - Business Process Re-Engineering Principles
1. "If It's Not Broken, Don't Fix It"
2. "If It Is Broken, Make Sure You Understand the Process Before You Try to Fix It"
3. "When You Fix It, Make Sure That There Is Value in Fixing It"
4. "After You Fix It, Make Sure You Don't Have Any Leftover Parts"
Thursday, July 29, 2010
BP Oil Slick/Gulf of Mexico - America's Toilet Bowl
When Nazia Dardar looks at the seemingly endless lake of water behind her stilted bayou home, the 76-year-old sees what once was a farm.
Cows roamed there, she says, back when the lake was land.
"C'est le jour et la nuit," she says in French, the most common language down here on the farthest and swampiest reaches of the Mississippi River delta. "It's day and night."
Perhaps nowhere is the protracted death of the Gulf Coast more apparent than in Pointe-Aux-Chenes, Louisiana, and other indigenous bayou communities where, decades before the BP oil disaster, the marsh started disintegrating and environmental problems washed in from as far away as North Dakota and New York.
The Gulf of Mexico became, in effect, the United States' toilet bowl -- known for its seasonal "dead zones," high erosion rates, dirty industry, ingrained poverty and, now, for the biggest oil disaster in the history of the country. Compare that legacy on the Gulf Coast with the East Coast, with its wealth, and the West, with its more-sterling record of environmental stewardship.
Since the massive oil disaster began nearly 100 days ago, some American Indian communities on the coast here for centuries, including Pointe-Aux-Chenes, have begun grappling with the idea that they may need to retreat from the oil-sullied marshes.
Some fear cultural extinction.
READ FURTHER ON CNN http://edition.cnn.com/2010/US/07/27/gulf.history.environment.toilet/index.html#fbid=mZVWtInEJRN
Monday, June 21, 2010
Currency without a Head
On my desk as I write are two banknotes — £20 sterling and 20 euros. On the former is a picture of the Bank of England, the signature of Andrew Bailey, its Chief Cashier, and the head of the Queen. The euro note also carries a signature. It is illegible but, since it comes under the letters “ECB” (European Central Bank), perhaps it is that of Jean-Claude Trichet, the bank’s President.
There is no picture of a financial location, and nobody’s head. Instead, one side of the euro note depicts a couple of gothic windows, and the other, beside the map of Europe, a fine old bridge. It is no accident that the note carries no head. It is because the single European currency came into being without a single European economic government and without political union. It therefore has no ultimate authority. When the euro was launched at the end of the last century, both its friends and its foes predicted that this lack of authority could not last. At some point more power would have to be put behind it, or it would collapse.
We have now got close to that point. Euro notes carry the word “euro” in Roman lettering, of course, but also, in deference to one EU member, print it in Greek characters. It is Greece’s sovereign debt crisis which began the current agonies. Will those Greek letters have to come off the notes? The same crisis threatens Portugal and now — much more serious — Spain. If it reaches Italy, the country with the third biggest public debt in the world, the game would appear to be over. The fine old bridge would be blown up. So far, European leaders have tried to deal with this spreading disaster by ruses. Existing European treaties ban bail-outs of member states. So the “European Stabilisation Mechanism”, recently set up precisely to provide these illegal bail-outs, does so under Article 122.2 of the Lisbon Treaty. This article gives emergency assistance to a member state “threatened with severe difficulties caused by natural disasters or exceptional circumstances beyond its control”.
Natural disasters! We are experiencing a totally unnatural disaster, one brought about by the artificial structure of the European project. Exceptional circumstances beyond its control! It was this system that every eurozone member state proudly (though usually without asking their electorates) voted for. The situation is not funny for the people of Greece, Portugal, Spain, and so on, because their governments have run up dreadful public debts while sacrificing their power to devalue to become competitive. They cannot cut their exchange rate, so they must cut wages and jobs. Unemployment in Spain is already 20 per cent — and 40 per cent among young people. It is not funny for Germany, either. German banks are overcommitted in the southern countries now afflicted. The German people are fed up with paying for the profligacy of their poorer neighbours and furious at the suggestion that the only solution is that they should pay even more.
What will actually happen? Among people who follow bond markets and consider financial realities, certainty about the European currency has evaporated. Many think that the £750 billion “shock and awe” fund promised by the EU and the IMF is a bluff. The unthinkable idea that the eurozone might break up is now being thought. And the version of break up gathering ground in people’s minds is not that the poor, indebted countries would fall out — they are prostrate and helpless — but that Germany would rise up like Gulliver, snap the insubstantial euro-ropes tied round its body, and walk away. Offering a foretaste, a German stockmarket website called Borsenews has now started pricing shares in Deutschmarks as well as euros.
On the other hand, what makes economic sense also looks politically impossible. Angela Merkel, the German Chancellor, promised to put her foot down and punish the Greeks three months ago, only to give in and launch the rescue a few weeks later, a delay that dramatically increased her country's bill. The German political class has spent 60 years recovering respectability through “Europe”. It simply cannot face losing it.
But there is no alternative vision in the eurozone. The leaders remain determined to have no Plan B. So what we are about to get is the missing bit of Plan A. They will try to create a sort of European Treasury with centralised economic and fiscal policy — the imposition, in short, of undemocratic European economic government.
Again and again in politics, great schemes don’t work — Soviet Communism, for example, and now the euro. Rational people tend to conclude that, because a scheme doesn't work, it will quickly stop. Unfortunately, rational people are wrong. Bad political schemes are usually given up only when they have been tested literally to destruction. It would be much better for Europe if the euro had never happened, and I long for it somehow to fade away, but the process of destruction will be horrendous, and it is only just beginning.
© The Daily Telegraph
Friday, January 15, 2010
Protect Your Company from Social Engineering
What you need to know about this most insidious of security attacks
By Joan Goodchild
January 11, 2010 (CSO) You've got all the bells and whistles when it comes to network firewalls and your building's security has a state-of-the-art access system. You've invested in the technology. But what about the staff?
Social engineers, or criminals who take advantage of human behavior to pull off a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend.
In this guide, we outline the common tactics social engineers often use, and give you tips on how to ensure your staff is on guard.
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another try might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees. Read Anatomy of a Hack to follow Nickerson through this exercise.
How do social engineers pull off their tricks?
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.
But once they are ready, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility or sensitive data, according to Nickerson.
The goal is always to gain the trust of one or more of your employees. In Mind Games: How Social Engineers Win Your Confidence, Brian Brushwood, host of the Internet video series Scam School, describes some of the tricks scam artists use to gain that trust, which can vary depending on the communication medium:
On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor). According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, the criminal tries to make the person feel comfortable with familiarity. They might learn the corporate lingo so the person on the other end thinks they are an insider. Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone. See more such tricks in Social Engineering: Eight Common Tactics.
In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
In the same exercise where Nickerson used his thrift-shop shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming this person was simply a fellow office smoker, real employees let him in the back door without question. "A cigarette is a social engineer's best friend," said Nickerson. He also points out other places where social engineers can get in easily in 5 Security Holes at the Office.
This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don't ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy, he said.
"I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment. But they often don't even get checked. I've even worn a badge that said right on it 'Kick me out' and I still was not questioned."
Online:
Social networking sites have opened a whole new door for social engineering scams, according to Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. One of the latest involves the criminal posing as a Facebook "friend." But one can never be certain the person they are talking to on Facebook is actually the real person, he noted. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.
One popular tactic used recently involved scammers hacking into Facebook accounts and sending a message on Facebook claiming to be stuck in a foreign city and they say they need money.
"The claim is often that they were robbed while traveling and the person asks the Facebook friend to wire money so everything can be fixed," said Cluley.
"If a person has chosen a bad password, or had it stolen through malware, it is easy for a con to wear that cloak of trustability," he said. "Once you have access to a person's account, you can see who their spouse is, where they went on holiday the last time. It is easy to pretend to be someone you are not."
See 9 Dirty Tricks: Social Engineers' Favorite Pick-up Lines for more examples.
Why do people fall for social engineering techniques?
People are fooled every day by these cons because they haven't been adequately warned about social engineers. As CSO blogger Tom Olzak points out, human behavior is always the weakest link in any security program. And who can blame them? Without the proper education, most people won't recognize a social engineer's tricks because they are often very sophisticated.
Social engineers use a number of psychological tactics on unsuspecting victims. As Brushwood outlines in Mind Games, successful social engineers are confident and in control of the conversation. They simply act like they belong in a facility, even if they should not be, and their confidence and body posture put others at ease.
"People running concert security often aren't even looking for badges," said Brushwood. "They are looking for posture. They can always tell who is a fan trying to sneak back and catch a glimpse of the star and who is working the event because they seem like they belong there."
Social engineers will also use humor and compliments in a conversation. They may even give a small gift to a gate-keeping employee, like a receptionist, to curry favor for the future. These are often successful ways to gain a person's trust, said Brushwood, because 'liking' and 'feeling the need to reciprocate' are both fixed-action patterns that humans naturally employ under the right circumstances.
Online, many social engineering scams are taking advantage of both human fear and curiosity. Links that ask "Have you seen this video of you?' are impossible to resist if you aren't aware it is simply a social engineer looking to trap you into clicking on a bad link.
Successful phishing attacks often warn that "Your bank account has been breached! Click here to log in and verify your account." Or "You have not paid for the item you recently won on eBay. Please click here to pay." This ploy plays to a person's concerns about negative impact on their eBay score.
"Since people spend years building eBay feedback score or 'reputation,' people react quickly to this type of email. But, of course, it leads to a phishing site," said Shira Rubinoff, founder of Green Armor Solutions, a security software firm in Hackensack, New Jersey. "Many people use eBay, and users often bid days before a purchase is complete. So, it's not unreasonable for a person to think that he or she has forgotten about a bid they made a week prior."
Recent phishing lures even take advantage of the economic downturn, said Rubinoff. It has not been uncommon for fake emails to turn up that claim to be from human resources which say: 'You have been let go due to a layoff. If you wish to register for severance please register here,' and includes a malicious link.
No one wants to be the person that causes problems in this economy, so any email that appears to be from an employer will likely elicit a response, noted Rubinoff. Lares' Nickerson has also seen cons that use fake employer emails.
"It might say, 'In an effort to cut costs, we are sending W-2 forms electronically this year,'" said Nickerson.
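As a defender-side illustration of the lures described above (the breached-account, unpaid-eBay-item and HR-layoff messages), here is an added triage script, not part of the CSO article, that scores constructed sample emails on those cues and flags a message that claims a brand or employer but links to a domain other than the one that brand would use. The theme phrases, the expected domains and the sample messages are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Lure themes the article describes. Each theme lists the phrases that signal it
# and the domains a genuine message on that theme would be expected to link to.
# The phrases and allowlisted domains are constructed for this example, not a
# real policy; a real deployment would use the organisation's own domains.
LURE_THEMES = {
    "account_breach": {
        "phrases": ["account has been breached", "verify your account", "log in"],
        "expected_domains": {"examplebank.example"},
    },
    "ebay_unpaid_item": {
        "phrases": ["have not paid", "item you recently won", "ebay"],
        "expected_domains": {"ebay.com"},
    },
    "hr_layoff": {
        "phrases": ["let go", "layoff", "severance", "w-2 forms", "cut costs"],
        "expected_domains": {"hr.corp.example"},
    },
    "stranded_friend": {
        "phrases": ["stuck in", "robbed", "wire money"],
        "expected_domains": set(),  # no legitimate link expected at all
    },
}

# Pressure phrases that push the reader to act before thinking.
URGENCY_CUES = ["click here", "immediately", "please register here", "pay now"]

URL_RE = re.compile(r"https?://[^\s\"'>]+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostnames of every http(s) URL in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_matches(host, expected):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected)


def triage(message):
    """Score a constructed email dict ('subject', 'body') for lure cues.

    Returns (score, reasons); a higher score is more lure-like. A theme counts
    only when at least two of its phrases appear, to avoid firing on a single
    common word such as "ebay".
    """
    text = (message["subject"] + " " + message["body"]).lower()
    hosts = extract_hosts(message["body"])
    score, reasons = 0, []

    for theme, spec in LURE_THEMES.items():
        hits = [p for p in spec["phrases"] if p in text]
        if len(hits) < 2:
            continue
        score += 2
        reasons.append(f"theme:{theme}")
        # The strongest signal: the message names a brand/employer but its
        # link leads somewhere that brand would never host.
        for host in hosts:
            if spec["expected_domains"] and not host_matches(host, spec["expected_domains"]):
                score += 3
                reasons.append(f"offdomain-link:{host}")

    for cue in URGENCY_CUES:
        if cue in text:
            score += 1
            reasons.append(f"urgency:{cue}")

    return score, reasons


# Constructed sample messages modelled on the lures quoted in the article.
SAMPLE_MESSAGES = [
    {"subject": "Your bank account has been breached!",
     "body": "Click here to log in and verify your account: "
             "http://secure-login.example.net/bank"},
    {"subject": "You have not paid for the item you recently won on eBay",
     "body": "Please click here to pay: https://www.ebay.com/pay"},
    {"subject": "Notice of layoff",
     "body": "You have been let go due to a layoff. If you wish to register for "
             "severance please register here: http://hr-portal.example.org/severance"},
    {"subject": "Lunch on Friday?",
     "body": "Are we still on for lunch? http://hr.corp.example/cafeteria-menu"},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = triage(msg)
        print(f"{score:2d}  {msg['subject']!r}  {reasons}")
```

The second sample shows why the off-domain check matters: the same unpaid-item wording linking to the real eBay domain scores low, while the bank and HR lures pointing off-domain score high.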
How can I educate my employees to prevent social engineering?
Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.
For elements of an effective security awareness program, see Seven Practical Ideas for Security Awareness and Now Hear This!.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Chris Nickerson's success posing as a technician is an example of a story that gets the message across in an interesting way. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.
"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff."
Social engineering tricks are always evolving, and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there; see 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid.
By Joan Goodchild
January 11, 2010 (CSO) You've got all the bells and whistles when it comes to network firewalls and your building's security has a state-of-the-art access system. You've invested in the technology. But what about the staff?
Social engineers, or criminals who take advantage of human behavior to pull of a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend.
In this guide, we outline the common tactics social engineers often use, and give you tips on how to ensure your staff is on guard.
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another try might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees. Read Anatomy of a Hack to follow Nickerson through this exercise.
How do social engineers pull off their tricks?
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.
But once they are ready, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility or sensitive data, according to Nickerson.
The goal is always to gain the trust of one or more of your employees. In Mind Games: How Social Engineers Win Your Confidence Brian Bushwood, host of the Internet video series Scam School, describes some of the tricks scam artists use to gain that trust, which can vary depending on the communication medium:
On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor). According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, the criminal tries to make the person feel comfortable with familiarity. They might learn the corporate lingo so the person on the other end thinks they are an insider. Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone. See more such tricks in Social Engineering: Eight Common Tactics.
In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
In the same exercise where Nickerson used his thrift-shop shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming this person was simply a fellow-office-smoking mate, real employees let him in the back door with out question. "A cigarette is a social engineer's best friend," said Nickerson. He also points out other places where social engineers can get in easily in 5 Security Holes at the Office.
This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don't ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy, he said.
"I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment. But they often don't even get checked. I've even worn a badge that said right on it 'Kick me out' and I still was not questioned."
Online:
Social networking sites have opened a whole new door for social engineering scams, according to Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. One of the latest involves the criminal posing as a Facebook "friend." But one can never be certain the person they are talking to on Facebook is actually the real person, he noted. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.
One popular tactic used recently involved scammers hacking into Facebook accounts and sending a message on Facebook claiming to be stuck in a foreign city and they say they need money.
"The claim is often that they were robbed while traveling and the person asks the Facebook friend to wire money so everything can be fixed," said Cluley.
"If a person has chosen a bad password, or had it stolen through malware, it is easy for a con to wear that cloak of trustability," he said. "Once you have access to a person's account, you can see who their spouse is, where they went on holiday the last time. It is easy to pretend to be someone you are not."
See 9 Dirty Tricks: Social Engineers Favorite Pick-up Linesfor more examples.
Why do people fall for social engineering techniques?
People are fooled every day by these cons because they haven't been adequately warned about social engineers. As CSO blogger Tom Olzak points out, human behavior is always the weakest link in any security program. And who can blame them? Without the proper education, most people won't recognize a social engineer's tricks because they are often very sophisticated.
Social engineers use a number of psychological tactics on unsuspecting victims. As Brushwood outlines in Mind Games, successful social engineers are confident and in control of the conversation. They simply act like they belong in a facility, even if they should not be, and their confidence and body posture put others at ease.
"People running concert security often aren't even looking for badges," said Brushwood. "They are looking for posture. They can always tell who is a fan trying to sneak back and catch a glimpse of the star and who is working the event because they seem like they belong there."
Social engineers will also use humor and compliments in a conversation. They may even give a small gift to a gate-keeping employee, like a receptionist, to curry favor for the future. These are often successful ways to gain a person's trust, said Brushwood, because 'liking' and 'feeling the need to reciprocate' are both fixed-action patterns that humans naturally employ under the right circumstances.
Online, many social engineering scams are taking advantage of both human fear and curiosity. Links that ask "Have you seen this video of you?" are impossible to resist if you aren't aware it is simply a social engineer looking to trap you into clicking on a bad link.
Successful phishing attacks often warn that "Your bank account has been breached! Click here to log in and verify your account." Or "You have not paid for the item you recently won on eBay. Please click here to pay." This ploy plays to a person's concerns about negative impact on their eBay score.
"Since people spend years building eBay feedback score or 'reputation,' people react quickly to this type of email. But, of course, it leads to a phishing site," said Shira Rubinoff, founder of Green Armor Solutions, a security software firm in Hackensack, New Jersey. "Many people use eBay, and users often bid days before a purchase is complete. So, it's not unreasonable for a person to think that he or she has forgotten about a bid they made a week prior."
Recent phishing lures even take advantage of the economic downturn, said Rubinoff. It has not been uncommon for fake emails to turn up that claim to be from human resources and say: 'You have been let go due to a layoff. If you wish to register for severance please register here,' and include a malicious link.
No one wants to be the person that causes problems in this economy, so any email that appears to be from an employer will likely elicit a response, noted Rubinoff. Lares' Nickerson has also seen cons that use fake employer emails.
"It might say, 'In an effort to cut costs, we are sending W-2 forms electronically this year,'" said Nickerson.
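As an added illustration of the lure types quoted above (not part of the original article), here is a small triage heuristic that scores a message for those lures, for a sender domain outside the organisation, and for links whose visible URL differs from the real target; the hostnames, sample messages and threshold are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Lure phrases modelled on the examples quoted in the article; constructed patterns for
# illustration, not a vendor rule set. Each hit adds one point to the risk score.
LURE_PATTERNS = {
    "account_breached": re.compile(r"account has been (breached|compromised|suspended)", re.I),
    "unpaid_item": re.compile(r"(have not|haven't) paid for", re.I),
    "layoff_severance": re.compile(r"(let go|laid off|layoff).{0,80}?severance", re.I | re.S),
    "tax_form": re.compile(r"\bW-?2\b.{0,40}?electronically", re.I | re.S),
    "urgent_click": re.compile(r"click here to (log ?in|verify|pay|register)", re.I),
}
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(value):
    """Lower-cased host of a URL, or the part after '@' in a mail address."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].strip("> ").lower()
    return (urlparse(value).hostname or "").lower()

def score_message(sender, subject, html_body, trusted_domains):
    """Heuristic triage: returns (score, reasons); 3 or more means verify before clicking."""
    score, reasons = 0, []
    text = subject + " " + re.sub(r"<[^>]+>", " ", html_body)
    for name, pattern in LURE_PATTERNS.items():
        if pattern.search(text):
            score += 1
            reasons.append("lure:" + name)
    sender_domain = domain_of(sender)
    if sender_domain not in trusted_domains:  # claims to be HR or the bank, sent from elsewhere
        score += 1
        reasons.append("sender:" + sender_domain)
    for href, shown in ANCHOR.findall(html_body):
        shown_domain = domain_of(shown.strip()) if "://" in shown else ""
        if shown_domain and shown_domain != domain_of(href):  # visible URL differs from real target
            score += 2
            reasons.append("link-mismatch:%s->%s" % (shown_domain, domain_of(href)))
    return score, reasons

# Constructed samples echoing the lures described in the article; hostnames are placeholders.
SAMPLE_HR_LURE = ("hr-notice@payroll-updates.example.net", "Important: cost saving measure",
    "In an effort to cut costs, we are sending W-2 forms electronically this year. Please click "
    'here to log in: <a href="http://w2-download.example.net/login">https://hr.corp.example.com/w2</a>')
SAMPLE_BENIGN = ("alice@corp.example.com", "Lunch on Thursday?",
    'Menu: <a href="https://intranet.corp.example.com/menu">https://intranet.corp.example.com/menu</a>')
TRUSTED = {"corp.example.com", "intranet.corp.example.com"}
```

Running `score_message(*SAMPLE_HR_LURE, TRUSTED)` flags the W-2 lure, the "click here to log in" urgency, the outside sender and the mismatched link, while the benign lunch note scores zero.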
How can I educate my employees to prevent social engineering?
Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.
For elements of an effective security awareness program, see Seven Practical Ideas for Security Awareness and Now Hear This!.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Chris Nickerson's success posing as a technician is an example of a story that gets the message across in an interesting way. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.
"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff."
Social engineering tricks are always evolving, and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there; see 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid.