Some simple steps can help you and your company avoid being the patsy in an online scam.
1 Never run a program unless you trust the source of the program.
2 Secure your computer with antivirus, antispyware, and a personal firewall. Such software can warn you if a program appears to be doing something suspicious.
3 Never give out your passwords. Only your employer and your bank should require your Social Security number.
4 Deploy a network intrusion-prevention system to detect the signs of an attack early.
5 Managers should require all workers who use computers to undergo training in the best computer-security practices.
The following article is from PC Magazine, April 25, 2006.
Every company needs to know this about security for company assets.
If a respectable-looking person handing out sample CDs on the street offered you one, would you take it home and run it? If he handed it to you on your commute to the office, would you run it at work? If someone called and said she was with IT and needed your computer’s password, would you give it? If you said yes to any of these questions, you’re a prime target for social engineering.
Social engineering tries to bypass security altogether by fooling the user. As operating systems and apps become more secure, online attackers can still rely on social engineering to compromise systems and access high-value data. Phishing attacks, Trojan horses, and many viruses use social-engineering tactics to trick users into compromising their own computer systems.
The stakes are higher than just losing data on a compromised system: A single PC can become a springboard within a company’s network from which enemies can launch further attacks. Insider attacks, whether executed by malicious employees or workers ignorant of the risks, are the most expensive class of cyber threats. Companies’ need to let their employees work free from stringent security measures can help insiders do extensive damage before being detected.
A year ago, law enforcement agencies announced that Sumitomo Mitsui Bank had foiled an attempt to steal $423 million after detecting suspicious money transfers.
An investigation revealed a keylogger, a program that records keystrokes, installed on an employee’s system.
Many workers aren’t aware of the risks. In a recent study, The Training Camp, a U.K. firm focused on training workers in information technology, handed out CDs with a simple Trojan horse program to people at a subway station.
The CDs didn’t do anything malicious, but phoned home when run on a computer, the company said. Employees at banks, insurance companies, and other businesses obligingly put the CDs into their work computers and ran the program. A few years ago, a similar study found that as many as 90 percent of people gave their passwords to a person conducting a survey.
Education is critical for defanging social engineering. Though many users know to be wary of questionable e-mail attachments, a person handing out official-looking CDs adds a layer of trust to the equation.
The Sony BMG copy protection system is an extreme example of that: People trusted the brand to such an extent that no one thought to check for questionable code.
The necessity of protecting users from themselves has Microsoft and other software makers adding components to turn their software into expert security systems.
Microsoft’s next browser, IE 7, will switch to a green address bar when the user is on a trusted site. And its personal firewall will protect systems against applications that attempt to connect to the Internet.
The threat will only worsen. Security professionals have noticed evidence of better social-engineering attacks, frequently targeted at just a few people within an organization. Computer security incident-response groups in the U.K., Canada, and Australia have confirmed such attacks.
Security is only as good as the weakest link. And most often, the weakest link is the human one.
Author: Robert Lemos is a freelance technology journalist and the editor-at-large for SecurityFocus.