Social engineering: Don't be fooled

How can these attacks be foiled?
Start by training employees to evaluate "requests" in isolation, not the circumstances under which they are made. Mitnick says social engineers use flattery, as in "you're the only one smart enough to do this for me, please run the attachment I'm about to send you", and intimidation, as in "if you don't give me your password so I can log in to get my mail you'll lose your job".

If you separate the circumstance from the request, you have half the battle won, he says.

"The key is... to train staff to determine what is a legitimate and what is an illegitimate request," he says.

There are also some easy rules and policies that can help. A social engineer will almost always refuse to give a call-back number. "They'll come up with an excuse... like 'my cell-phone battery is dying'," Mitnick explains. By putting in a policy that "states if someone is making a request of a sensitive nature... and you don't personally know this person, then you have to call them back," around seven out of 10 social engineering attacks will be foiled, he says.

One concrete version of this is a rule that anyone requesting a password reset is called back at their desk number before the reset is done. The point is to dial the number of record for that person, not a number the caller volunteers.
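The call-back rule above, as an added worked example (this is not code from the article or from Mitnick's company). It assumes a hypothetical staff directory mapping employee IDs to desk extensions, a hypothetical list of which request types count as sensitive, and the decision labels used here; all of these are assumptions for illustration. The key behaviour is that a sensitive request from someone the handler does not personally know never proceeds on the call itself: it either goes to a call-back at the directory number, or is refused when the caller has no directory entry or refuses to be called back.

```python
"""Out-of-band call-back check for sensitive help-desk requests.

Added example; not code from the article or Mitnick's company.
The directory, request format and decision labels are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed sample directory: employee ID -> (name, desk extension).
# In practice this would be the organisation's own directory service.
DIRECTORY = {
    "e1001": ("Dana Reyes", "x4412"),
    "e1002": ("Sam Okafor", "x4420"),
}

# Assumed set of request types that require identity verification.
SENSITIVE_REQUESTS = {"password_reset", "vpn_token", "share_document"}


class Decision(Enum):
    ALLOW = "allow"                          # handle on the current call
    CALLBACK_REQUIRED = "callback_required"  # hang up, dial the directory number
    DENY = "deny"                            # refuse and report


@dataclass
class Request:
    request_type: str
    claimed_employee_id: str
    caller_known_personally: bool            # the handler actually knows this person
    offered_callback_number: Optional[str]   # number the caller volunteered, if any
    refuses_callback: bool = False           # e.g. "my cell-phone battery is dying"


@dataclass
class Outcome:
    decision: Decision
    dial: Optional[str]   # number the handler should call back, if any
    reason: str


def evaluate(req: Request) -> Outcome:
    """Apply the call-back policy to one request.

    Only the directory number is ever used for the call-back; a number
    supplied by the caller is recorded in the reason but never dialled.
    """
    if req.request_type not in SENSITIVE_REQUESTS:
        return Outcome(Decision.ALLOW, None, "not a sensitive request")

    if req.caller_known_personally:
        return Outcome(Decision.ALLOW, None, "requester personally known to handler")

    if req.refuses_callback:
        # Refusing a call-back is the classic tell; do not work around it.
        return Outcome(Decision.DENY, None, "caller refused call-back; treat as a red flag")

    entry = DIRECTORY.get(req.claimed_employee_id)
    if entry is None:
        return Outcome(Decision.DENY, None, "claimed identity not found in directory")

    name, desk = entry
    if req.offered_callback_number and req.offered_callback_number != desk:
        reason = (f"call {name} back at directory number {desk}; "
                  f"ignore caller-supplied {req.offered_callback_number}")
    else:
        reason = f"call {name} back at {desk} before acting"
    return Outcome(Decision.CALLBACK_REQUIRED, desk, reason)


if __name__ == "__main__":
    # Constructed sample requests exercising each branch of the policy.
    samples = [
        Request("password_reset", "e1001", False, "555-0100"),
        Request("password_reset", "e1001", False, None, refuses_callback=True),
        Request("vpn_token", "e9999", False, None),
        Request("office_supplies", "e1002", False, None),
        Request("password_reset", "e1002", True, None),
    ]
    for s in samples:
        out = evaluate(s)
        print(f"{s.request_type:16} {out.decision.value:18} dial={out.dial} ({out.reason})")
```

The handler's job is to stop the conversation and dial the number `evaluate` returns; the caller-supplied number is only logged. Whether "personally known" should bypass the call-back is the one judgement call left to the organisation; the article's policy, as quoted, permits it.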

Mitnick isn't an IT security generalist; social engineering is his specialty. He studied the psychology at play during his years as a criminal attacker and has built a business around that understanding.

"Social psychology tells us people are in two modes of thinking: systematic mode and heuristic mode," Mitnick explains. When a person is operating in systematic mode, they have the wherewithal to think. When operating in heuristic mode, however, "we're simply idling by. We're distracted, we're thinking of something else. We're there 90 percent of the time".

It is in heuristic mode that we are most likely to cooperate with an attacker. The social engineer bends the target's will without giving them reason to think twice, typically by asking for a favour, or for something that is not normally part of the target's job. Currying favour with the target is also high on the list.

"If you are talking to somebody and you notice that coincidentally they grew up in the same state, or are interested in the same types of hobbies or sports... the attacker wants to mirror you because psychologically you're more likely to like someone like yourself," Mitnick says. "And when you like someone you're more likely to comply with their request."

"If there are too many coincidences it may be a yellow flag," he says.


Talkback 2 comments

    Anonymous -- 19/07/04

    Hello,

    This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?

    Thanks in advance,
    Christian

    Anonymous -- 26/07/05

    Have a look at SANS

    http://www.sans.org
