Your bank account is the one user account you don't want to give a social engineer access to. We asked the Bank of Queensland's IT security manager, Karl Hanmore, about what he has put in place to reduce the effectiveness of social engineering.
"All Bank of Queensland staff receive IT security training as part of their corporate induction, which is then followed up by periodic bulletins," Hanmore says. "This is the first line of defence in social engineering: trying to prevent the attack from occurring in the first place."
The bank doesn't allow password resets "for electronic channels" over the telephone. Where an Internet banking password is reset, the new credential is sent via post to the customer's listed postal address.
Bank staff are monitored, too. "There are a number of checks surrounding the quality of staff performance, including ensuring they properly identify the customer. We supplement the standard processes with externally provided audits of the quality of the [call centre] responses."
Educating staff and assessing risk are the keys to reducing the risk. "A focus on staff training, documented processes and known escalation paths is critical... a risk assessment of the services you provide where authentication is especially prone to social engineering, like call centres, is highly recommended," Hanmore says.
The ex-cop
If you ask former Australian Federal Police officer Neil Campbell to socially engineer your company for the purposes of an audit, he will refuse.
"This is a tough thing for me. When I started out in IT security I did do the testing, but the negative impact of the testing outstrips the benefits," says Campbell, who now runs Dimension Data's security practice. "No matter how much an organisation is prepared to have its physical security tested, it's a very painful process to go through. You embarrass individuals by succeeding. It's difficult as a provider to engage in that exercise and remain friends afterwards."
"If you don't get in you've failed, and if you do get in you've embarrassed them and from a relationship perspective you've failed," he adds.
Despite the risks, Australian companies aren't spending big on providing their staff with specialist training offered by companies such as Mitnick's consultancy, Campbell says. "If you're cynical about it... how can I say to my boss 'Hey, I spent $50,000 on awareness' and justify it?" he asks. "I think it's one of the critical security problems that we have to deal with. There are services for it, but people don't buy them."

Hello,
This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?
Thanks in advance,
Christian