Updated: November 15, 2004

Social Engineering the Human Factor: The Checklist


1. Install and maintain technical safeguards.

All computers on the network should be running anti-virus software, firewalls, and e-mail filters to reduce spam, phishing, and other types of malicious e-mail solicitations. Take inventory periodically to ensure that employees have not disabled these safeguards on their systems.


2. Provide employees with guidelines for phone and e-mail security safeguards.

Educate your employees about how to protect personal and company information. For example, implement a callback policy: when non-public information is requested over the phone, employees should always verify the source by calling the requester back at a known number. You can refer to the handbook for additional security guidance.


3. Make Web browsing more secure.

Always run the latest version of Internet Explorer to ensure that all of the current security enhancements are in place.

Keep all security patches and service packs for Web browsers and operating systems up to date. For example, Windows XP Service Pack 2 adds security features like pop-up blocking.

Configure the security level of Internet Explorer to medium or higher so that users do not automatically download unsigned ActiveX controls, or run scripts, Java applets, or other code.

Establish an organizational policy about Web sites that employees can access on company computers. For example, create and enforce a blacklist of Web sites by using ISA Server 2004 in combination with offerings from partners like Surf Control.


4. Establish and enforce strict password policies.

Implement a strong password policy. For example, passwords should be at least eight characters in length and include a combination of numbers, letters, and symbols.

Ensure that users change their passwords on a regular basis. The password policy features in Windows Server 2003 can help you implement this practice.

Impart to users the importance of not sharing their passwords with others or using a corporate password for other purposes.

Consider two-factor authentication, such as smart cards or biometric technology, for situations that warrant additional security controls.
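Items 1 and 4 both call for periodic checks: that employees have not disabled the technical safeguards, and that the password policy actually enforces the stated minimums. The following PowerShell script is an added example, not part of the original checklist; it assumes a current Windows host with Windows Defender and the NetSecurity module, English-language `net accounts` output, and an Administrator session. The 90-day rotation interval is an assumption, since the checklist gives no number.

```powershell
# Added example: inventory one host's safeguards (item 1) and its effective
# password policy (item 4). Assumes Windows Defender, the NetSecurity module
# and English 'net accounts' output; run elevated.
function Get-SafeguardReport {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength  = 8,   # checklist: at least eight characters
        [int]$MaxPasswordAgeDays = 90   # assumed interval; the checklist states none
    )

    $findings = @()

    # Item 1: every firewall profile (Domain, Private, Public) must be enabled.
    foreach ($profile in Get-NetFirewallProfile) {
        if (-not $profile.Enabled) {
            $findings += "Firewall profile '$($profile.Name)' is disabled"
        }
    }

    # Item 1: anti-virus engine and real-time protection must be on.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings += "Antivirus or real-time protection is disabled"
    }

    # Item 4: read the effective policy that Windows enforces, not the written one.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Minimum password length|Maximum password age \(days\)):\s+(\S+)') {
            $policy[$matches[1]] = $matches[2]
        }
    }
    if ([int]$policy['Minimum password length'] -lt $MinPasswordLength) {
        $findings += "Minimum password length is below $MinPasswordLength"
    }
    $maxAge = $policy['Maximum password age (days)']
    if ($maxAge -eq 'Unlimited' -or [int]$maxAge -gt $MaxPasswordAgeDays) {
        $findings += "Maximum password age exceeds $MaxPasswordAgeDays days"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Get-SafeguardReport | Format-List
```

Run it from a scheduled task or a remoting session across the fleet and collect the objects centrally; any host with `Compliant = False` is the inventory gap item 1 warns about.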


5. Support team awareness with ongoing user education.

Distribute the Information Workers Security Handbook to all your employees.

Keep employees up-to-date on the latest social engineering attacks.

Establish a central location, such as an e-mail alias or intranet site, where employees can report unusual activity.


6. Perform audits on a regular basis to assess the effectiveness of your security policies.

Be prepared to modify and update your policies as necessary and be sure to communicate policy updates to your employees on an ongoing basis.

