Beware the digital con artist
Lately, the worst technical threats associated with personal computers and the Internet aren’t necessarily technical at all. More and more, they are social, based on the distinctly human nature of the con man.
As the Internet blossomed, so did related problems. These included malignant spam e-mail, phishing expeditions for personal identity information, and security breaches of servers warehousing sensitive data.
Enterprises and individuals have invested heavily in protecting information from the prying eyes of unscrupulous marketers and identity thieves bent on taking what doesn’t belong to them.
Most security investments have worked very well at the level of bits and bytes, handling the technical details of protecting systems and limiting scourges like spam.
For example, a good antivirus program can filter out seemingly innocent e-mail by examining all of its technical aspects. Or, a firewall can analyze the flow of data into a business network and look for tell-tale signs of threatening data and, consequently, block that threat.
Perhaps the most sophisticated and malevolent computer threat to crack isn’t made of silicon, but instead of flesh and blood.
The latest and most effective means to gain access to a person’s identity information is as old as the con itself.
For example, instead of spamming with a virus-infected e-mail that may be filtered by antivirus software, today’s con artists disperse digitally clean e-mail urging users to visit a particular Web site or even call a particular telephone number.
The urging may take the form of a statement promising financial gain, a warning that something is terribly wrong with a bank account, or a nefarious invitation to something very personal or naughty.
And these invitations are well disguised in a cloak of legitimacy, pretending to be from eBay, PayPal, or your own bank.
The bottom line is that to a technical watchdog - like a firewall - these messages may be free of any malicious computer code, but the contents of the message are carefully worded to get a person to pick up a phone or visit a Web site where a sinister trap waits.
So if a business has already invested in the technical side of security, what can be done about the social threat?
Bob Marichak, account executive at Next Step Systems Integration LLC (www.nextstepsys.com) in Scranton, a firm that specializes in the integration and migration of hardware and software for end-to-end network data solutions for small and large businesses, offers some simple human suggestions to help foil socially engineered computer threats:
Enforce a policy including:
* Restricting the number of permitted users on workstations;
* Having automatic password changes and instructing users on how to create hard-to-crack passwords;
* Educating users on what constitutes threatening e-mail, including:
  1. Instructing users to delete e-mails that have unfamiliar or unknown senders.
  2. Advising users not to follow links or call numbers from suspicious e-mail.
  3. Looking up banks and other financial institutions directly through other known legitimate means.
Many of these precepts are relatively easy to implement and can be very effective in hindering socially engineered attacks. When they are applied in conjunction with known technical solutions, a business will have a much lower chance of being compromised.
By: Andrew Ohrman
NEPA Business Journal
