Social Engineering Tactics:
Phishing: Phishing elicits sensitive information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.
Malvertising: This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.
Phone scams: It is not uncommon for an attacker to call an employee and attempt to convince them to divulge information about themselves or others within the organization.
Defenses Against Social Engineering:
Password management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.
Two-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.
Antivirus/antiphishing defenses: Multiple layers of antivirus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social engineering attacks.
Change management: A documented change-management process is more secure than an ad hoc process, which is more easily exploited by an attacker who claims to be in a crisis.
Information classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.
Document handling and destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
Physical security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.