Social engineering is one of the most frightening techniques used to attack users of an IT system. It relies on subtle psychological techniques that get people to share the desired information. By exploiting human weaknesses, e.g. the desire to help a peer or the need to impress a superior, an ill-intentioned person can obtain access to confidential data and systems through an individual.
In order to avoid the involuntary disclosure of information, it is important to make staff aware of the general principles of “social engineering” and teach them the appropriate ways to react and communicate. This means, amongst other things:
Human error covers a wide range of incidents, from inadvertently sending an email to the wrong person right up to the accidental deletion of vital company data.
For the best chance at avoiding such errors, it is important to provide:
IT resources available to users may be misappropriated for personal use. An organisation must respect the privacy of its employees just as the employees should not exploit the IT infrastructure for personal use during their working day, in particular regarding the use of the Internet and electronic messaging. You could, for example, include:
The availability of the information system is linked to the availability of staff in general. Ideally, you should ensure that all information is accessible at all times. This can be organised through the use of authorisations, the implementation of a staff rota and an on-call service, which is all the more important where system administrators are concerned. It may be useful to introduce the following elements:
An information system administrator, as part of their role as supervisor, has specific access permissions. They can therefore have access to all information stored in the IT system and, in the event of a cyberattack, block access to the information system. As a security measure, it is useful to ensure:
Spam is unsolicited email. This type of advertising email is sent to the owner of the mailbox with the aim of getting them to view a service, product or website. In the best-case scenario, the time wasted and the storage space taken up by this type of email may needlessly overload an information system, and it must therefore be fought against. Furthermore, spam may also carry malicious software and so become a concrete threat to the organisation’s assets.
Phishing is a special social engineering technique that primarily uses emails and aims to obtain personal information (bank account details, in particular) by claiming to be a trusted organisation (e.g. a bank) via a fraudulent website. This type of attack is primarily aimed at individuals, but the company’s vital information may also be targeted.
Both of these threats currently plague email inboxes. You can guard against them by:
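Phishing messages of the kind described above usually give themselves away in their headers and links: a display name that claims a trusted brand while the message comes from an unrelated domain, a visible link that names the real site while the `href` points elsewhere, or a lookalike domain that embeds the brand name. The following Python script is an added illustration of such defender-side checks; it is not part of the original page. The trusted brand, all domains, addresses and both sample messages are constructed for the example, and the "registrable domain" helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
"""Heuristic phishing-indicator checks over a raw email message.

Added illustration (not part of the original page). The trusted brand,
all domains, addresses and sample messages are constructed values.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the organisation trusts, mapped to the domains they really use
# (constructed values for the example).
TRUSTED_BRANDS = {
    "example bank": {"examplebank.example"},
}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Host part of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _body_text(msg) -> str:
    """First text/html or text/plain part, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def analyse_message(raw: str) -> list:
    """Return human-readable phishing indicators found in the message."""
    findings = []
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Display name claims a trusted brand but the sending domain is not theirs.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # 2. Reply-To routes replies to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From domain ({reply_addr})")

    # 3. Link text naming one domain while the href goes to another, and
    #    lookalike domains that embed a trusted brand name.
    collector = _LinkCollector()
    collector.feed(_body_text(msg))
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        for brand, domains in TRUSTED_BRANDS.items():
            token = brand.replace(" ", "")
            if token in href_host.replace("-", "") and registrable_domain(href_host) not in domains:
                findings.append(f"lookalike domain for '{brand}': {href_host}")
    return findings


# Constructed sample: brand in the display name, unrelated sender domain,
# and a link whose visible text does not match its target.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@mail-notify.example>
Reply-To: recover@mail-notify.example
To: user@corp.example
Subject: Your account has been locked
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm your details at
<a href="http://examplebank-secure-login.example/verify">https://examplebank.example/login</a></p>
</body></html>
"""

# Constructed sample of a legitimate message from the trusted domain.
SAMPLE_CLEAN = """\
From: "Example Bank" <alerts@examplebank.example>
To: user@corp.example
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body><p>Log in at
<a href="https://examplebank.example/login">https://examplebank.example/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyse_message(raw))
```

Run on the two constructed samples, the phishing message produces three indicators (brand claim vs sender domain, link text vs target, lookalike domain) and the legitimate one produces none. In practice such heuristics belong in a mail gateway or a triage script alongside SPF/DKIM/DMARC results, and the domain matching should use a proper public-suffix list.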
To be able to access an information system, users are given access rights according to their IT system user profile. The simplest case is physical access to a device. When a third party uses a resource without having been authorised to do so, we call that intrusion. When a third party uses a user’s rights to access a resource, we call that identity fraud. It is important to ensure that authentication always entails identification and that physical intrusion is avoided. It is useful:
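The distinction drawn above, identification (who claims to be acting), authentication (proof of that claim) and authorisation (what that identified user's profile permits), can be made concrete in a small access-control model. The following Python module is an added illustration, not part of the original page: the user profiles, rights, resources and passwords are constructed for the example, and every login and access attempt is recorded against the identified username so that actions can be traced to a person rather than to a shared account.

```python
"""Minimal identification / authentication / authorisation model with audit.

Added illustration (not part of the original page). Profiles, rights,
resources, users and passwords below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Rights granted per user profile: resource -> set of permitted actions
# (constructed values).
PROFILE_RIGHTS = {
    "employee": {"shared_docs": {"read"}},
    "admin": {"shared_docs": {"read", "write"}, "audit_log": {"read"}},
}

_DUMMY_SALT = os.urandom(16)  # used to equalise work when the username is unknown


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a real deployment would tune the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    username: str
    profile: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add_user(self, username: str, profile: str, password: str) -> None:
        """Every account is tied to one named person; no shared logins."""
        salt = os.urandom(16)
        self.users[username] = User(username, profile, salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str):
        """Identification (username) plus authentication (password check).

        Returns the identified User on success, None otherwise. Unknown
        usernames still pay the hashing cost so timing does not reveal them.
        Every attempt is audited under the claimed identity.
        """
        user = self.users.get(username)
        salt = user.salt if user else _DUMMY_SALT
        expected = user.pw_hash if user else b"\x00" * 32
        ok = hmac.compare_digest(expected, _hash_password(password, salt)) and user is not None
        self.audit.append(("login", username, ok))
        return user if ok else None

    def authorise(self, user: User, resource: str, action: str) -> bool:
        """Authorisation by profile; the audit entry names the identified user."""
        allowed = action in PROFILE_RIGHTS.get(user.profile, {}).get(resource, set())
        self.audit.append(("access", user.username, resource, action, allowed))
        return allowed


if __name__ == "__main__":
    directory = Directory()
    directory.add_user("alice", "employee", "correct horse")
    directory.add_user("bob", "admin", "battery staple")
    alice = directory.authenticate("alice", "correct horse")
    print("alice write shared_docs:", directory.authorise(alice, "shared_docs", "write"))
    for entry in directory.audit:
        print(entry)
```

The point the paragraph makes is visible in the audit trail: an attempt that is refused at authentication never reaches authorisation, and every access decision carries the username that was authenticated, which is what makes identity fraud (use of another person's credentials) investigable afterwards.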