The Art of Deception

When you steal money or goods, somebody will notice it's gone. When you steal information, most of the time no one will notice because the information is still in their possession.

Policy: Personal identifiers such as employee number, social security number, driver's license number, date and place of birth, and mother's maiden name should never be used as a means of verifying identity.

Policy: M1 privileged accounts must have a strong password: The password must:

Not be a word found in a dictionary in any language

Be mixed upper and lower case with at least one letter, one symbol, and one numeral

Be at least 12 characters in length

Not be related to the company or individual in any way.

Policy: The company's external Web site shall not reveal any details of corporate structure or identify any employees by name.

Items of Confidential information generally fall into one of these categories:

Information concerning trade secrets, proprietary source code, technical or functional specifications, or product information that could be of advantage to a competitor.

Marketing and financial information not available to the public. Any other information that is vital to the operation of the company such as future business strategies.

In fact, as improvements are made if I the technological weapons against security breaches, the social engineering approach to using people to access proprietary company information or penetrate the corporate network will almost certainly become significantly more frequent and attractive to information thieves.

New employees should be required to attend the training as part of their initial indoctrination.

Members of the Hare Krishna religious cult were very effective at influencing people to donate to their cause by first giving them a book or flower as a gift. If the recipient tried to return the gift, the giver would refuse remarking, "It's our gift to you." This behavioral principle of reciprocation was used by the Krishnas to substantially increase donations.

For some strange reason, antivirus manufacturers do not market products that will detect commercially available spyware.

Like the rest of us, they were making judgments based on appearances--a serious vulnerability that social engineers learn to take advantage of.