RE: Steps to avoid Social Engineering
From: Matt Cunnane (matt.cunnane_at_gmail.com)
To: <email@example.com> Date: Tue, 19 Apr 2005 19:27:41 +0100
As a start, I'd recommend calling them back via the company's main
switchboard number. This isn't foolproof, but provides a quick and easy
test to weed out less sophisticated attackers.
From: Tabs The Cat [mailto:firstname.lastname@example.org]
Sent: 18 April 2005 19:39
Subject: Steps to avoid Social Engineering
I have a question for you guys (and gals). We all know about social
engineering. Some of us use it on a daily basis. And we all know how
it can be even more dangerous than any computerized attacks, but how
can we protect against it?
I'll give you an example: we have a database based program that
was written by and maintained by a third party that is in another
city. In the past when they needed access for maintenance, we would
provide them it via VPN. Recently there has been a problem so they
were contacted. Earlier today someone from that company phoned me to
discuss details about the VPN. I haven't given them any information
yet. In this case I am fairly positive it is legit since they knew the
company that we use as well as who lodged the complaint.
But how could I get this person (or any one in the future) prove
to me that they are the people who are they say they are? Any advice?