Re: Steps to avoid Social Engineering
From: John Blackley (jblackley_at_sysmatrix.net)
Date: 20 Apr 2005 01:51:13 -0000
To: firstname.lastname@example.org
In-Reply-To: <email@example.com>
I sympathise with your problem and the first piece of advice I have for you is this: You may be able to reduce the risk and you may not be able to entirely eliminate it. However, beware of the risk of making your controls so convoluted that you disappear up your own environment.
Some thoughts on controls: A single point of contact at the third-party company begins to reduce the risk of impersonation - only receive calls from an authorised person at the third-party (allowing a backup, of course, for when he/she isn't available to make the call).
When someone calls from the third-party, call them back at the third-party's switchboard and ask to be connected to them.
If you have a written contract with the third-party and that contract has some kind of identifier on it (contract or PO number), ask for that.
You can go on from here yourself, I'm sure. The key here is simple, easily-established rules that give you some assurance that you are talking to the person you think you're talking to.
John A Blackley
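The three controls John describes (an authorised contact plus backup, a call-back through the vendor's switchboard number you already hold, and a contract or PO identifier on the call) can be written down as a small checklist so that a helpdesk applies them the same way every time. The following is an added illustration, not code from the original thread; the vendor roster, contact names and contract id are constructed sample values, and the `verify_call` function and its field names are assumptions made for the example. The one design point worth noticing is that the call-back number always comes from the contract on file, never from a number the caller offers.

```python
"""Caller-verification checklist for requests that arrive by phone from a
third-party company.  Added example; vendor data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    switchboard: str                      # number taken from the signed contract
    authorised_contacts: FrozenSet[str]   # primary contact plus a named backup
    contract_id: str                      # contract / PO number on the paperwork


@dataclass
class IncomingCall:
    vendor_name: str
    claimed_contact: str
    claimed_contract_id: Optional[str]
    callback_number_offered: Optional[str] = None   # number the caller asks us to ring


@dataclass
class Verdict:
    proceed: bool
    checks: Dict[str, bool] = field(default_factory=dict)
    callback_number: Optional[str] = None           # number we will actually dial


# Constructed sample roster (hypothetical vendor, contacts and PO number).
SAMPLE_ROSTER: Dict[str, Vendor] = {
    "Acme Support": Vendor(
        name="Acme Support",
        switchboard="+1-555-0100",
        authorised_contacts=frozenset({"Alice Primary", "Bob Backup"}),
        contract_id="PO-12345",
    ),
}


def verify_call(call: IncomingCall, roster: Dict[str, Vendor]) -> Verdict:
    """Apply the checklist to one call.  Every check must pass before the
    request is acted on; the verdict also records which checks failed so the
    operator can tell the caller what is missing."""
    checks: Dict[str, bool] = {}
    vendor = roster.get(call.vendor_name)
    checks["known_vendor"] = vendor is not None
    if vendor is None:
        return Verdict(proceed=False, checks=checks)

    # Control 1: only a named, pre-agreed person (or their backup) may call.
    checks["authorised_contact"] = call.claimed_contact in vendor.authorised_contacts

    # Control 3: the caller must quote the identifier that appears on the contract.
    checks["contract_id"] = call.claimed_contract_id == vendor.contract_id

    # Control 2: call back via the switchboard number on file.  A number the
    # caller supplies is ignored; it proves nothing about who they are.
    checks["callback_via_switchboard_on_file"] = (
        call.callback_number_offered is None
        or call.callback_number_offered != vendor.switchboard
        or True   # always true: the decision to use the filed number is unconditional
    )

    return Verdict(
        proceed=all(checks.values()),
        checks=checks,
        callback_number=vendor.switchboard,
    )


if __name__ == "__main__":
    good = IncomingCall("Acme Support", "Alice Primary", "PO-12345")
    suspect = IncomingCall("Acme Support", "Carol Unknown", "PO-99999",
                           callback_number_offered="+1-555-0199")
    for c in (good, suspect):
        v = verify_call(c, SAMPLE_ROSTER)
        print(c.claimed_contact, "->", "proceed" if v.proceed else "hold", v.checks,
              "call back on", v.callback_number)
```

Running the block shows the genuine contact passing every check and the unknown caller being held, with the operator told to ring the switchboard number on file rather than the number the caller offered. Keeping the rules this short is deliberate: as the post says, controls that are easy to state and easy to apply are the ones staff will actually follow.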