How can users protect themselves from passive social engineering in just a few steps? On the occasion of Safer Internet Day on February 8th, here are some important tips on how to protect your own data and information.
Cyber criminals do not only strike online; they also use passive social engineering. In doing so, they collect data and information "in real life" in order to use it later for online fraud, blackmail or identity theft on the net. Social engineering is the interpersonal manipulation of people with the aim of building trust and thereby gaining access to sensitive information. Passive social engineering does not even need the interpersonal component of conversations, calls and direct messages; the perpetrators operate even more subtly: an inconspicuous look over the shoulder (shoulder surfing), a search through the documents in the waste bin (dumpster diving), or a prepared USB stick left lying around for someone to plug in (a USB drop).
Social engineering: consider human weaknesses
“The best technical solutions reach their limits when attackers can exploit the insecurity and ignorance of teams and employees. No security concept is complete if the human vulnerability is not also taken into account,” explains Dr. Sebastian Schmerl, Director Security Services EMEA at Arctic Wolf. “Security awareness training helps companies close this vulnerability and sensitize the workforce to potential threats. Employees should not only learn to recognize suspicious e-mail attachments and manipulated websites and act accordingly, but also how to protect themselves from passive social engineering in their everyday work.”
Here are eight important tips against passive social engineering.
1. Pay attention to the environment
Many companies give their employees the freedom to work from anywhere, whether in the home office or in a café, on a train or on a plane. In public places in particular, attention is required: Who is nearby? Can unauthorized persons see your screen or your work documents? In addition, documents and devices should never be left unattended, not even for a few seconds, for example to get a new drink in a café. Criminals need only a few moments to photograph information or, with a few clicks on an unlocked device, gain access to data. Locking the screen before stepping away limits the second risk but does nothing for the first: a laptop or paper file left on the table can simply be taken.
2. Use privacy filters to prevent social engineering
Privacy filters are thin plastic films that narrow the viewing angle of a display. Placed over the screen, they keep the content readable from straight ahead while blocking views from the sides, which protects data from prying, unauthorized eyes in the next seat or at the next table. They do not stop someone looking directly over your shoulder, so they complement, rather than replace, attention to the environment.
3. Dispose of storage media and documents correctly
Storage media, from hard drives to USB sticks, must be professionally erased so that data does not fall into the wrong hands. Deleting files or quick-formatting a drive is not erasure: the data remains recoverable with freely available tools. NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, describes how to sanitize and dispose of storage media; it distinguishes three levels (clear, purge and destroy), chosen according to the type of media and the sensitivity of the data, and it calls for verifying the result afterwards. For SSDs in particular, overwriting from the operating system is not sufficient, because the drive's firmware may keep copies in reserved areas; the built-in sanitize or secure-erase command of the drive, or physical destruction, is required. Paper documents also need professional destruction, with a cross-cut shredder rather than a bin, even in the home office, so that criminals rummaging through paper waste do not stumble upon real data treasures that open the door to systems, databases and more.
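NIST SP 800-88 treats verification as part of sanitization, not an optional extra. The script below is an added example written for this article, not code from Arctic Wolf or from the NIST guideline: it checks that a drive or disk image reads back as all zeros after a clear-level overwrite, either in full (every byte compared against a zero stream) or by spot-checking random 4 KiB blocks, which is what you would do on a multi-terabyte drive. It assumes a Linux or BSD host with the usual coreutils (`dd`, `cmp`, `head`, `od`, `stat`) and, for block devices, Linux's `blockdev`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): post-wipe read-back verification in the
# spirit of NIST SP 800-88 Rev. 1's "verify" step. Assumes coreutils; on Linux,
# `blockdev` is used to size block devices (run as root for /dev/sdX).

# Size of a file or block device in bytes (hypothetical helper name).
_size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        # GNU stat first, BSD/macOS stat as fallback
        stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
    fi
}

# Full scan: every byte of PATH is compared against a zero stream of the same
# length. Returns 0 if the medium is entirely zero, 1 if any byte differs.
verify_zeroed_full() {
    path="$1"
    size=$(_size_of "$path") || return 2
    head -c "$size" /dev/zero | cmp -s - "$path"
}

# Spot check: read SAMPLES random 4 KiB blocks from PATH and fail on the first
# block containing a non-zero byte. Fast on large drives, but it is only a
# statistical check; a single dirty block can be missed.
verify_zeroed_sample() {
    path="$1"
    samples="${2:-64}"
    bs=4096
    size=$(_size_of "$path") || return 2
    blocks=$(( size / bs ))
    [ "$blocks" -gt 0 ] || { echo "medium smaller than one block" >&2; return 2; }
    i=0
    while [ "$i" -lt "$samples" ]; do
        # unsigned 32-bit random value from /dev/urandom, reduced to a block index
        off=$(( $(od -An -N4 -tu4 /dev/urandom | tr -d ' ') % blocks ))
        # strip every NUL byte; anything left over means the block is not clean
        n=$(dd if="$path" bs="$bs" skip="$off" count=1 2>/dev/null | tr -d '\000' | wc -c)
        if [ "$(( n ))" -ne 0 ]; then
            echo "non-zero data in block $off (byte offset $(( off * bs )))" >&2
            return 1
        fi
        i=$(( i + 1 ))
    done
    return 0
}

# Command-line entry: ./verify_wipe.sh /dev/sdX [samples]
if [ -n "${1:-}" ]; then
    if verify_zeroed_sample "$1" "${2:-64}"; then
        echo "spot check passed: ${2:-64} random blocks of $1 are zero"
    else
        echo "spot check FAILED for $1" >&2
        exit 1
    fi
fi
```

Run the spot check first to catch a wipe that did not happen at all, then the full scan when time allows before the medium leaves your control. A clean read-back proves only what the drive is willing to return: on an SSD it says nothing about remapped or over-provisioned cells, which is why the guideline reserves purge-level sanitization for the drive's own sanitize command or for destruction.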
4. Keep devices safe
All devices – from laptops to tablets to smartphones – should be adequately protected and kept physically safe when not in use. And no: the car or a checked-in suitcase are not such safe places.
5. Social engineering: protect device access
All devices should be secured with a password, PIN or biometric factor, and sensitive systems must additionally be protected with multi-factor authentication. A screen lock on its own does not protect the data on a device whose storage can be removed and read elsewhere, so full-disk or device encryption should be enabled as well.
6. Enable remote location and erasure
To prevent data from falling into the wrong hands in the event of theft, the remote locate and wipe function should be enabled on all devices, whether through the mobile operating system's built-in feature or through the company's mobile device management. A remote wipe only takes effect once the device is back online, which is a further reason to keep the storage encrypted.