So NFOrce reset the server's root password for him, giving him complete access to the server
Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!
No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.
Usually ISPs have contact information, like phone number, home adress, passport scan etc which can easily be used to verify a person. When combined with PGP, whis should be almost 100% safe.
and that's the point. social engineering depends on human error.
My point is, that you can prevent social engineering with a good training of your staff. That money is always good invested, because it gains trust from the customer. Now, after all these hacks that had happened in the past, theymos should have chosen the right ISP with the right policy already a long time ago.
edit:
just an example:
http://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm
...
1. Educate yourself.
"Our first mitigation is security through education," Hadnagy said. "If people aren't educated to the types of attacks being used, then they cannot possibly defend against them."
Social-Engineer.org provides a number of information resources on social engineering attacks. The two most commonly used and effective approaches, or "pretexts," used in the contest were posing as an internal employee or posing as someone hired by corporate to perform an audit or take a survey.
"Contestants used the survey pretext a lot," Hadnagy said. "It allowed them to ask questions that are believable in that context."
Hadnagy noted that employees rarely sought to confirm the pretext with another source, like a manager, before giving away information.
2. Be aware of the information you're releasing.
This tip encompasses both verbal communication and social media like Facebook or Twitter. Hadnagy noted that serious social engineers, as opposed to someone participating in a contest for fun, would get deep background on their targets before moving.
"You would know where they live," he said. "You would know whether they're happy or unhappy in their jobs."
3. Determine which of your assets are most valuable to criminals.
Even companies that actively seek to protect themselves from social engineering attacks often focus on protecting the wrong things, according to Jim O'Gorman, a security consultant and member of Social-Engineer.org.
"When a lot of companies focus on protecting their assets, they're very focused on that from the perspective of their business," O'Gorman said. "That's not necessarily the way an attacker will look at your company. They'll look for assets that are valuable to them, assets that they can monetize."
"Information perceived as having no value will not be protected," Social-Engineer.org said in the primary findings of its report. "This is the underlying fact that most social engineering efforts rely upon, as value to an attacker is different than value to an organization. Companies need to consider this when evaluating what to protect, considering more than just the importance of value to the delivery of service, product, or intellectual property."
O'Gorman said an independent assessment is the best tool to determine which of your assets criminals are most likely to target.
4. Write a policy and back it up with good awareness training.
Once you know which of your assets are most tempting to criminals and the pretexts they're most likely to use to pursue them, write a security policy for protecting your data assets. Then back up that policy with good awareness training.
"A policy is just a written statement," Hadnagy said. "It doesn't mean anything if people don't follow it."
In the primary findings of its report on the contest, Social-Engineer.org noted, "For awareness training to be truly effective it requires complete coverage of all employees. In many instances contestants would contact call centers, which often do not have as complete of awareness training programs. This translated into information leakage that could have been avoided, as well as significant increase of risk to the target organizations. Demonstration of the ineffectiveness of awareness training was apparent by the lack of employee resistance to answering questions."
Social-Engineer.org believes employees need a clear set of guidelines in place to respond well to a given situation. Absent such guidelines, employees will default to actions they perceive as helpful, which often means giving away information they shouldn't.
5. Keep your software up to date.
Hackers using social engineering techniques are often seeking to determine whether you are running unpatched, out-of-date software they can exploit.
"A lot of the information given out really would not be damaging if the target keeps his software up to date," Hadnagy said.
Staying on top of patches and keeping your software updated can mitigate a lot of risk.
6. Give employees a sense of ownership when it comes to security
"Security programs in this country are failing miserably," Hadnagy said. "The reason is that they're not personal. They don't make security a personal thing. Employees need to feel a sense of ownership when it comes to security."
O'Gorman added, "I think it's important that employees understand that what applies in the workplace also applies at home. Make it personal to that extent. Changing habits, changing culture is extremely difficult."
Both noted that criminals will not respect boundaries between one's work life and one's personal life, and any personal information obtained from a compromised work computer may also compromise one's personal life.
7. When asked for information, consider whether the person you're talking to deserves the information they're asking about.
This is where the rubber meets the road. Whenever you are in a conversation with someone you don't know, before you answer a question they ask, make sure they deserve to know the information that they're asking about.
In most cases, the person you're talking to has no need to know what version of an operating system you're running, or who handles trash collection at your company.
As Hadnagy is fond of pointing out, social engineers know that most people instinctively try hard to be helpful to their fellow human beings when asked. Social engineers leverage that instinct to their advantage. Companies certainly want their employees—especially customer-facing employees—to be friendly and helpful, but they must also temper that helpfulness with restraint.
For instance, an employee in sales wants to be as helpful to a potential customer as possible. But that employee should still make sure that the questions the potential customer is asking are relevant before answering.
"From a sales point of view, it's hard to say that," Hadnagy said. "If you're a sales guy, you don't want to lose that potential sale. You have to determine if the information you're giving out really is relevant to the potential sale."
8. Watch for questions that don't fit the pretext.
The last tip leads directly into this one. If a person asks a question that does not fit the persona they present, it should set off alarm bells.
"In a business sense, I think you have to be really aware of questions that do no match the person on the phone," Hadnagy said.
Additionally, a sudden sense of pressure or urgency is often a sign.
"When you're on the phone with someone, or you're talking to someone, and all of a sudden you feel this pressure to make a decision, to take an action, you have to stop and think where is this pressure coming from? They'll try to put pressure on the target so they don't have time to think about their decision," O'Gorman said. "Don't get caught up in the story that's being told to you. A sense of pressure that shouldn't be there, that's a big red flag."
9. Stick to your guns.
If you do get a feeling that someone is fishing for information that they shouldn't, stick to your guns.
"If someone asks for information that you don't know if you should release, ask your manager," Hadnagy said. "Many social engineers will break if off if there's a break in the conversation."
Hadnagy pointed to one call during the contest in which the employee who received the call put up some resistance, but ultimately gave in to the social engineer's persistence.
"The employee actually had a pretty good sense," Hadnagy said. "Three times, he said, ‘our corporate policy is that you e-mail these questions, and we answer them together as a team.’ That whole phone call would have failed from a social engineering standpoint if that employee had stuck to his guns."
Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards and security, among other technologies.
