Risk management for social engineering

18 11 2011

On August 25th, 2011, the computers of three members of Japan's lower house were infected with a Trojan horse, and the user IDs and passwords of 480 deputies were possibly compromised [1]. The attacker used a “social engineering” approach, posing as a reporter who asked the members for permission to use their profile pictures in an article; the members then opened the file attached to the email.

This is a typical social engineering approach, and one of the most effective ways to break into systems.

“According to a report by Check Point Software Technologies Ltd., 48% of enterprises have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident” [2].

There are several basic techniques, such as pretexting, diversion theft, and phishing [3], and there are also basic countermeasures against these threats, such as education (training).

However, it is almost impossible to prevent humans from making errors. So how can we mitigate the risk of these human errors?

According to risk management approaches [4] [5], each risk can be categorized as the figure below shows, based on its significance level and its likelihood (because risk impact = significance level × likelihood).

For a risk with high significance and low likelihood, we should transfer the risk. For a risk with low significance and low likelihood, we can simply accept the risk. For a risk with high significance and high likelihood, we should avoid the risk. For a risk with low significance and high likelihood, we should mitigate the risk.

So where should social engineering risks be mapped? I suggest placing them in “3. Avoidance”, because the significance level is very high, especially for organizations or people that hold important information on their network, as in the lower house members’ case above, and the likelihood is also high, as the Check Point Software Technologies Ltd. report states. (If the organization has almost nothing important on its network, the risk should be mapped to “4. Mitigation” instead.)
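To make the mapping concrete, here is an added Python example (not from the original post) that scores a small risk register with the post's formula and assigns each entry to one of the four treatments; the 1-5 scales, the threshold of 3 for “high”, and the sample register entries are my assumptions.

```python
"""Map a risk to one of the four treatments in the post's risk matrix.

Added example, not from the original post. The 1-5 scales, the threshold
of 3 for "high" and the sample register are assumptions.
"""
from dataclasses import dataclass

HIGH_THRESHOLD = 3  # assumption: a level of 3 or more counts as "high"

# Numbering follows the order in which the post lists the four treatments.
TREATMENTS = {
    (True, False): "1. Transfer",     # high significance, low likelihood
    (False, False): "2. Acceptance",  # low significance, low likelihood
    (True, True): "3. Avoidance",     # high significance, high likelihood
    (False, True): "4. Mitigation",   # low significance, high likelihood
}


@dataclass(frozen=True)
class Risk:
    name: str
    significance: int  # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale

    def __post_init__(self):
        for value in (self.significance, self.likelihood):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: levels must be 1..5, got {value}")

    def impact(self) -> int:
        """risk impact = significance level * likelihood, as in the post."""
        return self.significance * self.likelihood

    def treatment(self) -> str:
        high_sig = self.significance >= HIGH_THRESHOLD
        high_lik = self.likelihood >= HIGH_THRESHOLD
        return TREATMENTS[(high_sig, high_lik)]


def classify(register):
    """Return (name, impact, treatment) per risk, highest impact first."""
    rows = [(r.name, r.impact(), r.treatment()) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register: the post's two social engineering cases plus two others.
SAMPLE_REGISTER = [
    Risk("phishing email to lower house members", 5, 4),
    Risk("phishing email, nothing important on the network", 2, 4),
    Risk("data-centre fire", 5, 1),
    Risk("lost USB stick holding public brochures", 1, 2),
]
```

Calling `classify(SAMPLE_REGISTER)` ranks the lower house case first with an impact of 20 and the treatment “3. Avoidance”, while the same attack against a network with nothing important lands in “4. Mitigation”.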

How can we “avoid” the risk? Simply issuing guidelines to follow, or changing processes to make them more secure, is not enough, because humans make mistakes. So one good solution for social engineering risks, one that does not rely on human behaviour (and thus removes the human error), is to implement thin clients. Central management then makes security much easier for the organization to manage.


[1] http://www.itnews.com.au/News/278430,email-trojan-infects-japanese-parliament.aspx

[2] http://www.itnewsonline.com/news/Check-Point-Survey:-48-Percent-of-Enterprises-are-Victims-of-Social-Engineering/24789/8/3

[3] http://en.wikipedia.org/wiki/Social_engineering_(security)

[4] http://en.wikipedia.org/wiki/Risk_management

[5] http://www.ica.bc.ca/ii/ii.php?catid=17
