Is defending against social engineering an HR or IT issue?
Scareware scammers are using telephones to trick thousands of victims into parting with their money to fix purported problems with their PCs, according to the Federal Trade Commission earlier this week. While it is part of a larger problem that is beyond a business's ability to fix, a real-life encounter outlined by Nate Anderson of Ars Technica highlights the possible dangers and effectiveness of social engineering.
You can read about my round-up of Anderson's encounter with a scammer here. Less IT-savvy users could well have fallen for the scam and allowed a stranger to guide them through the installation of a remote access tool over the phone, and then paid them for the privilege.
The scary prospect of this approach is that a remote access Trojan could be installed in the same manner, with hapless workers being coerced into installing one on a corporate PC or laptop. Indeed, an attacker really only needs to coax one employee into visiting a website laced with a zero-day exploit to gain a foothold in the entire corporate network.
Obviously, such a well-prepared attacker would be well-equipped with malware designed to fly under the radar of security software. Additional techniques, such as the use of the Tor anonymizer network, could further conceal the presence of the malware and possibly even defeat intrusion detection systems.
Given the situation outlined above, is defending against social engineering the job of HR (to put proper training in place) or of IT (to implement even more robust defenses)? I'm curious to hear your opinions, as well as practices in your company, on this subject. - Paul Mah (Twitter @paulmah)