Social Engineering
Objective and Purpose
intelliHR and its team are responsible for defending the integrity and confidentiality of information and resources owned by intelliHR, its customers, and partners. This policy is designed to raise awareness among the intelliHR team that social engineering attacks will almost certainly be used to target intelliHR. It further informs staff members that social engineering attacks come in varied guises and across many mediums, from phone calls and email messages to in-person encounters.
Scope
The scope for this policy includes all intelliHR team members.
Policy
intelliHR team members are required to be constantly on guard against Social Engineering efforts, which can present in many different ways but are ultimately designed to compromise Client Data and/or our resources. We all have a responsibility to protect all information owned by or entrusted to us. The first and most practical form of protection is for all team members to maintain a healthy level of scepticism towards any unfamiliar form of communication.
The following examples of the most common forms of Social Engineering explain why this is important.
Phishing
Phishing is a leading form of social engineering attack that is typically delivered in the form of an email, chat, web ad or website that has been designed to impersonate a real system, person, or organisation. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing an end user’s sensitive data. A phishing message might appear to come from a bank, the government or a major corporation. The calls to action vary. Some ask the end user to “verify” the login information of an account and include a mocked-up login page, complete with logos and branding, to look legitimate.
Baiting
Baiting, similar to phishing, involves offering something enticing to an end user in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labelled “Executive Salary Summary Q3” that is left out on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly into the end user’s system and the hacker is able to get to work.
Quid Pro Quo
Similar to baiting, quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.
Piggybacking/Tailgating
Piggybacking, also called tailgating, is when an unauthorised person physically follows an authorised person into a restricted corporate area or system. One tried-and-true method of piggybacking is when a hacker calls out to an employee to hold a door open for them because they have “forgotten” their ID card. Another method involves a person asking an employee to “borrow” his or her laptop for a few minutes, during which the criminal is able to quickly install malicious software.
Pretexting
Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user in order to gain access to login information.
How to deal with Customer Queries which have the potential to reveal sensitive data
Step 1
All team members should approach any unfamiliar communication with a healthy level of scepticism. All existing customer account queries should be responded to by the Customer Success team. Why? Only these team members have access to customer accounts, so other team members are unlikely to be able to help. If a communication doesn’t seem right, it should be raised with your manager or brought to the attention of the Internal Security Team immediately. The Internal Security Team comprises Andrew Smith, Callum Pember, Constantin Oleinic, Soloman Weng, Sean Mason, and Michael Devenish. You should register any security concerns in the incidents Slack channel, where they will receive immediate attention.
Step 2
All customer information should only be revealed to known key customer contacts (i.e. a customer system administrator), and this should only be done by the Account Management Team. Any requests for unauthorised, undocumented releases of information, such as passwords, processes, sensitive personal information, and financial information, by customer team members or possible third parties must be referred to the customer’s System Administrator.
Step 3
Revealing customer information of any type – even just a customer process, for example – should only be done by a CS team member with a validated customer System Administrator. If the enquiry is made by somebody other than a nominated System Administrator, they should be referred to their System Administrator, who is in a better position to decide whether the information should be shared with the inquirer or not. Often CS will be familiar with the System Administrator contact and will provide basic support to them without validation. However, when sensitive personal information (see Step 2) is being inquired about, a validation must be undertaken:
- Confirm their business name, their name and their role; this allows CS to confirm they are an authorised system admin based upon their user account;
- Then request personal details and confirm them against the personal details held within the intelliHR system (for example, Date of Birth and Street Address). The following details need to be confirmed by a System Administrator before proceeding with a high-risk support scenario:
- Full Name;
- Date of Birth;
- Home Address;
- Business or intelliHR Platform’s URL name.
The following high-risk support scenarios require a customer validation check at all times, regardless of whether the person is known to the Customer Success Manager or not:
- Permission Group changes;
- Deleting of any data;
- Requesting an export of any data;
- Changing or resetting a system administrator’s password;
- Updating any information in the customer’s platform that may have wider implications on either intelliHR’s data security or the customer’s platform.
intelliHR staff members have, at their complete discretion, the option to delay a request for any changes in order to seek further confirmation from either their supervisor or from another point of contact in the customer’s organisation.
Step 4
If any contact with unauthorised persons has been attempted, at a minimum this should be brought to the attention of the key customer contact (via email or phone) and, where suspicions have been prompted, to the intelliHR security team.
Email and Inbound Queries - for example, Non-Customer Communications
All inbound email, Intercom and phone queries have the potential to reveal critical information or, in some cases, to infect our systems with malware. Whilst we use virus protection, there are still many risks.
Step 1
All team members should approach any unfamiliar communications with a healthy level of scepticism. Do not simply take it as a given that they are who they say they are.
Step 2
Always remember “Curiosity Killed the Cat”: it is better to be safe than sorry. Do not click on any links or files in an email, chat or linked file from anybody without first considering whether it could be something dangerous. Everything should be treated as dangerous, particularly when the origin is unknown. If you have clicked on an item and the behaviour that followed was not as expected, again please raise this immediately via the incidents Slack channel.
Step 3
Query the contact about why they have made a particular request or sent a particular communication. If the query relates to an area other than one you are responsible for, just explain that you will pass them along to the appropriate area, where hopefully they will be known. If you are the responsible contact, be very careful about sharing information or clicking on any attachments sent by them until you are confident they are who they say they are and have a legitimate reason to be contacting us.
Step 4
If for any reason you are concerned, please raise it immediately with your manager or the intelliHR security team.
Non-compliance with this policy
Non-compliance with this policy will be addressed at the discretion of the intelliHR executive team, with outcomes ranging up to termination based on the severity of the violation.