Chubb offers tips on reducing information security risk from ‘social engineering’ attacks

By Canadian Underwriter | March 17, 2015 | Last updated on October 30, 2024

As part of their information security programs, companies should consider hiring a vendor to test employees at random by asking them for information that should not be shared, and should raise awareness among the “most vulnerable” employees, such as new hires and senior managers, insurance provider The Chubb Corp. suggested in a paper released Tuesday.

[Image caption: In its Guide to Preventing Social Engineering Fraud, The Chubb Corp. advises insurance customers to have strict policies on security badges.]

Chubb announced Tuesday it published its Guide to Preventing Social Engineering Fraud on its website.

“Some criminals consider it much easier to abuse a person’s trust than to use technical means to hack into a secured computer system,” explains Warren, N.J.-based Chubb, whose subsidiaries include Chubb Insurance Company of Canada. Some criminals “have learned how to trick their targets into giving them information by exploiting certain qualities in human nature. They use various forms of communication, such as e-mail, the Internet, the telephone, and even face-to-face interactions, to perpetrate their scheme of defrauding and infiltrating companies.”

The new guide “explains how a thief may pose as a vendor or client over the telephone, online or in person to trick an employee into paying a bill or making a securities transfer,” the insurer noted in a release.

Mitigating the risk of social engineering attacks “should be a part of any comprehensive security policy,” Chubb advises. “It should include a component for raising awareness among employees and educating those who are most vulnerable: new hires, help desk personnel, contractors, executive assistants, human resource personnel, senior managers and executives, as well as information technology (IT) employees who handle technical and physical security.”

Chubb advises commercial policyholders to maintain “strict policies on displaying security badges and other credentials and making sure all guests are escorted.”


Employees should “politely refuse entry to anyone ‘tailgating,’” Chubb advises in its guide. “Consider conducting a recurring, third-party penetration test to assess your organization’s vulnerabilities, including unannounced random calls or emails to employees soliciting information that should not be shared.”

One social engineering technique is impersonation or “pretexting,” which “may involve an attacker using a believable reason to impersonate a person in authority, a fellow employee, IT representative, or vendor in order to gather confidential or other sensitive information,” Chubb warns.

Another is “baiting,” where someone leaves a device loaded with malware – such as a USB memory stick, a CD or DVD – “at a location where an employee will come across it, and then out of curiosity will plug/load the infected device into his or her computer.”
