Social engineering attacks are among the most dangerous attack methods of this information age. The book Computer Security Handbook (6th ed.) suggests that it is imperative for information security professionals and organizations to strengthen the three common avenues of detection for social engineering attacks, viz., People, Audit Controls and Technology.
It is essential to educate users about the various potential sources of these attacks, across impersonation, seduction, intimidation, etc. The one rule of thumb for protecting users from social engineers is to make sure that they never disclose sensitive information (passwords, account details, etc.) under any circumstances without clear, legitimate proof of the request, verified by contacting the concerned department or business through a separate channel.

Social engineering attacks can be fought by strengthening detection, response and mitigation. Detection can be carried out through effective auditing of data points such as emails, internet content, system logins and changes, together with effective anti-malware and anti-phishing tools. The response to these attacks should be well-defined and planned according to the incident-management processes practiced by the organization. Information security professionals must always be ready for an attack of this nature, since as information security standards evolve, the attacks also become more complex.

It is imperative for the organization to also include the prevention of such attacks within its defense strategy. Since at some level these attacks require the user/victim to willingly share information, the organization should treat policy building, training, technology and physical security as high priorities. For example, training sessions for awareness of such attacks and refreshers on security policies should be an on-going exercise, encouraging employees to ask the reason for any request involving sensitive or personally identifiable information (PII). Similarly, technology mandates should be made clear to employees regarding installation of anti-malware tools and firewalls, anti-virus practices, two-factor authentication for any transactional processes, etc.
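The auditing of emails and system logins described above can be turned into a small detection pass. The following script is an added example, not part of the original post: it screens constructed mail headers for the impersonation, intimidation and credential-request patterns the paragraph lists, then flags logins from an unfamiliar IP address by a user who received a flagged message shortly before. The internal domain, staff directory, known IP ranges, message records and login-log format are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from email.utils import parseaddr

# Constructed values (not real): the organization's domain, a staff directory
# mapping display names to their real addresses, and the IPs each user
# normally logs in from.
INTERNAL_DOMAIN = "example-corp.test"
STAFF = {"jane doe": "jane.doe@example-corp.test"}
KNOWN_IPS = {"bob": {"10.0.0.12"}, "alice": {"10.0.0.33"}}

# Intimidation / urgency wording and requests for sensitive data or payment.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|account (number|details)|ssn|wire transfer)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_email(msg: dict) -> list[str]:
    """Return the reasons a message deserves review (empty list means clean)."""
    reasons = []
    display, addr = parseaddr(msg["from"])
    name = display.strip().lower()
    # Impersonation: display name of a known colleague, but a different address.
    if name in STAFF and addr.lower() != STAFF[name]:
        reasons.append("impersonation: display name matches staff but address does not")
    # Replies quietly routed to another domain than the visible sender.
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("reply-to domain differs from sender domain")
    text = msg["subject"] + " " + msg["body"]
    if URGENCY.search(text):
        reasons.append("intimidation/urgency language")
    if CREDENTIAL_ASK.search(text):
        reasons.append("asks for credentials or payment")
    return reasons


def parse_login(line: str) -> dict:
    """Parse the constructed log format: '<iso-time> user=<u> ip=<ip> result=<r>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(messages, login_lines, window=timedelta(hours=24)):
    """Flag logins from an unfamiliar IP by a user who got a suspicious mail within `window`."""
    flagged = {}
    for m in messages:
        if audit_email(m):
            flagged.setdefault(m["to_user"], []).append(datetime.fromisoformat(m["received"]))
    alerts = []
    for line in login_lines:
        ev = parse_login(line)
        user = ev["user"]
        if ev["ip"] in KNOWN_IPS.get(user, set()):
            continue  # a familiar source address is not worth an alert on its own
        for t in flagged.get(user, []):
            if t <= ev["ts"] <= t + window:
                alerts.append((user, ev["ip"], ev["ts"].isoformat()))
                break
    return alerts


# Constructed sample data: one impersonation attempt and one benign message.
MESSAGES = [
    {"id": "m1", "to_user": "bob", "received": "2024-05-01T08:00:00",
     "from": "Jane Doe <jane.doe@mail-relay.test>",
     "reply_to": "ceo-office@webmail-free.test",
     "subject": "URGENT: wire transfer needed today",
     "body": "Send the account details immediately."},
    {"id": "m2", "to_user": "alice", "received": "2024-05-01T09:00:00",
     "from": "Jane Doe <jane.doe@example-corp.test>",
     "subject": "Lunch on Friday?", "body": "Team lunch at noon."},
]

# Constructed login records: bob signs in from an unknown IP 40 minutes after m1.
LOGINS = [
    "2024-05-01T08:40:00 user=bob ip=198.51.100.9 result=success",
    "2024-05-01T10:00:00 user=alice ip=10.0.0.33 result=success",
    "2024-05-01T11:00:00 user=bob ip=10.0.0.12 result=success",
    "2024-05-03T12:00:00 user=bob ip=198.51.100.9 result=success",
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["id"], audit_email(m) or "clean")
    print(correlate(MESSAGES, LOGINS))
```

The second login from the unknown address falls outside the 24-hour window and is not reported; tightening or widening that window, and feeding the alerts into the incident-management process mentioned above rather than acting on them automatically, are the tuning decisions a real deployment would make.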
To prevent security breaches on office premises, it is essential for the organization to implement rules such as display of ID cards, door locks, special or limited access to confidential areas, security camera operations, appropriate disposal of confidential documents no longer in use, regular computer password updates, etc.
Though it might be difficult to defend the organization against social engineering attacks since the subjects involved are humans, I think security professionals stand a better chance of defense with the above-mentioned methods.
P.S.: Do take note if your business/organization deals with information exchange. :)