An employee publication of the Texas Department of Criminal Justice
March/April 2011

Information resource security threat: the Social Engineer


By Marilyn Cummings, TDCJ Information Security Officer

TDCJ relies on a quality information resource security program to reduce risk of data loss and theft. Learning to identify information security hazards will help you avoid becoming an unwitting victim.

“Social engineering” describes a non-technical breach that involves tricking people into ignoring security procedures by deliberately deceiving and manipulating them into revealing confidential information. Social engineers rely on people’s natural inclination to be helpful and cooperative. They may even go so far as to pose as a chatty person who talks you right out of your password.

Unfortunately, not all social engineers are strangers, and not all social engineers are only after company information. Consider this example: Karen works closely with Melissa. They share office space and interact every day. They even know each other’s computer login ID and password. They are a team.

Then, Karen receives a promotion and Melissa does not.

Melissa continues working without complaint, but as soon as Karen leaves the office for a training assignment, Melissa secretly logs into Karen’s machine, deletes critical files, and sends a scorching email to the department director using Karen’s email account.

Of course, the saboteur is in trouble, and will no doubt lose her job, but what about Karen? Is she in trouble, too?

Yes, she is. According to agency policy, Karen is responsible for actions performed using her login information, which should have been kept secret and not shared with anyone, even a close co-worker.

TDCJ employees have to be especially aware of the risks social engineers pose to information security. Take Billy, for example, who writes his password on a sticky note and puts it on his monitor so it’s easy to see when logging in. Every day, everyone who passes by his desk sees his prominently displayed password. Now, someone other than Billy can log into any computer in the building and access supposedly secure data without anyone’s knowledge. When the damaging activity is traced back to Billy’s login ID, he will be held responsible for the perpetrator’s actions.

It’s easy to prevent these kinds of problems; simply never give your login credentials to anyone. The Information Technology Department’s Computer Help Desk has an administrative login which allows them to do their work. If they ask if you know your password, say you do, but do not give them your password. They are only ensuring that you will be able to access the system on your own after the help call has ended. If they need your password, they will specifically ask for it. In any event, you should always change your password immediately after a computer problem has been resolved.

If you believe you might have been stung by a social engineer and accidentally revealed sensitive information, immediately report it to the appropriate supervisor, including network administrators, so they will be on the alert for any suspicious or unusual activity. Also, change any passwords you might have revealed. If you use the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.

The complete Texas Department of Criminal Justice Information Resource Security Program is available on the TDCJ Intranet under Manuals and Publications.
