Pretexting Protection

Pretexting Protection is one of the three major components of the Gramm-Leach-Bliley (GLB) Act that govern the collection, disclosure, and protection of consumers’ nonpublic personal information, or personally identifiable information:

  • Financial Privacy Rule
  • Safeguards Rule
  • Pretexting Protection

Pretexting (often referred to as “social engineering”) has become the critical challenge facing the Information Technology industry, as a rapidly increasing number of attackers attempt to gain access to personal and nonpublic information. Numerous organizations worldwide are attempting to develop an Intrusion Detection and Prevention System (IDPS) that can be applied universally.

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. Information Technology personnel should be aware that ITL also publishes the Special Publication 800 series, which reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

A 2007 publication recommended “using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity”. It identified four primary types of IDPS technologies and pointed out that each type offers fundamentally different information gathering, logging, detection, and prevention capabilities:

  • Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
  • Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves.
  • Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems).
  • Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Because such a wide spectrum of characteristics describes an IT organization’s system and network environments, evaluating IDPS products requires first defining the requirements and then considering a combination of several sources of data on the products’ characteristics and capabilities.

Until there is a common method of protecting against intrusions and pretexting, it is suggested by most and encouraged by the GLB Act that operators of IT systems covered by the federal law adopt educational programs for their employees and users who process IT data. The GLB Safeguards Rule requires the development, monitoring, and testing of programs to determine the adequacy of the IT controls. The GLB Act also recommends that follow-up programs of random spot-checks after the training be incorporated to evaluate personnel and test their degree of compliance with the guidelines. The training of employees would concentrate on teaching those who manage access to recognize and deflect inquiries made under the pretext of being an authorized person. Impersonating the account holder, whether by phone, by mail, or by “phishing” (using a phony website or email to collect personal nonpublic data), is a form of intrusion. Pretexting by individuals is punishable as the common law crime of False Pretenses.


IT Vulnerability

The vulnerability of information technology (IT) systems globally has become a major financial liability for companies and institutions that have not been certified as being in compliance with the laws set to determine adequate protection.

Summary

  • Information technology systems are expanding nationally and globally.
  • Lack of controls results in financial losses and major lawsuits.
  • Standards and guidelines for Service Organization Controls have been adopted.
  • Current lawsuits regarding intrusions indicate the seriousness of the problem.

Information technology has become the medium by which businesses, institutions, and people around the globe communicate. The use of email has increased to the point where the number of transmissions per minute is in the millions, at practically no cost to the senders. The volume of letters and use of the postal service have declined to such a degree that the United States Postal Service can no longer afford to operate at prior levels of manpower.

Information technology systems handling personal, nonpublic financial data have effectively taken over the exchange of financial data between banks and businesses. Businesses processing credit card information and other types of individual financial history routinely transmit personal data that is not for release to the public.

Processing communications and financial information has increased business efficiency to a level that is impossible to calculate. However, this has come at a high cost for many people and businesses globally because of intrusions into systems by unauthorized users, which lead to unauthorized withdrawals and charges by identity thieves.

The extent of harm to people damaged by intrusions into IT systems, as reflected in the lawsuits filed nationally and internationally against service organizations, financial institutions, and businesses, indicates that the vulnerability of IT systems remains very high.

This has created the necessity for establishing a standard for Service Organization Controls (SOC). This has led to the establishment of the SOC 1, SOC 2, and SOC 3 standards and guidelines for information technology systems by the AICPA.