Pretexting Protection
Pretexting Protection is one of the three major components of the Gramm-Leach-Bliley (GLB) Act that govern the collection, disclosure, and protection of consumers’ nonpublic personal information, also called personally identifiable information:
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Protection
Pretexting (often referred to as “social engineering”) has become a critical challenge facing the information technology industry, as a rapidly increasing number of attackers attempt to gain access to personal and nonpublic information. Numerous organizations worldwide are attempting to develop an Intrusion Detection and Prevention System (IDPS) that can be applied universally.
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. Information technology personnel should be aware that ITL also publishes the Special Publication 800-series, which reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
A 2007 publication in that series recommended “using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity”. It identified four primary types of IDPS technologies and pointed out that each type offers fundamentally different information gathering, logging, detection, and prevention capabilities:
- Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
- Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves.
- Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems).
- Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
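The Network Behavior Analysis item above is the one whose detection logic is easiest to show concretely, because it works on flow records rather than packet payloads. The following Python script is an added illustration, not code from the page or from NIST: it runs two NBA-style checks over a constructed set of flow records, one for the policy violation the list mentions (a client system providing network services to other systems) and one for the DDoS pattern (many distinct sources hammering one destination without completing a handshake). The subnets, flow records, ports and thresholds are all constructed assumptions.

```python
"""Toy network behaviour analysis (NBA) over constructed flow records.

Added illustration; not code from the page or from NIST. The address plan,
flows and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the capture (constructed)
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port
    completed: bool  # True if the TCP handshake completed


# Assumed address plan: workstations never offer services; servers do.
CLIENT_NET = ip_network("10.1.0.0/16")
SERVER_NET = ip_network("10.2.0.0/16")

# Constructed sample flows.
FLOWS = [
    # Normal: workstations talking to the web server.
    Flow(1, "10.1.0.11", "10.2.0.5", 443, True),
    Flow(2, "10.1.0.12", "10.2.0.5", 443, True),
    # Policy violation: three different hosts connect *to* workstation
    # 10.1.0.20 on port 445, so it is acting as a file server.
    Flow(3, "10.1.0.31", "10.1.0.20", 445, True),
    Flow(4, "10.1.0.32", "10.1.0.20", 445, True),
    Flow(5, "10.2.0.9", "10.1.0.20", 445, True),
    # A single inbound flow to a workstation is not enough on its own.
    Flow(6, "10.1.0.40", "10.1.0.21", 22, True),
]
# Constructed flood: 60 distinct sources hit 10.2.0.5:80 within 4 seconds,
# none of them completing the handshake.
FLOWS += [Flow(100 + i % 4, f"203.0.113.{i}", "10.2.0.5", 80, False)
          for i in range(60)]


def clients_offering_services(flows, client_net=CLIENT_NET, min_peers=3):
    """Policy-violation check: a host inside the client-only subnet that
    accepts completed connections from at least `min_peers` distinct sources
    on one port is behaving like a server.
    Returns {(host, port): sorted list of peer addresses}."""
    peers = defaultdict(set)
    for f in flows:
        if f.completed and ip_address(f.dst) in client_net:
            peers[(f.dst, f.dport)].add(f.src)
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


def flood_candidates(flows, window=10, min_sources=50):
    """DDoS-style check: one destination/port receiving incomplete
    connections from at least `min_sources` distinct sources inside any
    `window`-second interval. Returns {(host, port): peak source count}."""
    by_target = defaultdict(list)
    for f in flows:
        if not f.completed:
            by_target[(f.dst, f.dport)].append(f)
    hits = {}
    for target, fl in by_target.items():
        fl.sort(key=lambda x: x.ts)
        lo = 0
        for hi in range(len(fl)):
            # Slide the window start forward until it fits within `window`.
            while fl[hi].ts - fl[lo].ts > window:
                lo += 1
            sources = {x.src for x in fl[lo:hi + 1]}
            if len(sources) >= min_sources:
                hits[target] = max(hits.get(target, 0), len(sources))
    return hits


if __name__ == "__main__":
    print("clients acting as servers:", clients_offering_services(FLOWS))
    print("flood candidates:", flood_candidates(FLOWS))
```

Both checks deliberately ignore packet contents: NBA detection keys on who talks to whom, on which port, how often and whether connections complete, which is why it catches flow-shape anomalies that a signature-based network sensor would not, and why tuning the thresholds to the organization's own baseline matters more than the code itself.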
Because such a wide spectrum of characteristics describes an IT organization’s system and network environments, evaluating IDPS products requires first defining the requirements, and then considering a combination of several sources of data on the products’ characteristics and capabilities.
Until there is a common method of protecting against intrusions and pretexting, it is suggested by most and encouraged by the GLB Act that operators of IT systems covered by the federal law adopt educational programs for their employees and for users processing IT data. The GLB Safeguards Rule requires the development, monitoring, and testing of programs to determine the adequacy of the IT controls. The GLB Act also recommends that follow-up programs of random spot-checks after the training be incorporated to evaluate personnel and test their degree of compliance with the guidelines. The training of employees would concentrate on teaching those who manage access to recognize and deflect inquiries made under the pretext of an authorized person. Impersonating the account holder, by phone, by mail, or even by “phishing” (using a phony website or email to collect personal nonpublic private data), is intrusion. Pretexting by individuals is punishable as the common law crime of False Pretenses.