Pulling it all together – Social Engineering Security Policy
Identity verification policy
There are several considerations to make when designing an identity verification system. One is the evidence for the claimed identity, which can be either physical or digital. Physical evidence may be an identity card or a passport, while digital evidence is information such as personal data. Those asking for the information will need to prove that the identity is theirs.
Another consideration is the validity of the identity. Wiley (2010) argues that hackers rely heavily on pretexting to impersonate people, even in person. This can be countered by checking the person's physical identity document to determine whether it is forged or genuine, including the name and date of birth, to confirm that what they claim is true. For digital identities, the policy should be designed so that cryptographic features confirm the identity and that the information has not been edited. Staff attending to the request can ask the claimant for personal information and compare it with the details held in the system. Security Through Education (2014) shows that framing can be used to present information to victims in a way that derails their decision-making; the way the claimant presents the data should therefore be counter-checked for any sign of framing.
Has the identity being claimed existed over time? If it is new, that is a red flag for a possibly forged identity. A history check can confirm whether the identity belongs to a living person, since hackers can use the identities of dead people. For in-person claimants, have they dealt with the organization over time, or are they new? For claimants over email, a counter-check should be done on whether the same email addresses have been used in previous business interactions with them. For text messages, the mobile phone number is counter-checked.

Identity verification policy should also be designed to confirm that the identity belongs to the person claiming it. This can be done by checking that the person matches the photo in the document, in both in-person and remote interactions. They must also match the biometric information on record, and they must not be wearing anything likely to hinder identity verification.
Policy for physical identity verification
Customers seeking information about their accounts with the company must submit identity documents or passports to confirm that they are the real owners of those documents and that they match the records in the system. Personal information can also be requested and compared with the company's records to ensure that it correctly matches what the claimant provides.
In addition, those claiming an identity and requesting personal information from the company in person must be checked to ensure that they have had a relationship with the company for some time. If they have not, or appear to be new, additional steps should be taken to confirm their identity, including a thorough counter-check of every item of personal information. Customers must give proof of when they opened a particular account, if it involves finances, or of what the balance on their credit cards might be.
Digital identity verification policy
For customers or identity claimants seeking information through digital means such as email and short messages, several steps can verify their identity. For short messages, the phone number must be examined, including features such as the country code and virtual SIM detection, to ensure that it is the identity claimed by those asking for the information. The attendant must use IP address analysis to identify any use of VPNs or proxies that may indicate virtual impersonation. They can use email address lookup to confirm that the domain of the identity is valid and to detect whether the number may be suspicious. In advanced cases, the company may adopt artificial intelligence such as voice recognition to confirm the identity of the rightful owner.
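As an added illustration of the digital checks above (not part of the original document): a Python routine that applies the interaction-history, email-domain, country-code and VPN/proxy checks to a claim record and returns the red flags an attendant would escalate on. The reference data (known contacts, approved domain, proxy address range, expected country code) and names are constructed assumptions standing in for the company's own records.

```python
"""Apply the policy's digital identity-verification checks to a claim record."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the company's records (assumptions, not real data).
KNOWN_CONTACTS = {  # claimant -> (emails, phone numbers) seen in prior interactions
    "alice": ({"alice@example.com"}, {"+441234567890"}),
}
APPROVED_DOMAINS = {"example.com"}
# Constructed address range treated as a known VPN/proxy exit.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_COUNTRY_CODE = "+44"


@dataclass
class Claim:
    claimant: str
    email: str
    phone: str
    source_ip: str


def verify_digital_claim(claim: Claim) -> list[str]:
    """Return the red flags raised by the policy's checks; an empty list means pass."""
    flags = []
    emails, phones = KNOWN_CONTACTS.get(claim.claimant, (set(), set()))
    # History check: a claimant with no prior interactions is a new identity.
    if not emails and not phones:
        flags.append("new identity: no prior interaction history")
    if claim.email not in emails:
        flags.append("email address not used in previous interactions")
    # Email address lookup: the domain must be one the company recognises.
    domain = claim.email.rpartition("@")[2].lower()
    if domain not in APPROVED_DOMAINS:
        flags.append(f"email domain {domain!r} not recognised")
    if claim.phone not in phones:
        flags.append("phone number not used in previous interactions")
    # Country-code feature of the phone number must match the account.
    if not claim.phone.startswith(EXPECTED_COUNTRY_CODE):
        flags.append("phone country code does not match the account")
    # IP address analysis: traffic from a known VPN/proxy range is suspicious.
    ip = ipaddress.ip_address(claim.source_ip)
    if any(ip in net for net in PROXY_RANGES):
        flags.append("source address is in a known VPN/proxy range")
    return flags


def requires_additional_verification(claim: Claim) -> bool:
    """True when any check fails and the attendant must take extra steps."""
    return bool(verify_digital_claim(claim))
```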
References
Security Through Education (2014). Framing - Security Through Education. [online] Available at: https://www.social-engineer.org/framework/influencing-others/framing/ (accessed May 20, 2022).
Wiley (2010). Social engineering: The art of human hacking. John Wiley & Sons.