Monday, December 04, 2006

Tips for Small/Medium Business from Microsoft

Link
A Microsoft white paper detailing guidelines for protecting your corporate assets from social engineers and properly training staff on the matter.

A CERT Article leads to my thesis

http://www.cert.org/incident_notes/IN-2002-03.html

This CERT article details the practice of instant message/IRC users being tricked into installing software on their computers.

This led me to think about the chapters in Mitnick's Art of Deception detailing the act of posing as a member of the IT support team in order to get a client to install malicious software onto their machine.

My initial plans were to assess what is "worse" for a business: hacking/viruses/'traditional' means of intrusion, or social engineering. All of my reading and research have shown that both can be extremely damaging and costly to businesses. However, the combination of these two seems to be the worst overall scenario.

Employees are often difficult to train on 'good' information handling practices. And keeping software patched/configured securely can be nearly impossible. But by posing as an internal employee and then invoking technological know-how, a hacker has the ultimate edge.

THESIS: The combination of social engineering and traditional penetration methods is ultimately the most effective technique in damaging corporate infrastructure.

Monday, November 13, 2006

SecurityFocus on Social Engineering

http://www.securityfocus.com/infocus/1527

This site details a real example of social engineering as conducted by a CFO on his own company to test its information security.

Wednesday, October 18, 2006

Security and Risk Analysis 111: Honors Option Proposal

Excerpt from proposal document

I hope to explore the social (non-technical) aspects of information theft. My resources for this will include Kevin Mitnick’s The Art of Deception and The Art of Intrusion, as well as online resources and other texts regarding social engineering. I will then compose an essay weighing the threat posed by poorly configured technology, software exploits, and hardware failure versus poorly trained personnel, lax security policy, and other social factors that lead to the breakdown of an information system.