A Microsoft white paper detailing guidelines for protecting your corporate assets from social engineers and properly training staff on the matter.
Monday, December 04, 2006
A CERT Article leads to my thesis
http://www.cert.org/incident_notes/IN-2002-03.html
This CERT incident note describes how instant-message and IRC users are tricked into installing software on their own computers.
It led me to think about the chapters in Mitnick's Art of Deception that describe posing as a member of the IT support team in order to get a user to install malicious software on their machine.
My initial plan was to assess what is "worse" for a business: hacking, viruses and other 'traditional' means of intrusion, or social engineering. All of my reading and research has shown that both can be extremely damaging and costly to businesses. However, the combination of the two seems to be the worst overall scenario.
Employees are often difficult to train in 'good' information-handling practices, and keeping software patched and securely configured can be nearly impossible. But by posing as an internal employee and then invoking technical know-how, an attacker has the ultimate edge.
THESIS: The combination of social engineering and traditional penetration methods is ultimately the most effective technique in damaging corporate infrastructure.