Social Engineering
Social engineering is a hacker term for deceiving people into revealing confidential information. It is a tactic often used by hackers to gather information about a network, or simply to bypass a complex technical security system altogether. (Why bother brute-forcing a password if you can con an employee into revealing it?) In most cases the hacker poses as a company employee (typically over the phone) and tries to gain the confidence of an employee who has access to the required information. If done correctly, the "mark" does not even know they have been conned, and the hacker can move across your network undetected using legitimate credentials. Combating this threat requires two things: awareness of social engineering techniques, and education of your user community.
Recommended Books
The Art of Deception: Controlling the Human Element of Security
By Kevin D. Mitnick and William L. Simon. Published by John Wiley, October 2002. Hardcover, 352 pages. ISBN 0471237124
"Social engineering", the art of deceiving and manipulating people in order to gain information, is an underestimated security risk that is rarely addressed in employee training programs or corporate security policies. For the hacker, it is an essential skill that can be used to bypass even the most sophisticated security measures without being detected. Sound far-fetched? Social engineering was one of the preferred tools of the most notorious hacker in the world, Kevin Mitnick, the author of this book. The goal of "The Art of Deception" is to raise awareness of the tools and techniques of social engineers, not to teach the art to a new generation of hackers. Mitnick spends 13 of the 16 chapters relating "fictional" accounts of social engineering attacks, analyzes each account from both the attacker's and the victim's perspective, and then offers advice on preventing or defeating the attack. The accounts are brief, entertaining, and eye-opening for those uninitiated in con games. The analysis and advice sections are written in layman's terms with a minimum of technical jargon, making this an ideal book for management as well as administrators. For the security administrator, the last two chapters are the real jewel of the book. Here Mitnick provides a number of sample security policies and procedures, including data classification categories, verification and authentication procedures, guidelines for awareness training, methods of identifying a social engineering attack, warning signs, and flowcharts for responding to requests for information or action. Every policy suggestion is followed by a paragraph of explanations and notes that outline the potential vulnerabilities in the policy. Definitely a must-read for the security conscious!
Read our full review here.
Where to Start
Social Engineering: What is it, why is so little said about it and what can be done?
A quick introduction to the threat of social engineering. Source: Sans.org (July 26, 2000)
Social Engineering Fundamentals, Part I: Hacker Tactics
Social engineering is a hacker's clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.
Source: SecurityFocus.com (December 18, 2001)
Social Engineering Fundamentals, Part II: Combat Strategies
This article examines some ways that individuals and organizations can protect themselves against potentially costly social engineering attacks.
Source: SecurityFocus.com (January 9, 2002)
The Complete Social Engineering FAQ.
Articles
A Proactive Defence to Social Engineering
Intruders or hackers are continually trying to gain illicit access to computer systems, and there are many different types of attack. Companies spend a lot of time and money trying to protect their networks. Most of their attention focuses on technology such as upgrades, security kits and high-end encryption, but a popular means of gaining access bypasses the technical systems completely. It is based on the age-old con, or confidence game, but has a new name and a new face: social engineering. A company needs good policies in place to defend against this type of attack, but even more, it needs an effective, on-going security awareness program. The best means of defence, in this case, is education.
Source: Sans.org (August 2, 2001)
Enhancing Defenses
Against Social Engineering
This paper focuses on some of the underlying
reasons people are vulnerable to social
engineering exploits, and how security
professionals can use this knowledge to best
minimize these vulnerabilities. Source:
Sans.org (March 26, 2001)
The Cyber Con Game: Social Engineering
A look at various methods of social engineering
and ways to combat it. Source:
Sans.org (February 18, 2001)
Social engineering: examples and countermeasures
from the real-world
An eye opening narrative of social engineering
tactics and recommended countermeasures. Source:
Computer Security Institute
Social Engineering: Policies and Education a Must
People are usually the weakest link in the security chain, and social engineering is still the most effective method of circumventing obstacles. A skilled social engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords. Why try to hack through someone's security system when you can get a user to open the door for you? Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone. A successful defense depends on having good policies in place and educating employees to follow the policies.
Source: Sans.org (February 16, 2001)
The human firewall
Giving out sensitive data to people without first
authenticating their identity and access privileges
is one of the most common and worst mistakes
employees can make. Allowing a stranger inside an
organization without authorization is yet another
example of a broken link in the human firewall
chain. Source: NetworkWorldFusion (May 2003)
The Use of Social Engineering as a Means of Violating Computer Systems
'Social engineering' is a practice that can be used to exploit what has long been considered the 'weakest link' in the security chain of an organisation: the 'human factor'. As a security professional, it is important to be familiar with this threat, the techniques that could be used and the countermeasures that can be implemented to protect against it. With this understanding, a security professional can ensure that appropriate protective measures are undertaken.
Source: Sans.org (October 12, 2001)
Entire contents © 1999-2003 LabMice.net and TechTarget. All rights reserved.